10 Nov 2013

Internal Control Considerations in a Shared Services Environment

Introductions

Speakers:

- Adam Goldberg, Executive Architect, Office of Financial Innovation and Transformation, U.S. Department of the Treasury
- Gil Hawk, Chief Information Officer, USDA National Finance Center
- Francois Barnard, Senior Manager, MorganFranklin

Moderator:

- Geoff Harkness, Managing Director, MorganFranklin

Agenda

Topics of discussion:

- Introduction to shared services
- What is the future for shared services in the federal government?
- Internal control considerations from a shared services provider/federal center of excellence perspective
- Internal control considerations from a user agency perspective
- What is SSAE 16 and what does it mean to the parties in a shared services arrangement?

Internal Controls and Shared Services
THE FUTURE FOR SHARED SERVICES IN THE FEDERAL GOVERNMENT

The Case for Financial Management Shared Services

- Reduce the risk of failed systems implementations (cost avoidance)
- Free up agency resources to focus on mission-based programs
- Ensure greater standardization of data, which allows for more transparency
- Enable better decision-making through improved data analytics
- Make adoption of new government-wide requirements easier
- Deliver greater efficiencies and cost savings for the federal government

USDA National Finance Center
A SHARED SERVICE CENTER OF EXCELLENCE

Shared Service Provider

A shared service provider:

- Provisions one or more business capabilities or services from a common platform to one or more Partner Agencies/customers.
- Strives to deliver the best value in the Federal Government for the specific service.
- Guarantees a high level of quality and reliability to maintain the trust and confidence of its customers.

Benefits of Shared Services

Implementation of the Shared Services Strategy and "Shared First" principles will produce a number of beneficial outcomes:

- Eliminate inefficient spending that results from duplicative systems
- Enhance awareness and adoption of available shared services across the government
- Promote agility and innovation within agencies by improving speed, flexibility and responsiveness
- Focus more agency resources on core mission requirements rather than administrative support services
- Spur the adoption of best practices and best-in-class ideas and innovations
- Reduce the support costs of redundant IT resources
- Improve cost efficiencies and streamline through shared commodity IT

NFC's Business Model

(Diagram slide; the labels recoverable from it:)

- Cross-Service (Shared Services) Provider
- Employee-Centric Services
- Agency Support Services
- Economy Act Contracts
- Benefits for a cost
- Pricing: "Breakeven", "Best Value"
- Customers: Internal, Other Federal, Commercial

NFC's Business Portfolio

- Human Resources Line of Business
  - Payroll/Personnel
  - Human Resource Services
- Office of Personnel Management Services
  - Direct Premium Remittance
  - FEHB Clearinghouse
  - Health Care Reform
  - High Risk Individuals (PCIP)
- Customer-Specific Services
  - Data Center Hosting
  - Applications
  - Operations

NFC's Business Lines

Payroll/Personnel

Personnel, time & attendance, payroll, and payroll accounting reporting

- Since 1983, system functions have grown 400%
- If annual costs had increased by inflation alone, the average rate would be $42 higher this year

Background

- Services USDA and 170 other Federal organizations in all three branches of the Federal Government
- Coverage is 655,000 employees
- Personnel offices: 4,137
- Operates as one of four approved e-Payroll providers

Evolution of NFC Services

(Timeline slide, reconstructed from the extracted text; each entry lists the services introduced in that period.)

- 1983: Electronic access/customer data entry; first cross-servicing client
- 1987: Thrift Savings Plan System
- 1989: Multiple Payroll/Personnel databases
- 1990: Direct Premium Remittance System
- 1998-99: Employee Personal Page; TCP/IP applications
- 2000: OPM Clearinghouse System
- 2005: OPM Shared Services Center selection
- 2006: EmpowHR 8.8
- 2008-12: EmpowHR 9.0; PPS database change; EPIC Web; webTA

NFC by the Numbers

(Infographic slide; it pairs two figures for each metric, shown here in the order they appear. The period labels for the two figures did not survive extraction; the second figure in each pair matches the current figures given elsewhere in the deck.)

