Implementing a Strong and Effective Internal Control Program for the State of North Carolina October 15, 2008 David McCoy State Controller

Mar 27, 2015

Page 1:

Implementing a Strong and Effective Internal Control Program for the State of North Carolina

October 15, 2008

David McCoy, State Controller

Page 2:

Agenda

• What is EAGLE?

• Why is EAGLE Important to North Carolina?

• EAGLE Implementation Efforts

• EAGLE Methodology: Top-Down, Risk-Based

• Lessons Learned

Page 3:

What is EAGLE?

• During 2004 the State Controller outlined his strategic vision for implementing a statewide internal control and accountability program for North Carolina – a program similar to the one imposed on the private sector through the Sarbanes-Oxley legislation in 2002.

• The State Controller formed a Statewide Internal Control Task Force – consisting of representatives from all three branches of government, the University System, and the Community College System.

• The Statewide Internal Control Task Force presented recommendations, in the form of proposed legislative action, to the State Controller.

Page 4:

What is EAGLE?

• Recommended legislative action received the support of the State Auditor.

• The Task Force’s recommendations led to the passage of House Bill 1551 during the 2007 session of the General Assembly.

– Established internal control standards for State government

– Increased fiscal accountability within State government

• EAGLE, which stands for Enhancing Accountability in Government through Leadership and Education, resulted from the actions taken by the North Carolina General Assembly.

Page 5:

What is EAGLE?

• EAGLE leverages two widely accepted frameworks:

– COSO model for internal control

– COBIT framework for information technology controls

Page 6:

Why is EAGLE Important to North Carolina?

• Enhances Public Accountability to the State’s Key Stakeholders – Our Taxpayers.

• Enhances Accountability to other Stakeholders – including the Federal Government and bond rating agencies.

• Creates a competitive advantage for federal and foundation dollars.

• Fosters a general notion that government should be as good as or better than those it regulates.

• Cost-savings may be realized through identifying ways to make business processes more efficient and effective.

Page 7:

Why is EAGLE Important to North Carolina?

All too confusing and overdone… Except when we get in trouble

Must do it… But how do we do it better?

[Figure: diagram with the headings “Keep Us Out of Trouble” and “Make Our Agencies Better” around a central “goal”. Labels in the diagram: Inaccurate Financial Reporting; Catastrophic Reputational Consequences; Larger Fines and Settlements; Budget Constraints; Expanded Regulation; Enhanced and Coordinated Risk Management Activities; Ability to Deliver Efficient and Cost Effective Services; Improved Risk Reporting and Disclosure; Enhanced Technologies; State Auditor Findings; Standardized Procedures Across State Agencies; Reduced Total Operating Expenses.]

Page 8:

EAGLE Implementation

• Five-person team dedicated to the EAGLE Program, complemented by staff in the Agency Accounting Section of the Office of the State Controller’s Statewide Accounting Division.

• As a result of the magnitude and scope of the legislation, a decision was made to implement EAGLE in a phased approach:

– Phase I:

• Internal Control over Financial Reporting

– Future Phases:

• Compliance with applicable Laws and Regulations

• Efficiency and Economy of Operations

Page 9:

EAGLE Implementation

• The Office of the State Controller issued a Request for Proposal to assist in the development of the EAGLE Program. Ernst & Young was awarded the contract.

• Ernst & Young partnered with the Office of the State Controller to co-develop an internal control guidance manual and assessment tools, and to provide statewide training on the EAGLE Program.

• All state agencies were required to appoint an Internal Control Officer to serve as the liaison between the agency they represent and the Office of the State Controller.

Page 10:

EAGLE Implementation

• A decision was made to roll out Phase I of the EAGLE Program in three groups:

• Group 1

– Training: March 31, 2008

– Targeted Completion Date: July 31, 2008

• Group 2

– Training: October 22, 2008

– Targeted Completion Date: July 31, 2009

• Group 3

– Training: Fall 2009 (Date to be determined)

– Targeted Completion Date: July 31, 2010

• Group 1 included 15 state agencies and universities. Group 2 consists of all remaining state agencies and universities. Group 3 will consist of all community colleges.

Page 11:

EAGLE Implementation

• Group 1 agencies were asked to form an agency assessment team – led by the agency’s Internal Control Officer.

• EAGLE Team provides on-site assistance to agencies as they complete their self-assessment deliverables.

• EAGLE Team monitors the results of an agency’s implementation efforts through a web-based documentation tool – utilizing Microsoft’s SharePoint software.

