ADVISORY
Internal Controls Over Financial Reporting (ICOFR)
Management’s Assertions
Central PA Chapter of the AGA
February 9, 2011
PUBLIC SECTOR
© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.FOR INTERNAL USE ONLY 2
Contents
Background
Federal Managers’ Financial Integrity Act (FMFIA) of 1982
Office of Management and Budget (OMB) Circular No. A-123
Significant Revisions
Management Responsibilities
Government Accountability Office’s (GAO’s) Green Book
Integrate Compliance into the Internal Control Framework
Annual Assurance Statement
Appendix A, Internal Control Over Financial Reporting (ICOFR)
Sample Assurance Statement on ICOFR
Additional Resources
Internal Controls Over Financial Reporting (ICOFR)
“Government should lead by example. We should be as good or better than those we are regulating.”
David Walker, Comptroller General to Congress
CFO Magazine, June 2003
BACKGROUND - Overview
In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom).
Among other things, the Act requires publicly traded companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting.
Although SOX requirements DID NOT apply to the federal government, the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR.
Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes:
• New internal control review process stipulated
• New Statement of Assurance
Internal Controls: An Evolution
[Timeline figure; legend categories: Superseded, Federal Acts, Guidance, Standards, Non Federal]
Budget and Accounting Procedures Act of 1950
IG Act, 1978
OMB A-123, 1981
FMFIA, 1982
GAO Green Book, 1983
OMB Q&A, 1984
CFO Act, 1990
FDICIA, 1991
OMB A-123, 1995
FFMIA, 1996
GAO Green Book, 1999
FISMA, 2002
Sarbanes-Oxley, 2002
OMB A-123, 2004
FMFIA of 1982
Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that:
Obligations and costs are in compliance with applicable law;
Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and
Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.
Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.
OMB Circular No. A-123
Defines management’s responsibility for internal controls for federal agencies and government corporations.
Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee:
Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies;
Strengthen the requirements for conducting management’s assessments of ICOFR; and
Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities.
Effective October 1, 2005, for federal fiscal year 2006.
OMB A-123: Revised Requirements (continued)
Additional Key Management Requirements (Appendix A):
• Management must provide a conclusion on the operating effectiveness of internal control over financial reporting using the framework provided by OMB Circular No. A-123 as of June 30 of each fiscal year
• Suggests establishing a senior management council and a senior assessment team, or body of similar construct
• Determine those financial reports that will be included in the agency’s assessment
• Identify significant accounts, classes of transactions, and business processes that support the agency’s financial reporting processes
• Assess the agency’s control environment, risk assessment, control activities, information and communication, and monitoring processes, as related to financial reporting
• Document the agency’s understanding of its financial reporting business processes
• Test a sample of controls to determine if the agency’s internal control over financial reporting is in place and operating effectively
• Maintain a corrective action plan to remediate control deficiency
• Monitor the agency’s internal control over financial reporting through periodic testing of controls throughout the year
Significant Revisions
Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR).
Updates internal control standards and changes certain terminology.
Integrates related statutes into an agency’s internal control framework.
Establishes a Senior Management Council and Senior Assessment Team.
Defines the type of ICOFR deficiencies.
Requires management to document its assessment process and test of controls.
Appendix A describes a high-level process to assess, document, and report.
Does not require an audit opinion for internal controls.
GAO’s Green Book
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level.
Control Activities
These policies and procedures help ensure management directives are carried out.
Monitoring
Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time.
Information and Communication
Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.
Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people.
Reduce Compliance Cost via Integration
Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively.
[Figure: compliance initiatives integrated into a single process: FISMA, FFMIA, GPRA, IPIA, FMFIA, Single Audit Act, IG Act, Clinger-Cohen, CFO Act]
Source: KPMG LLP (U.S.), 2005
The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high.
The commercial sector’s experience with Sarbanes-Oxley provides some perspective:
• Average $ spent
• Average time taken
• Average FTEs utilized
• Planned $ to be spent
• Planned time to execute
• Planned resources
Management’s Steps to Compliance
Deliverables
Plan and Scope the Evaluation:
• Scoping Document
• Assessment Process Documentation
Document Controls:
• Entity-level Framework
• Process-level Flowcharts and/or Narratives
• Internal Control Matrix: Objectives, Risks & Controls
Evaluate Design and Operating Effectiveness:
• Test approach and test plans
• Test Results
• Internal Control Matrix: Assessment of Design and Operating Effectiveness
• List of Design or Operating Deficiencies
Identify and Correct Deficiencies:
• Categorization of Deficiencies
• Corrective Action Plans
• Remediated Controls Documentation
Report on Internal Control:
• Assurance Letters
• Conclusion of Effectiveness
• FMFIA Annual Assurance Statement
Annual Statement of Assurance
FMFIA Annual Assurance Statement previously included:
• Section 2, Internal Controls Achieved Objectives; and
• Section 4, Conformance with System Requirements.
OMB Circular No. A-123 consolidates these statements of assurance:
• Overall adequacy and effectiveness of internal controls, both financial, operational, and compliance;
• Each annual statement prepared pursuant to Section 4 shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General; and
• Under the revised A-123, includes a Statement of Assurance on the ICOFR.
Appendix A - ICOFR
Applies to all three internal control objectives:
• Operational;
• Financial (including the assessment of ICOFR); and
• Compliance.
OMB Circular No. A-123, Appendix A provides a methodology for agency management to assess, document, and report on their ICOFR.