- W-2s processed: 163,000 / 700,000
- Payroll/Personnel help desk calls: 76,200 / 65,161
- Departments/agencies serviced: 35 / 170
- Lines of code: 4,017,569 / 20,000,000+
- EmpowHR help desk calls: 1,300 / 3,800
- DPRS accounts: 1,000 / 31,799

Payroll/Personnel Payee Growth

(Chart: "Pay Rate Increases Compared to Volume Increases", FY2006 through FY2013, plotting the % increase in the average billed rate against the % increase in the average number paid. Underlying data:)

Payroll

Year   Average number of bi-weekly employee payments   Average payroll rate
2006   578,310                                          $135.00
2009   606,943                                          $141.98
2010   632,585                                          $147.57
2011   659,906                                          $143.62
2012   657,770                                          $136.74
2013   652,883                                          $135.07

Payroll/Personnel Adjusted Costs

(Chart: "Average Billed Rate vs. Rate of Inflation (Base Year = 2004)", unit cost per fiscal year. The inflation-adjusted rate uses 3.32% actual for 2005 and 2.4% per year thereafter. Underlying data:)

FY     Average billed rate   Inflation-adjusted rate
2004   $136                  $136
2006   $135                  $144
2009   $142                  $155
2010   $148                  $159
2011   $144                  $163
2012   $137                  $167
2013   $135                  $171

webTA Rates

(Chart: "webTA Rate Comparison", % change in average billed rate, 2009 through 2013. Underlying data:)

Year   Employees serviced   Average webTA rate
2009   140,000              $29.26
2010   91,213               $45.77
2011   93,866               $29.92
2012   215,392              $26.68
2013   291,519              $26.50

NFC's Business Lines (cont'd)

Human Resources Line of Business (HR LoB)

Human Resources Life Cycle: "From Hire to Retire"

- Strategize and Plan
- Position Management
- Recruiting and Hiring
- Development, Performance Management, and Compensation
- Separating

Background

- Servicing USDA, LoC, DHS, DoJ, GPO with EmpowHR
- Business area includes the entire employee life cycle
- Operates as one of five Federal Shared Service Centers

NFC's HRLOB Strategic Solution

General Support Systems

HRLOB Rates

(Chart: "EmpowHR Rate Comparison", % change in average billed rate, 2006 through 2013. Underlying data:)

Year   Employees serviced   Average EmpowHR rate
2006   135,576              $115.00
2009   205,599              $105.46
2010   189,153              $105.00
2011   174,878              $104.85
2012   199,400              $104.77
2013   201,213              $91.12

NFC's Business Lines (cont'd)

Office of Personnel Management Government-wide Benefit Systems

- Direct Premium Remittance servicing 120,000 annual premiums
- Federal Employee Health Benefits Clearinghouse supporting 4.2M enrollees
- High Risk Insurance Pool servicing 20+ states

NFC's Business Lines (cont'd)

Agency Specific Services

Provides for USDA and external customers:

- Complete data center services
- Application development and maintenance services
- Employee support services
- Bulk mailing services
- Security services

Customer Profile

- Several components within the Legislative Branch
- Several components within the Judicial Branch
- Approximately half of small agencies
- Payroll covers 35% of civilian Federal staff
- Benefits recordkeeping for 90% Federal and beyond

Why NFC?

We deliver quality customer service:

- Platform for future value added
- Helpdesk for the full suite of services
- Data warehouses: reporting and analytics
- Disaster recovery: fully tested
- Best cost/value

Bringing a New Customer On-board

- System demonstration
- Fit-gap session with the customer
- Functional Requirements Document (FRD)
- Level-of-effort and cost estimates for implementation
- Review of the costs with the customer
- System development
- Develop/test/edit conversion and load scripts for data conversion
- Load customer data into the Quality Assurance (QA) environment
- Testing in QA
- Load customer data into Customer User Acceptance Test (CUAT)
- Conduct training on the product for the customer
- CUAT testing
- Resolve any defects from testing
- Customer approval to go live
- Move the customer into the production environment for go live

NFC's Management Controls Program

Management controls

- Essential for enhancing business integrity, minimizing business risks, and operating in an "effective, efficient, secure, auditable, and well-controlled" (EESAC) environment in support of National Finance Center (NFC) goals and objectives.