Page 12:

EAGLE Implementation

• Agencies are responsible for uploading their milestone deliverables to the EAGLE SharePoint website. The EAGLE Team reviews this documentation and provides agencies with feedback.

• For FY 2008, Group 2 and Group 3 agencies continued to complete the traditional Annual Self-Assessment of Internal Controls Questionnaire.

Page 13:

EAGLE Methodology: Top-Down, Risk-Based

Overview

[Figure: “Top-Down, Risk-Based Approach” flow diagram. Stages along the side: Identify Financial Reporting Elements; Identify where risks reside; Leverage Entity Level Controls; Select the “Right” Controls. Side labels: 5 COSO Components; Materiality & Risk Criteria. Identifying Risk (including risk of fraud): Consolidated Financial Statements; Consolidated Account; Process / Class of Transaction; Location; Account Component; Prioritized Risks (Higher Risk / Lower Risk). Identifying Controls: Entity-Level Controls (Direct ELCs; Monitoring Controls; Indirect ELCs); Information Technology General Controls; Transaction Level Controls (manual, IT-dependent manual, application controls). Control Population; “Right” Combination of Controls; Efficient Testing Strategy and Execution (“risk control failure” + “evidence requirements”); Conclude on Design and Operating Effectiveness; Supports Reliable Financial Reporting.]

© 2007 Ernst & Young.

Page 14:

EAGLE Methodology: Top-Down, Risk-Based

Risk Assessment

• In a top-down approach, the organization begins by identifying, understanding, and evaluating the risk at a financial statement level.

• At the financial statement and process level, the organization identifies those accounts and processes that possess the quantitative (i.e. materiality) and qualitative factors for higher or lower risk to determine the final scope.

Advantages of a Top-Down, Risk-Based Approach:

By using a Top-Down, Risk-Based approach, the agencies within the State of North Carolina focus the majority of their internal control efforts on those highest risk areas and avoid performing excess work on the lowest risk areas.

© 2007 Ernst & Young.

Page 15:

EAGLE Methodology: Top-Down, Risk-Based

Design Effectiveness - Controls Identification

• After the agencies have completed the risk assessment and identified those accounts and processes in scope, the flow of transactions is documented to gain an understanding of the highest risks within those processes.

• For those risks that exist in the transaction processing, the organization identifies those internal controls that either prevent or detect an error from occurring.

EAGLE’s Phase I Implementation Approach:

In Phase I, Group 1 agencies will focus on the internal control design efforts only in those accounts and processes identified as high risk in Year 1. However, in Year 2 Group 1 must include the moderate risk accounts and processes. Groups 2 and 3 will focus on both high and moderate accounts and processes in their Year 1 efforts.

© 2007 Ernst & Young.

Page 16:

EAGLE Methodology: Top-Down, Risk-Based

Operating Effectiveness – Execution and Evaluation

Supports Reliable Financial Reporting

Efficient Testing Strategy and Execution

“risk control failure” + “evidence requirements”

Conclude on Design and Operating Effectiveness

• After the agencies have completed the documentation of the processes and identified the “right” combination of controls, a testing strategy is designed to focus efforts on those controls that have been designed to prevent or detect errors of the highest risk processes.

Advantages of a Top-Down, Risk-Based Approach:

By using a Top-Down, Risk-Based approach, the agency focuses the testing and self-assessment effort to allow the organization the ability to better time and schedule the testing over the course of the entire reporting period by testing the lower risk controls earlier in the year and the highest risk controls closer to year-end.

© 2007 Ernst & Young.

Page 17:

Lessons Learned

• You must have strong executive leadership and support of your program.

• Recognize and manage program risk. Implement your program in phases – start with a small group of state agencies and focus only on the high risk areas in Year 1.

• Establish a target date for completion of the self-assessment; however, provide a recommended timeline for the completion of each milestone to keep agencies on target.

• Provide agencies with a concise list of the required procedures to be performed for each milestone.

• Training is essential. At the beginning of each milestone, provide customized, one-on-one training with each agency assessment team.

• Review the deliverables for each milestone to ensure that agencies remain on track – provide constructive feedback.

• Understand the importance of your IT environment and the challenges it brings as you implement your program.

Page 18:

Contact information:

Ben McLawhorn, CISA, CISM, CFE

Risk Mitigation Services Manager

North Carolina Office of the State Controller

1410 Mail Service Center

Raleigh, NC 27699-1410

Email: [email protected]

Phone: (919) 981-5409

Fax: (919) 981-5567

For additional information on EAGLE, please visit our website: http://www.ncosc.net/eagle