KPMG Talkbook Full-page

PUBLIC SECTOR
Internal Controls Over Financial Reporting
(ICOFR)
Management’s Assertions
Central PA Chapter of the AGA
February 9, 2011
ADVISORY
Contents
• Background
• Federal Managers’ Financial Integrity Act (FMFIA) of 1982
• Office of Management and Budget (OMB) Circular No. A-123
• Significant Revisions
• Management Responsibilities
• Government Accountability Office’s (GAO’s) Green Book
• Integrate Compliance into the Internal Control Framework
• Annual Assurance Statement
• Appendix A, Internal Control Over Financial Reporting (ICOFR)
• Sample Assurance Statement on ICOFR
• Additional Resources
© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.
FOR INTERNAL USE ONLY
Internal Controls Over Financial
Reporting (ICOFR)
“Government should lead by example. We should be as
good or better than those we are regulating.”
David Walker, Comptroller General to Congress
CFO Magazine, June 2003
BACKGROUND - Overview
• In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom).
• Among other things, the Act requires publicly traded companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting.
• SOX requirements DID NOT apply to the federal government, but the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR.
• Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes:
  • New internal control review process stipulated
  • New Statement of Assurance
Internal Controls: An Evolution
[Timeline figure. Legend categories: Superseded, Federal Acts, Guidance, Standards, Non Federal. Items shown:]
• Budget and Accounting Procedures Act of 1950
• IG Act, 1978
• OMB A-123, 1981
• FMFIA, 1982
• GAO Green Book, 1983
• OMB Q&A, 1984
• CFO Act, 1990
• FDICIA, 1991
• OMB A-123, 1995
• FFMIA, 1996
• GAO Green Book, 1999
• Sarbanes-Oxley, 2002
• FISMA, 2002
• OMB A-123, 2004
FMFIA of 1982
• Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that:
  • Obligations and costs are in compliance with applicable law;
  • Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and
  • Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.
• Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.
OMB Circular No. A-123
• Defines management’s responsibility for internal controls for federal agencies and government corporations.
• Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee:
  • Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies;
  • Strengthen the requirements for conducting management’s assessments of ICOFR; and
  • Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities.
• Effective October 1, 2005, for federal fiscal year 2006.
OMB A-123: Revised Requirements (continued)
Additional Key Management Requirements (Appendix A):
• Management must provide a conclusion on the operating effectiveness of internal
control over financial reporting using the framework provided by OMB Circular
No. A-123 as of June 30 of each fiscal year
• Suggests establishing a senior management council and a senior assessment
team, or body of similar construct
• Determine those financial reports that will be included in the agency’s assessment
• Identify significant accounts, classes of transactions, and business processes
that support the agency’s financial reporting processes
• Assess the agency’s control environment, risk assessment, control activities,
information and communication, and monitoring processes, as related to financial
reporting
• Document the agency’s understanding of its financial reporting business processes
• Test a sample of controls to determine if the agency’s internal control over financial
reporting is in place and operating effectively
• Maintain a corrective action plan to remediate control deficiencies
• Monitor the agency’s internal control over financial reporting through periodic testing
of controls throughout the year
Significant Revisions
• Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR).
• Updates internal control standards and changes certain terminology.
• Integrates related statutes into an agency’s internal control framework.
• Establishes a Senior Management Council and Senior Assessment Team.
• Defines the type of ICOFR deficiencies.
• Requires management to document its assessment process and test of controls.
• Appendix A describes a high-level process to assess, document, and report.
  • Does not require an audit opinion for internal controls.
GAO’s Green Book
• Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level.
• Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people.
• Control Activities: These policies and procedures help ensure management directives are carried out.
• Monitoring: Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time.
• Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.
Reduce Compliance Cost via Integration
The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high. The commercial sector’s experience with Sarbanes-Oxley provides some perspective:
• Average $ spent
• Average time taken
• Average FTEs utilized
• Planned $ to be spent
• Planned time to execute
• Planned resources
[Figure labels: FISMA, FFMIA, GPRA, IPIA, FMFIA, Single Audit Act, IG Act, Clinger Cohen, CFO Act]
Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively.
Source: KPMG LLP (U.S.), 2005
Management’s Steps to Compliance
Plan and Scope the Evaluation:
• Scoping Document
• Assessment Process Documentation
Document Controls:
• Entity-level Framework
• Process-level Flowcharts and/or Narratives
• Internal Control Matrix: Objectives, Risks & Controls
Evaluate Design and Operating Effectiveness:
• Test approach and test plans
• Test Results
• Internal Control Matrix: Assessment of Design and Operating Effectiveness
• List of Design or Operating Deficiencies
Identify and Correct Deficiencies:
• Categorization of Deficiencies
• Corrective Action Plans
• Remediated Controls Documentation
Report on Internal Control:
• Assurance Letters
• Conclusion of Effectiveness
• FMFIA Annual Assurance Statement
Annual Statement of Assurance
FMFIA Annual Assurance Statement previously included:
• Section 2, Internal Controls Achieved Objectives; and
• Section 4, Conformance with System Requirements.
OMB Circular No. A-123 consolidates these statements of assurance:
• Overall adequacy and effectiveness of internal controls, both financial,
operational, and compliance;
• Each annual statement prepared pursuant to Section 4 shall include a
separate report on whether the agency's accounting system conforms to the
principles, standards, and related requirements prescribed by the Comptroller
General; and
• Under the revised A-123, includes a Statement of Assurance on the ICOFR.
Appendix A - ICOFR
Applies to all three internal control objectives:
• Operational;
• Financial (including the assessment of ICOFR); and
• Compliance.
OMB Circular No. A-123, Appendix A provides a methodology for agency
management to assess, document, and report on their ICOFR.
