nashville final green book presentation (v3)
nashvilleaga.org/education/winter2016/nashville_final...

Upload: duongthuy

Post on 29-Aug-2018

1/12/2016

Standards for Internal Control in the Government

GAO’s Revised Green Book

Standards for Internal Control in the Federal Government

Internal Control through the Years

Why the Green Book?

Federal Managers’ Financial Integrity Act 31 USC 3512

GAO develops the internal control (IC) standards

OMB develops guidance for agencies to implement GAO IC standards

Consultation

OMB A-123

OMB A-127

OMB A-136

The “Green Book”

Agencies use GAO “Green Book” Guidance to design internal controls

Agencies issue IC implementation procedures

Agencies use OMB Guidance to conduct IC assessment

FMFIA compliance Report

Source: GAO analysis of the framework of the Federal Managers' Financial Integrity Act 31 USC 3512.

What’s in the Green Book for the Federal Government?

• Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA)

• Serves as a base for OMB Circular A-123

• Written for government

• Leverages the COSO Framework

• Uses government terms

What’s in Green Book for State and Local Governments?

• Is an acceptable framework for internal control on the state and local government level under OMB’s Uniform Guidance for Federal Awards

• Written for government

• Leverages the COSO Framework

• Uses government terms

OMB’s Uniform Guidance for Federal Awards

§ 200.303 Internal controls.

The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘‘Standards for Internal Control in the Federal Government’’ issued by the Comptroller General of the United States and the ‘‘Internal Control Integrated Framework’’, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

OMB’s Uniform Guidance for Federal Awards

§ 200.61 Internal controls.

Internal controls means a process, implemented by a non-Federal entity, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

(a) Effectiveness and efficiency of operations;

(b) Reliability of reporting for internal and external use; and

(c) Compliance with applicable laws and regulations.

What’s in the Green Book for Management and Auditors?

• Provides standards for management

• Provides criteria for auditors

• Can be used in conjunction with other standards, e.g. Yellow Book

Session Objective

1) Introduce revisions to GAO’s Green Book

Updated COSO Framework

Released May 14, 2013

The COSO Framework

• Relationship of Objectives and Components

• Direct relationship between objectives and the components

• COSO depicts the relationship in the form of a cube:

• Three objectives: columns

• Five components: rows

• Organizational structure: third dimension

Source: COSO

From COSO to Green Book: Harmonization

COSO

Green Book

Revision to the Green Book

What has not changed

• The fundamental concepts of internal control

• Three categories of objectives and five components of internal control

• Each of the five components of internal control is required for effective internal control

• Important role of judgment in designing, implementing and operating an internal control system and evaluating its effectiveness

What changed

• Expanded discussion on objectives: operations, reporting, and compliance

• More detail of requirements to help management better understand and implement the standards

• Discusses management evaluation of internal control

• Additional considerations that apply to all components of an internal control system

Revised Green Book: Overview

• Discuss the layout of the Green Book

• Explain fundamental concepts of internal control

• Address how components, principles, and attributes relate to an entity’s objectives

Revised Green Book: Standards for Internal Control in the Federal Government

Overview

Standards

Highlights Page

Facsimile Page

Fundamental Concepts

• What is internal control in Green Book?

• OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

• What is an internal control system in Green Book?

• OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.

Fundamental Concepts (cont.)

Put simply, internal control is a process to help entities achieve objectives.

Revised Green Book: The Components, Objectives, and Organizational Structure of Internal Control

Components, Principles, and Attributes

Achieve Objectives

Components

Principles

Attributes

Structure of the Green Book

Components and Principles

• In general, all components and principles are required for an effective internal control system

OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

Components and Principles (cont.)

COMPONENTS & PRINCIPLES = CRITERIA

Components and Principles (cont.)

Components and Principles (cont.)

Attributes

• Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles

OV2.07 excerpt: The Green Book contains additional information in the form of attributes. . . Attributes provide further explanation of the principle and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

Attributes (cont.)

• Attributes are relevant to the proper implementation of the Green Book, but are NOT requirements.

• How do you use attributes?

• Use attributes to provide context and describe how a principle was not met.

• Do not cite attributes as criteria. However, attributes can be used to support criteria by further explaining the principle requirements.

Control Environment

Control Environment – Red Flags

Examples that could indicate an internal control deficiency and require further analysis:

• Personnel do not understand what behavior is acceptable or unacceptable.

• Top management is unaware of actions taken at the lower level of the entity.

• It is difficult to determine the entities or individuals that have responsibility for programs or particular parts of a program.