Objectives of internal controls

- Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations

"Management control activities are not stand-alone management practices, but rather are woven into the day-to-day operational responsibilities of agency management." (OMB)

Management Responsibilities

- Conduct risk assessments of operational activities.
- Ensure key management controls are developed, documented, maintained, implemented, evaluated, improved, and reported on.
- Ensure adherence to NFC-wide management controls.
- Assess the effectiveness of management controls on an ongoing basis and document the assessment process annually.
- Report possible material weaknesses, significant deficiencies, and/or non-conformances with the general control standards and the financial management system requirements.

Assessing Controls

- OMB Circular A-123, Assessment of Internal Controls over Financial Reporting
- Annual FISMA self-assessment
- Assessment and Authorization (formerly Certification and Accreditation, C&A)
- Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization

Summary

Shared services allow customers to focus on their main mission areas

Internal Control Considerations in a Shared Services Environment
USER AGENCY AND SHARED SERVICES PROVIDER PERSPECTIVE

Internal Control Considerations

Overview

- FISMA requires that user agencies maintain and periodically assess the protections over the information collected or maintained by or on behalf of the user agency
- The American Institute of Certified Public Accountants (AICPA) provides guidance, through its attestation standards, on performing an objective and independent assessment of the effectiveness of the protections maintained by shared services providers
- Outsourcing tasks or functions to a shared services provider does not eliminate the risks associated with those activities, nor the obligation to comply with the applicable requirements

Internal Control Considerations

User Agency Perspective

- Assessing the effectiveness of the applicable internal controls maintained at the shared services provider requires an assessment of the provider's environment, not only of the agency's own
- Conducting an on-site assessment will require the consent and cooperation of the shared services provider
- The ability to conduct on-site assessments (a 'right to audit' clause), if any, at a shared services provider is usually defined within the contractual agreement (MOU, RA, SLA, etc.)
- Shared services providers may be reluctant to provide the necessary access to their operations

Internal Control Considerations

Shared Services Provider Perspective

- User agencies continue to increase their due diligence and governance over the services they receive from their shared services providers
- Allowing on-site assessments by each user agency will most likely prove disruptive and impractical
- Being able to measure the effectiveness of the shared services provider's environment once and provide that information to many agencies can avoid the disruption that on-site assessments may cause
- Demonstrating an effective and well-controlled environment will help satisfy the user agencies' due diligence requirements for the services being provided

Internal Control Considerations

Service Organization Control (SOC) Reports

- The assessment can address either the effectiveness of controls over financial reporting (SOC 1) or specific compliance or operational requirements (SOC 2, SOC 3)
- SOC reports allow the shared services provider to meet the needs of its clients with a single independent examination rather than one on-site assessment per agency

Service Organization Reports

Governing professional standard
- SOC 1: Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
- SOC 2 and SOC 3: Attestation Standards (AT) Section 101, using the criteria in Trust Services Principles (TSP) Section 100

Subject matter
- SOC 1: Internal controls over financial reporting
- SOC 2 and SOC 3: Internal controls relevant to the selected Trust Services Principles (security, availability, processing integrity, confidentiality and/or privacy)

Objectives
- SOC 1: Customized objectives based on the nature of the service organization
- SOC 2 and SOC 3: Predefined criteria for each of the Trust Services Principles included in the report

Intended purpose of the report
- SOC 1: Support the audit of internal controls over financial reporting of the user entities
- SOC 2: Provide information and an opinion on compliance and operations
- SOC 3: Provide an opinion on compliance and operations

Service Organization Reports (Continued)

