Single Audit Update: Internal Control over Compliance and the GAO's Green Book. MSBO's 80th Annual Conference, April 19, 2018

1 Single Audit Update: Internal Control over Compliance and the GAO's Green Book
MSBO's 80th Annual Conference, April 19, 2018

2 Presented by: Stephen W. Blann, CPA, CGFM, CGMA, Director of Governmental Audit Quality, Rehmann

3 Session Outline
- Why the Green Book?
- What is the Green Book and how is it used?
- Fundamental concepts of internal control
- Establishing an effective ICS
- Evaluation of an effective ICS
- Internal Control over Compliance

4 Why the Green Book?
The Uniform Guidance (2 CFR 200) Internal controls.
The non-federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. (cont.)

5 Why the Green Book?
The Uniform Guidance (2 CFR 200) Internal controls.
These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

6 What is the Green Book?
Standards for Internal Control in the Federal Government
- Sets internal control standards for federal entities
- May also be adopted by state and local governments and nonprofits as a framework for an internal control system

7 What is internal control?
Internal control is a process used by management to help an entity achieve its objectives

8 How does internal control work?
Internal control helps an entity:
- Run its operations efficiently and effectively
- Report reliable information about its operations
- Comply with applicable laws and regulations

9 How does an entity use the Green Book?
An entity uses the Green Book to design, implement, and operate internal controls to achieve its objectives related to operations, reporting, and compliance.

10 Who would use the Green Book?
- A program manager at a government agency
- Inspector general staff conducting a financial or performance audit
- An independent public accountant conducting an audit of expenditures of federal dollars
- A compliance officer responsible for making sure that personnel have completed required training

11 The Cube
The Components, Objectives, and Organizational Structure of Internal Control

12 The 17 Principles
Each of the five components of internal control contains several principles. Principles are the requirements of each component.

13 Attributes
Each principle has important characteristics, called attributes, which explain principles in greater detail.

14 Overview of Internal Control
- Internal Control Integrated Framework
- COSO Report (1992 & 2013)
- Committee of Sponsoring Organizations (AICPA, AAA, IIA, IMA, FEI)
- Codified in Auditing Standards by AICPA, GAO, OMB, and PCAOB (SOX)

15 Defining Internal Control (COSO)
Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance

16 Defining an Internal Control System
OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved

17 Defining an Internal Control System
OV1.05 Internal control is not one event, but a series of actions that occur throughout an entity's operations. Internal control is recognized as an integral part of the operational processes management uses to guide its operations rather than as a separate system within an entity.

18 Defining an Internal Control System
OV1.06 People are what make internal control work. Management is responsible for an effective internal control system, and sets the entity's objectives, implements controls, and evaluates the internal control system. However, personnel throughout an entity also play important roles in implementing and operating an ICS.

19 Defining an Internal Control System
OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization's objectives will be met.

20 Components and Principles: Control Environment
The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization

21 Components and Principles: Control Environment
Principle 1: Demonstrate Commitment to Integrity and Ethical Values
The oversight body and management should demonstrate a commitment to integrity and ethical values.
- Tone at the Top
- Standards of Conduct
- Adherence to Standards of Conduct

22 Components and Principles: Control Environment
Principle 2: Exercise Oversight Responsibility
The oversight body should oversee the entity's internal control system.
- Oversight Structure
- Oversight for the Internal Control System
- Input for Remediation of Deficiencies

23 Components and Principles: Control Environment
Principle 3: Establish Structure, Authority, and Responsibility
Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives.
- Organizational Structure
- Assignment of Responsibility and Delegation of Authority
- Documentation of the Internal Control System

24 Components and Principles: Control Environment
Principle 4: Demonstrate Commitment to Competence
Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- Expectations of Competence
- Recruitment, Development, and Retention of Individuals
- Succession and Contingency Plans and Preparation

25 Components and Principles: Control Environment
Principle 5: Enforce Accountability
Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
- Enforcement of Accountability
- Consideration of Excessive Pressures

26 Components and Principles: Risk Assessment
A dynamic and iterative process for identifying and assessing the possibility that an event will occur and adversely affect the achievement of objectives

27 Components and Principles: Risk Assessment
Principle 6: Define Objectives and Risk Tolerances
Management should define objectives clearly to enable the identification of risks and define risk tolerances.
- Definitions of Objectives
- Definitions of Risk Tolerances

28 Components and Principles: Risk Assessment
Principle 7: Identify, Analyze, and Respond to Risks
Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Identification of Risks
- Analysis of Risks
- Response to Risks (acceptance, avoidance, reduction, sharing)

29 Components and Principles: Risk Assessment
Principle 8: Assess Fraud Risk
Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
- Types of Fraud (fraudulent financial reporting, misappropriation of assets, corruption)
- Fraud Risk Factors (incentive/pressure, opportunity, attitude/rationalization)
- Response to Fraud Risks