Appendix A – ICOFR – Management’s Steps
1. Plan & Scope the Evaluation: Define the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles.
2. Document Controls: Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation.
4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare management’s written assurance on the effectiveness of internal control over financial reporting.
6. Independent Audit of Internal Control: If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion. (Under the Circular, this step is optional.)
Appendix A – ICOFR - Scope
Objectives of ICOFR
• Should provide reasonable assurance to enable management to make the following
assertions:
• Existence and occurrence; Completeness; Rights and obligations; Valuation;
Presentation and disclosure; Compliance;
• Assets are safeguarded against fraud and abuse; and
• Documentation for internal control, all transactions, and other significant events is
readily available for examination.
Definition of Financial Reporting
• An agency needs to determine the scope of financial.
Current Chatter: Loud and Confusing
[Figure labels: Media; Additional Legislation; Growing (Unfunded) Costs; Software Provider Claims; Marketplace Perplexity; A-123 Requirements; GAO and Congressional Concerns; Forums and Professional Associations; Consulting Firm Promises; More Accountability]
Challenges
Today, agency managers face three major challenges:
1. Compliance with laws and requirements
2. Minimize the cost of compliance by integrating related internal controls
3. Reduce the overall cost of controls and transform operations to improve mission effectiveness
These challenges also present opportunities to:
• Minimize the cost of compliance by integrating related internal controls
• Reduce the overall cost of controls and transform operations to improve mission effectiveness
Risk and Internal Controls
Objectives
Risk
Measuring Risk
Risk and Internal Control
Self Assessment
Internal Controls Lessons Learned
• Expensive and chaotic to change controls or systems
• Realization that requirements are permanent
• Surprising degree to which information technology contributes to all operations and financial processes
• Better understanding and analysis of monitoring controls and what controls can do for you
• Need to embed internal controls within programs and operations
• Re-implementation of basic controls
• “Over-identified” key controls
Just Check the Box?
Compliance
• Federal agencies are usually more willing to embrace new initiatives that address program improvement
• However, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its mission
• Compliance with new regulations often degenerates into “check the box” exercises
• Agencies miss out by just “checking the box”
Compliance is an opportunity to transform and improve.
Driving Value From Compliance
The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to:
• Improve the quality of controls and better manage risks
• Improve mission performance
• Reduce the ongoing cost of compliance over time
• Develop better operations insights
Applying the agency’s prioritization framework to those opportunities
helps to identify priority initiatives for both immediate and future
change – and make the business case for change
Deriving Value from Compliance
• Agencies can build on the foundation of compliance to improve both controls and business processes.
• Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations.
[Figure labels: axes Risk Management and Program Improvement; stages Comply, Integrate Compliance, Transform Operations, Realize Opportunities]
Deriving Value from Compliance – Understanding the Controls Portfolio
• A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency.
• Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls.
• The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs.
[Figure: “Control Portfolio X” chart. Axes: Automated / Manual and Detective / Preventive. Labels: Lower Risk and Cost; Increased Risk and Cost]
Deriving Value from Compliance – Understanding the Cost of Controls
[Figure: Total Cost. Labels: Ongoing Assessment and Monitoring (Increasingly Visible); Performance (Largely “Hidden”)]
Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible costs are those associated with self assessments and independent reviews.
Deriving Value from Compliance –
Transformation and Program Improvement
Integrating and Sustaining Compliance
• Implement an efficient, sustainable
process that integrates and evaluates
its internal control environment on a
periodic basis
• Consider employing documentation
standards, planning, and
documentation templates,
questionnaires, and work plans, and
automated tools
Deriving Value from Compliance –
Transformation and Program Improvement
Integrating and Balancing Risk with Program Improvement
Linking Controls to Performance, cont.
[Figure: “Desired Control Portfolio” chart under “Opportunities”. Axes: Automated / Manual and Detective / Preventive. Legend: Existing Control, Previous Control, Future (new) Control. Other labels: Improved Business Practices; Better Understanding of Costs]
Desired Control Portfolio
• Mostly automated controls that prevent anomalies from occurring or taking effect
• Anomalies’ effects (wasted money, time, effort) are never felt
• Reduce control costs by introducing cost-savings
• Help agencies better manage their risks of doing business
Move to Sustainability
Today
• Project oriented
• Viewed in isolation
• Managed disparately
• Separated from the flow of business
• Owned by compliance
• Manual and detective
What happens when?
• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
• Processes are outsourced
Tomorrow
• “The way we do business”
• Dynamic and action-oriented
• Integrated into processes
• Process and data centric
• Owned by the “business”
• Automated and preventive
The question: “How do we comply with A-123?”
Becomes…
“How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”
Summary
• Implementing an approach to ongoing compliance with a focus on
efforts to best use scarce resources can reduce compliance risk
and cost over time.
• High-level and detailed analyses of the controls portfolio can help
identify areas to enhance risk management, reduce compliance
costs, reprogram funds for mission needs, and improve
performance
• Transforming compliance will likely take many months or years
• During each step of transformation, seek to balance controls
improvements with improved business performance
• Alignment of people, processes, systems, risk and controls, along
with the appropriate tone at the top can help shape ongoing
compliance issues as opportunities rather than problems
Contact Information
Terry L. Carnahan, CGFM, CPA
Managing Director, KPMG LLP
McLean, VA Office
Phone: (703) 286-8560
E-mail: [email protected]
Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services
practice. He is responsible for, and involved in, internal control assessments of
Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan
worked for the District of Columbia Government, as well as for the U.S. Government
Accountability Office for over 20 years, where he directed and managed risk-based
audits of government programs and operations on various levels.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual
or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act
upon such information without appropriate professional advice after a thorough examination of the particular situation.