agenda - aga, baltimore...

Upload: hoangnhan

Post on 25-Jun-2018

Agenda

• Environment and context

• GAO Green Book

• OMB Circular A-123

• KPMG's 10 critical implementation elements


The environment

• Uncertainty = certainty

• Crucial juncture

• Organizational and cultural challenges


The context: Federal Managers' Financial Integrity Act of 1982 (FMFIA)

• Public Law 97-255, September 8, 1982

• Broad application across the enterprise

• Required annual reporting

• GAO Standards for Internal Control in the Federal Government (Green Book)

• Assessment and reporting requirements in OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control


Fundamental Green Book concepts

• "Internal control is a process effected by an entity's oversight body, management and personnel that provides reasonable assurance that the objectives of an entity will be achieved."

• "An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved."

• "Internal control is a process to help achieve objectives."

Source: GAO-14-704G, September 10, 2014


Significant Green Book changes

• September 2014 GAO Green Book*

- 17 new principles aligned to the five internal control components

• 2013 COSO update to its Internal Control- Integrated Framework

- Attributes explaining each principle

- 20 to 80 pages

- Principle 8: "Management should consider the potential for fraud when identifying, analyzing, and responding to risks."

• GAO's "A Framework for Managing Fraud Risks in Federal Programs"**

*See http://www.gao.gov/greenbook/overview

**See http://www.gao.gov/products/GAO-15-593SP, July 28, 2015


Green Book components and principles

Components (5)

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring

Principles (17)

1. Demonstrate Commitment to Integrity and Ethical Values
2. Exercise Oversight Responsibility
3. Establish Structure, Responsibility, and Authority
4. Demonstrate Commitment to Competence
5. Enforce Accountability

6. Define Objectives and Risk Tolerances
7. Identify, Analyze, and Respond to Risk
8. Assess Fraud Risk
9. Analyze and Respond to Change

10. Design Control Activities
11. Design Activities for the Information System
12. Implement Control Activities

13. Use Quality Information
14. Communicate Internally
15. Communicate Externally

16. Perform Monitoring Activities
17. Remediate Deficiencies


Objective

To "modernize existing efforts by requiring agencies to implement an Enterprise Risk Management (ERM) capability coordinated with the strategic planning and strategic review process established by GPRAMA and the internal control framework required by FMFIA and Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions toward key risks."

Source: Transmittal to OMB Circular A-123, July 15, 2016


ERM definition

"ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate efforts towards key points of failure and reduce or eliminate the potential for disruptive events. ... Risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organization's goals and objectives. ... ERM is an effective Agency-wide approach to assessing the full spectrum of the organization's external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than by addressing risks only within silos."

Source: OMB Circular A-123


OMB ERM model (figure)


OMB Circular A-123 in a nutshell

• Introduces guidance on ERM and its application

• Links ERM to GPRAMA and OMB Circular A-11, Part 6, sections 230 and 270.24 to 270.28

• Adopts concepts and guidelines included in COSO's Internal Control-Integrated Framework

• Describes the relationship between ERM and internal control

• Provides Green Book implementation guidance

• Encourages establishment of a Risk Management Council (RMC)

• Establishes minimum requirements for corrective action plans

• Requires risk-based reporting, balancing emphasis between operations, reporting, and compliance

• Increases focus on fraud risk management


Creating an enterprise-level risk profile

Provides agency discretion as to content and format, while including general risk profile components:

• Identification of objectives

• Identification of risks

• Inherent risk assessment

• Risk response

• Residual risk assessment

• Proposed action

• Proposed action category

Source: OMB Circular A-123


OMB Circular A-123 implementation deadlines

Due date (no later than): As soon as practicable, prior to June 2017

Description: Agencies are encouraged (not required) to develop an approach to implement ERM, which may include (1) planned risk management governance structure, (2) process for considering risk appetite and risk tolerance levels, (3) methodology for developing a risk profile, and (4) general implementation time line and plan for maturing the comprehensiveness and quality of the risk profiles over time.

Deliverable: Initial Risk Profile

Due date (no later than): June 2, 2017

Description: Agencies must complete initial risk profiles in coordination with the agency Strategic Reviews. Key findings should be made available for discussion with OMB by June 2, 2017 as part of strategic review meetings under Circular A-11 and GPRAMA and will inform the development of each agency's new strategic plan and the President's FY 2019 Budget.

Due date (no later than): September 15, 2017

Description: For risks for which formal internal controls have been identified as part of the Initial Risk Profile in FY 2017, all agencies must present assurances on internal control processes in the FY 2017 Agency Financial Report (AFR) or the Performance and Accountability Report (PAR), along with a report on identified material weaknesses and corrective actions.

Due date (no later than): Annually by June 3

Description: No less than annually, all agencies must prepare a complete risk profile and include required risk components and elements. CFO Act agencies, at a minimum, must complete risk profiles in coordination with their strategic review meetings, with key findings made available for discussion with OMB by June 3rd. The Risk Profile will help to inform changes to strategy, policy, operations, and the President's Budget.


On the horizon: Appendix A update

Internal Control over Financial Reporting


Federal ERM Playbook

Developed and issued in collaboration with Federal Government organizations to provide guidance and support for ERM

• United States Chief Financial Officers Council (CFO Council)

• Performance Improvement Council (PIC)


KPMG's 10 critical implementation elements

1. Establish clear top management ownership

• Is top management fully invested, so that its commitment permeates throughout the organization and becomes embedded in the culture?

• Does top management instead view this as an unfunded mandate or new compliance exercise that is owned by the CFO and/or IG?

• Does top management agree in concept with the value but have higher priorities and is not willing to invest the time and effort?

• Or do the changes to Circular A-123 and the Green Book not even make it to top management's radar screen?


2. Appoint a CRO

• Powerful signal

• A facilitator

• Adequately empowered, with sufficient capabilities and resources


3. Establish the risk appetite

• Risk appetite: "The broad-based amount of risk an organization is willing to accept in pursuit of its mission/vision. It is established by the organization's most senior level leadership and serves as a guidepost to set strategy and select objectives."

• Risk tolerance: "The acceptable level of variance in performance relative to the achievement of objectives. It is generally established at the program, objective, or component level. In setting risk tolerance levels, management considers the relative importance of the related objectives and aligns risk tolerance with risk appetite."

Source: OMB Circular A-123


4. Incorporate ERM in strategic planning

• Links ERM with GPRAMA and OMB Circular A-11, Preparation, Submission, and Execution of the Budget

• Means of communicating top management priorities

• Reinforces ERM as integral to programs and operations

• Helps identify and break down organizational barriers

• A step to embedding ERM in normal business processes


5. Include ERM in the governance process

• Clear roles and responsibilities

• Well-designed policies and procedures

• Fact-based trade-offs

• Documenting key judgments

• Accountability and transparency

• Oversight and monitoring

• Education

• Open communication

• Continuous reevaluation

• Customer and stakeholder involvement

• Partnership with the IG

• ERM maturity models


6. Embed fraud risk management in ERM

• Green Book principle 8: "Management should consider the potential for fraud when identifying, analyzing, and responding to risks."

• GAO's "A Framework for Managing Fraud Risks in Federal Programs," July 2015

• OMB Circular A-123: adherence with the leading practices in the GAO Fraud Risk Framework

• Fraud Reduction and Data Analytics Act of 2015 (Public Law 114-186, June 30, 2016)


7. Identify risks and mitigation actions

• Not starting from scratch

• Management/stakeholder interviews/facilitated sessions

- Risk objectives and context

- Initial risk identification - inherent risk

- Adequacy of current risk response

- Residual risk

- Risk ranking - impact and likelihood

- Development of a heat map

- Proposed action (accept, avoid, reduce, and/or share)

• Maintain as a living document
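The risk profile components listed under "Creating an enterprise-level risk profile" and the interview-driven steps above (inherent risk, adequacy of current response, residual risk, ranking by impact and likelihood, heat map, proposed action) map naturally onto a small risk register. The following is an added example, not code from KPMG, OMB or GAO: it assumes 5-point likelihood and impact scales, a product scoring rule, a review threshold for accepted risks, and a handful of constructed sample risks, none of which appear on the slides. It ranks the profile by residual score, lays the residual ratings out on a heat map, and flags entries whose recorded response does not hold up against the "adequacy of current risk response" question.

```python
"""Minimal enterprise risk profile: inherent/residual scoring, ranking, heat map.

Added example; not KPMG's, OMB's or GAO's code. The 5-point scales, the
product scoring rule, the review threshold and the sample risks are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTION_CATEGORIES = ("accept", "avoid", "reduce", "share")  # as on the slide
SCALE_MAX = 5                 # assumed 1..5 scale for likelihood and impact
ACCEPT_REVIEW_THRESHOLD = 15  # assumed: accepted risks at/above this need sign-off


@dataclass
class Risk:
    risk_id: str
    objective: str            # identification of objectives
    description: str          # identification of risks
    inherent_likelihood: int  # inherent risk assessment
    inherent_impact: int
    current_response: str     # existing risk response (may be empty)
    residual_likelihood: int  # residual risk assessment
    residual_impact: int
    proposed_action: str
    action_category: str      # one of ACTION_CATEGORIES

    def __post_init__(self) -> None:
        ratings = (self.inherent_likelihood, self.inherent_impact,
                   self.residual_likelihood, self.residual_impact)
        if any(not 1 <= v <= SCALE_MAX for v in ratings):
            raise ValueError(f"{self.risk_id}: ratings must be 1..{SCALE_MAX}")
        if self.action_category not in ACTION_CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown action category {self.action_category!r}")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def check_response_adequacy(risk: Risk) -> List[str]:
    """Return findings about a profile entry whose recorded response looks unsound."""
    findings: List[str] = []
    if (risk.residual_likelihood > risk.inherent_likelihood
            or risk.residual_impact > risk.inherent_impact):
        findings.append("residual rating exceeds inherent rating; re-examine the assessment")
    elif risk.current_response and risk.residual_score == risk.inherent_score:
        findings.append("recorded response has no measured effect; response may be inadequate")
    if risk.action_category == "accept" and risk.residual_score >= ACCEPT_REVIEW_THRESHOLD:
        findings.append("high residual risk accepted; needs sign-off against the risk appetite")
    return findings


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Rank by residual score, then inherent score, then id (highest first)."""
    return sorted(risks, key=lambda r: (-r.residual_score, -r.inherent_score, r.risk_id))


def heat_map(risks: List[Risk], stage: str = "residual") -> Dict[Tuple[int, int], List[str]]:
    """Group risk ids by (likelihood, impact) cell for the chosen assessment stage."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        key = ((r.residual_likelihood, r.residual_impact) if stage == "residual"
               else (r.inherent_likelihood, r.inherent_impact))
        grid.setdefault(key, []).append(r.risk_id)
    return grid


def render_heat_map(grid: Dict[Tuple[int, int], List[str]]) -> str:
    """Plain-text grid: likelihood rows (high to low) against impact columns."""
    lines = ["likelihood \\ impact " + " ".join(f"{i:>4}" for i in range(1, SCALE_MAX + 1))]
    for lk in range(SCALE_MAX, 0, -1):
        cells = [",".join(grid.get((lk, im), [])) or "." for im in range(1, SCALE_MAX + 1)]
        lines.append(f"{lk:>19} " + " ".join(f"{c:>4}" for c in cells))
    return "\n".join(lines)


def sample_profile() -> List[Risk]:
    """Constructed sample entries (not from any agency's real profile)."""
    return [
        Risk("R1", "Protect beneficiary data", "Breach of case-management system",
             4, 5, "Encryption at rest, access logging, monitoring", 2, 4,
             "Complete MFA rollout", "reduce"),
        Risk("R2", "Deliver grants on time", "Loss of the single payments specialist",
             3, 5, "", 3, 5, "Cross-train two staff", "accept"),
        Risk("R3", "Pay only eligible claims", "Duplicate grant payments",
             3, 4, "Manual pre-payment review", 4, 4, "Automate duplicate checks", "reduce"),
        Risk("R4", "Keep field offices online", "Sole network vendor outage",
             4, 3, "Contract SLA", 4, 3, "Add a second carrier", "share"),
    ]


if __name__ == "__main__":
    profile = sample_profile()
    for r in rank_risks(profile):
        print(f"{r.risk_id}: inherent {r.inherent_score:>2}, residual {r.residual_score:>2},"
              f" {r.action_category}; findings: {check_response_adequacy(r) or 'none'}")
    print(render_heat_map(heat_map(profile)))
```

Ranking on residual score rather than inherent score is what lets the profile inform the strategic review; the adequacy checks are the kind of consistency test a reviewer would run before a risk profile is discussed with OMB.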


8. Understand long-tail and emerging risks

• Long-tail risk: Low likelihood of occurrence, but with potentially devastating impacts

• Emerging risk: Has not yet manifested itself in ways that the impact is viewed as serious

• Changes to the risk environment

• Situational awareness


9. Make risk mitigation a critical component of management expectations

• Identify "the" root cause

• Define expectations

• Establish action steps

• Leverage leading practices

• Be honest about resource needs

• Set a deadline

• Assign a "hammer"


10. View ERM as a never-ending marathon, not a sprint, and get started

• Build incrementally

• Start smartly with clear purpose

• Widely share early successes and lessons learned

• Go beyond "check the box"

• Often attributed to Mark Twain: "The secret to getting ahead is getting started. The secret of getting started is breaking your complex overwhelming tasks into small manageable tasks, and then starting on the first."


Final thoughts

• Look broadly and to the long haul

• Focus on creating value, not just a record of compliance


For further information

Jeffrey C. Steinhoff, CGFM, CPA, CFE, CGMA

Managing Director, KPMG Government Institute and Federal Advisory
T: 703-286-8710
E: [email protected]

kpmg.com/us/governmentinstitute


kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.