Transcript Document

Integrating Risk Management and Compliance
into Integrated Financial Management
Information Systems (IFMIS)
The Global Financial Environment
• No successful economy or government can operate
today without global interconnectivity
• Markets and industries exist transparently across the
globe, and conduct business 24 hours a day.
• Growth of that connectivity has increased the demands
for the availability and reliability of financial information
• That information demand is fed by the growing use of
automated Financial Management Systems, using
integrated Information Technology (IT).
© Grant Thornton
The New Financial Reporting Environment
• As a result of the global economy, Financial Reporting
must be relevant, timely, and comparable across
jurisdictions
• Company assets are considered more "intangible" and
subject to inconsistent valuation
• Company data is instantly accessible but not always
sufficient to satisfy all stakeholders' requirements
– Citizens
– Shareholders
– Regulators
The Result of their Analysis?
• In the long term, Financial reporting will be standardized
to provide adequate information to all interested parties
• Global auditing standards will converge and harmonize
to deliver reasonable assurance of the accuracy of
financial reports
• Adoption of new data standards to improve enforcement
of controls and improve detection of Fraud
• Financial systems must have adequate internal controls
enabled for consistent transparency
Impact on Federal Managers
• Governments are increasingly involved in global financial
markets, not only as regulators but as investors and
participants.
• They must provide the highest quality financial
information to a range of interested parties, in a
multitude of formats, often with repetitive efforts and
inefficient processes.
• Government agencies are entrusted by their citizens to
maintain sound financial practices, limit fraud and
corruption, and provide adequate controls over financial
reporting
Overview of Internal Controls
Internal Controls Defined
Internal control is broadly defined as a process, effected
by an entity's board of directors, management, and other
personnel, that is designed to provide reasonable
assurance regarding the achievement of objectives in
the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
Source - The Committee of Sponsoring Organizations of the Treadway
Commission Internal Control — Integrated Framework
Management has a fundamental responsibility to
develop and maintain effective internal control.
Background on Internal Controls
Internal control is a means of managing the risk associated with
programs and operations
[Diagram: Internal Controls comprise Organization, Policies, and Procedures (Procedure 1, Procedure 2, Procedure 3)]
Internal controls – organization, policies, and procedures – are tools to help
program and financial managers achieve results and safeguard the integrity of
their program
COSO
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO)
– US private-sector initiative created in 1985.
– Its major objective is to identify the factors that cause fraudulent
financial reporting and to make recommendations to reduce its
incidence.
– COSO is sponsored by 5 main professional accounting organizations in
the US:
• American Institute of Certified Public Accountants (AICPA),
• American Accounting Association (AAA),
• Financial Executives Institute (FEI),
• The Institute of Internal Auditors (IIA)
• The Institute of Management Accountants (IMA).
• COSO has established a common definition of internal controls,
standards, and criteria against which companies and organizations
can assess their control systems which is the basis for the SOX
Internal Control framework.
» Source: www.coso.org
COSO Internal controls structure
Control Environment
• Sets the tone of the organization – influencing control
consciousness of its people
• Includes integrity, ethical values, competence,
authority, and responsibility
• Acts as foundation for all other components of control
Risk Assessment
• Identification and analysis of relevant risks to achieving
the entity's objectives – forming the basis for
determining control activities
Control Activities
• Policies and procedures assure management's
directives are carried out
• Range of activities, including approvals, authorizations,
verifications, recommendations, performance reviews,
asset security, and segregation of duties
Information and Communication
• Pertinent information identified, captured, and
communicated in a timely manner
• Access to internally and externally generated
information
• Flow of information that allows for successful control
actions from instructions on responsibilities to
summary of findings for management action
Monitoring
• Assessment of a control system's performance over
time
• Combination of ongoing and separate evaluation
• Management and supervisory activities
• Internal audit activities
Internal Controls Are Integrated into Processes
[Diagram: Internal Controls linking Finance & Administration, Major Programs, and Information Technology]
Global Trends in Internal Control mandates
U.S. Sarbanes-Oxley Act
• The Public Company Accounting Oversight Act, otherwise known as
the U.S. Sarbanes-Oxley Act of 2002 or "SOX".
• Composed of three sections:
– Title I – Public Company Accounting Oversight Board. PCAOB formed
as branch of Securities and Exchange Commission (SEC). Public
Auditing firms must register with PCAOB and are now brought under the
regulation of the PCAOB.
– Title III – Corporate Responsibility. Section 302 establishes certification
requirements for CEOs and CFOs of Annual and Quarterly reports filed
with the SEC.
– Title IV – Enhanced Financial Disclosures. Section 404 (a) requires
management to assess and report on internal controls, and Section 404
(b) requires the company’s External Auditor to attest to and report on
management’s assertions on internal controls.
Canadian Bill 198
• Published in 2003 by the Ontario Securities Commission and the
Canadian Security Administrators
• Consists of three statutes:
– Multilateral Instrument 52-108 Auditor Oversight
– Multilateral Instrument 52-109 Certification of Disclosure in Companies'
Annual and Interim Filings (“CSOx”)
– Multilateral Instrument 52-110 Audit Committees
• Multilateral Instrument 52-109 is basically Section 302 with an
emphasis on Disclosure Controls and Procedures (DC&P).
• Implementation of Section 404 equivalent certification still pending
Japanese SOX (J-SOX)
• February 15th, 2007 – Business Accounting Council of the Financial
Services Agency
– "Implementation Standards for Evaluation and Auditing of Internal
Controls over Financial Reporting"
• Requires all publicly-held companies to submit consolidated internal
control reports on or after April 1, 2008
• Reporting standards similar to sections 302 and 404 under US SOX.
Evolution of Internal Controls in the US Government
[Timeline figure; milestones listed in chronological order]
• Budget and Accounting Procedures Act of 1950
• IG Act 1978
• OMB A-123 1981
• FMFIA 1982
• GAO Green Book 1983
• OMB Q&A 1984
• CFO Act 1990
• OMB A-123 1995
• FFMIA 1996
• GAO Green Book 1999
• Sarbanes-Oxley 2002
• FISMA 2002
• OMB A-123 2004
• DHS Financial Accountability Act 2004
• CFO Council Implementation Guide 2005
Other International Government Standards
• INTOSAI Internal Control Standards
• UK Government Internal Audit Good Practice
Guide
• Canada Government Internal Audit Policy
• Institute of Internal Auditors (IIA) Code of Ethics
• Canadian Government risk management
framework
Integrated Financial Management Information
Systems (IFMIS)
Describing a Financial Management System
• The term "financial management system" means an information
system, comprised of one or more applications, that is used for any
of the following:
– Collecting, processing, maintaining, transmitting, and reporting data
about financial events;
– Supporting financial planning or budgeting activities;
– Accumulating and reporting cost information; or
– Supporting the preparation of financial statements
• A financial system may include multiple applications that are
integrated through a common database or are electronically
interfaced, as necessary, to meet defined data and processing
requirements
» Source: Office of Management and Budget (OMB) Circular A-127
Information Technology (IT) and IFMIS
• IFMIS systems are designed to automate financial
processes to aid transparency and accountability in public
financial management
• Modern Financial Management Systems are driven by IT
• Key to driving adequate transparency and accountability
is to enable systems with comprehensive internal
controls framework
• IT requires special considerations to properly implement
and enforce Internal Controls
IT 's Potential Contribution to Internal Control
• IT provides potential benefits of effectiveness and
efficiency for an entity’s internal control because it
enables an entity to:
– Consistently apply predefined business rules and perform
complex calculations in processing large volumes of transactions
and data
– Enhance the timeliness, availability, and accuracy of information
– Facilitate the additional analysis of information from multiple
sources on an as needed basis
IT's Potential Contribution to Internal Control
(cont.)
• Enhance the ability to monitor the performance of the
entity’s activities, policies, and procedures
• Reduce the risk that controls will be circumvented
• Enhance the ability to achieve effective segregation of
duties by implementing security controls in applications,
databases, and operating systems
IT as a Source of Risk
• Reliance on systems or programs that are inaccurately processing
data, processing inaccurate data, or both
• Unauthorized access to data that may result in destruction of data or
misappropriation of assets through improper changes to data,
including the recording of unauthorized or nonexistent transactions, or
inaccurate recording of transactions
• Potential loss of data
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
Automation of Internal Controls and Risk
Management
Why Automate the Controls Process?
• Given the complexity of IT and financial reporting,
automated controls software can potentially provide
tremendous benefits to an internal controls program.
• Automated solutions can detect, monitor, and report a
wide range of control issues, risk areas, and
performance indicators.
• Software allows business rules to be built into the system
to ensure compliance with regulations and automate
reporting processes.
Benefits of automation
• Provides structure for the internal control program
• Improves monitoring of control deficiencies and
corrective action plans at all levels of management within
an organization
• Provides a repository of documentation that can be
made available to auditors and stakeholders
• Enables senior management to gain awareness of areas
that require process changes or additional resources
Discipline over internal control program
• Software can help an organization maintain discipline
over its internal control program by providing a
framework for documenting and assessing controls,
testing internal controls or controlling the workflow to
ensure the controls are enforced
• Software can make it easier to demonstrate your internal
controls to your auditors and may lessen the amount of
testing that needs to be performed by the auditors
Uses of automated internal control software
• The types of software available in the market
include:
– Testing and Reporting
– Document and records management
– Business process modeling
– Policy management
– Risk management and risk assessment
– Support for multiple control frameworks
– Support for multiple regulations across multiple business units
– Controls automation and monitoring
Repository software
• Provides a central repository for the documentation of internal
controls throughout the organization
• Allows the documentation of workflow and key processes, control
objectives, control activities and risks for each major function in the
organization
• May be set up as a web based tool that allows multiple users to
input information
• Allows the organization to centrally manage the documentation of
internal controls and capture information about the results of testing
• May come "out of the box" with standard templates for control
objectives, control activities and risks
Testing software
• Allows an organization to test the internal controls of a
system by directly interfacing with the system
• May test for segregation of duty and authorization
violations
• Allows organizations to identify where violations can or
have occurred and make changes to business processes
or roles as appropriate
• May come "out of the box" with standard control
objectives and control activities that can be modified as
appropriate
• May have a limited repository capability to document
workflow
Business process management software
• Allows an organization to design and dictate the
workflow for a given process
• Integral to the performance of the process
• Allows for the documentation of the workflow process
• The workflow is performed outside of the primary system
• Helps ensure the workflow process is performed as
designed by not allowing the process to continue until
each step is performed
• May include features such as email notification when a
step has been completed
• May have a limited capability for repository or to test
transactions
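The two preceding slides describe what testing software checks (segregation-of-duty and authorization violations) and what business process management software enforces (no step proceeds until the previous one is performed). The following is an added illustration, not code from the deck or from any Grant Thornton product, of how both controls can be expressed in an invoice-to-payment workflow: a constructed SoD conflict matrix, a constructed role-to-duty mapping, a preventive step gate, and a detective scan over a document's history. All role names, duty names, user names and invoice numbers are assumptions made up for the example.

```python
"""Added example: SoD and step-order controls for a constructed invoice workflow.
Roles, duties, conflict pairs and sample users are all invented for illustration."""
from dataclasses import dataclass, field

# Constructed SoD matrix: duty pairs one person must never hold or perform together.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"invoice_enter", "invoice_approve"}),
    frozenset({"invoice_approve", "payment_release"}),
}

# Constructed role -> duties mapping (an assumption, not any real system's model).
ROLE_DUTIES = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"invoice_approve"},
    "treasury": {"payment_approve", "payment_release"},
    "superuser": {"vendor_create", "invoice_enter", "invoice_approve",
                  "payment_approve", "payment_release"},
}

# Required step order for one invoice (constructed).
STEPS = ["invoice_enter", "invoice_approve", "payment_approve", "payment_release"]

def user_duties(roles):
    """Union of the duties granted by a user's assigned roles."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties

def static_sod_violations(user_roles):
    """Static test: which users hold conflicting duties through their roles?
    Returns {user: [sorted (duty_a, duty_b) pairs]} for users with conflicts."""
    findings = {}
    for user, roles in user_roles.items():
        duties = user_duties(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= duties)
        if hits:
            findings[user] = hits
    return findings

class ControlViolation(Exception):
    """Raised when a workflow step would breach an enforced control."""

@dataclass
class Invoice:
    invoice_id: str
    history: list = field(default_factory=list)  # [(step, user), ...]

def perform_step(inv, step, user, user_roles):
    """Preventive control: run one step only if authorization, sequence and SoD all pass."""
    # 1. Authorization: the user must hold the duty via an assigned role.
    if step not in user_duties(user_roles.get(user, [])):
        raise ControlViolation(f"{user} is not authorized for {step}")
    # 2. Sequence: the step must be exactly the next one defined in STEPS.
    expected = STEPS[len(inv.history)] if len(inv.history) < len(STEPS) else None
    if step != expected:
        raise ControlViolation(f"{inv.invoice_id}: expected {expected}, got {step}")
    # 3. Dynamic SoD: one user must not perform two conflicting steps on the same document.
    for prev_step, prev_user in inv.history:
        if prev_user == user and frozenset({prev_step, step}) in SOD_CONFLICTS:
            raise ControlViolation(f"{user} already performed {prev_step} on {inv.invoice_id}")
    inv.history.append((step, user))
    return inv

def dynamic_sod_violations(history):
    """Detective control over a recorded history: (user, step_a, step_b) conflicts."""
    found = []
    for i, (step_a, user_a) in enumerate(history):
        for step_b, user_b in history[i + 1:]:
            if user_a == user_b and frozenset({step_a, step_b}) in SOD_CONFLICTS:
                found.append((user_a, step_a, step_b))
    return found

# Constructed user/role assignments; dave and erin carry static conflicts.
USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["treasury"],
    "dave": ["ap_clerk", "ap_manager"],
    "erin": ["superuser"],
}

def run_demo():
    """One compliant invoice plus two blocked attempts; returns the outcomes."""
    results = {}
    good = Invoice("INV-1001")
    for step, user in [("invoice_enter", "alice"), ("invoice_approve", "bob"),
                       ("payment_approve", "carol"), ("payment_release", "carol")]:
        perform_step(good, step, user, USERS)
    results["good"] = [user for _, user in good.history]
    try:  # approval attempted before entry
        perform_step(Invoice("INV-1002"), "invoice_approve", "bob", USERS)
        results["order"] = "allowed"
    except ControlViolation as err:
        results["order"] = str(err)
    inv = Invoice("INV-1003")  # same person enters and then tries to approve
    perform_step(inv, "invoice_enter", "dave", USERS)
    try:
        perform_step(inv, "invoice_approve", "dave", USERS)
        results["sod"] = "allowed"
    except ControlViolation as err:
        results["sod"] = str(err)
    return results

if __name__ == "__main__":
    print(static_sod_violations(USERS))
    print(run_demo())
```

`static_sod_violations` is the "can a violation occur" test from the slide (role design), while `perform_step` prevents and `dynamic_sod_violations` detects the "has a violation occurred" case on actual documents; in practice the detective scan would run over the IFMIS audit trail rather than an in-memory list.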
Reporting capabilities
• Capabilities may allow for management reports to
provide a status on one or more of the following:
– Documentation or testing of controls
– Potential violations that have been identified
– Where a document is in the process
• May also allow for customizable management reports
– May be capable of personalized "dashboards" for each user that
present a current status, a "to do" list and interactive reports with
drilldown capability
Basic steps to implementing a software solution
• Selection
– Products should be selected based on the needs of a defined
internal controls program
– A requirements analysis should be performed to identify areas
that the program can be improved, or further meet compliance
goals
– The analysis forms the basis for product selection
• Implementation
– Once a product is selected, an implementation plan should be
developed
– The plan incorporates the required steps to implement the
solution and how the functions will be used in the corresponding
areas of the internal control program
Basic steps to implementing a software solution
• Utilization
– Once the solution is fully implemented, the full functionality of the
solution can be utilized
– Key performance indicators (KPIs) should be established that
measure how well the solution is improving risk management
and compliance efforts.
• Example KPIs include:
– Improved rate of fraud detection
– Improved speed in reporting
– Accuracy of reporting measures
Conclusions
• The implementation, maintenance and reporting of
Internal controls compliance and risk management is the
way of the future for global financial management and
accounting
• Financial reporting will become increasingly demanding
and require greater transparency and validity of financial
information
• Automated tools and processes can be of benefit in
managing the increasing level of effort in meeting the
demands for financial reporting, managing risk and
providing reasonable assurance of internal controls and
fraud detection.