• The entity’s structure is inefficient or dysfunctional.

• Management displays a lack of concern for internal control and is unresponsive to internal control deviations or recommendations to improve internal control.

Risk Assessment

Risk Assessment – Red Flags

Examples that could indicate an internal control deficiency and require further analysis:

• Management has not reassessed the risk related to recent major changes — for example, new responsibilities, reorganization, cuts in funding, and expansion of programs.

• The agency or program does not have well-defined objectives.

• The agency or program does not have adequate performance measures.

• Management has not considered previous issues with fraud, waste, or abuse in the agency’s risk assessment.

• The agency is unable to prioritize work appropriately.

• The agency is unaware of obstacles to its mission.

• The agency is not able to overcome obstacles to its mission efficiently or at all.

Control Activities

Control Activities – Red Flags

Examples that could indicate an internal control deficiency and require further analysis:

• Employees are unaware of policies and procedures, but do things the way “they have always been done.”

• Operating policies and procedures have not been developed or are outdated.

• Key documentation is often lacking or does not exist.

• Key steps in a process are not being performed.

• Personnel and management are uncertain why processes are being performed or how processes are related to and support program goals.

Information & Communication

Information and Communication – Red Flags

Examples that could indicate an internal control deficiency and require further analysis:

• When top management needs information, there is an excessive rush to assemble the information, or the process is handled through ad hoc mechanisms (e.g., the information was not readily available).

• Key information requests for basic information on the status of operations from external stakeholders (e.g., Congress or GAO) are difficult for the agency to respond to and require extra resources or special efforts.

• Management is using poor quality information or outdated information for making decisions.

• Staff are frustrated by requests for information because it is time-consuming and difficult to provide the information.

• Management does not have reasonable assurance that the information it is using is accurate.

• Personnel are unaware of separate communication lines for reporting confidential information.

Monitoring

Monitoring (cont.)

• Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. (16.01)

• The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

- Establishment of a Baseline

- Internal Control System Monitoring

- Evaluation of Results

Monitoring (cont.)

• Management should remediate identified internal control deficiencies on a timely basis. (17.01)

• The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

- Reporting of Issues

- Evaluation of Issues

- Corrective Actions

Monitoring – Red Flags

Examples that could indicate an internal control deficiency and require further analysis:

• Management does not evaluate a program on an ongoing basis.

• Significant problems exist in controls and management was not aware of those problems until a big problem occurred or until an outside party brought it to its attention.

• There are unresolved problems with the other components: control environment, risk assessment, control activities, and information and communications.

• Previously identified engagement findings are not being resolved adequately or timely.

• Management misses key deadlines and was not aware that it would not be able to meet deadlines.

Controls Across Components

Documentation requirements

Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. Green Book’s minimum documentation requirements are as follows:

• Management develops and maintains documentation of its internal control system. (3.09)

• Management documents in policies the internal control responsibilities of the organization. (12.02)

• Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (16.09)

• Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (17.05)

Documentation requirements (cont.)

• Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (17.06)

• If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (OV2.06)

- See pages 19-20 of the Green Book

Assessing Internal Control: Overview

• Assessing Internal Control

Yellow Book Requirements for Understanding and Assessing an Entity’s Internal Control

• Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives. (Yellow Book, Para. 6.16)

• For internal control that is significant within the context of the audit objectives, auditors should assess whether internal control has been properly designed and implemented and should perform procedures designed to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. (Yellow Book, Para. 6.16)

Engagement Planning

• Develop engagement objectives and determine whether engagement requires the consideration of internal control in the course of the engagement.

Planning and Design

• Obtain background information about the entity and program under review, including the entity’s objectives for the program, relevant risks associated with the program, and internal control to the extent relevant to the objectives and scope of the engagement.

• Obtaining background information helps auditors better identify and understand the entity objectives (operations, compliance, and reporting) to be evaluated.

• The background information obtained during planning can form the basis for obtaining an understanding of internal control when gathering evidence.

Helpful Hints for Obtaining an Understanding of Internal Control

Below is one possible approach for obtaining an understanding of internal control:

1. Obtain an understanding of internal control at the entity level for each of the five components of internal control.

2. If a specific program is being reviewed, obtain an understanding of internal control related to the program.

3. Document the obtained understanding of internal control at a level of detail that is sufficient for understanding the controls that are relevant to the engagement.

4. Identify the entity’s key controls that are relevant to the engagement.

Helpful Hints for Obtaining an Understanding of Internal Control (cont.)

