Opening Remarks - Association of Local Government Auditors, KY


COSO Internal Control – Integrated Framework and Green Book Exposure Draft Comparison
Kristine Adams-Wannberg
Senior Management Auditor,
City of Portland, OR
Larry Stafford
Internal Performance Auditor,
Clark County, WA
ALGA Webinar
April 2014
Opening Remarks
Moderator
R. Kinney Poynter
Executive Director
NASACT
Speaker
Kristine Adams-Wannberg
Senior Management Auditor
City of Portland (OR)
Speaker
Larry Stafford
Internal Performance Auditor
Clark County (WA)
Purpose of our session
Objectives
• Provide background on COSO’s Internal Control Framework and the Green Book Exposure Draft
• Compare the two resources and who they apply to in organizations
• Present applications for internal control assessments
• Provide other resources for internal control reviews
ALGA Webinar: COSO and Green Book Comparisons, 4/8/14
What’s Internal Control?
COSO Definition – “A process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide reasonable
assurance regarding the achievement of the
objectives relating to operations, reporting, and
compliance.”
Practical implications of
insufficient controls…
• “London Whale scandal to cost JP Morgan $920m in
penalties: US's biggest bank to pay penalties to US and
UK regulators for 'unsound practices' relating to $6.2bn
losses last year”
• “Europe Says Tests Show Horse Meat Scandal Is
‘Food Fraud’”
• “Port of Oakland implements tighter expense
controls, details improper spending”
What is COSO? Green Book?
• COSO is an organization that authors guidance on internal control, enterprise risk management and fraud deterrence.
• The Green Book is the set of internal control standards for the federal government (GAO’s Standards for Internal Control in the Federal Government).
COSO - Who and History
• Started in 1985 by
five professional
organizations to deal
with fraudulent
reporting.
• It authored the Internal Control – Integrated Framework guidance. The latest version was released in May 2013.
Green Book – Who and history
• GAO’s current Green
Book is from 1999.
New exposure draft
with revisions was
issued in Sept. 2013.
• ALGA’s Professional
Issues Committee
reviewed and sent
their comment letter
in November 2013.
Internal Control Standards
Who requires government organizations to have internal controls?
US Federal Government
• Office of Management and Budget (OMB)
  – Circular A-123: managers in the federal government
  – Circular A-133: entities who receive federal funds
  – Uniform Administrative Requirements (Title 2 CFR)
State Laws and Regulatory Agencies
• Washington State Auditor’s Office Accounting Manual
• Oregon Accounting Manual
Internal Control Standards
Internal Controls Provide Reasonable Assurance of Achieving Objectives
Operations
• Efficiency
• Effectiveness
• Safeguarding of assets
Reporting
• Reliability
• Internal / external
Compliance
• Laws
• Regulations
Internal Control Standards
Other Considerations
Size and complexity of organization
Applicable laws and regulations
Limitations of internal controls due to
• Human involvement: bias and errors
• Ability to override or circumvent
• Events beyond organization’s control
Management judgment
• Setting objectives
• Evaluating and addressing risk
• Cost vs benefit of internal controls
• Designing, implementing, operating, and evaluating
Internal Control Framework
5 components supported by 17 principles (Source: COSO)
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Internal Control Standards
What’s Required: An Effective System of Internal Controls
COSO Framework
• Each of the five components and relevant principles are present and functioning
• The five components are operating together in an integrated manner
Green Book
• Each of the five components, 17 principles, and relevant attributes are effectively designed, implemented, and operating
• The five components are operating together in an integrated manner
Internal Control Standards
Deficiencies in Internal Controls
COSO Framework
• A shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.
• An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.
• When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal controls.
Internal Control Standards
Deficiencies in Internal Controls
Green Book
• A deficiency in design exists when (a) a control necessary to
meet a control objective is missing or (b) an existing control is
not properly designed so that even if the control operates as
designed, the control objective would not be met.
• A deficiency in implementation exists when a properly
designed control is not implemented correctly in the internal
control system.
• A deficiency in operation exists when a properly designed
control does not operate as designed, or when the person
performing the control does not possess the necessary
authority or competence to perform the control effectively.
Internal Control Standards
Deficiencies in Internal Controls
Green Book
Generally, management first considers whether controls are
designed, implemented, and operating effectively to achieve
each relevant attribute, then each principle, then each
component:
• If a principle is not designed, implemented, or operating
effectively, then the respective component is not likely to be
effective, and an internal control system is unlikely to be
effective in helping the entity in achieving its objectives.
• If one or more of the five components are not effectively
designed, implemented, or operating effectively, then an
internal control system is ineffective.
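The attribute-to-principle-to-component roll-up described above can be written down as a small assessment routine. The Python below is an added example for this page, not code from GAO, COSO or the ALGA presenters: the class names, the assess() function and the pass/fail results in example_system() are this example’s own constructions, and only the attribute references reuse the exposure-draft numbering shown elsewhere in the deck. It also classifies each failing attribute as a design, implementation or operation deficiency using the three definitions from the previous slide.

```python
"""Roll an internal control assessment up the way the Green Book exposure draft
describes: attributes, then principles, then components, then the system.
Added example for this page, not code from GAO, COSO or the ALGA presenters;
the class names, assess() and the sample results in example_system() are this
example's own constructions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Deficiency(Enum):
    # The three deficiency kinds defined in the exposure draft.
    DESIGN = "design"                  # control missing, or objective unmet even if run as designed
    IMPLEMENTATION = "implementation"  # properly designed but not put in place correctly
    OPERATION = "operation"            # not run as designed, or performer lacks authority/competence


@dataclass
class Attribute:
    ref: str                           # exposure-draft reference, e.g. "11.02d"
    name: str
    designed: bool = True
    implemented: bool = True
    operating: bool = True
    performer_qualified: bool = True   # authority and competence of whoever performs it

    def deficiency(self) -> Deficiency | None:
        # Green Book order: design before implementation before operation, so a
        # badly designed control is not also reported as "not operating".
        if not self.designed:
            return Deficiency.DESIGN
        if not self.implemented:
            return Deficiency.IMPLEMENTATION
        if not (self.operating and self.performer_qualified):
            return Deficiency.OPERATION
        return None


@dataclass
class Principle:
    number: int
    name: str
    attributes: list[Attribute]

    def effective(self) -> bool:
        # Effective only when every relevant attribute is free of deficiencies.
        return all(a.deficiency() is None for a in self.attributes)


@dataclass
class Component:
    name: str
    principles: list[Principle]

    def effective(self) -> bool:
        # One ineffective principle makes the component ineffective.
        return all(p.effective() for p in self.principles)


def assess(components: list[Component]) -> dict:
    """Attribute-level findings plus the rolled-up conclusion: the system is
    effective only if every component (hence every principle) is effective."""
    findings = []
    for c in components:
        for p in c.principles:
            for a in p.attributes:
                d = a.deficiency()
                if d is not None:
                    findings.append({"component": c.name, "principle": p.number,
                                     "attribute": a.ref, "deficiency": d.value})
    ineffective = [c.name for c in components if not c.effective()]
    return {"findings": findings, "ineffective_components": ineffective,
            "system_effective": not ineffective}


def example_system() -> list[Component]:
    # Constructed data: two of the five components, attribute references taken
    # from the exposure-draft numbering used in the deck, pass/fail invented.
    return [
        Component("Control Activities", [
            Principle(10, "Select and develop control activities", [
                Attribute("10.02d", "Consider segregation of duties")]),
            Principle(11, "Select and develop general controls over technology", [
                Attribute("11.02c", "Design the information technology infrastructure"),
                # Access-review procedure exists and was rolled out, but the
                # quarterly reviews are not actually being performed.
                Attribute("11.02d", "Design security management", operating=False)]),
            Principle(12, "Deploy through policies and procedures", [
                Attribute("12.02a", "Document responsibilities through policies")]),
        ]),
        Component("Monitoring", [
            Principle(16, "Perform monitoring activities", [
                Attribute("16.02a", "Establish a baseline"),
                Attribute("16.02b", "Monitor the internal control system")]),
            Principle(17, "Remediate deficiencies", [
                Attribute("17.02c", "Complete corrective actions")]),
        ]),
    ]


if __name__ == "__main__":
    result = assess(example_system())
    for f in result["findings"]:
        print(f"{f['component']} / P{f['principle']} / {f['attribute']}: {f['deficiency']} deficiency")
    print("ineffective:", result["ineffective_components"], "system effective:", result["system_effective"])
```

Running it reports one operation deficiency at 11.02d, which is enough to make Control Activities ineffective and therefore the system as a whole ineffective even though Monitoring passes; that is the roll-up rule the slide states.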
Internal Control Standards
Documentation Required
COSO Framework
• The extent of documentation supporting the presence and functioning of each of the components and relevant principles of internal control, and of the components operating together, is a matter of judgment
Green Book
• Minimum requirements:
  – Internal control system (3.02c)
  – Policies
  – Results of ongoing monitoring
  – Internal control deficiencies
  – Corrective actions
Control Environment – What is it?
• COSO Definition: The control environment is the
set of standards, processes, and structures that
provide the basis for carrying out internal control
across the organization.
Comparisons – Control Environment
Component: Control Environment
COSO: 5 Principles, 20 Points of Focus
Green Book: 5 Principles, 14 Attributes
Principles are similar:
1) Organization demonstrates commitment to integrity and ethical values
2) Board exercises oversight responsibility
3) Management establishes structure, authority and responsibility
4) Organization demonstrates commitment to competence
5) Organization enforces accountability
Control Environment – Principle 1
(Organization demonstrates commitment to integrity and ethical values)
COSO Points of Focus
1) Sets the Tone at the Top
2) Establishes Standards of Conduct
3) Evaluates Adherence to Standards of Conduct
4) Addresses Deviations in a Timely Manner
Green Book Attributes
1.02a) Set the Tone at the Top
1.02b) Establish Standards of Conduct
1.02c) Evaluate Adherence to Standards of Conduct
Control Environment – Principle 2
(Board exercises oversight responsibility)
COSO Points of Focus
1) Establishes Oversight Responsibilities
2) Applies Relevant Expertise
3) Operates Independently
4) Provides Oversight for the System of Internal Control
Green Book Attributes
2.02a) Establish Oversight Structure
2.02b) Provide Oversight for the Internal Control System
2.02c) Provide Input for the Remediation of Deficiencies
Control Environment – Principle 3
(Management establishes structure, authority and responsibility)
COSO Points of Focus
1) Considers All Structures of the Entity
2) Establishes Reporting Lines
3) Defines, Assigns, and Limits Authorities and Responsibilities
Green Book Attributes
3.02a) Establish Organizational Structure
3.02b) Assign Responsibility and Delegate Authority
3.02c) Document Internal Control System
Control Environment – Principle 4
(Organization demonstrates commitment to competence)
COSO Points of Focus
1) Establishes Policies and Practices
2) Evaluates Competence and Addresses Shortcomings
3) Attracts, Develops, and Retains Individuals
4) Plans and Prepares for Succession
Green Book Attributes
4.02a) Establish Expectations of Competence
4.02b) Attract, Develop, and Retain Individuals
4.02c) Plan and Prepare for Succession
Control Environment – Principle 5
(Organization enforces accountability)
COSO Points of Focus
1) Enforces Accountability through Structures, Authorities, and Responsibilities
2) Establishes Performance Measures, Incentives, and Rewards
3) Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
4) Considers Excessive Pressures
5) Evaluates Performance and Rewards or Disciplines Individuals
Green Book Attributes
5.02a) Enforce Accountability
5.02b) Consider Excessive Pressures
Control Environment – Audit Application
• Audit evaluated management practices
• Auditors found issues in:
  – Strategic planning
  – Policies and procedures
  – Performance measures
  – Teamwork, training, and employee development
  – Staffing and workload management
  – High turnover
Risk Assessment – What is it?
• COSO Definition: Risk Assessment involves a
dynamic and iterative process for identifying and
assessing risks to the achievement of objectives,
forming a basis for determining how risks will be
managed.
Comparisons – Risk Assessment
Component: Risk Assessment
COSO: 4 Principles, 27 Points of Focus
Green Book: 4 Principles, 10 Attributes
Principles are similar:
6) Organization specifies suitable objectives
7) Organization identifies and analyzes risk
8) Organization assesses fraud risk
9) Organization identifies and analyzes significant change
Risk Assessment – Principle 6
(Specifies suitable objectives)
COSO Points of Focus (grouped by objective category; number of points in parentheses)
Operations Objectives (4)
External Financial Reporting Objectives (3)
External Non-Financial Reporting Objectives (3)
Internal Reporting Objectives (3)
Compliance Objectives (2)
Green Book Attributes
6.02a) Define Objectives
6.02b) Define Risk Tolerances
Risk Assessment – Principle 7
(Identifies and analyzes risk)
COSO Points of Focus
1) Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
2) Analyzes Internal and External Factors
3) Involves Appropriate Levels of Management
4) Estimates Significance of Risks Identified
5) Determines How to Respond to Risks
Green Book Attributes
7.02a) Identify Risks
7.02b) Analyze Risks
7.02c) Respond to Risks
Risk Assessment – Principle 8
(Assess fraud risk)
COSO Points of Focus
1) Considers Various Types of Fraud
2) Assesses Incentives and Pressures
3) Assesses Opportunities
4) Assesses Attitudes and Rationalizations
Green Book Attributes
8.02a) Consider Types of Fraud
8.02b) Consider Fraud Risk Factors
8.02c) Respond to Fraud Risks
Risk Assessment – Principle 9
(Identifies and analyzes significant change)
COSO Points of Focus
1) Assesses Changes in the External Environment
2) Assesses Changes in the Business Model
3) Assesses Changes in Leadership
Green Book Attributes
9.02a) Identify Change
9.02b) Analyze and Respond to Change
Risk Assessment – Audit Application
• Audit assessed the City of Portland’s current process for assessing Citywide risk and managing that risk.
• Also identified major issues facing the City in the next four years.
Risk Assessment – Audit Application
• Assessed management’s process for evaluating risk and
managing risk through the following techniques:
– Performed interviews with City managers, directors, and elected
officials
– Reviewed bureau assessments of subject area issues
– Reviewed City financial documents (budget, CAFR, etc.)
– Reviewed prior audit reports
• Findings:
  – City lacks a formal, Citywide Enterprise Risk Assessment
  – City expenses exceed revenues
  – City does not maintain all its major assets in good condition
  – City services may not be adequately prepared to withstand a disaster
  – City workforce is aging
Control Activities – What are they?
• COSO Definition: Control activities are the
actions established through policies and
procedures that help ensure that management’s
directives to mitigate risks to the achievement of
objectives are carried out.
Control Activities
Component: Control Activities
COSO: 3 Principles, 16 Points of Focus
Green Book: 3 Principles, 11 Attributes
Principles are similar:
10) Select and develop control activities
11) Select and develop controls over technology
12) Deploy through policies and procedures
Source: GAO
Control Activities – Principle 10 comparisons
(Select and develop activities to achieve objectives and limit risk)
COSO Points of Focus
1) Integrate with risk assessment
2) Consider entity specific factors
3) Determine relevant business processes
4) Evaluate a mix of control activities
5) Consider what level activities are applied
6) Address segregation of duties
Green Book Attributes
10.02a) Response to objectives and risks
10.02b) Design the types of control activities
10.02c) Design control activities at various levels
10.02d) Consider segregation of duties
Control Activities – Principle 11 comparisons
(Select and develop control activities over IT systems)
COSO Points of Focus
7) Determine dependency between use of technology in business practices and technology general controls
8) Establish relevant technology infrastructure control activities
9) Establish relevant security management process control activities
10) Establish relevant technology acquisition, development, and maintenance control activities
Green Book Attributes
11.02a) Design the entity’s information system
11.02b) Design appropriate types of control activities
11.02c) Design the information technology infrastructure
11.02d) Design security management
11.02e) Design information technology acquisition, development and maintenance
Control Activities – Principle 12 comparisons
(Deploy control activities through policies and procedures)
COSO Points of Focus
11) Establish policies and procedures to support deployment of management’s directives
12) Establishes responsibility and accountability for executing policies and procedures
13) Performs in a timely manner
14) Takes corrective action
15) Performs using competent personnel
16) Reassesses policies and procedures
Green Book Attributes
12.02a) Document responsibilities through policies
12.02b) Perform periodic reviews
Control Activities – Audit Application
• Reviewed whether policies and practices were effective in administering building inspection programs.
  – Assessed several control activities:
    • Policies in place
    • Supervision tools used
    • Comparison of other cities’ policies and tools
    • Review of CPE for licenses
Control Activities – Audit Application
• Assessed control activities through the following
techniques
  – Performed management and staff interviews
  – Reviewed policies, procedures, and employee manuals
  – Reviewed labor contracts
  – Compared City Code and policies to State regulations, other cities, and professional codes
• Finding – Control Activities were insufficient/weak
  – No manuals or guidance for inspection work or customer service
  – Little supervision in the field from managers
  – No annual employee reviews or strategic employee development
  – Limited use of technology for monitoring or improving efficiency
Information and Communication –
What are they?
• COSO Definition: Management obtains or
generates and uses relevant and quality
information from internal and external sources to
support internal control. Communication is
continual and iterative and enables personnel to
understand internal control responsibilities and
their importance to the achievement of
objectives.
Information and Communication
Component: Information & Communication
COSO: 3 Principles, 14 Points of Focus
Green Book: 3 Principles, 7 Attributes
Principles are similar:
13) Obtain or generate and use relevant, quality info. to support internal control
14) Internally communicate info. to support internal control
15) Communicate with external parties about internal control
Info & Communication – Principle 13 comparisons
(Obtain or generate and use relevant, quality info. to support internal
control)
COSO Points of Focus
1) Identifies information requirements
2) Captures internal and external data sources
3) Processes relevant data into information
4) Maintains quality throughout processing
5) Considers costs and benefits
Green Book Attributes
13.02a) Identify Information Requirements
13.02b) Obtain Relevant Data from Reliable Sources
13.02c) Process Data into Quality Information
Info & Communication – Principle 14 comparisons
(Internally communicate info. to support internal control)
COSO Points of Focus
6) Communicates internal control information
7) Communicates with the Board of Directors
8) Provides separate communication lines
9) Selects relevant methods of communication
Green Book Attributes
14.02a) Communicate throughout the entity
14.02b) Select appropriate methods of communication
Info & Communication – Principle 15 comparisons
(Communicate with external parties about internal control)
COSO Points of Focus
10) Communicates to external parties
11) Enables inbound communications
12) Communicates with the Board of Directors
13) Provides separate communication lines
14) Selects relevant methods of communication
Green Book Attributes
15.02a) Communicate with external parties
15.02b) Select appropriate methods of communication
Info & Communication – Audit application
City of Portland Auditor – Residential and Commercial
Inspections: Strengthen oversight and management
practices; document procedures:
• Reviewed management information and internal
communication practices
  – Assessed various aspects:
    • Type and timing of data
    • Methods of communication
    • Information recipients
    • How the info was used toward achievement of objectives
Info & Communication – Audit application
• Assessed Information and Communication through the
following techniques
– Reviewed monthly inspection reports (workload)
– Interviewed management and staff
– Assessed usefulness of other reports in database
• Finding – Internal information and communication were
insufficient
– Information was insufficient to determine performance -- heavily
focused on workload.
– Supervisors reviewed reports generally on a monthly basis
– Little or no communication with staff on performance trends or
reaching any clear, identifiable goals
Monitoring Activities - What are they?
• COSO Definition: Evaluations (ongoing, separate, or a
combination) are used to ascertain whether each of the
five components and their principles are present and
functioning. Findings are evaluated and deficiencies are
communicated to management and the board of
directors as appropriate.
Monitoring Activities
Component: Monitoring
COSO: 2 Principles, 10 Points of Focus
Green Book: 2 Principles, 6 Attributes
Principles are similar:
16) Perform monitoring activities
17) Remediate deficiencies
Source: GAO
Monitoring– Principle 16 comparisons
(Perform monitoring activities)
COSO Points of Focus
1) Consider a mix of ongoing and separate evaluations
2) Consider a rate of change
3) Establishes baseline understanding
4) Uses knowledgeable personnel
5) Integrates with business processes
6) Adjusts scope and frequency
7) Objectively evaluates
Green Book Attributes
16.02a) Establish a baseline
16.02b) Monitor the internal control system
16.02c) Evaluate results
Monitoring– Principle 17 comparisons
(Remediate Deficiencies)
COSO Points of Focus
8) Assesses Results
9) Communicates Deficiencies
10) Monitors Corrective Actions
Green Book Attributes
17.02a) Report Issues
17.02b) Evaluate Issues
17.02c) Complete Corrective Actions
Monitoring – Audit application
• Reviewed City’s housing
loan program and
assessed the following:
– Did City have clear goals in
place for the program
– Did projects maximize
housing dollars
– Did the asset management
system protect the City’s
investment
Monitoring – Audit application
• Assessed five components through the following
techniques:
– Reviewed City housing policies, procedures, and documentation
related to project selection and annual review
– Interviewed staff, borrowers, and affordable housing lenders
– Reviewed documentation for all grants and loans issued in FY
2011, 2012, and 2013.
– Sampled housing projects and evaluated those against program
policies and best practices
• Finding – Weaknesses in each control component
  – Weak annual review process
  – Likelihood of repayment not integrated into strategic decision-making
  – Policies and procedures and loan guidelines are not clear on the products offered or circumstances in which products are used
  – Lack of measurable outcomes or benchmarks set
Key Points
• While very similar, COSO Framework and Green
Book exposure draft are not identical
• COSO provides more narrative and examples
• Green Book is indexed more like a set of standards
Questions?
Moderator
R. Kinney Poynter
Executive Director
NASACT
Speaker
Kristine Adams-Wannberg
Senior Management Auditor
City of Portland (OR)
Speaker
Larry Stafford
Internal Performance Auditor
Clark County (WA)
Other Resources
• COSO: http://www.coso.org/resources.htm
• AICPA: Internal Control Tools and Resources
  http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/InternalControl/Pages/default.aspx
• GAO: www.GAO.gov
• NASACT: NASC Internal Controls Information Sharing Group,
  http://www.nasact.org/nasc/committees/multistate/#Resources
• Audit Abstracts on ALGA website: algaonline.org
Contact Information
Kristine Adams-Wannberg
City of Portland, OR
Kristine.adamswannberg@portlandoregon.gov
Phone: 503-823-3537
Larry Stafford
Clark County, WA
[email protected]
Phone: (360) 397-2310 Ext: 4795