Financial Management in the Federal Government:


Considerations regarding the integration of OMB Circular No. A-123 and enterprise risk management for the Centers for Disease Control and Prevention (CDC)

AUTHORED BY: Martin Long, Long & Associates, LLC and Elena Yearly, EMY Consulting

March 8, 2018

SUBMITTED BY:
Martin Long, CPA
Founder & CEO
5755 North Point Parkway, Suite 29
Alpharetta, GA
Office:
Cell:
Fax:
martin.long@lacpallc.com

COMPANY DATA & CERTIFICATIONS
Corporate Structure: S Corporation
Cage Code: 6RXD1
Duns Number:
(a) Case Number:
SBA 8(a) Certified; Graduation Date 11/16/2024
BOS: Tanzee L. Hall-Jones; (404) , ext

Internal controls in the federal government

The Office of Management and Budget (OMB) Circular No. A-123 defines management's responsibility for risk management and internal control. OMB Circular No. A-123 and the Federal Managers Financial Integrity Act (FMFIA) of 1982 are at the center of Federal requirements to improve accountability in Federal programs and operations. Internal control requirements for federal agencies were and continue to be reexamined in light of the new Standards for Internal Control in the Federal Government (the Green Book) issued by the U.S. Government Accountability Office (GAO).

Special attention is called to the following points, which should be front-of-mind whenever organizations are supporting federal agencies with their annual OMB Circular No. A-123 efforts:

- Determine that an agency has a system of internal control based on the Green Book and in conjunction with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) requirements;
- Take into account the need for enterprise risk management (ERM) to provide an effective system of internal control;
- Integrate and coordinate internal control assessments in support of mission delivery (e.g., administrative services, financial management, human capital, information technology, procurement, and performance management);
- Reinforce that corrective action planning and implementation take place to ensure that the root causes of control deficiencies are identified and addressed;
- Collaborate with the Office of the Inspectors General (OIG) in correcting the internal control deficiencies; and
- Make sure that internal control reporting is streamlined by eliminating areas of overlap and duplication, while maintaining separate assurances on internal control over financial reporting.

OMB Circular No. A-123 seeks to foster an open and transparent culture, one in which employees at all levels of an agency, from the day-to-day staff to the senior staff, are fully engaged in supporting the organization's objectives by leveraging existing functions through a framework of risk management. The Green Book continues to serve as a tool for annually measuring the effectiveness of the agency's internal controls, and the aforementioned update to the Green Book retained key components of internal control that apply to all organizational levels and to all categories of objectives within federal agencies.

Finally, COSO, which provides thought leadership and guidance on enterprise risk management and internal control, provides the following 8-point structure [1] as a solid foundation for OMB Circular No. A-123 implementation:

1. Internal environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
3. Event identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
4. Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
6. Control activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

[1] See

Taking Circular No. A-123 a step further

Of special note is the integrated approach to internal controls and risk management that is being espoused. For instance, federal agency management should pay special attention to the following directives regarding risk:

- Define objectives clearly to enable the identification of risks.
- Define risk tolerances.
- Identify, analyze, and respond to risks related to achieving the defined objectives.
- Consider the potential for fraud when identifying, analyzing, and responding to risks.
- Identify, analyze, and respond to significant changes that could affect the internal control system.

The OMB Circular No. A-123 guidance also requires agencies to create a risk profile that helps them identify and assess risks arising from mission and mission-support operations, and to consider those risks as part of the annual strategic review process. The efforts indicated above serve as a springboard toward implementing the ERM directives released in

Risk management in the federal government

It has been nearly two years since the OMB updated its mandates for agencies' internal-control practices in July. It did so through the release of OMB Circular No. A-123, titled Management's Responsibility for Enterprise Risk Management (ERM), which revised the 2014 Standards for Internal Control in the Federal Government, or the Green Book, to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency. [2] Prior to 2016, several federal agencies implemented ERM internal directives and activities that allowed them to address risk-based issues in a proactive manner and to identify and respond to risk more readily.

The OMB defines enterprise risk management as an effective agency-wide approach to addressing the full spectrum of the organization's external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. [3] In other words, while ERM is not new to government agencies, the OMB now requires that ERM be integrated with internal controls. The goal is to ensure that new or emerging risks, and/or changes in existing risks, are brought to the attention of an agency's leadership and dealt with in the most effective way that supports the agency's mission. Specifically, the new mandates require an agency's chief operating officer and his or her financial staff to collaborate closely with the agency's performance-improvement staff across all agency mission and mission-support functions, and to connect the dots across its internal controls, compliance activities, and oversight functions.

[2] See
[3] Ibid.

The need for ERM

These new guidelines underscore each federal employee's role in safeguarding public assets and efficiently delivering public services. Similarly, they outline the responsibility of federal agency leaders to establish goals and objectives around operating environments, to ensure compliance with relevant laws and regulations, and to manage expected or unexpected events by identifying, assessing, responding to, reporting on, and correcting deficiencies related to risks.

According to the OMB, incorporating ERM into the processes of internal controls allows information to flow freely through an organization (bottom-up, top-down, and laterally), thereby allowing agencies to incorporate risk awareness into their culture and ways of doing business. It enhances the quality of decision-making as it relates to an agency's missions, programs, and operations through a structured understanding of opportunities and threats. Further, effective ERM helps agencies implement strategies to ensure effective use of resources, enable an optimized approach to the identification and remediation of compliance issues, and promote reliable reporting and monitoring across business units.

