using internal control to manage risk mary c. braun, cpa, cgfm management concepts, incorporated
TRANSCRIPT
![Page 1: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/1.jpg)
Using Internal Control to Manage Risk
Mary C. Braun, CPA, CGFMManagement Concepts, Incorporated
![Page 2: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/2.jpg)
Agenda
• Background
• Requirements
• Implementation
![Page 3: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/3.jpg)
Internal Control Legislation
– 1950 Accounting and Auditing Act – 1982 Federal Managers’ Financial Integrity
Act– 1990 Chief Financial Officers Act– 1994 Government Management Reform
Act– 1996 Federal Financial Management
Improvement Act
![Page 4: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/4.jpg)
What are Internal Controls?
• Anything you do to successfully achieve your mission/goal legally and efficiently
• Objectives of controls:– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations
• Applies to all aspects of life
![Page 5: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/5.jpg)
Internal Control Standards• Treadway Commission:
Internal Control Guidance
Control Environment
Risk Assessment
Activities
M
Info
rmat
ion
Com
munication
GAO Standards COSO Framework
![Page 6: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/6.jpg)
Internal Control Standards
Control Environment
Risk Assessment
Control Activities
M
Info
rmat
ion
Com
munication
GAO Standards
Control Environment: Tone at the Top
Risk Assessment: Threats to Mission
Control Activities: Design & Operation
Monitoring: Test Schedule
Information & Communication: Up and down the Organization
![Page 7: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/7.jpg)
Government Implementation: Assess Controls
![Page 8: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/8.jpg)
Elements of an IC Program
Mission
Objectives
Risks
Control Activities
![Page 9: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/9.jpg)
Internal GoalsManagement:• Acknowledge it responsibility for
establishing and maintaining ICs• Apply IC objectives:
– Effective and efficient operations– Reliable financial reporting– Compliance with laws and regulations
• Understand that ICs exist (or should) at every level and in every process of the organization
• Realize that good internal control leads to financial reporting integrity
![Page 10: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/10.jpg)
Three Step Process
• Planning Phase
• Testing Phase
• Reporting Phase
![Page 11: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/11.jpg)
Planning Phase• Identify assessable units• Establish governance body• Determine material contributors• Identify/document key business
processes• Perform risk assessment• Identify key controls• Develop 3-yr control assessment
schedule• Develop test methodology
![Page 12: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/12.jpg)
Divide and Conquer !!
Establish Assessable Units
![Page 13: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/13.jpg)
Divide and Conquer !!Establish Assessable Units
![Page 14: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/14.jpg)
Establish Governance• Establish a governance body who will:
– Have decision-making leaders as members
– Identify material business lines/ processes
– Know flowcharted business process
– Identify risks and assess materiality
– Document internal controls
– Test internal controls
– Report on control effectiveness
– Develop corrective action plans
![Page 15: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/15.jpg)
Identify Material Contributors
Look at the Budget/Financials
2010 2009 Change 2010 2009 Change 2010 2009 ChangeAssets:Cash and investments............. $ 10.7 $ 10.4 $ 0.3 $ 4.6 $ 4.6 $ - $15.3 $ 15.0 $ 0.3Capital assets (net).................. 28.6 26.7 1.9 0.1 0.1 - 28.7 26.8 1.9All other assets......................... 7.9 7.1 0.8 1.6 1.4 0.2 9.5 8.5 1.0Total assets.............................. 47.2 4 4.2 3.0 6.3 6.1 0.2 53.5 50.3 3.2Liabilities:Accounts payable..................... 5.9 6.0 (0.1) 0.9 0.9 - 6.8 6.9 (0.1)All other current liabilities.... 4.2 3.7 0.5 4.1 2.1 2.0 8.3 5.8 2.5Total current liabilities............ 10.1 9.7 0.4 5.0 3.0 2.0 15.1 12.7 2.4Bonds payable.......................... 9.8 8.5 1.3 - - - 9.8 8.5 1.3All other long-term liabilities 3.8 2.8 1.0 2.5 2.5 - 6.3 5.3 1.0Total long-term liabilities........ 13.6 11.3 2.3 2.5 2.5 - 16.1 13.8 2.3Total Liabilities........................ 23.7 21.0 2.7 7.5 5.5 2.0 31.2 26.5 4.7
Government Business-type Total
![Page 16: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/16.jpg)
Identify Key Business Processes
• Capital Assets:– What processes add to balances?– What processes decrease balances?– What systems support the processes?– Where do the processes take place? – Where do the managers exist in the state’s
organization chart?
