Download - Monitoring Internal Controls for ICOs
![Page 1: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/1.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Monitoring Internal Controls for ICOs
Presented to the Financial Management Advisory Committee
September 28, 2017Scott DeViney, CPA
![Page 2: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/2.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
By the end of the class, we want to answer three questions:
1. What is monitoring?
2. How does monitoring affect audits?
3. How to start developing a monitoring plan?
Learning objectives
![Page 3: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/3.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 3
16. Checking that controls are working.17. Timely follow-up on control
deficiencies.
What is monitoring?
![Page 4: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/4.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 4
SAAM 20.28
![Page 5: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/5.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Line Staff & Supervisors
(E)
Agency Management
(D)
ICO & Internal
Audit
(C & F)
Independent Audit
1st Line
2nd Line
3rd Line
Diagram adapted from IIA Position Paper: The Three Lines of Defense in in Effective Risk Management and Control
Our audits are not “monitoring”
(G)
Governance(A & B)
![Page 6: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/6.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 6
Monitoring keeps systems on track. Counteracts expected breakdown and
obsolesce of controls over time
Provides resilience by fixing small control failures before they become bigger
Providing opportunities to evaluate and improve controls
Why monitoring is an essential element of control
Maintenance
![Page 7: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/7.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 7
Why monitoring is an essential element of control
U.S. Government Accountability Office (2014). Standards for Internal Control in the Federal Government, p. 64
![Page 8: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/8.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
“Internal audit” reviews by independent, knowledgeable people
Independent reviews of summary reports, reconciliation proofs or other documents that demonstrate performance
Dashboards
Performance measures
Standing / periodic meetings (“status reports”)
Periodic surveys
What does monitoring look like?
![Page 9: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/9.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 9
What does monitoring look like?
![Page 10: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/10.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 10
What does monitoring look like?
Control Activity Monitoring
AFRS reconciliations and secondary review of supporting details by accounting staff
Independent review of a summary of all 27 reconciliations and year-end results and follow-up on any that are outside of tolerances.
Program change controls overupdating a software calculation
Independent review of documentation of the test calculations and rate table
Supervisory review of employees Management review and follow-up on performance measures
![Page 11: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/11.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 11
Performance auditsCAFR Audit
Accountability audits
Statewide Single Audit
How monitoring affects audits
![Page 12: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/12.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
PLANNING
Evaluate 23 factors
PLANNING
12
Like before, planning financial, single audit and accountability audits will consider agency monitoring:
Will SAAM 20 updates change our audits? NO
REPORT
18 other factors+
Agency-level controls(Control Environment, Info
/ Communications, Risk Assessment, Monitoring)
TESTING
![Page 13: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/13.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Documented plan for monitoring to meet SAAM 20?
If Yes, has plan been sufficiently followed? Consider:
Extent of coverage compared to assessed risk
Actual vs planned coverage
Coverage of high risk areas
If Yes, is planned monitoring relevant to audit objective?
How auditors evaluate monitoring
13
![Page 14: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/14.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
If Yes, does monitoring plan appear effective? Consider:
Are plan and results sufficiently summarized to allow for analysis?
Is plan aligned with most recent risk assessment?
Does plan ensure high risk areas are reviewed adequately and timely?
Does plan include sufficient testing of program change controls, user access controls and key edit checks, calculations or exception reports for significant systems as applicable?
Are identified weaknesses or issues corrected or developed as corrective action plans or recommendations?
Advice: If applicable, synchronize with annual internal audit work plan (IPPF 2010).
How auditors evaluate monitoring
14
![Page 15: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/15.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Annual summary of monitoring activity and results documented? Summary should include:
List of monitoring activity and results (showing extent of achievement of work plan)
List of recommendations / identified weaknesses
Status of responses or corrective action from current and prior periods.
Presented to executive management?
Advice: If applicable, synchronize with internal audit reporting (IPPF 2020 and 2060).
How auditors evaluate monitoring
15
![Page 16: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/16.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
What if one of these items is a “no”?
If nothing: non-compliance with SAAM
Higher overall risk
May contribute to specific risks
Note: audit recommendations are for “where you’re at”
How will auditors use agency risk assessment and monitoring?
1. Factor in determining level of audit work needed
2. Identify areas of higher and lower risk
3. Audit may rely on internal work if AU-C 610 requirements are met
Effect on the audit
16
![Page 17: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/17.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Effect on the audit
Compliance with SAAM 20
All elements and principles working effectively together.
Recommendations: Comply
Recommendations: improve control effectiveness
AGENCY’S PROGRESS AUDIT PROGRESS
More valuable audit (clearly aligned to agency risks)
Less audit issues
Lower likelihoodand magnitude of issues
Lower risk agency(less audit work needed)
Less surprises
17
![Page 18: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/18.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 18
"Don't do nothing just because you can't do everything." ~ Colleen Patrick-Goudreau
How to start developing a monitoring plan?
![Page 19: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/19.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
(IPPF 2120.A1 and 2130.A1)
Develop separate or distinguishable plans by objective
19
![Page 20: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/20.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 20
Start at the Agency-wide Level
Start here
Progress to detailed levels
![Page 21: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/21.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 21
Plan to monitor over a period of time
SAAM 20.15.30.a
![Page 22: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/22.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 22
Save space in your plans for hot topics
Core areas
Cycled areas
Hot Topics
Critical controls (high impact to agency) needing annual or biennial review
Lower impact risks on 4-6 year rotation, based on risk assessment
Based on risk assessment, external feedback or alignment with other agency initiatives
![Page 23: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/23.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r 23
Required GL reconciliations
For key automated calculations, confirming rate tables when they change and testing calculations
For key service organizations, reviewing SOC reports and making sure corresponding user agency controls are in place
Example considerations for Financial Reporting
![Page 24: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/24.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
1. Should be interesting and useful:
Process and format useful to executive management
Process and format useful to dept and staff
Integrated with process improvements, performance measures, dashboards, staff evaluations and other regular activities
2. Should result in kudos and corrections.
3. Should eventually reduce audit issues to within tolerances. Audits provide valuable feedback on effectiveness of monitoring.
24
Development considerations to make monitoring effective
![Page 25: Monitoring Internal Controls for ICOs](https://reader030.vdocuments.mx/reader030/viewer/2022012506/618138c1757ff56a365afa1d/html5/thumbnails/25.jpg)
O f f i c e o f t h e W a s h i n g t o n S t a t e A u d i t o r
Monitoring is the maintenance elementto counteract expected breakdown and obsolesce of controls over time.
Processes should be useful and insightful to management and the governing body.
25
Murphy’s Law and other reasons why things go wrongby Arthur Bloch © 1979
“Everything put together falls apart sooner or later”
In Conclusion