TRANSCRIPT
5/4/2015
AGA Gulf Region PDT
COSO and the Green Book: An Enhanced Internal Control
Framework
Isabelle Dikland, Director, MorganFranklin Consulting
Timothy Grace, Director, MorganFranklin Consulting
May 6, 2015
© MorganFranklin Consulting, LLC. All Rights Reserved.
Agenda
• Introductions
• Background
• Green Book Revisions
• Internal Control Overview
• Standards
• Documentation Requirements
• Service Organizations
• Questions and Answers
• Resources
Background: GAO Green Book
The Government Accountability Office (GAO) is required to issue standards for internal control in the government
• Standards for Internal Control in the Federal Government (“The Green Book”) – November 1999
o Reflects federal internal control standards required for the Federal Managers’ Financial Integrity Act (FMFIA)
o Serves as a base for OMB Circular No. A-123
o Leverages private sector guidance issued by the Committee of Sponsoring Organizations (COSO), the 1992 COSO Framework
[Figure: timeline, 1983 to present]
Background: Updated COSO Framework
• Released May 14, 2013
• Relationship of Objectives and Components
o Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
• COSO cube
o Three objectives represented by columns
o Five components represented by rows
o Entity’s organization structure is represented by the third dimension
Revisions - From COSO to The Green Book
[Figure: 2013 COSO Framework Update leading to the 2013/2014 Green Book Revision]
Green Book: Reasons for Revisions
Updated Green Book Issued September 2014
Green Book: Revision Process
1. GAO performs preliminary revision
2. Green Book Advisory Council, comprised of members from the following entities:
• Federal agency management (nominated by OMB)
• Inspector general
• State and Local Government
• Private Sector
• Academia
• Independent public accounting firms
3. Exposure Draft distributed for review and comment by the Public
4. Comment Period can be extended if a significant volume of salient comments is received. For the most recent version:
• 43 comment letters resulting in 527 comments
• Major themes of comments
o Clarification of requirements
o Definition of key terms
o Applicability to state, local, and not-for-profit organizations
o Documentation requirements
o Editorial suggestions
5. Revisions are not an ad hoc process but a deliberative one
6. Final Green Book issued September 2014
Green Book: What did / did not Change?
What Did NOT Change
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing and operating an internal control system and evaluating its effectiveness
What Did Change
• Changes in operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying the five components articulated as principles
• Additional consideration given to operations, compliance, and non-financial reporting objectives
Green Book Revision: Standards for Internal Control in the Federal Government
[Figure: Standards and Overview]
Overview: Fundamental Concepts
What is Internal Control?
• “Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the organization. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps federal managers achieve desired results through effective stewardship of public resources.”
What is an Internal Control System?
• “An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable, not absolute assurance, that an organization’s objectives will be achieved.”
• Emphasis on reasonable assurance and flexibility in achieving it.
Overview: Establishing an Internal Control System
• All components, principles, and attributes are relevant for an effective internal control system
• 5 Components
• Entity should implement relevant principles
• Attributes contribute to the design, implementation, and operating effectiveness of principles
[Figure: hierarchy of Control Objectives, Components, Principles, Attributes]
Overview: Evaluation of an Internal Control System
Framework to Evaluate an Internal Control System
• An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:
o Effectively designed, implemented, and operating
o Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is unlikely to be effective if its related principles are not effective
[Figure: Attributes, Principles, Components]
Standards: Objectives, Components, and Principles
[Figure: Objectives; Components, each with Principles and Attributes]
Standards: Objectives
1. Operations – Effectiveness and Efficiency of Operations
2. Reporting – Reliability of Reporting for Internal and External Use
• External Financial Reporting Objectives (e.g., Agency Financial Report)
• External Nonfinancial Reporting Objectives (e.g., Management Assurance Statement)
• Internal Financial and Nonfinancial Reporting Objectives (e.g., Reporting on Aging of Receivables (financial), Staffing Reports (nonfinancial))
3. Compliance – Compliance with Applicable Laws and Regulations
Safeguarding of Assets
• Subset of the 3 categories of objectives
• Prevention or prompt detection of unauthorized acquisition, use, or disposition of an entity’s assets
Standards: Five Components and Seventeen Principles
Standards: Control Environment – Principles and Attributes
1. Commitment to integrity and ethical values
• Tone at the top
• Establishment of standards of conduct
• Evaluate adherence to standards of conduct
2. Exercise oversight responsibility
• Establish oversight structure
• Provide oversight for internal control system
• Provide input for remediation of deficiencies
3. Establish structure, authority, and responsibility
• Establish organizational structure
• Assign responsibility and delegate authority
• Document internal control system
4. Demonstrate commitment to competence
• Establish expectations of competence
• Attract, develop, and retain individuals
• Plan and prepare for succession
5. Enforce accountability
