Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated.

Using Internal Control to Manage Risk

Mary C. Braun, CPA, CGFMManagement Concepts, Incorporated

Agenda

• Background

• Requirements

• Implementation

Internal Control Legislation

– 1950 Accounting and Auditing Act – 1982 Federal Managers’ Financial Integrity

Act– 1990 Chief Financial Officers Act– 1994 Government Management Reform

Act– 1996 Federal Financial Management

Improvement Act

What are Internal Controls?

• Anything you do to successfully achieve your mission/goal legally and efficiently

• Objectives of controls:– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations

• Applies to all aspects of life

Internal Control Standards• Treadway Commission:

Internal Control Guidance

Control Environment

Risk Assessment

Activities

M

Info

rmat

ion

Com

munication

GAO Standards COSO Framework

Internal Control Standards

Control Environment

Risk Assessment

Control Activities

M

Info

rmat

ion

Com

munication

GAO Standards

Control Environment: Tone at the Top

Risk Assessment: Threats to Mission

Control Activities: Design & Operation

Monitoring: Test Schedule

Information & Communication: Up and down the Organization

Government Implementation: Assess Controls

Elements of an IC Program

Mission

Objectives

Risks

Control Activities

Internal GoalsManagement:• Acknowledge it responsibility for

establishing and maintaining ICs• Apply IC objectives:

– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations

• Understand that ICs exist (or should) at every level and in every process of the organization

• Realize that good internal control leads to financial reporting integrity

Three Step Process

• Planning Phase

• Testing Phase

• Reporting Phase

Planning Phase• Identify assessable units• Establish governance body• Determine material contributors• Identify/document key business

processes• Perform risk assessment• Identify key controls• Develop 3-yr control assessment

schedule• Develop test methodology

Divide and Conquer !!

Establish Assessable Units

Divide and Conquer !!Establish Assessable Units

Establish Governance• Establish a governance body who will:

– Have decision-making leaders as members

– Identify material business lines/ processes

– Know flowcharted business process

– Identify risks and assess materiality

– Document internal controls

– Test internal controls

– Report on control effectiveness

– Develop corrective action plans

Identify Material Contributors

Look at the Budget/Financials

2010 2009 Change 2010 2009 Change 2010 2009 ChangeAssets:Cash and investments............. $ 10.7 $ 10.4 $ 0.3 $ 4.6 $ 4.6 $ - $15.3 $ 15.0 $ 0.3Capital assets (net).................. 28.6 26.7 1.9 0.1 0.1 - 28.7 26.8 1.9All other assets......................... 7.9 7.1 0.8 1.6 1.4 0.2 9.5 8.5 1.0Total assets.............................. 47.2 4 4.2 3.0 6.3 6.1 0.2 53.5 50.3 3.2Liabilities:Accounts payable..................... 5.9 6.0 (0.1) 0.9 0.9 - 6.8 6.9 (0.1)All other current liabilities.... 4.2 3.7 0.5 4.1 2.1 2.0 8.3 5.8 2.5Total current liabilities............ 10.1 9.7 0.4 5.0 3.0 2.0 15.1 12.7 2.4Bonds payable.......................... 9.8 8.5 1.3 - - - 9.8 8.5 1.3All other long-term liabilities 3.8 2.8 1.0 2.5 2.5 - 6.3 5.3 1.0Total long-term liabilities........ 13.6 11.3 2.3 2.5 2.5 - 16.1 13.8 2.3Total Liabilities........................ 23.7 21.0 2.7 7.5 5.5 2.0 31.2 26.5 4.7

Government Business-type Total

Identify Key Business Processes

• Capital Assets:– What processes add to balances?– What processes decrease balances?– What systems support the processes?– Where do the processes take place? – Where do the managers exist in the state’s

organization chart?

Document Key ProcessesProperty, Plant and Equipment – Buildings & StructuresDisposals Subprocess

Staff AccountantReal Property

Accountability OfficerDistrict Engineer

Hand Receipt Holder or Realty Specialist

Receives notice of approved disposal

Start

B

B

A


and notifies the staff accountant

Approves Disposal

Generates Record of Disposal in RD 72

screen within in REMIS to add disposal info to

asset’s record

Instructs Hand Receipt Holder of what to do with

asset

Notifies staff accountant that

the asset has been disposed of in

REMIS

Completes disposal request document and

forwards to district engineer and RPAO

Verifies that all required

documents are included, properly

and accurately completed, and

approved.

