
What’s New In GAO’s Revised Greenbook

Association of Government Accountants, KC Chapter Fall 2014 Professional Development Seminar November 10, 2014

Michael A. Fiene Chief, USDA/FSA-Internal Control and Planning Office

Agenda

• GAO Greenbook (Theory)

• Practical Applications

• Enterprise Risk Management (ERM)

GAO Greenbook (Theory)


GAO Green Book (Theory)

• COSO updated its guidance in 2013

• Provides greater detail and depth

• Retains the 5 components of internal control

• Presents 17 new principles that enumerate management responsibilities

GAO Green Book (Theory)

COSO Cube (figure): the three objective categories are Effective and Efficient Operations, Accurate Reporting, and Compliance with Laws and Regulations.

GAO Green Book (Theory)

Highlights Page and Sample Page (figure)

11/04/2014

GAO Green Book (Theory)

New: Components are aligned to Principles and Attributes


GAO Green Book (Theory)

Reporting categories (rows: who the report is for; columns: type of information):

             Financial                    Non-Financial
External     External Financial Reports   External Non-Financial Reports
Internal     Internal Financial Reports   Internal Non-Financial Reports

GAO Green Book (Theory)

Control Environment Principles

1) The oversight body and management should demonstrate a commitment to integrity and ethical values.

2) The oversight body should oversee the entity’s internal control system.

3) Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.

4) Management should demonstrate a commitment to recruit, develop, and retain competent individuals.

5) Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

New: Principle 2 explicitly states that the oversight body should oversee the entity’s internal control system.

GAO Green Book (Theory)

Risk Assessment Principles

6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.

7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.

8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

New: Principle 8 explicitly states that Management should consider the potential for fraud in its risk assessment.

GAO Green Book (Theory)

Control Activities Principles

10. Management should design control activities to achieve objectives and respond to risks.

11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.

12. Management should implement control activities through policies.

New: Language very similar, but modified to remove the word “should” in several places to more clearly state Management’s responsibility for designing and implementing an effective internal control system.

GAO Green Book (Theory)

Information and Communication Principles

13. Management should use quality information to achieve the entity’s objectives.

14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.

15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

New: Emphasis on the “quality” of information.

GAO Green Book (Theory)

Monitoring Principles

16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.

17. Management should remediate identified internal control deficiencies on a timely basis.

New: The attributes provide guidance on establishing a baseline for monitoring as well as establishing ongoing monitoring that is built into the entity’s operations, performed continually, and responsive to change.

Practical Applications


GAO Green Book: Practical Applications

Risk Assessment Principles

6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.

7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.

8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

New: Principle 8 explicitly states that Management should consider the potential for fraud in its risk assessment.

The New Greenbook


GAO Green Book: Practical Applications

Control objectives paired with the risk each one addresses (each risk is the objective not being met):

Control Objective: All collections and disbursements of fund balance with Treasury are recorded, and are recorded accurately, in the general ledger.
Risk: Not all collections and disbursements of fund balance with Treasury are recorded in the general ledger, and/or some are recorded inaccurately.

Control Objective: Recorded FSA direct loans are valid and are approved/authorized by management.
Risk: Some recorded FSA direct loans are not valid and/or are not approved/authorized by management.

Control Objective: All FSA direct loans are recorded, and are recorded accurately, in the general ledger.
Risk: Not all FSA direct loans are recorded in the general ledger, and/or some are recorded inaccurately.

GAO Green Book: Practical Applications

Low Risk (figure)

High Risk (figure)


GAO Green Book: Practical Applications

• Ongoing Monitoring: occurs when the routine operations of an organization provide feedback to those responsible for the effectiveness of the internal control system.

• Separate Evaluations: designed to evaluate controls periodically; they are not ingrained in the routine operations of the organization.

The New Greenbook

GAO Green Book: Practical Applications

“Monitoring promotes good control operation. When people who are responsible for internal control know their work is subject to oversight through monitoring, they are more likely to perform their duties properly over time.” COSO Guidance on Monitoring Internal Control Systems, January, 2009

Enterprise Risk Management (ERM)


GAO Green Book: ERM

COSO I/C Framework and COSO ERM Framework (figure): the internal control cube has three objective categories, Effective and Efficient Operations, Accurate Reporting, and Compliance with Laws and Regulations; the ERM cube adds a fourth category, Strategic, alongside those three.

GAO Green Book: ERM

Proposed Revisions to OMB Circular A-123

• Clarify technical terminology to ensure that program managers can understand and use internal controls properly;

• Replace “check the box” compliance approaches with risk management based approaches to support agency missions;

• Introduce Enterprise Risk Management (ERM); and

• Build on internal controls over financial reporting, while at the same time reducing compliance burdens to focus on program controls.

Implementing ERM and a Broader View of Risk

GAO Green Book: ERM

OMB’s Direction (A-11, ERM Direction):

270.24 – What is Enterprise Risk Management (ERM)?

270.25 – What are the key roles of risk managers at an agency?

270.26 – Why is ERM a best practice and how is it relevant to strategic reviews?

270.27 – What other guidance does OMB provide agencies regarding risk management concepts discussed in this Circular?

270.28 – What is the difference between internal control and risk?

270.29 – What is the difference between OMB Circular A-123 and Enterprise Risk Management?