1

HHS Webinar

Internal Controls and You:How Internal Controls Can Improve and Protect Your Energy Assistance Program

John M. Harvanko, DirectorOffice of Energy Assistance Programs

State of MinnesotaJohn.harvanko@state.mn.us

March 10, 2011

2

Presentation Intentions To introduce how internal controls are a means of being

more effective, efficient, and address integrity concerns Promote LIHEAP adoption of Internal Controls

Framework (ICF) as a means to improvement and mitigate program risk

by Explaining “why” internal controls? Describing “what” ICF is Showing examples of “how” Minnesota did it

3

Why Internal Controls? All funds need good controls Being good stewards of taxpayer’s funds Minnesota Office of Legislative Auditor (OLA)– Three years of “No Findings” for EAP

OLA is requiring the development of an Internal Control Framework

National movement toward Internal Controls (aka COSO) including from the GAO

Why ICF

4

Pennsylvania

Why ICF

5

Internal Controls?GAO (Government Accounting Office)HHS efforts (this webinar, National Conferences, other) The Committee of Sponsoring Organizations (COSO)State or Local requirements

Why ICF

6

Minnesota Office of the Legislative AuditorAudit Issues Significant weaknesses in common internal control concepts.

• Opportunities for fraud• Common areas of noncompliance

Emerging Issue – Internal Control Maturity• Assessing how well an agency identifies its risks, whether it

documents and assigns its control procedures, and how it monitors the performance and effectiveness of the procedures.

Why ICF

7

Tone at the TopAgency management has the primary responsibility to design, implement, and maintain an effective internal control system. This goes from: Governor Commissioner Deputy Commissioner Program Director Service Provider Executive Directors EAP Coordinator

Why ICF

8

Tone at the Top (continued)

Management shapes an organization's guiding values, disciplined business conduct, and operating policies forming the foundation of an agency's internal control structure.

Why ICF

9

State Directive

Internal control procedures over financial management activities,

An analysis of relevant risks, Periodic evaluation of these control procedures

Agency head must develop a plan for establishing, implementing and maintaining an effective internal control system. This plan at a minimum requires documentation of:

To satisfy management that these procedures are adequately designed, properly implemented, and functioning effectively.

Why ICF

10

EAP & ICF Why does EAP have a ICF?

• MN OLA required EAP to have or have a Audit finding• EAP took the “opportunity” to analyze and assess it’s existing

business processes & controls & placed into ICF framework What does existing program components, effort definitions,

implementation plans and policies mean?• Asked how existing documents equated to internal controls• Incorporated existing documents into the ICF• Organized structure identified strengths and weaknesses• ICF is a evolving, living document EAP will be advancing in

the coming year and maintain going forward

Why ICF

11

Internal Control Framework (ICF)What is ICF?How does it affect EAP?

What is ICF

12

What is ICF? The Framework is used assess the Internal Control Competency to determine how well an organization: Identifies its risks Whether it documents and assigns its control

procedures, and How it monitors the performance and effectiveness

of the procedures

What is ICF

13

Internal Controls Some pieces most likely already exist in your office

and program operations (incrementally without regard to ICF)

ICF provided the framework allowing these pieces to fit together

You can (and should) incorporate ICF into any Local Plans, staff meetings, any training, and specially all aspects of monitoring

What is ICF

14

ICF outlines criteria EAP uses to:Frames State Office Operations Management approach

Determine competent Service ProvidersContract with Local Plans that include ICF

Monitor and evaluate program performance Field Monitoring, Routine review, Ad Hoc Review

Build the competency of the SPs Training, Support, Corrective Action and T&TA

What is ICF

15

Frames within Framework (ICF) Federal & State Controls

• Rules and fiscal practices• GAO, HHS, OLA, MMB

Department of Commerce • Mission & Fiscal Control

EAP State Office• Program Policy & Procedure Requirement• Risk and quality controls• Fiscal allocation and auditing• Monitoring• T&TA

EAP Service Providers• Execute Program mission• Implementation of policies and procedures with a quality

control environment• Manage SP specific risks

What is ICF

16

Internal Control DefinitionDefines internal control as a process, effected by individuals within an organization, designed to provide reasonable assurance regarding the achievement of these objectives:

1. Effectiveness and efficiency of operations,2. Reliability of financial reporting, and 3. Compliance with applicable laws & regulations

What is ICF

17

ICF Structure

1. Control Environment2. Risk Assessment & Management3. Control Activities4. Information & Communication5. Monitoring

The three objectives are supported by the framework. The Framework, is comprised of five interrelated components that can react dynamically to changing conditions:

What is ICF

18

EAP Specific Control Examples1. Environment (or Leadership or Tone at the Top)

Ex: EAP Service Provider’s (SP) leadership supports mission, structure and staffing to effectively process EAP Applications and delivers energy assistance

2. Risk Assessment and ManagementEx: SP has and is aware of Disaster Plan so in case of flood or fire the harm to households reduce.