30 Components and Principles: Risk Assessment
Principle 9: Identify, Analyze, and Respond to Change
Management should identify, analyze, and respond to significant changes that could impact the internal control system.
- Identification of Change
- Analysis of and Response to Change

31 Components and Principles: Control Activities
The actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out

32 Components and Principles: Control Activities
Principle 10: Design Control Activities
Management should design control activities to achieve objectives and respond to risks.
- Response to Objectives and Risks
- Design of Appropriate Types of Control Activities
- Design of Control Activities at Various Levels
- Segregation of Duties

33 Components and Principles: Control Activities

34 Components and Principles: Control Activities
Principle 11: Design Activities for the Information System
Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
- Design of the Entity's Information System
- Design of Appropriate Types of Control Activities
- Design of Information Technology Infrastructure
- Design of Security Management
- Design of Information Technology Acquisition, Development, and Maintenance

35 Components and Principles: Control Activities
Principle 12: Implement Control Activities
Management should implement control activities through policies.
- Documentation of Responsibilities through Policies
- Periodic Review of Control Activities

36 Components and Principles: Information and Communication
The continual, iterative process of providing, sharing, and obtaining necessary information to carry out internal control responsibilities to support the achievement of the entity's objectives

37 Components and Principles: Information and Communication
Principle 13: Uses Quality Information
Management should use quality information to achieve the entity's objectives.
- Identification of Information Requirements
- Relevant Data from Reliable Sources
- Data Processed into Quality Information

38 Components and Principles: Information and Communication
Principle 14: Communicate Internally
Management should internally communicate the necessary quality information to achieve the entity's objectives.
- Communication throughout the Entity
- Appropriate Methods of Communication

39 Components and Principles: Information and Communication
Principle 15: Communicate Externally
Management should externally communicate the necessary quality information to achieve the entity's objectives.
- Communication with External Parties
- Appropriate Methods of Communication

40 Components and Principles: Monitoring Activities
Ongoing evaluations are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning

41 Components and Principles: Monitoring Activities
Principle 16: Perform Monitoring Activities
Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- Establishment of a Baseline
- Internal Control System Monitoring
- Evaluation of Results

42 Components and Principles: Monitoring Activities
Principle 17: Evaluate Issues and Remediate Deficiencies
Management should remediate identified internal control deficiencies on a timely basis.
- Reporting of Issues
- Evaluation of Issues
- Corrective Actions

43 Documentation
Documentation is a necessary part of an effective internal control system.
- Required to demonstrate the design, implementation, and operating effectiveness of an entity's internal control system
- The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs (based on management judgment)

44 Documentation
GAO documentation requirements:
- Internal control system overview
- Policies showing organizational responsibilities
- Results of monitoring, including corrective action
- If a principle is not relevant, document how the component can be designed, implemented, and operated effectively without it

45 Uniform Guidance (2 CFR 200): Documenting IC over Compliance
[Figure labels: High-level Controls; Control Environ; Info & Comm; Risk Assess; Monitoring; Control Activities; Granular Controls; Entity-wide controls; Program-specific controls]

46 Uniform Guidance (2 CFR 200): Documenting IC over Compliance
A. Activities allowed or unallowed
B. Allowable costs/cost principles
C. Cash management
D. [reserved]*
E. Eligibility
F. Equipment and real property management
G. Matching, level of effort, and earmarking
H. Period of performance
I. Procurement/suspension and debarment
J. Program income
K. [reserved]
L. Reporting
M. Subrecipient monitoring
N. Special tests and provisions

47 Internal Control Examples: Activities Allowed or Unallowed / Cost Principles
Control Objectives - to provide reasonable assurance that:
- Federal awards are expended only for allowable activities
- Costs of goods and services charged to Federal awards are allowable and in accordance with Federal Cost Principles

48 Internal Control Examples: Activities Allowed or Unallowed / Cost Principles
Control Activities
- Adequate segregation of duties
- Authorization is performed by a knowledgeable individual
- Computations are checked for accuracy
- Supporting documentation compared to list of allowable and unallowable expenditures
- Accounting policies consistently applied

49 Internal Control Examples: Cash Management
Control Objectives - to provide reasonable assurance that:
- States comply with applicable Treasury agreements
- The time between the drawdown of Federal cash and expenditures is minimized
- When reimbursement is required, it is requested only after costs have been incurred
- Recipients properly monitor payments to subrecipients

50 Internal Control Examples: Cash Management
Control Activities
- Written policy that provides:
- Procedures for minimizing the time elapsed between drawing Federal funds and incurring related expenditures
- Documentation of the basis for all cash draws
- Monitoring of cash management activities
- Repayment of excess interest earnings where required
- Appropriate level of supervisory review of cash management activities

51 Internal Control Examples: Eligibility
Control Objectives - to provide reasonable assurance that:
- Only eligible individuals and organizations receive assistance under Federal award programs
- Subawards are made only to eligible subrecipients
- Amounts provided to or on behalf of eligible individuals or groups of individuals were calculated in accordance with program requirements