• Enforce accountability for performance of internal control responsibilities
• Consider excessive pressures
Standards: Risk Assessment – Principles and Attributes
6. Define objectives and risk tolerances
• Define objectives in specific and measurable terms
• Define risk tolerances for objectives
7. Identify, analyze, and respond to risk
• Identify risks throughout the entity
• Analyze risks to estimate their significance
• Design risk responses
8. Assess fraud risk
• Consider types of fraud
• Consider fraud risk factors
• Respond to fraud risks
9. Identify, analyze and respond to change
• Identify changes that could significantly impact the entity’s internal control system
• Analyze and respond to identified changes
Standards: Control Activities – Principles and Attributes
10. Design control activities
• Respond to objectives and risks
• Design the types of control activities
• Design control activities at various levels
• Consider segregation of duties
11. Design activities for the information system
• Design the entity’s information system
• Design appropriate types of control activities
• Design the information technology infrastructure
• Design security management
• Design IT acquisition, development, and maintenance
12. Implement Control Activities
• Document responsibilities through policies
• Periodically review control activities to determine continued relevance, redesign when necessary, and communicate as appropriate
Standards: Information and Communication – Principles and Attributes
13. Use quality information
• Identify information requirements
• Obtain relevant data from reliable sources
• Process data into quality information
14. Communicate internally
• Communicate quality information throughout the entity using established reporting lines
• Select appropriate methods of communication
15. Communicate externally
• Communicate with external parties using established reporting lines
• Select appropriate methods of communication
Standards: Monitoring – Principles and Attributes
16. Perform Monitoring Activities
• Establish a baseline for monitoring the internal control system
• Monitor the internal control system through ongoing monitoring and separate evaluations
• Evaluate and document the results
17. Remediate Deficiencies
• Report internal control issues to appropriate parties on a timely basis
• Evaluate and document internal control issues and determine corrective action approach
• Complete and document corrective actions to remediate internal control deficiencies
Standards: Component, Principle, Attribute
Standards: Principle can be effected by controls in other components
Principle/Attribute: Specified Documentation Requirements
• Management must determine the level of documentation needed to assess the effectiveness of internal control
• Documentation is essential – it enables monitoring and enables the assurance process
• Green Book specifies the minimum level of documentation required for an entity’s internal control system:
o Control Environment: 3.12 – Management should develop and maintain documentation of its internal control system
o Control Activities: 12.03 – Management should document in policies the internal control responsibilities of the organization
o Monitoring: 16.12 – Management should evaluate and document the results of ongoing monitoring and separate evaluations to identify internal control issues
o Monitoring: 17.07 – Management should evaluate and document internal control issues and determine appropriate corrective actions for internal control deficiencies on a timely basis
o Monitoring: 17.09 – Management should complete and document corrective actions and remediate internal control deficiencies on a timely basis
Additional Consideration: Service Organizations
• Service Organizations are external parties that perform certain operational processes for the department/agency
• Management retains responsibility for the performance of processes aligned to service organizations
• Management needs to understand the controls each service organization has designed, implemented, and operates, and how the service organization’s internal control system impacts the entity’s internal control system
• Management considerations for the determination of the extent of oversight controls required:
o Controls identified by auditors
o Nature of services outsourced
o Service organization’s standard of conduct
o Magnitude and level of complexity of entity’s operations
o Availability and content of SSAE16 Report
Components Operating Together in an Integrated Manner
An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:
• Effectively designed, implemented, and operating
• Operating together in an integrated manner
Key Resources for Additional Information
• GAO Green Book Page: http://www.gao.gov/assets/670/665712.pdf
o Green Book Issued September 2014
• COSO: http://www.coso.org/
o 2013 Framework Executive Summary
o Thought Leadership Papers
About MorganFranklin
MorganFranklin is an execution-oriented business consulting and technology solutions company. We deliver financial management, performance improvement, and technology enablement solutions to industry and government clients.
Business Facts
• Founded in 1998
• Headquartered in Washington, D.C.
• National presence and international reach
• Diverse full-time workforce comprised of industry, global consulting, Big Four, and government professionals
• Technical excellence: CPA, CIA, CISA, CISSP, MCSE, RCDD, MBA, Ph.D., PMP
• Fast access to a powerful network of trusted partners with solid industry experience
• Unique blend of industry and government clients
• Industry recognition as a top consulting firm in the U.S.
• Recognized for industry-leading workplace best practices
Questions & Answers