Appendix A – ICOFR – Management’s Steps
1. Plan & Scope the Evaluation: Defines the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles.
2. Document Controls: Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation.
4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare management’s written assurance on the effectiveness of internal control over financial reporting.
6. Independent Audit of Internal Control: If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion. (Under the Circular, this step is optional.)
Appendix A – ICOFR - Scope
Objectives of ICOFR
• Should provide reasonable assurance to enable management to make the following assertions:
• Existence and occurrence; Completeness; Rights and obligations; Valuation; Presentation and disclosure; Compliance;
• Assets are safeguarded against fraud and abuse; and
• Documentation for internal control, all transactions, and other significant events is readily available for examination.
Definition of Financial Reporting
• An agency needs to determine the scope of financial.
Current Chatter: Loud and Confusing
Growing (Unfunded) Costs
Additional Legislation
Software Provider Claims
Consulting Firm Promises
GAO and Congressional Concerns
More Accountability
A-123 Requirements
Media
Forums and Professional Associations
Marketplace Perplexity
Challenges
Today, agency managers face three major challenges:
1. Compliance with laws and requirements
2. Minimize the cost of compliance by integrating related internal controls
3. Reduce the overall cost of controls and transform operations to improve mission effectiveness
These challenges also present opportunities to:
• Minimize the cost of compliance by integrating related internal controls
• Reduce the overall cost of controls and transform operations to improve mission effectiveness
Risk and Internal Controls
Objectives
Risk
Measuring Risk
Risk and Internal Control
Self Assessment
Internal Controls Lessons Learned
Expensive and chaotic to change controls or systems
Realization that requirements are permanent
Surprising degree to which information technology contributes to all operations and financial processes
Better understanding and analysis of monitoring controls and what controls can do for you
Need to embed internal controls within programs and operations
Re-implementation of basic controls
“Over-identified” key controls
Just Check the Box? Compliance
Federal agencies are usually more willing to embrace new initiatives that address program improvement
However, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its mission
Compliance with new regulations often degenerates into “check the box” exercises
Agencies miss out by just “checking the box”
Compliance is an opportunity to transform and improve.
Driving Value From Compliance
The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to
• Improve the quality of controls and better manage risks
• Improve mission performance
• Reduce the ongoing cost of compliance over time
• Develop better operations insights
Applying the agency’s prioritization framework to those opportunities helps to identify priority initiatives for both immediate and future change – and make the business case for change
Deriving Value from Compliance
• Agencies can build on the foundation of compliance to improve both controls and business processes.
• Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations.
[Figure: axes Risk Management and Program Improvement; labels: Comply, Transform Operations, Integrate Compliance, Realize Opportunities]
Deriving Value from Compliance – Understanding the Controls Portfolio
• A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency.
• Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls.
• The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs.
[Figure: control portfolio matrix; axes: Automated / Manual and Preventive / Detective; labels: Increased Risk and Cost, Lower Risk and Cost, Control Portfolio X]
Deriving Value from Compliance – Understanding the Cost of Controls
[Figure: Total Cost of controls; labels: Performance, Ongoing Assessment and Monitoring, Largely “Hidden”, Increasingly Visible]
Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible cost is the cost associated with self assessments and independent reviews.
Deriving Value from Compliance – Transformation and Program Improvement
Integrating and Sustaining Compliance
• Implement an efficient, sustainable process that integrates and evaluates its internal control environment on a periodic basis
• Consider employing documentation standards, planning, and documentation templates, questionnaires, and work plans, and automated tools
Deriving Value from Compliance – Transformation and Program Improvement
Integrating and Balancing Risk with Program Improvement
Opportunities
Desired Control Portfolio
• Mostly automated controls that prevent anomalies from occurring or taking effect
• Anomalies’ effects (wasted money, time, effort) are never felt
• Reduce control costs by introducing cost-savings
• Help agencies better manage their risks of doing business
[Figure: control matrix; axes: Automated / Manual and Detective / Preventive; legend: Existing Control, Previous Control, Future (new) Control, Desired Control Portfolio]
Improved Business Practices; Better Understanding of Costs; Linking Controls to Performance, cont.
Move to Sustainability
The question: “How do we comply with A-123?” Becomes…
“How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”
Today
• Project oriented
• Viewed in isolation
• Managed disparately
• Separated from the flow of business
• Owned by compliance
• Manual and detective
Tomorrow
• “The way we do business”
• Dynamic and action-oriented
• Integrated into processes
• Process and data centric
• Owned by the “business”
• Automated and preventive
What happens when?
• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
• Processes are outsourced
Summary
• Implementing an approach to ongoing compliance with a focus on efforts to best use scarce resources can reduce compliance risk and cost over time.
• High-level and detailed analyses of the controls portfolio can help identify areas to enhance risk management, reduce compliance costs, reprogram funds for mission needs, and improve performance
• Transforming compliance will likely take many months or years
• During each step of transformation, seek to balance controls improvements with improved business performance
• Alignment of people, processes, systems, risk and controls, along with the appropriate tone at the top can help shape ongoing compliance issues as opportunities rather than problems
Contact Information
Terry L. Carnahan, CGFM, CPA
Managing Director, KPMG LLP
McLean, VA Office
Phone: (703) 286-8560
E-mail: [email protected]
Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services practice. He is responsible for, and involved in, internal control assessments of Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan worked for the District of Columbia Government, as well as for the U.S. Government Accountability Office for over 20 years, where he directed and managed risk-based audits of government programs and operations on various levels.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.