52 Internal Control Examples: Eligibility
Control Activities
- Written procedures for calculating eligibility amounts
- Manual criteria checklists or automated process used in making eligibility determinations
- Verification of accuracy of information used in eligibility determinations
- Process to discontinue benefits when necessary
- Safeguards to limit access to participant files

53 Internal Control Examples: Equipment and Real Property Management
Control Objectives - to provide reasonable assurance that:
- Proper records are maintained for equipment acquired with Federal awards
- Equipment is adequately safeguarded & maintained
- Disposition of any equipment or real property is in accordance with Federal requirements
- The Federal awarding agency is appropriately compensated for its share of any property sold or converted to non-federal use

54 Internal Control Examples: Equipment and Real Property Management
Control Activities
- Property tags placed on equipment
- Adequately descriptive property records
- A physical inventory of equipment is periodically taken and compared to property records
- Assign responsibility for tracking disposition of property to assure that any federal reimbursement is properly identified

55 Internal Control Examples: Matching, Level of Effort and Earmarking
Control Objectives - to provide reasonable assurance that:
- Matching, level of effort, or earmarking requirements are met using only allowable funds or costs which are properly calculated and valued

56 Internal Control Examples: Matching, Level of Effort and Earmarking
Control Activities
- Obtain evidence such as a certification from the donor, or other procedures performed to identify whether matching contributions:
- Are from non-federal sources
- Involve Federal funding, directly or indirectly
- Were used for another federally-assisted program
- Adequate review of monthly cost reports and adjusting entries

57 Internal Control Examples: Period of Performance
Control Objectives - to provide reasonable assurance that:
- Federal funds are used only during the authorized period of performance

58 Internal Control Examples: Period of Performance
Control Activities
- Review of disbursements performed by knowledgeable person
- Advising program managers of impending cut-off dates and review of expenditures just before and after cut-off date
- Cancellation of unliquidated commitments at the end of the period of performance

59 Internal Control Examples: Procurement and Suspension and Debarment
Control Objectives - to provide reasonable assurance that:
- Procurement of goods and services are made in compliance with the provisions of the Uniform Guidance (2 CFR )
- Covered transactions (as defined in the suspension and debarment common rule) are not made with a debarred or suspended party

60 Internal Control Examples: Procurement and Suspension and Debarment
Control Activities
- Written procurement policy
- Adequate segregation of duties
- Procurement actions are appropriately documented
- Verify that vendors are not suspended or debarred
- Contractor's performance with the terms, conditions and specifications of the contract is monitored and documented

61 Internal Control Examples: Program Income
Control Objectives - to provide reasonable assurance that:
- Program income is correctly earned, recorded, and used in accordance with the program requirements

62 Internal Control Examples: Program Income
Control Activities
- Pricing and collection policies procedures clearly communicated to personnel responsible for program income
- Mechanism in place to ensure that program income is properly recorded as earned and deposited in the bank as collected
- Policies and procedures provide for correct use of program income in accordance with Federal program requirements

63 Internal Control Examples: Reporting
Control Objectives - to provide reasonable assurance that:
Reports of Federal awards submitted to the Federal awarding agency or pass-through entity:
- Include all activity of the reporting period
- Are supported by underlying accounting or performance records
- Are fairly presented in accordance with program requirements

64 Internal Control Examples: Reporting
Control Activities
- Written policies
- Tracking system which reminds staff when reports are due
- The general ledger or other reliable records are the basis for reports
- Supervisory review of reports

65 Internal Control Examples: Subrecipient Monitoring
Control Objectives - to provide reasonable assurance that:
- Federal award information and compliance requirements are identified to subrecipients
- Risk assessment is made for all subrecipients, and appropriate monitoring occurs
- Subrecipient audit findings are resolved
- The impact of any subrecipient noncompliance on the pass-through entity is evaluated

66 Internal Control Examples: Subrecipient Monitoring
Control Activities
- Standard agreement templates that include required federal information
- Documented subrecipient risk assessment
- Subrecipient certification of satisfaction of audit requirements
- Require subrecipients to provide a copy of the completed audit, when necessary
- Regular contact with subrecipient program staff
- Monitoring visits, as appropriate

67 Internal Control Examples: Special Tests and Provisions
Control Objectives - to provide reasonable assurance that:
- Specific requirements of the Federal program are met
The specific requirements for Special Tests and Provisions are unique to each Federal program and are found in the laws, regulations, and the provisions of contract or grant agreements pertaining to the program.

68 Internal Control Examples: Special Tests and Provisions
Control Activities
- Assign a member of management the responsibility of becoming knowledgeable of program requirements
- Stay current on changes in program requirements through continuing education and correspondence with grant awarding agencies

69 Questions?

70 For more information...
Stephen W. Blann, CPA, CGFM, CGMA, Director of Governmental Audit Quality, Rehmann