• Auditors identify the key controls related to the entity’s objectives that are relevant to the engagement.

• Key controls often have one or both of the following characteristics:

• Their failure might materially affect the entity’s objectives, yet not reasonably be detected in a timely manner by other controls, and/or

• Their operation might prevent other control failures or detect such failures before they have an opportunity to become material to the entity’s objectives.

Case Study: Background

Congress passed the Bright Future of America Act (Act), authorizing the Department of Education to establish the Office of Promising Talent (Office) to support students in America from middle school through undergraduate school to improve academic performance in key areas of cultural, scientific, and economic studies. This Act requires that the Department of Education report to Congress 45 days after fiscal year-end on how the funds are being used. The Department of Education will provide only limited oversight to the Office, and the Office’s appropriations will be a separate line item on the department’s annual budget request to Congress.

Case Study (cont.)

Office Strategic Goal:

• Support students in America from middle school through undergraduate school to improve academic performance in key areas of cultural, scientific, and economic studies.

Office Objective:

• Establish a grant program that sponsors academic competitions in key educational areas to encourage educational achievement.

Case Study (cont.)

Auditor understanding of an application review process

Helpful Hints for Obtaining an Understanding of Internal Control (cont.)

Below are some examples of documentation to:

• Obtain from the entity:

• Entity-level control documentation

• Policies and procedures

• Documents or records that support the processes and controls (e.g., flowcharts, memorandums, spreadsheets)

• Responses to questionnaires concerning controls

• Prepare:

• Narratives (e.g., Record of Inspection/Observation, Record of Interview)

• Tables

• Flowcharts

Evidence Gathering and Analysis

Assessing Internal Control

Evaluating Design of Internal Control

• When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. (Para. OV3.05)

• A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. (Para. OV3.05)

• There is no need to determine implementation if a control is not effectively designed.

Helpful Hints for Evaluating Design of Internal Control

One possible approach for evaluating the design of internal control is to perform the following steps:

1. Select the internal controls to evaluate for each entity objective being reviewed.

2. Individually evaluate the design of each selected control to determine whether the control, if operating as designed, is capable of achieving the entity objective and addressing related risks.

3. Consider the individual control evaluations and evaluate the design of the controls in the aggregate to determine whether the controls, if operating as designed, are capable of achieving the entity objectives and addressing related risks.

4. Document the evaluation of the design of the entity’s internal control, including the conclusion on the design effectiveness and any deficiencies identified.

Determining Implementation and Testing Operating Effectiveness of Internal Control

• Determining implementation of controls is verifying the existence of design of controls by obtaining evidence.

• A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. (Para. OV3.05)

• In evaluating operating effectiveness of controls, management [or auditor] determines if controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. (Para. OV3.06)

• A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. (Para. OV3.06)

Summary of Internal Control Assessments

• Evaluating design of controls will not allow you to conclude on internal controls beyond the point of design.

• Determining implementation of controls does not provide assurance for a time period of effectiveness. It provides assurance of effective implementation for a point in time when you reviewed documentation (e.g., on March 31, 2016).

• A control cannot be effectively operating if it was not effectively designed and implemented. (Para. OV3.06)

Significance of Internal Control Deficiencies

• Evaluate the significance of a deficiency by considering the magnitude of impact, likelihood of occurrence, and nature of the deficiency. (Para. OV3.08)

• Significance refers to the relative importance of a deficiency to the entity achieving a defined objective. (Para. OV3.08)

• Deficiencies are evaluated both on an individual basis and in the aggregate. (Para. OV3.09)

• Auditors' professional judgment is used in the evaluation.

Product Development and Distribution

Auditors should include in the audit report (Yellow Book, Para. 7.19):

• the scope of their work on internal control and

• any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed.

Product Development and Distribution (cont.)

• In a performance audit, auditors may conclude that identified internal control deficiencies are the cause of deficient performance of the program or operations being audited. In reporting this type of finding, the internal control deficiency would be described as the cause. (Yellow Book, Para. 7.20)

• If the agency responds to draft report findings with mitigating controls, the auditor may evaluate whether the controls mitigate the identified deficiencies.

Green Book and Yellow Book

• Condition

• Criteria

• Cause

• Effect

Where to Find Us

• The Green Book is available on GAO’s website at:

www.gao.gov/greenbook

• For technical assistance, contact us at:

[email protected]

• Chari Nash-Cannaday, Senior Auditor, GAO, [email protected], 202-512-4666

Thank You

Questions?
