gao’s new green book: a revised internal control framework for government a nasact webinar...

GAO’s New Green Book: A Revised Internal Control Framework for Government

A NASACT WEBINAR

February 11, 2015

Opening Remarks

MODERATORR. Kinney PoynterExecutive Director,

NASACT

SPEAKERKristen Kociolek

Assistant Director, Financial Management and

Assurance Team, Government Accountability Office

SPEAKERCecile M. Ferkul

Deputy Legislative Auditor (MN)

SPEAKERJeanine Kuwik

Director, Internal Control and Accountability, Office of Management

and Budget (MN)

THIS PAGE INTENTIONALLY LEFT BLANK

Going Green

Standards for Internal Control in the Federal Government

4

Session Objective

• To discuss GAO’s Standards for Internal Control in the Federal Government (Green Book)

5

Green Book Through the Years

1983 Present

6

What’s in Green Book for the Federal Government?

• Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA)

• Serves as a base for OMB Circular A-123

• Written for government• Leverages the COSO Framework• Uses government terms

7

What’s in Green Book for State and Local Governments?

• May be an acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards

• Written for government• Leverages the COSO Framework• Uses government terms

8

What’s in Green Book for Management and Auditors?

• Provides standards for management

• Provides criteria for auditors

• Can be used in conjunction with other standards, e.g. Yellow Book

9

Updated COSO Framework

ReleasedMay 14, 2013

10

The COSO Framework

• Relationship of Objectives and Components• Direct relationship between objectives (which are what an entity

strives to achieve) and the components (which represent what is needed to achieve the objectives)

• COSO depicts the relationshipin the form of a cube:

• The three objectives are represented by the columns

• The five components are represented by the rows

• The entity’s organization structure isrepresented by the third dimension

11

Source: COSO

From COSO to Green Book: Harmonization

COSO Green Book

12

Revised Green Book: Standards for Internal Control

in the Federal Government

13

Overview

Standards

•Consists of two sections:• Overview• Standards

•Establishes:• Definition of internal control • Categories of objectives• Components and principles of

internal control• Requirements for effectiveness

Revised Green Book: Standards for Internal Control

in the Federal Government

14

Revised Green Book: Overview

• Explains fundamental concepts of internal control

• Addresses how components, principles, and attributes relate to an entity’s objectives

• Discusses management evaluation of internal control

15

Overview

Standards

Fundamental Concepts

• What is internal control in Green Book?• OV1.01: Internal control is a process effected by an entity’s

management that provides reasonable assurance that the objectives of an entity will be achieved.

• What is an internal control system in Green Book?• OV1.04: An internal control system is a continuous built-in

component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization’s objectives will be achieved.

16

Overview: Components, Principles, and Attributes

Achieve Objectives

Components

Principles

Attributes

17

Overview

Standards

Revised Green Book: Principles

18

Components and Principles

19

Component, Principle, Attribute

20

Overview: Principles and Attributes

21

Overview

Standards

• In general, all components and principles are required for an effective internal

control system

• Principles and Attributes• Entity should implement relevant principles• If a principle is not relevant, document the rationale of how,

in the absence of that principle, the associated component could be designed, implemented, and operated effectively

• Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles

Overview: Principles and Attributes (cont)

• OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

• OV2.07 excerpt: The Green Book contains additional information in the form of attributes. . . Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

22

Overview: Management Evaluation

An effective internal control system requires that each of the five components are:• Effectively designed, implemented, and operating• Operating together in an integrated manner

Management evaluates the effect of deficiencies on the internal control system

A component is not effective if related principles are not effective

23

Overview

Standards

Overview

Standards

Overview: Additional Considerations

The impact of service organizations on an entity’s internal control system

Discussion of documentation requirements in the Green Book

Applicability to state, local, and quasi-governmental entities as well as not-for-profits

Cost/Benefit and Large/Small Entity Considerations

24

Overview

Standards

Overview

Standards

Revised Green Book: Standards

• Control Environment

• Risk Assessment

• Control Activities

• Information and Communication

• Monitoring

25

Overview

Standards

Revised Green Book: Standards

• Explains principles for each component

• Includes further discussion of considerations for principles in the form of attributes

26

Overview

Standards

Control Environment

27

Risk Assessment

28

Control Activities

29

Information & Communication

30

Monitoring

31

Controls Across Components

32

Other Key Considerations

• Standards vs. Framework

• Documentation Requirements• Overview lists in OV4.08 the documentation requirements

found in the principles which represent the minimum level of documentation necessary for an effective internal control system.

33

Documentation Requirements

• Excerpt from OV2.06: If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

34

Documentation Requirements (cont.)