Types of reports
- SOC 1 and SOC 2:
  - Type I: Contains the auditor's opinion regarding management's description of the shared service provider's system and the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date
  - Type II: Contains the auditor's opinion regarding management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description, throughout a specified period
- SOC 3: General use report (with a public seal) that provides only the auditor's report on whether the system achieved the trust services criteria

Distribution
- SOC 1: Restricted use report
- SOC 2: Generally a restricted use report
- SOC 3: General use report, publicly available to anyone

Report components
- SOC 1 and SOC 2:
  - Description of the system and its boundaries
  - Management's assertion regarding the system description and the suitability of the design and/or operating effectiveness of the controls
  - Auditor's opinion
  - Description of the tests performed and the results
- SOC 3:
  - Unaudited description of the system and its boundaries
  - Management's assertion regarding the operating effectiveness of the controls
  - Auditor's opinion on whether the entity maintained effective controls over its system

Service Organization Reports

Trust Services Principles

The Trust Services Principles include the following:

- Security: The system is protected against unauthorized access (both physical and logical)
- Availability: The system is available for operation and use as committed or agreed (including business continuity)
- Processing integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants

Service Organization Control (SOC) Reports: Which SOC Report?

(Decision table; for each question answered "Yes", the report(s) marked on the slide are listed.)

- Will the report be used to plan and perform a financial statement audit? Yes: SOC 1
- Will the report be used as part of compliance with OMB A-123 or a similar law or regulation? Yes: SOC 1
- Will the report be used to gain confidence and place trust in a shared services provider? Yes: SOC 2, SOC 3
- Will the report be generally available or posted on a website? Yes: SOC 3
- Will the recipients of the report have the need for and ability to understand the details of the processing and controls at a service organization, the tests performed by the service auditor and the results of those tests? Yes: SOC 1, SOC 2

SSAE 16

Responsibilities: Shared Services Provider

Under the standard a shared services provider has five primary responsibilities:

1. Prepare and present a complete and accurate description of the system(s) being used (not just the controls/control environment)
2. Specify the control objectives of the system(s) and include those control objectives in the description of the system
3. Identify the risks that threaten the achievement of the control objective(s)
4. Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
5. Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided, as well as the criteria used as a basis for making the assertion

SSAE 16

Responsibilities: User Agencies

Under the standard a user agency has the following responsibilities:

1. Verify that the report and the period it covers are applicable to the services provided by the service organization
2. Read and understand the description of the service organization's system and confirm that it provides adequate information to understand the flows of transactions through the service organization and where errors could occur
3. Review the results of the report and apply the information accordingly
4. Retain the report and the assessment as test evidence
5. Determine the impact of reported control weaknesses on the client's assertions/control objectives
6. Make sure that the applicable Complementary User Entity Controls (CUECs) are in place and operational

User agencies should also assess any services that other organizations provide to the shared services provider and that are passed through to the user agency but may not be covered by the SSAE 16 report ('carve-outs'/subservice organizations)

SSAE 16

Assessing Test Failures

- The potential impact of test failures noted within the SSAE 16 report should be evaluated
- Compensating controls may already exist within the report that help reduce the overall impact
- In addition, the user agencies should also be able to leverage CUECs, where appropriate
- A test failure does not automatically translate to a control failure

SSAE 16

Responsibilities: User Agencies

Complementary User Entity Controls (CUECs)

Formerly known as User Control Considerations (UCCs)

- Describe controls that are the responsibility of the user agency and are deemed out of scope of the SOC 1 report
- If CUECs are not designed and operating effectively at the user organization, the control objectives in the SOC 1 report may not be met
- Conversely, CUECs may compensate for or mitigate control weaknesses at the service provider
- It is the responsibility of the user agency to document these controls and provide evidence of their operating effectiveness to its auditor

References

AICPA. (2010). Service Organization Controls: Managing Risks by Obtaining a Service Auditor's Report [White Paper]. Retrieved from http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocuments/10957-378%20soc%20whitepaper.pdf

Questions & Answers

Thank You