Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated
Mar 28, 2015
Using Internal Control to Manage Risk
Mary C. Braun, CPA, CGFMManagement Concepts, Incorporated
Agenda
• Background
• Requirements
• Implementation
Internal Control Legislation
– 1950 Accounting and Auditing Act – 1982 Federal Managers’ Financial Integrity
Act– 1990 Chief Financial Officers Act– 1994 Government Management Reform
Act– 1996 Federal Financial Management
Improvement Act
What are Internal Controls?
• Anything you do to successfully achieve your mission/goal legally and efficiently
• Objectives of controls:– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations
• Applies to all aspects of life
Internal Control Standards• Treadway Commission:
Internal Control Guidance
Control Environment
Risk Assessment
Activities
M
Info
rmat
ion
Com
munication
GAO Standards COSO Framework
Internal Control Standards
Control Environment
Risk Assessment
Control Activities
M
Info
rmat
ion
Com
munication
GAO Standards
Control Environment: Tone at the Top
Risk Assessment: Threats to Mission
Control Activities: Design & Operation
Monitoring: Test Schedule
Information & Communication: Up and down the Organization
Government Implementation: Assess Controls
Elements of an IC Program
Mission
Objectives
Risks
Control Activities
Internal GoalsManagement:• Acknowledge it responsibility for
establishing and maintaining ICs• Apply IC objectives:
– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations
• Understand that ICs exist (or should) at every level and in every process of the organization
• Realize that good internal control leads to financial reporting integrity
Three Step Process
• Planning Phase
• Testing Phase
• Reporting Phase
Planning Phase• Identify assessable units• Establish governance body• Determine material contributors• Identify/document key business
processes• Perform risk assessment• Identify key controls• Develop 3-yr control assessment
schedule• Develop test methodology
Divide and Conquer !!
Establish Assessable Units
Divide and Conquer !!Establish Assessable Units
Establish Governance• Establish a governance body who will:
– Have decision-making leaders as members
– Identify material business lines/ processes
– Know flowcharted business process
– Identify risks and assess materiality
– Document internal controls
– Test internal controls
– Report on control effectiveness
– Develop corrective action plans
Identify Material Contributors
Look at the Budget/Financials
2010 2009 Change 2010 2009 Change 2010 2009 ChangeAssets:Cash and investments............. $ 10.7 $ 10.4 $ 0.3 $ 4.6 $ 4.6 $ - $15.3 $ 15.0 $ 0.3Capital assets (net).................. 28.6 26.7 1.9 0.1 0.1 - 28.7 26.8 1.9All other assets......................... 7.9 7.1 0.8 1.6 1.4 0.2 9.5 8.5 1.0Total assets.............................. 47.2 4 4.2 3.0 6.3 6.1 0.2 53.5 50.3 3.2Liabilities:Accounts payable..................... 5.9 6.0 (0.1) 0.9 0.9 - 6.8 6.9 (0.1)All other current liabilities.... 4.2 3.7 0.5 4.1 2.1 2.0 8.3 5.8 2.5Total current liabilities............ 10.1 9.7 0.4 5.0 3.0 2.0 15.1 12.7 2.4Bonds payable.......................... 9.8 8.5 1.3 - - - 9.8 8.5 1.3All other long-term liabilities 3.8 2.8 1.0 2.5 2.5 - 6.3 5.3 1.0Total long-term liabilities........ 13.6 11.3 2.3 2.5 2.5 - 16.1 13.8 2.3Total Liabilities........................ 23.7 21.0 2.7 7.5 5.5 2.0 31.2 26.5 4.7
Government Business-type Total
Identify Key Business Processes
• Capital Assets:– What processes add to balances?– What processes decrease balances?– What systems support the processes?– Where do the processes take place? – Where do the managers exist in the state’s
organization chart?
Document Key ProcessesProperty, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
Perform Risk Assessment• Assess Risk: Document from flowcharts
Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
IT Assertions
• Completeness
• Accuracy
• Validity
• Restricted Access
Financial Assertions
• Completeness
• Obligations/Rights
• Valuation
• Existence/Occurrence
• Reporting/Presentation
Look for Risk of Misstatement
Identify Key ControlsDocument from flow charts
Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
Document Key Controls
IntraGov Accts Rec
Not reported
Entity
Preparer
Control Number
Account/ Line Item/Event
Business Cycle, Accounting Application Assertion Risk
Inherent Risk
Internal Control
Currently In Place
Control Risk
Internal Control Test Method Used
Risk Analysis
Account Line: Accounts Receivable
Document, document, document
high1 Reimb R/O Track & check low Inspect
Preliminary Control Assessment
Develop Key Control Assessment Schedule
• All key controls are assessed at least once every three years
• Some more:– High risk– Change in:
• Law• System• Key personnel
Control Testing Options:3-Year Plan
ControlRisk
Risk TestLow
Hig
h
Develop Corrective Action Plan
If:
Changes in:-Personnel?-Process?-System?
Yes
Annually for 3 years
No
Rotate to 3-year plan
Testing Phase
• Entity-Level Assessment
• Control Testing:– Process level– Transaction level– Include automated systems– Remember service providers
Entity-Level Assessment
• Evaluate Internal Control at Entity Level– GAO-01-1008G: Internal Control
Management and Evaluation Tool– Use GAO Internal Control Standards
Control Testing• Test key controls
– Develop test plan and document– Decide on the appropriate test method– Establish tolerance level for error,
document– Identify sample size:
OMB recommendations– Test and document
• Consider dependencies– Service provider process controls – SAS 70 reports???
Reporting Phase
• Identifying Material Weaknesses
• Developing Corrective Action Plans
• Preparing Statement of Assurance
Identify Material Weaknesses
• At assessable unit level• At subagency/department level• At Agency/ Bureau/ Department level
Management has the discretion to make the determination!
OMB generous withMaterial Weaknessdefinitions
Basis for Assurance
• Deficiencies can be:
–Single deficiency
–Significant deficiency
–Material weakness
• Determines level of assurance
–Cannot be unqualified if material weakness exists
Develop Corrective Actions
• Managers: Process Owners develop corrective actions plans and timelines
• Governance body concurs or non-concurs
• Published in Annual Financial Report (PAR) for feds
• Should be monitored by leadership• Fed report periodically on progress to
Office of Management and Budget
Corrective Action Plans
• Plan well
• Divide corrective steps into small manageable pieces – governance body should approve
• Develop realistic target dates
• Monitor progress continuously
Statement of Assurance
• Report on effectiveness of internal control• Separate statements of assurance:
– for operations and administration– for systems (Sec 4)– for financial reporting
• Report options:– Prescribed format for statement– Defined qualifiers: Unqualified
QualifiedNo Assurance
Internal Control Reporting