Determines Asset’s need for disposal through periodic inspections

Changes asset status within

CEFMS from “in service” to “retired”Rejects

Disposal

A

CEFMS transfers asset value into

buildings or structures awaiting disposal account

Forwards Disposal Request

Document to RPAO as notice to start the disposal

process

Receives and reviews Disposal request

document and approves or rejects

disposal request

BS.4

Changes asset status in CEFMS from “Retired”

to “Disposed”

Disposes of asset within REMIS in RD 82 screen

BS.3

CEFMS transfers asset value to appropriate

SGL accounts removing the value from the

financial statements.

Perform Risk Assessment• Assess Risk: Document from flowcharts

Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess





Start

B

B

A



Approves Disposal



asset’s record


asset



REMIS






approved.




Disposal

A





process



disposal request

BS.4


to “Disposed”


BS.3




IT Assertions

• Completeness

• Accuracy

• Validity

• Restricted Access

Financial Assertions

• Completeness

• Obligations/Rights

• Valuation

• Existence/Occurrence

• Reporting/Presentation

Look for Risk of Misstatement

Identify Key ControlsDocument from flow charts

Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess





Start

B

B

A



Approves Disposal



asset’s record


asset



REMIS






approved.




Disposal

A





process



disposal request

BS.4


to “Disposed”


BS.3




Document Key Controls

IntraGov Accts Rec

Not reported

Entity

Preparer

Control Number

Account/ Line Item/Event

Business Cycle, Accounting Application Assertion Risk

Inherent Risk

Internal Control

Currently In Place

Control Risk

Internal Control Test Method Used

Risk Analysis

Account Line: Accounts Receivable

Document, document, document

high1 Reimb R/O Track & check low Inspect

Preliminary Control Assessment

Develop Key Control Assessment Schedule

• All key controls are assessed at least once every three years

• Some more:– High risk– Change in:

• Law• System• Key personnel

Control Testing Options:3-Year Plan

ControlRisk

Risk TestLow

Hig

h

Develop Corrective Action Plan

If:

Changes in:-Personnel?-Process?-System?

Yes

Annually for 3 years

No

Rotate to 3-year plan

Testing Phase

• Entity-Level Assessment

• Control Testing:– Process level– Transaction level– Include automated systems– Remember service providers

Entity-Level Assessment

• Evaluate Internal Control at Entity Level– GAO-01-1008G: Internal Control

Management and Evaluation Tool– Use GAO Internal Control Standards

Control Testing• Test key controls

– Develop test plan and document– Decide on the appropriate test method– Establish tolerance level for error,

document– Identify sample size:

OMB recommendations– Test and document

• Consider dependencies– Service provider process controls – SAS 70 reports???

Reporting Phase

• Identifying Material Weaknesses

• Developing Corrective Action Plans

• Preparing Statement of Assurance

Identify Material Weaknesses

• At assessable unit level• At subagency/department level• At Agency/ Bureau/ Department level

Management has the discretion to make the determination!

OMB generous withMaterial Weaknessdefinitions

Basis for Assurance

• Deficiencies can be:

–Single deficiency

–Significant deficiency

–Material weakness

• Determines level of assurance

–Cannot be unqualified if material weakness exists

Develop Corrective Actions

• Managers: Process Owners develop corrective actions plans and timelines

• Governance body concurs or non-concurs

• Published in Annual Financial Report (PAR) for feds

• Should be monitored by leadership• Fed report periodically on progress to

Office of Management and Budget

Corrective Action Plans

• Plan well

• Divide corrective steps into small manageable pieces – governance body should approve

• Develop realistic target dates

• Monitor progress continuously

Statement of Assurance

• Report on effectiveness of internal control• Separate statements of assurance:

– for operations and administration– for systems (Sec 4)– for financial reporting

• Report options:– Prescribed format for statement– Defined qualifiers: Unqualified

QualifiedNo Assurance

Internal Control Reporting

Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated.

Documents

organization slide

incorporated slide

internal control management

risk of misstatement

internal control legislation

good internal control

control effectiveness

test methodology slide