Integrating ERM with Green Book principles

The GAO's Green Book presents five internal-control components and 17 distributed principles for demonstrating compliance. These are shown in the following graph.

Control environment
1. Demonstrate commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establish structure, responsibility, and authority
4. Demonstrate commitment to competence
5. Enforce accountability

Risk assessment
6. Define objectives and risk tolerances
7. Identify, analyze, and respond to risks
8. Assess fraud risk
9. Identify, analyze, and respond to change

Control activities
10. Design control activities
11. Design activities for the information system
12. Implement control activities

Information and communication
13. Use quality information
14. Communicate internally
15. Communicate externally

Monitoring
16. Perform monitoring activities
17. Evaluate issues and remediate deficiencies

These components and principles are maintained by the new mandates of July 2016; however, the revised Green Book requires that agencies go several steps further and assess the 17 principles as they relate to the effectiveness of their internal controls. It will require involvement by agency CFOs to assess entity-level controls and to assess both financial and operational risks. For agencies that implement shared-service operating models, the new requirements state that management is responsible for understanding the internal controls of the shared service provider and how those controls affect the relevant user's internal controls. In addition, new criteria assess the design, implementation, and operating effectiveness of government agencies' internal controls to determine their systems' effectiveness.

Established frameworks for ERM implementation

According to GAO's December 2016 Report to the Committee on Oversight and Government Reform, House of Representatives, entitled Enterprise Risk Management: Selected Agencies' Experiences Illustrate Good Practices in Managing Risk, ERM is a forward-looking management approach that allows agencies to assess threats and opportunities that could affect the achievement of their goals. In this report, GAO had the opportunity to take a step back and review its risk management framework by studying best-practice techniques. GAO subsequently incorporated changes to better address recent and emerging federal experience with ERM and identified the essential elements of ERM shown in the following graph. [4]

[4] GAO 17-63:

The Chief Financial Officers Council (CFOC) and the Performance Improvement Council (PIC) released the federal government's ERM Playbook in July 2016 to coincide with and meet the requirements of the revised OMB Circular No. A-123. The Playbook emphasizes the need to address the full spectrum of the organization's significant risks by considering the combined array of risks (such as the 11 risk categories shown in the following graph) as an interrelated portfolio, rather than addressing risks only within silos. This approach improves insight into how to prioritize and manage them more effectively. The ERM Playbook provides concrete aspects of ERM that help provide direction for integrating risk management and internal controls.

In addition, the Playbook outlines principles of ERM that serve as a strong foundation for establishing, implementing, and measuring an agency's approach to ERM/internal controls integration:

1. Governance framework is important
2. Managing risk is everyone's responsibility
3. Managers own the risk
4. Transparency supports informed decision making
5. Forums for discussing risk are important
6. Risk management should be integrated into key agency processes
7. Establishing risk appetite is key
8. Existing risk analysis models are important within limitations
9. Planning fosters a culture of resilience
10. Diversity of people and thought aids risk management

Implementing the integration of OMB Circular No. A-123 and risk management

The following graph depicts a suggested approach for aligning OMB Circular No. A-123 with risk management. It was created with the aforementioned frameworks and directives in mind. The objective of this type of process is to assess where your internal controls and risk efforts are today and how to position and tailor these efforts in 2018 and beyond.

Conclusion

As agencies refine their processes for integrating ERM with internal controls, they look to experienced providers for assistance. Long & Associates, LLC, and its teaming partner, EMY Consulting, LLC, have the experience and resources to assist agencies with meeting the requirements of the OMB. Our team uses the ERM Playbook, COSO's 8-point structure, and other important and tested resources to assist federal agencies with this new requirement. We view this approach as an opportunity to help better position agencies in responding to changes in the broader financial and operational environments. We are confident that the OMB Circular No. A-123 challenges are far outweighed by the resulting agency that's stronger and overall more effective.

The authors

Long & Associates, LLC (L&A) is an 8(a) certified, minority-owned Small Business professional corporation that has focused on financial statement auditing, internal control reviews, risk assessment services, grant management support, and business consulting services since A few of our key clients include the YKK Corporation of America, Piolax Corporation, and The Coca-Cola Company, a Fortune 100 company. L&A is a Public Company Accounting Oversight Board (PCAOB) registrant firm, a certified Small Business Enterprise with the City of Atlanta's Small Business Opportunity Program, and a certified African American Business Enterprise with the City of Atlanta's Equal Business Opportunity Program. L&A leadership, including the firm's Founder & CEO, who spent 8 years of his career with E&Y, brings more than 35 years of public and private sector experience and has provided internal control assessments and support for its corporate clients utilizing a risk-based approach and best practices.

Founded in 2013, EMY Consulting (EMY) is a professional services audit and advisory firm. A certified Woman-Owned Small Business (WOSB) headquartered in Chantilly, VA, EMY offers expert specialists in internal controls, government program assessments, internal audits, and performance and compliance audits. EMY has worked extensively with U.S. Government agencies as hands-on Senior Audit Managers and Subject Matter Experts (SMEs) to support successful executions of operational and financial audits. Some of the key federal agencies EMY has served include the Centers for Medicare & Medicaid Services (CMS); the DoD Joint Group on Depot Maintenance; the Defense Logistics Agency (DLA); the General Services Administration (GSA); the U.S. Department of Housing and Urban Development (HUD); and the Universal Service Administrative Company (USAC). EMY's CEO is a former senior leader at KPMG and brings more than 30 years of U.S. Government and private sector experience.