![Page 17: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/17.jpg)
Document Key ProcessesProperty, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
![Page 18: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/18.jpg)
Perform Risk Assessment• Assess Risk: Document from flowcharts
Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
![Page 19: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/19.jpg)
IT Assertions
• Completeness
• Accuracy
• Validity
• Restricted Access
![Page 20: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/20.jpg)
Financial Assertions
• Completeness
• Obligations/Rights
• Valuation
• Existence/Occurrence
• Reporting/Presentation
Look for Risk of Misstatement
![Page 21: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/21.jpg)
Identify Key ControlsDocument from flow charts
Property, Plant and Equipment – Buildings & StructuresDisposals Subprocess
Staff AccountantReal Property
Accountability OfficerDistrict Engineer
Hand Receipt Holder or Realty Specialist
Receives notice of approved disposal
Start
B
B
A
Receives notice of approved disposal
and notifies the staff accountant
Approves Disposal
Generates Record of Disposal in RD 72
screen within in REMIS to add disposal info to
asset’s record
Instructs Hand Receipt Holder of what to do with
asset
Notifies staff accountant that
the asset has been disposed of in
REMIS
Completes disposal request document and
forwards to district engineer and RPAO
Verifies that all required
documents are included, properly
and accurately completed, and
approved.
Determines Asset’s need for disposal through periodic inspections
Changes asset status within
CEFMS from “in service” to “retired”Rejects
Disposal
A
CEFMS transfers asset value into
buildings or structures awaiting disposal account
Forwards Disposal Request
Document to RPAO as notice to start the disposal
process
Receives and reviews Disposal request
document and approves or rejects
disposal request
BS.4
Changes asset status in CEFMS from “Retired”
to “Disposed”
Disposes of asset within REMIS in RD 82 screen
BS.3
CEFMS transfers asset value to appropriate
SGL accounts removing the value from the
financial statements.
![Page 22: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/22.jpg)
Document Key Controls
IntraGov Accts Rec
Not reported
Entity
Preparer
Control Number
Account/ Line Item/Event
Business Cycle, Accounting Application Assertion Risk
Inherent Risk
Internal Control
Currently In Place
Control Risk
Internal Control Test Method Used
Risk Analysis
Account Line: Accounts Receivable
Document, document, document
high1 Reimb R/O Track & check low Inspect
Preliminary Control Assessment
![Page 23: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/23.jpg)
Develop Key Control Assessment Schedule
• All key controls are assessed at least once every three years
• Some more:– High risk– Change in:
• Law• System• Key personnel
![Page 24: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/24.jpg)
Control Testing Options:3-Year Plan
ControlRisk
Risk TestLow
Hig
h
Develop Corrective Action Plan
If:
Changes in:-Personnel?-Process?-System?
Yes
Annually for 3 years
No
Rotate to 3-year plan
![Page 25: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/25.jpg)
Testing Phase
• Entity-Level Assessment
• Control Testing:– Process level– Transaction level– Include automated systems– Remember service providers
![Page 26: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/26.jpg)
Entity-Level Assessment
• Evaluate Internal Control at Entity Level– GAO-01-1008G: Internal Control
Management and Evaluation Tool– Use GAO Internal Control Standards
![Page 27: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/27.jpg)
Control Testing• Test key controls
– Develop test plan and document– Decide on the appropriate test method– Establish tolerance level for error,
document– Identify sample size:
OMB recommendations– Test and document
• Consider dependencies– Service provider process controls – SAS 70 reports???
![Page 28: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/28.jpg)
Reporting Phase
• Identifying Material Weaknesses
• Developing Corrective Action Plans
• Preparing Statement of Assurance
![Page 29: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/29.jpg)
Identify Material Weaknesses
• At assessable unit level• At subagency/department level• At Agency/ Bureau/ Department level
Management has the discretion to make the determination!
OMB generous withMaterial Weaknessdefinitions
![Page 30: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/30.jpg)
Basis for Assurance
• Deficiencies can be:
–Single deficiency
–Significant deficiency
–Material weakness
• Determines level of assurance
–Cannot be unqualified if material weakness exists
![Page 31: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/31.jpg)
Develop Corrective Actions
• Managers: Process Owners develop corrective actions plans and timelines
• Governance body concurs or non-concurs
• Published in Annual Financial Report (PAR) for feds
• Should be monitored by leadership• Fed report periodically on progress to
Office of Management and Budget
![Page 32: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/32.jpg)
Corrective Action Plans
• Plan well
• Divide corrective steps into small manageable pieces – governance body should approve
• Develop realistic target dates
• Monitor progress continuously
![Page 33: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/33.jpg)
Statement of Assurance
• Report on effectiveness of internal control• Separate statements of assurance:
– for operations and administration– for systems (Sec 4)– for financial reporting
• Report options:– Prescribed format for statement– Defined qualifiers: Unqualified
QualifiedNo Assurance
![Page 34: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/34.jpg)
Internal Control Reporting
![Page 35: Using Internal Control to Manage Risk Mary C. Braun, CPA, CGFM Management Concepts, Incorporated](https://reader036.vdocument.in/reader036/viewer/2022062511/5516371e550346a2308b6288/html5/thumbnails/35.jpg)