Central PA Chapter of the AGA

fishglug | Software & software engineering

13 Dec 2013 (3 years and 10 months ago)




ADVISORY


Internal Controls Over Financial Reporting (ICOFR)

Management’s Assertions

Central PA Chapter of the AGA

February 9, 2011


PUBLIC SECTOR

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved.

Printed in U.S.A.

FOR INTERNAL USE ONLY


Contents

• Background
• Federal Managers’ Financial Integrity Act (FMFIA) of 1982
• Office of Management and Budget (OMB) Circular No. A-123
• Significant Revisions
• Management Responsibilities
• Government Accountability Office’s (GAO’s) Green Book
• Integrate Compliance into the Internal Control Framework
• Annual Assurance Statement
• Appendix A, Internal Control Over Financial Reporting (ICOFR)
• Sample Assurance Statement on ICOFR
• Additional Resources



Internal Controls Over Financial Reporting (ICOFR)

“Government should lead by example. We should be as good or better than those we are regulating.”

David Walker, Comptroller General to Congress

CFO Magazine, June 2003


BACKGROUND - Overview

• In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom).

• Among other things, the Act requires publicly traded companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting.

• Although SOX requirements DID NOT apply to the federal government, the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR.

• Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes:
  • New internal control review process stipulated
  • New Statement of Assurance


Internal Controls: An Evolution

[Figure: timeline of internal control legislation, guidance, and standards. Legend: Superseded; Federal Acts; Guidance; Standards; Non Federal.]

• OMB A-123, 1981
• OMB Q&A, 1984
• OMB A-123, 1995
• OMB A-123, 2004
• GAO Green Book, 1983
• IG Act, 1978
• FISMA, 2002
• Budget and Accounting Procedures Act of 1950
• Sarbanes-Oxley, 2002
• FMFIA, 1982
• GAO Green Book, 1999
• FDICIA, 1991
• FFMIA, 1996
• CFO Act, 1990


FMFIA of 1982

• Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that:
  • Obligations and costs are in compliance with applicable law;
  • Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and
  • Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.

• Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.


OMB Circular No. A-123

• Defines management’s responsibility for internal controls for federal agencies and government corporations.

• Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee:
  • Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies;
  • Strengthen the requirements for conducting management’s assessments of ICOFR; and
  • Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities.

• Effective October 1, 2005, for federal fiscal year 2006.


OMB A-123: Revised Requirements (continued)

Additional Key Management Requirements (Appendix A):

• Management must provide a conclusion on the operating effectiveness of internal control over financial reporting using the framework provided by OMB Circular No. A-123 as of June 30 of each fiscal year
• Suggests establishing a senior management council and a senior assessment team, or body of similar construct
• Determine those financial reports that will be included in the agency’s assessment
• Identify significant accounts, classes of transactions, and business processes that support the agency’s financial reporting processes
• Assess the agency’s control environment, risk assessment, control activities, information and communication, and monitoring processes, as related to financial reporting
• Document the agency’s understanding of its financial reporting business processes
• Test a sample of controls to determine if the agency’s internal control over financial reporting is in place and operating effectively
• Maintain a corrective action plan to remediate control deficiencies
• Monitor the agency’s internal control over financial reporting through periodic testing of controls throughout the year


Significant Revisions

• Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR).
• Updates internal control standards and changes certain terminology.
• Integrates related statutes into an agency’s internal control framework.
• Establishes a Senior Management Council and Senior Assessment Team.
• Defines the type of ICOFR deficiencies.
• Requires management to document its assessment process and test of controls.
• Appendix A describes a high-level process to assess, document, and report.
• Does not require an audit opinion for internal controls.


GAO’s Green Book

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level.

Control Activities

These policies and procedures help ensure management directives are carried out.

Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time.

Information and Communication

Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people.


Reduce Compliance Cost via Integration

Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively.

[Figure labels: FISMA; FFMIA; GPRA; IPIA; FMFIA; Single Audit Act; IG Act; Clinger-Cohen; CFO Act. Source: KPMG LLP (U.S.), 2005]

The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high.

The commercial sector’s experience with Sarbanes-Oxley provides some perspective:

• Average $ spent
• Average time taken
• Average FTE’s utilized
• Planned $ to be spent
• Planned time to execute
• Planned resources


Management’s Steps to Compliance

Document Controls:
• Entity-level Framework
• Process-level Flowcharts and/or Narratives
• Internal Control Matrix: Objectives, Risks & Controls

Identify and Correct Deficiencies:
• Categorization of Deficiencies
• Corrective Action Plans
• Remediated Controls Documentation

Report on Internal Control:
• Assurance Letters
• Conclusion of Effectiveness
• FMFIA Annual Assurance Statement

Plan and Scope the Evaluation:
• Scoping Document
• Assessment Process Documentation

Evaluate Design and Operating Effectiveness:
• Test approach and test plans
• Test Results
• Internal Control Matrix: Assessment of Design and Operating Effectiveness
• List of Design or Operating Deficiencies




Annual Statement of Assurance

FMFIA Annual Assurance Statement previously included:

• Section 2, Internal Controls Achieved Objectives; and
• Section 4, Conformance with System Requirements.

OMB Circular No. A-123 consolidates these statements of assurance:

• Overall adequacy and effectiveness of internal controls, both financial, operational, and compliance;
• Each annual statement prepared pursuant to Section 4 shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General; and
• Under the revised A-123, includes a Statement of Assurance on the ICOFR.


Appendix A - ICOFR

Applies to all three internal control objectives:

• Operational;
• Financial (including the assessment of ICOFR); and
• Compliance.

OMB Circular No. A-123, Appendix A provides a methodology for agency management to assess, document, and report on their ICOFR.