• Control Environment• 3.09: Management develops and maintains

documentation of its internal control system.

• Control Activities• 12.02: Management documents in policies

the internal control responsibilities of the organization.

35

Documentation Requirements (cont.)

• Monitoring• 16.09: Management evaluates and documents the

results of ongoing monitoring and separate evaluations to identify internal control issues.

• 17.05: Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.

• 17.06: Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

36

Accessibility of Green Book

• Comments raised during exposure identified new need -

• How do we make the Green Book more accessible to our user community?

37

The Green Book layout

• Changed the layout of the Green Book itself to make it more user friendly:

• Introduced a highlights page

• Facsimile page

• Graphics throughout the overview and standards

38

Highlights Page

39

Facsimile Page

40

Cube as Navigation Aid

41

The Green Book in Action

• Relationship between the Green Book and Yellow Book

42

Green Book and Yellow Book

• Can be used by management to understand requirements

• Can be used by auditors to understand criteria

43

The Yellow Book: Framework for Audits

• Findings are composed of • Condition (What is)

• Criteria (What should be)

• Cause

• Effect (Result)

• Recommendation (as applicable)

44

Linkage Between Criteria (Yellow Book) and Internal Control (Green Book)

• Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system

45

The Yellow Book: Framework for Audits

• Findings are composed of • Condition (What is)

• Criteria (What should be)

• Cause

• Effect (Result)

• Recommendation (as applicable)

46

Linkage Between Findings (Yellow Book) and Internal Control (Green Book)

• Findings may have causes that relate to internal control deficiencies

47

Effective Date

• Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year.

• Management, at its discretion, may elect early adoption of the Green Book.

48

Where to Find the Green Book

• The Green Book is on GAO’s website at: www.gao.gov/greenbook

• For technical assistance, contact us at: [email protected]

49

http://www.gao.gov/greenbook

mailto:[email protected]

O L A

Adopting the Green Book in Minnesota…moving on from COSO

Cecile Ferkul, Deputy Legislative Auditor

Jeanine Kuwik, Director of Internal Controls and Accountability

O L A

Not a Major Change for Minnesota

•No Framework

•COSO

•Green Book

O L A

Before 2007 COSO used by auditors But, auditors did not expect much

management involvement in internal controls

“Entity management has not conducted a formal assessment of the risk factors that could impact their ability to produce the financial statements. Management is aware of the implications of misrepresenting the financial statements and takes precautions to prevent that.”

O L A

Before 2007

The auditors assessed risks identified the control activities

O L A

Auditing Standards Change

Prompted by Crisis SOX AICPA Super Suite Federal Single Audit

Illustration by J. T. Morrow

O L A

Starting in 2007

1) Financial Reporting2) Federal Compliance3) Financial operations

We took a firm stand:

Agency management needed to ensure they understood and assessed the risks and show us they had appropriate and sufficient internal controls They needed to have all

elements of COSO, including risk assessment

O L A

Maturity Model

2

Ad H

oc

Repeatable

Defi

ned

Man

aged

Optim

ized

5

4

3

1

Most agencies were below 3

O L A

Infamous Finding One

Management had not adequately assessed risks related to Financial reporting Federal compliance Financial operations

O L A

Reactions

Shock Resistance Delay

O L A

A Significant Audit

Minneapolis

Veterans

Home

O L A

A Significant Audit

Legislative hearings focused on management’s responsibility to have effective internal controls

O L A

The Result?

New legislation in 2009

“The head of each executive agency is responsible for designing, implementing, and maintaining an effective internal control system”

O L A

The Result?

The creation of the Internal Control & Accountability Unit in Minnesota Management and Budget

Minnesota Adoption of the Green Book

February 11, 2015

Click icon to add picture

Jeanine KuwikInternal Control & Accountability Director

History of Internal Control Legislation

• Included in the Governor’s 2010-2011 budget recommendations

• Passed by the Legislature in the 2009 session (Minn. Statute Section 16A.057)

• Originally budgeted for up to 6 staff

MS 16A.057 Responsibilities

• Adopt statewide internal control standards and policies

• Coordinate agency training and assistance• Share internal audit resources• Monitor Office of the Legislative Auditor

reports• Report biennially on the executive branch

system of internal controls and internal audit

Monthly Internal Control Bulletin

Going green: MN adopts updated internal control standards

Volume 6, Issue 9 – September 29, 2014

Highlights

The state is switching from the COSO Framework to the federal standards for internal control, known as the Green Book, as its internal control framework.

Several important components of the Green Book are the same as the COSO Framework.

The statewide internal control policy and related procedures will conform to the Green Book for the 2015 internal control certification.