3. Control ActivitiesEx: SP understands, collects & maintains income documentation as a control the services reach the intended households. SP has proper segregation of duties for payment certification

4. Information and CommunicationEx: SP makes policy & procedural Information is available to agency fiscal staff, mechanical contractors, vendors etc. to enable the program mission and controls to be consistently performed

5. MonitoringEx: SP monitors timeliness of application processing and improves processes when possible

What is ICF

19

1. Control Environment “Tone at the top" is set & demonstrated by an

organization leader's actions & words It is the foundation for all other components of

internal control. It encompasses: • Integrity, ethical values & competence of all people in

an organization • Management's philosophy & style • How management assigns authority, responsibility

and organizes and develops its people• The attention & direction executive leadership

provides

What is ICF

20

ICF Implementations1. Control Environment Local Plan, contracts establish documented understanding of ICF competencies SP connects Business Strategy Model (BSM) & SP Mission EAP Manual is use to guide SP policy and procedures development SP participates in EAP management methodology

• Understands and adopts administrative policies and procedures documentation Service Providers participates in EAP training and trains staff to:

• Promotes program compliance and consistency• Shares common mission, intention, goals, values and approach to program delivery• Assure policies are understood

How ICF

21

2. Risk Management Involves the identification and analysis of

relevant risks to achieve desired objectives In the risk assessment process, management

identifies:• Internal and external risks • Assesses the impact and the likelihood these risks

might occur • Selects whether to avoid, reduce, share, or accept

various risks• Considers controls to mitigate risk or to contain it to

an acceptable level

How ICF

22

ICF Implementations2. Risk Management (Risk assessment & Mitigation)

SP conduct risk assessment & mitigation activities State and SP conduct oversight activities including:

• Data, file and other checks• Data & Technology practices

SP make a maintain disaster plans SP designs processes with proper segregation of duty in key areas SP uses incident reporting process SP uses error & fraud processes

How ICF

23

3. Control Activities Consists of policies & procedures to help ensure management

directives are carried out Control activities occur throughout the organization at all

levels in all functions.

How ICF

24

ICF Implementations3. Control Environment SP processes have approvals & authorizations for benefit

determination & payments• Separation of incompatible duties

SP conducts analytical procedures like quality controls including timely service

SP conduct and support verifications like: • Income eligibility and documentation• vendor registration & sound payment process• Household check points:

– Benefit notification to assure accountability of service delivery – Appeals and compliant process

SP conducts reconciliations of funds Reviews of operating performance SP assures security of assets

How ICF

25

4. Information & Communication Addresses how an organization identifies, captures &

communicates pertinent information in a timely manner to the right people to enable them to carry out their responsibilities

Information systems within the organization are key to this element of internal control

Internal information, and external events, activities & conditions must be communicated to enable management to make informed business decisions and employees to perform their assigned duties

How ICF

26

ICF Implementations4. Communication & Information SP has communication plan for dissemination of program information SP has routines like meetings to inform staff and partners SP conducts appropriate and effective outreach SP retains information overtime SP is up to date with routine EAP communication

How ICF

27

5. Monitoring Are activities to evaluate whether components of the internal

control system are operating effectively Is performed by management and supervisors sometimes with

internal auditors on a continuous or periodic basis Includes identified internal control deficiencies being reported

to top management and remedied in a timely manner with appropriate corrective actions

Is periodic follow-up on corrective actions taken to ensure control weaknesses are strengthened and no longer exist

How ICF

28

ICF Implementations5. Monitoring SP and DOC conduct routine oversight and monitoring designed to facilitate:

• Staff review of data for quality and performance controls • Review financial transactions

Onsite Monitoring including State Monitors• Formal and observational assessment including random file selection • Fiscal and audit requirements

DOC is working with the Minnesota Office of the Legislative Auditor (OLA) and implementing recommendations and suggestions and SPs will help develop and implement improvements

How ICF

29

Our Responsibility Advance our understanding ICF Understand how existing EAP controls fit ICF Continue to implement new ICF activities Strengthening controls when weaknesses are detected Providing adequate supervision necessary to ensure internal

controls are operating effectively as designed Obtain information & training on internal controls for ourselves

and staff, necessary to meaningfully take responsibility for internal controls

FFY2010 EAP Manual Chapters 1 & 3 have ICF integration

How ICF

30

Q & A