Appendix A - ICOFR - Management’s Steps

1. Plan & Scope the Evaluation: Defines the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles.

2. Document Controls: Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions.

3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation.

4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.

5. Report on Internal Control: Prepare management’s written assurance on the effectiveness of internal control over financial reporting.

6. Independent Audit of Internal Control: If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion. Under the Circular, this step is optional.


Appendix A - ICOFR - Scope

Objectives of ICOFR

Should provide reasonable assurance to enable management to make the following assertions:

• Existence and occurrence; Completeness; Rights and obligations; Valuation; Presentation and disclosure; Compliance;
• Assets are safeguarded against fraud and abuse; and
• Documentation for internal control, all transactions, and other significant events is readily available for examination.

Definition of Financial Reporting


An agency needs to determine the scope of financial
.


Current Chatter: Loud and Confusing

[Figure labels:]

• Growing (Unfunded) Costs
• Additional Legislation
• Software Provider Claims
• Consulting Firm Promises
• GAO and Congressional Concerns
• More Accountability
• A-123 Requirements
• Media
• Forums and Professional Associations
• Marketplace Perplexity


Challenges

Today, agency managers face three major challenges:

1. Compliance with laws and requirements
2. Minimize the cost of compliance by integrating related internal controls
3. Reduce the overall cost of controls and transform operations to improve mission effectiveness

These challenges also present opportunities to:

• Minimize the cost of compliance by integrating related internal controls
• Reduce the overall cost of controls and transform operations to improve mission effectiveness


Risk and Internal Controls

• Objectives
• Risk
• Measuring Risk
• Risk and Internal Control
• Self Assessment


Internal Controls Lessons Learned

• Expensive and chaotic to change controls or systems
• Realization that requirements are permanent
• Surprising degree to which information technology contributes to all operations and financial processes
• Better understanding and analysis of monitoring controls and what controls can do for you
• Need to embed internal controls within programs and operations
• Re-implementation of basic controls
• “Over-identified” key controls






Just Check the Box? Compliance

Federal agencies are usually more willing to embrace new initiatives that
address program improvement

However, new regulatory compliance initiatives are generally seen as
“necessary evils” that distract an agency from its mission

Compliance with new regulations often degenerates into “check the box”
exercises

Agencies miss out by just “checking the box”



Compliance is an opportunity to transform and improve.



Driving Value From Compliance

The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to:

• Improve the quality of controls and better manage risks
• Improve mission performance
• Reduce the ongoing cost of compliance over time
• Develop better operations insights

Applying the agency’s prioritization framework to those opportunities helps to identify priority initiatives for both immediate and future change, and make the business case for change




Deriving Value from Compliance

• Agencies can build on the foundation of compliance to improve both controls and business processes.

• Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations.

[Figure labels: Program Improvement; Comply; Transform Operations; Integrate Compliance; Realize Opportunities; Risk Management]


Deriving Value from Compliance

Understanding the Controls Portfolio

• A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency.

• Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls.

• The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs.

[Figure: Control Portfolio X. Labels: Automated; Manual; Preventive; Detective; Increased Risk and Cost; Lower Risk and Cost]


Deriving Value from Compliance

Understanding the Cost of Controls

[Figure labels: Performance; Ongoing Assessment and Monitoring; Total Cost; Largely “Hidden”; Increasingly Visible]

Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible costs are those associated with self assessments and independent reviews.


Deriving Value from Compliance

Transformation and Program Improvement

Integrating and Sustaining Compliance

• Implement an efficient, sustainable process that integrates and evaluates its internal control environment on a periodic basis

• Consider employing documentation standards, planning, and documentation templates, questionnaires, and work plans, and automated tools


Deriving Value from Compliance


Transformation and Program Improvement

Integrating and Balancing Risk with Program Improvement


Opportunities

[Figure labels: Automated; Manual; Detective; Preventive; Existing Control; Previous Control; Future (new) Control; Desired Control Portfolio]

Desired Control Portfolio

• Mostly automated controls that prevent anomalies from occurring or taking effect
• Anomalies’ effects (wasted money, time, effort) are never felt
• Reduce control costs by introducing cost-savings
• Help agencies better manage their risks of doing business

Improved Business Practices

Better Understanding of Costs

Linking Controls to Performance, cont.




Move to Sustainability

The question: “How do we comply with A-123?”
Becomes…
“How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”

Today

• Project oriented
• Viewed in isolation
• Managed disparately
• Separated from the flow of business
• Owned by compliance
• Manual and detective

Tomorrow

• “The way we do business”
• Dynamic and action-oriented
• Integrated into processes
• Process and data centric
• Owned by the “business”
• Automated and preventive

What happens when?

• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
• Processes are outsourced


Summary

• Implementing an approach to ongoing compliance with a focus on efforts to best use scarce resources can reduce compliance risk and cost over time.

• High-level and detailed analyses of the controls portfolio can help identify areas to enhance risk management, reduce compliance costs, reprogram funds for mission needs, and improve performance

• Transforming compliance will likely take many months or years

• During each step of transformation, seek to balance controls improvements with improved business performance

• Alignment of people, processes, systems, risk and controls, along with the appropriate tone at the top can help shape ongoing compliance issues as opportunities rather than problems


Contact Information

Terry L. Carnahan, CGFM, CPA
Managing Director, KPMG LLP
McLean, VA Office
Phone: (703) 286-8560
E-mail: tcarnahan@kpmg.com

Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services practice. He is responsible for, and involved in, internal control assessments of Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan worked for the District of Columbia Government, as well as for the U.S. Government Accountability Office for over 20 years, where he directed and managed risk-based audits of government programs and operations on various levels.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.