When it comes to a standard for internal controls, the State of Minnesota is making the switch and “going green.” The state is switching from the COSO Internal Control Integrated Framework as its standard model for internal controls to the U.S. Government Accountability Office (GAO), Standards for Internal Control in the Federal Government, also known as the Green Book. The Green Book provides a standard model for organizing, documenting, and discussing internal controls. The MMB Internal Control & Accountability Unit made the decision to switch to the Green Book, because of its government focus, use of government terminology, and its similarities to the COSO Framework.

Fundamentally, there are few differences between the COSO Framework and the Green Book. In fact, several important components are the same, including the:

Core definition of internal control Three categories of control objectives

(operations, reporting, and compliance) Five components of internal control (control

environment, risk assessment, control activities, information and communication, and monitoring)

Requirement that all five components of internal control be present and functioning for an effective internal control system

Role of judgment in designing, implementing, and assessing internal control effectiveness

One significant change is the codification of seventeen principles that support the five internal control components. The seventeen principles of effective internal control for agencies to implement are as follows:

Control Environment 1. Demonstrate commitment to integrity and

ethical values 2. Exercise oversight responsibility

3. Establish structure, responsibility, and authority

4. Demonstrate commitment to competence 5. Enforce accountability Risk Assessment 6. Define objectives and risk tolerances 7. Identify, analyze, and respond to risk 8. Assess fraud risk 9. Analyze and respond to change Control Activities 10. Design control activities 11. Design activities for the information system 12. Implement control activities Information & Communication 13. Use quality information 14. Communicate internally 15. Communicate externally Monitoring 16. Perform monitoring activities 17. Remediate deficiencies

For effective internal controls, the updated Green Book requires that each of the five components and the seventeen relevant principles be present and functioning; and that the five components operate together in an integrated manner.

In the coming months, the MMB Internal Control & Accountability Unit will update Statewide Operating Policy 0102-01, Internal Controls to conform to the Green Book. All policy, procedures, and related guidance updates will be complete for the 2015 internal control certification.

Suggested action steps: Read and become familiar with the revised Green Book (www.gao.gov/greenbook/overview). Watch for updated internal control materials that incorporate Green Book components and principles.

If you have any questions, please contact Heidi Henry at [email protected] or 651-201-8078.

NOTE: Actual bulletin can be accessed at: http://mn.gov/mmb/images/September%2520ICB%25202014.docx

http://mn.gov/mmb/images/September%20ICB%202014.docx

Agency Head Responsibilities“The head of each executive agency must annually certify that the agency head has reviewed the agency’s internal control systems, and that these systems are in compliance with standards and policies established by the commissioner [of Minnesota Management and Budget].”

We began the certification process in 2012 by requiring each agency head to certify that he/she had assess the agency’s control environment using the control environment self-assessment tool.

Control Environment – Green Book Implications

• Revised (i.e. tweaked) our guidance to conform to the 5 Green Book CE principles1. Demonstrate Commitment to Integrity and

Ethical Values2. Exercise Oversight Responsibility3. Establish Structure, Responsibility and Authority4. Demonstrate Commitment to Competence5. Enforce Accountability

Control Environment Tool• Promotes high, agency level look at controls• Contains 20 goals/control objectives that

model exemplary control behaviors• Lists recommended controls that allow

agencies to demonstrate an effective control environment

• Contains references to related Minnesota statues, laws, rules, and policies

CE Self-Assessment ToolControl Environment Self - Assessment Tool

Purpose: Agency-wide Control Environment Self-Assessment ToolTarget Audience: Agency Senior ManagementFrequency of Review/Completion: Annually

Item # A: Goal B: Control Objective C: Recommended Controls1

D: Assessment Rank 1-3

1 - Excellent, 2 - Adequate, 3 - Inadequate

E: Action Taken/Controls Implemented

F: Action Items/Areas Needing Improvement

G: Target Completion

date

H: Responsible Party I: References2

CONTROL ENVIRONMENT: Demonstrates Commitment to Integrity and Ethical Values and Enforces Accountability1 Agency management fosters and

encourages an agency culture that emphasizes the importance of integrity and ethical values.

Agency senior management has set the proper “tone at the top” by emphasizing the importance of ethical behavior through formal and informal communication, including implementation of the Code of Conduct Policy.

A. Management fosters and encourages ethical behavior through training and communication (e.g., ethics/code of conduct training).

MS 43A.38, Code of EthicsMS 16C.04, Code of Ethics for Procurement

Blank Blank Blank B. The agency head and other applicable senior staff have signed the code of conduct certification.

MMB Statewide Operating Policy 0103-01, Code of Conduct

Blank Blank Blank C. Ethics-related communications and training materials are periodically re-evaluated and updated as necessary.*

2 The agency's positive culture promotes appropriate moral and ethical behavior in dealings with co-workers.Employees know what kind of behavior is acceptable.

Agency management has communicated appropriate ethical and moral behavioral standards, disciplinary actions for unacceptable behavior and a method for employees to comfortably report questionable behavior.

A. Applicable employees have current Code of Conduct certifications on file.


Blank Blank Blank B. All employees are made aware of the Code of Ethics statute.

MS 43A.38, Code of Ethics

Blank Blank Blank C. The types of disciplinary actions that can be taken are widely communicated, including penalties for misappropriation or misuse of funds.

MS 13.09, Data Practices, PenaltiesMS 15.43, Acceptance of Advantage by State Employee, PenaltyMS 43A.39, Compliance with LawMS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required

Blank Blank Blank D. The agency has established a communication mechanism for employees to raise ethical concerns or potential Code of Conduct violations without fear of retaliation. Employees are made aware of both internal and external (e.g., MMB Human Resources, OLA, etc.) resources for seeking advice on ethical/code of conduct issues.

MS 181. 932, Disclosure of Information by Employees (Whistleblower Protection Statute)MS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor RequiredMMB Statewide Operating Policy 0103-01, Code of Conduct

Blank Blank Blank E. The agency has a formal internal process for investigating and resolving alleged wrongdoings, conflicts of interest or code of conduct concerns from employees, recipients, customers, vendors and other outside parties.

MR 3900.9500, Reporting and Investigating Conflicts of InterestMS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required

Blank Blank Blank F. As necessary, management takes appropriate action in response to instances of wrongdoing, conflicts of interest, ethical and Code of Conduct violations.


Blank Blank Blank G. Management has developed a formal risk assessment plan to ensure key objectives and the reputation of the agency are protected.

MS 16A.057, Internal Controls and Internal Auditing MMB Guide to Risk Assessment and Control Activities

Actual tool can be accessed at: http://mn.gov/mmb/images/Control%2520Environment%2520Self-Assessment%2520Tool.xlsx

http://mn.gov/mmb/images/











date


























Ribbon identifies the specific related Green Book control

environment principle(s), such as “Demonstrates Commitment to Integrity and Ethical Values”









date


























Goal indicates the desired behavior, such as “Goal 1: Agency management fosters and

encourages an agency culture that emphasizes the importance of integrity and ethical values”









date


























Recommended Controls or specific actions needed, such as “A. Management fosters and encourages ethical behavior through training and communication” and “B. The agency head and other applicable senior staff have

signed the code of conduct certification”









date


























Agencies are asked to rank their status using a scale of 1 to 3









date


























Plenty of room for agencies to insert what actions they have already taken,

and comment on any areas still needing improvement.









date


























Final column provides references to related state

laws, rules, and policies (i.e. we didn’t just make this stuff up!)

Risk Assessment• Assessment plans required beginning in 2013• Agencies decide which processes need formal

risk assessments, but must consider:– Items material to the CAFR– Major single audit programs– Major sources and uses of funding (financial)– Areas critical to agency mission (operational)

• Risk assessments currently underway in most agencies

Risk Assessment – Green Book Implications

• Currently revising policy, procedures, and guidance to conform to the Green Book principles– Four risk assessment principles– Three control activities principles

Risk Assessment/Control Activities Potential Issues

• Biggest sticking point is Principle 11, due to Minnesota’s recent IT consolidation– Principle 11 – Management should design control

activities for the entity’s information system• Other principles being discussed

– Principle 6 – Management should define objectives clearly … and define risk tolerances

– Principle 8 – Management should consider the potential for fraud

Other Green Book Components

• Information and Communication– Embedded in all other components– Must make this component implicit in all guidance

• Monitoring– Still to be determined

Questions?Minnesota Management and Budget (MMB) Internal Control and Accountability Unit• [email protected]• http://mn.gov/mmb/internalcontrol/

mailto:[email protected]

Question & Answer Session

MODERATORR. Kinney PoynterExecutive Director,

NASACT

SPEAKERKristen Kociolek

Assistant Director, Financial Management and

Assurance Team, Government Accountability Office

SPEAKERCecile M. Ferkul

Deputy Legislative Auditor (MN)

SPEAKERJeanine Kuwik

Director, Internal Control and Accountability, Office of Management

and Budget (MN)

GAO’s New Green Book: A Revised Internal Control Framework for Government

THANK YOU FOR ATTENDING

gao’s new green book: a revised internal control framework for government a nasact webinar...

Documents

internal control system

federal government green

objectives coso

remarks gaos new green

entitys objectives

federal awards

federal government14

entitys management