Introduction to Internal Control
OMB Circular A-123, Appendix A
December 2006

Agenda

I. Introduction
A. Objectives and Goals
B. What is Internal Control?

II. Background on Internal Control Requirements
A. Internal Control Legislation and Rules
B. Overview of OMB Circular A-123 and Appendix A

III. Internal Control Over Financial Reporting
A. Definition of Internal Control Over Financial Reporting
B. COSO Framework

IV. Identifying Controls
A. Control versus Activity
B. Manual versus Automated Controls
C. Detective versus Preventative Controls
D. Controls Specific for Information Systems
1. General Computer Controls
2. Application Controls
E. Entity Level Controls

V. Overview of USDA's OMB Circular A-123, Appendix A Assessment Process
A. Planning and Scoping
B. Documentation and Testing
C. Remediation and Validation
D. Reporting and Sustaining

VI. Additional Sources of Information


Objectives and Goals

Objective
• This course has been designed to provide an overview of internal controls as a precursor to beginning the assessment of internal controls that is required under OMB Circular A-123, Appendix A.
• In this course, we will define internal control, discuss the benefits of internal controls, and discuss the different types of controls. We will also discuss the phases of assessment that each agency will complete in order to comply with Circular A-123, Appendix A.

By the end of the course you will be able to:
• Understand the background of the government's internal control policies and regulations
• Distinguish a control from an activity
• Understand the different types of controls
• Understand the assessment process required by Circular A-123, Appendix A

What is Risk?

Before talking about internal controls, it is important to discuss the concept of risk.

RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one's objectives.

To assess risk, the following process is used:

Identify the Risks → Source the Risks → Prioritize the Risks

What is Internal Control?

Internal Control = Risk Mitigation

Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:

• Alarm Clock: designed to prevent oversleeping. What are the risks?

• Speed Limits: designed to prevent aggressive driving. What are the risks?

• Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?

What is Internal Control in an Organization?

Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:

• Effectiveness & Efficiency of Operations: Relates to an entity's basic business objectives, including performance goals and safeguarding of an entity's resources.

• Reliability of Financial Reporting: Relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (e.g., budget execution reports, monitoring reports, and reports used to comply with laws and regulations).

• Compliance with Laws & Regulations: Relates to complying with those laws and regulations to which the entity is subject.


What are the Benefits of Good Internal Control?

• Identification and elimination of waste, fraud and abuse

• Reduction of improper or erroneous payments

• Enhanced understanding of risk exposure

• Sustained performance, efficiency and effectiveness

• Reduced level of effort for financial management system implementation or audit

• Improved policies and procedures

• Streamlined processes

• Clear definition of process ownership

• Greater accountability

• Enhanced audit readiness and internal control attestation readiness

• Compliance with laws & regulations


Office of Management and Budget (OMB) and Congressional Oversight

• The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is a component of the Executive Office of the President.

• Internal control is an integral part of the tools currently used by OMB and Congress to monitor Federal agencies:

– Performance and Accountability Report (PAR): contains the agency head's assurance statement on internal and financial management controls

– Program Assessment Rating Tool (PART): developed to assess and improve program performance so that the Federal government can achieve better results

– President's Management Agenda (PMA): an aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine agency-specific goals for improvement. Includes a "scorecard"

Internal Control Policy

Legislative / Regulatory Authorities and the internal control requirements they impose:

• Federal Managers' Financial Integrity Act (FMFIA) of 1982: Requires agency heads to establish and maintain an integrated system of internal controls, to evaluate and report on them annually, and requires GAO to issue internal control standards

• Federal Financial Management Improvement Act of 1996 (FFMIA): Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements

• Federal Information Security Management Act of 2002 (FISMA): Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB

• Improper Payments Information Act of 2002 (IPIA): Provides for estimates and reports of improper payments by Federal agencies

• CFO Act of 1990: Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system

• Government Performance and Results Act of 1993 (GPRA): Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals

• Inspector General Act of 1978: Requires IGs to report on internal controls when conducting a performance audit

• OMB Circular A-123: Requires monitoring and improvement of internal controls associated with programs

• OMB Circular A-127: Outlines requirements for FM system controls

• OMB Circular A-130: Establishes the policy for the management of Federal information resources


OMB Circular A-123

• Issued under authority of FMFIA; entitled, “Management Accountability and Control”

• Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls

• Requires annual reporting on the effectiveness of management controls

• Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA


Revised OMB Circular A-123

• Circular A-123 was revised in December 2004

• Renamed “Management’s Responsibility for Internal Control”

• Changes developed by Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)

• Adopts certain concepts from the Sarbanes-Oxley Act of 2002

• Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”

• Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)

Overview of Revised OMB Circular A-123

The Revised Circular A-123 includes the following Appendices:

• Appendix A – Internal Control over Financial Reporting

• Appendix B – Improving Management of Government Charge Card Programs (revised Appendix B issued April 2006)

– Increases the frequency of review and the scope of spending and transaction limits
– Limits authorizations and blocks card use for "high risk" merchant category codes

• Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)

– Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments, and obtaining a statistically valid estimate of the annual amount of improper payments

– Requires implementation of a plan to reduce erroneous payments, and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them

Revised OMB Circular A-123, Appendix A Requirements

OMB Circular A-123, Appendix A requires Agencies to:

• ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework

• ESTABLISH a governance structure

• DOCUMENT the design of controls over material accounts and assess their effectiveness as of June 30

- This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)

• TEST the operating effectiveness of internal controls

Revised OMB Circular A-123, Appendix A Requirements (continued)

• INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing

• SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying the effectiveness of internal control within the Agency

- The Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15

- Signed by the Secretary of Agriculture

• CORRECT deficiencies in internal control over financial reporting

- Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies

Why All the Trouble?

• It's the law

• Every employee in USDA has an impact on financial management and, ultimately, financial reporting

• Over time, the metrics that evolve to monitor internal control areas will provide insight for key business decisions (e.g., programs and budgets)

• Documentation provides a communication tool for management and improves the ability to train employees and to share information with interested stakeholders (e.g., auditors, oversight organizations)


Internal Control over Financial Reporting

The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting.

• Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting

• Internal control over a complete process involves controls at every step of the process, including:
– controls over transaction initiation,
– maintenance of records,
– recording of transactions, and
– final reporting

• Internal control over financial reporting also includes:
– entity level controls,
– information technology controls, and
– operational and compliance controls

Management Responsibilities

Management is responsible for establishing and maintaining internal control and its documentation. Management must:

– consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework's five components)

– develop and maintain control activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)

– maintain up-to-date controls documentation on an on-going basis

– provide a certification statement related to the adequacy of controls (signed by the Secretary of USDA)

COSO Internal Control Framework

COSO is the recognized internal control framework for financial reporting

– Per OMB, "Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, 'Green Book'"

– GAO's 'Green Book' has adopted many of the internal control concepts provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which provides suitable criteria against which to evaluate and report on the effectiveness of the entity's internal control

– COSO is the framework used by commercial entities in complying with the Sarbanes-Oxley Act

COSO Internal Control Framework

• Five COSO Components of Internal Control

Control Environment
Sets the tone of the organization, influencing the control consciousness of its people.
Factors include integrity, ethical values, competence, authority, responsibility.
Foundation for all other components of control.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

Control Activities
Policies/procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internally and externally generated information.
Flow of information that allows for successful control actions, from instructions on responsibilities to summaries of findings for management action.

Monitoring
Assessment of a control system's performance over time.
Combination of ongoing and separate evaluations.
Management and supervisory activities.
Internal audit activities.

All five components must be in place for internal control to be effective.

COSO Internal Control Framework

• Control Environment: The foundation for all other components of internal control, providing discipline and structure. It sets the tone of an organization, influencing the control consciousness of its people.

• Risk Assessment: The process for identifying, analyzing and managing relevant risks.

• Control Activities: The policies and procedures that help ensure that management directives are carried out.

• Information and Communication: The systems that support the identification, capture and exchange of information in a form and time frame that enables people to carry out their responsibilities.

• Monitoring of Controls: The processes to assess the effectiveness of internal control performance over time, to ensure that controls continue to operate effectively as intended and are modified as appropriate for changes in conditions.


Control versus Activity

It is important to be able to distinguish between a control and an activity:

• Control activities: Control activities consist of policies and procedures that help to ensure that management directives are implemented
– Controls can be either preventative or detective,
– Controls can be either manual or automated, and
– Controls help to ensure that financial reporting is accurate

• Examples of controls include approvals, authorizations, reconciliations, reviews and segregation of duties

• Activity: An activity is something that is done in the normal course of business and is necessary to process a transaction. Not all activities are controls
– An activity only qualifies as a control if it either prevents or detects financial statement errors

• Examples of activities include completing a form, entering data, or running a report

Control versus Activity Exercise

Is each of the following a Control or an Activity?

1. A suspense report is generated and sent to a manager.

2. User fee calculations are calculated by the system and are set up to mirror the terms of the contract. Any changes must be approved and reviewed by the appropriate level of management.

3. The Accounts Payable manager reviews the Accounts Payable aging monthly to ensure payments are recorded.

4. Unliquidated obligations are aged to identify outstanding items.

5. Collections are entered into the system.

Answer key (as given in the deck, in order): Activity, Control, Activity, Control, Activity

Manual versus Automated Controls

Controls may be either:

• Manual – implemented through human action
• Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document

• Automated – implemented through system action
• Example: Users must have a valid user id and password to access a system


Detective versus Preventative Controls

Controls may be either:

• Detective – provide evidence that an error or exception has occurred

• Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls

• Preventative – are proactive in that they attempt to deter or prevent undesirable events from occurring

• Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls

Control Exercise

Spell Check is a function that you have used in Microsoft Word. How might this be viewed as a control?

What sort of control is it: detective or preventative?

• It is a detective control rather than preventative because it detects errors after you have input the words; it cannot prevent you from misspelling the word!

• It is unlike the preventative control in the Save function, which will not save the file if the file name contains "/" or "?"

Control Exercise (continued)

Continuing with the Spell Check example…

What kind of errors is it designed to address?

• It is designed to detect spelling errors only, not typos that produce valid words. For example, it will not detect the typo of "art" instead of "arc" or "cat" instead of "car." These are actual words which are not misspelled.

Is it a manual or automated control?

• It is automated, but it must be turned on. It cannot detect errors if it is not activated, so there is a manual element involved.

Control Activities Specific for Information Systems

There are two types of Information System Controls:

• General Computer Controls (GCCs): Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization's information technology infrastructure.

• Application Controls: Controls that cover the processing of data within an application or computer program.

OMB Circular A-123 states, "general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing."

Layered view of a financial application (from the slide's diagram, top to bottom):
• PCMS (Purchase Card Application): Application Controls
• Oracle Database: General Computer Controls
• Operating system (e.g., AIX): General Computer Controls
• LAN (e.g., Desktop/NT): General Computer Controls

Control Activities Specific for Information Systems: General Computer Controls

General Computer Controls should be designed to ensure that:

• The overall IT environment is well-controlled

• The IT organization is fit for its purpose, and there is proper management control over information systems

• Critical processing can be restored in a timely manner in the event of a prolonged outage (data / systems are backed up)

• New applications and changes to existing applications are properly authorized, and only approved modifications are moved to the production environment

• Physical and logical security controls restrict access to data, systems and sensitive facilities

Control Activities Specific for Information Systems: General Computer Controls (continued)

Examples of General Computer Controls include:
• Monitoring of Adherence to Entity-wide Security Program
• Data Processing Policies and Procedures
• Continuity of Operations Plan (COOP)
• Regularly Scheduled and Documented Change Control Board Meetings
• Properly Completed and Maintained Access Request Forms

What must be assessed?
• Security Planning and Management
• Change Control
• Segregation of Duties
• Access Controls
• Service Continuity
• System Software

Control Activities Specific for Information Systems: Application Controls

Application Controls should be designed to ensure that financially significant applications process data and report results as intended. Points to keep in mind:

• A business process may be enabled by one or more applications, so the controls over a process may span several systems

• Ideally, application controls are programmed into the application to ensure Completeness, Accuracy, Validity and Restricted Access

• Many common applications (e.g., SAP and PeopleSoft) have configurable controls

• Controls for ensuring on-going data quality should also be considered (e.g., problem reporting, management and resolution)

Control Activities Specific for Information Systems: Application Controls (continued)

Examples of Application Controls include:

• Automated controls built into the application (computerized edit checks and required passwords)

• Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)

What must be assessed?
• Input Controls (access restrictions, validity checking, source documents)
• Processing Controls (integrity controls, error messages, job scheduling)
• Output Controls (report generation and distribution, manual review of reports for obvious errors)
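As an added example (not part of the original deck and not code from any USDA system), the following Python models the kinds of application controls described above and in the earlier Detective versus Preventative slide, over a constructed purchase-obligation process: an input validity check on an amount field (preventive), a segregation-of-duties check at approval (preventive), a funds-availability check at posting (preventive), and a reconciliation of posted totals against an interfaced system's feed (detective). Every name in it (Obligation, FundsLedger, parse_amount, approve, post_obligation, reconcile, run_sample), the fund, the users and the sample records are assumptions made for illustration.

```python
"""Added example: preventive and detective application controls over a
purchase-obligation process. All records, funds and users are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional


class ControlViolation(Exception):
    """Raised by a preventive control to stop a transaction before it posts."""


@dataclass
class Obligation:
    doc_id: str
    fund: str
    amount: Decimal
    entered_by: str
    approved_by: Optional[str] = None


@dataclass
class FundsLedger:
    authority: dict                       # available budget authority per fund
    posted: list = field(default_factory=list)


def parse_amount(raw: str) -> Decimal:
    """Input control (preventive): reject non-numeric, non-positive or
    over-precise amounts before they can reach processing."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ControlViolation(f"amount {raw!r} is not numeric")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise ControlViolation(f"amount {raw!r} must be positive with at most two decimals")
    return amount


def approve(ob: Obligation, approver: str) -> Obligation:
    """Segregation-of-duties control (preventive): the preparer of a document
    may not also approve it."""
    if approver == ob.entered_by:
        raise ControlViolation(f"{approver} entered {ob.doc_id} and cannot approve it")
    ob.approved_by = approver
    return ob


def post_obligation(ledger: FundsLedger, ob: Obligation) -> None:
    """Funds-availability control (preventive): post only approved documents
    for which sufficient budget authority remains in the fund."""
    if ob.approved_by is None:
        raise ControlViolation(f"{ob.doc_id} has not been approved")
    used = sum((p.amount for p in ledger.posted if p.fund == ob.fund), Decimal(0))
    remaining = ledger.authority.get(ob.fund, Decimal(0)) - used
    if ob.amount > remaining:
        raise ControlViolation(
            f"{ob.doc_id}: {ob.amount} exceeds remaining authority {remaining} in {ob.fund}")
    ledger.posted.append(ob)


def reconcile(ledger: FundsLedger, interfaced_totals: dict) -> dict:
    """Detective control: compare totals posted here with totals reported by an
    interfaced system (e.g. a general ledger feed); return funds that differ."""
    ours = {}
    for ob in ledger.posted:
        ours[ob.fund] = ours.get(ob.fund, Decimal(0)) + ob.amount
    funds = set(ours) | set(interfaced_totals)
    return {f: ours.get(f, Decimal(0)) - interfaced_totals.get(f, Decimal(0))
            for f in sorted(funds)
            if ours.get(f, Decimal(0)) != interfaced_totals.get(f, Decimal(0))}


def run_sample() -> dict:
    """Run constructed documents through the controls and report the outcome."""
    ledger = FundsLedger(authority={"FUND-A": Decimal("10000.00")})
    results = {"posted": [], "rejected": []}
    # constructed sample input: (doc_id, fund, raw amount, preparer, approver)
    sample = [
        ("OB-1", "FUND-A", "6000.00", "alice", "bob"),
        ("OB-2", "FUND-A", "12AB", "alice", "bob"),      # fails input validity check
        ("OB-3", "FUND-A", "500.00", "alice", "alice"),  # fails segregation of duties
        ("OB-4", "FUND-A", "5000.00", "carol", "bob"),   # fails funds availability
        ("OB-5", "FUND-A", "3999.99", "carol", "bob"),
    ]
    for doc_id, fund, raw, preparer, approver in sample:
        try:
            ob = Obligation(doc_id, fund, parse_amount(raw), preparer)
            approve(ob, approver)
            post_obligation(ledger, ob)
            results["posted"].append(doc_id)
        except ControlViolation as err:
            results["rejected"].append((doc_id, str(err)))
    # constructed GL feed that missed OB-5: the reconciliation surfaces the gap
    results["differences"] = reconcile(ledger, {"FUND-A": Decimal("6000.00")})
    return results


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The preventive checks stop a bad document at the step where it is entered, approved or posted; the reconciliation cannot stop anything and only reports, after the fact, that the two systems disagree, which is exactly the distinction the Detective versus Preventative slide draws. In a real application the same checks would be configured in the system rather than hand-coded, and the reconciliation difference would feed the problem-reporting process mentioned on the previous slide.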

Exercise: General versus Application Controls

Are the following controls General Computer Controls or Application Controls?

1. Only authorized personnel have access to the data center (e.g., locked doors and access cards) → General

2. Validation check over an input field preventing letters from being entered in a number field → Application

3. The system prevents contracts from being awarded unless sufficient budget authority is available → Application

4. A System Development Life Cycle methodology has been developed → General

Entity Level Controls

• Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies. Examples include management's tone at the top, risk assessment, centralized processing, controls monitoring and the USDA period-end financial reporting process.

• Responsibility: Entity Level Controls are assessed at both the agency and the department level.

• Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore, the assessment of entity-level controls is essential to the overall evaluation of controls.


USDA's Approach to the FY07 A-123, Appendix A Assessment Process

• Phase I – Planning & Scoping: Oct 2006 – Dec 2006 (3 months)

• Phase II – Documentation & Testing: Dec 2006 – Jul 2007 (8 months)

• Phase III – Remediation & Validation: Sept 2006 – Aug 2007 (12 months; overlaps Phases I and II)

• Phase IV – Reporting & Sustaining: Aug 2007 – Nov 2007 (4 months)

Overview of A-123 Assessment: Planning and Scoping

Phase I – Planning & Scoping (Oct 2006 – Dec 2006)

Planning and Scoping Activities
• Establish the A-123 governance structure
• Determine and communicate the FY07 A-123 assessment timeline and methodology (the Department's top-down approach)
• Determine the scope of the significant financial reports
• Determine the cycles, processes, and systems in scope for each of USDA's Agencies and Staff Offices for the FY07 assessment, based on materiality
• Develop / update standard templates to be used for documentation and testing of controls over financial reporting

Overview of A-123 Assessment: Documentation and Testing

Phase II – Documentation & Testing (Dec 2006 – Jul 2007)

Documentation and Testing Activities

Documentation
• Identify and document entity level controls
• Identify and document process level manual and application controls
• Identify and document General Computer Controls (GCCs)
• Assess the design effectiveness of controls. Controls not designed effectively are considered to be control gaps

Testing
• Develop test plans for key controls that have been determined to be designed effectively
• Perform testing of entity level, manual, application, and general computer controls to assess operating effectiveness. Controls that fail testing are considered to be deficiencies
• Document the results of testing, including any identified deficiencies

Overview of A-123 Assessment: Remediation and Validation

Phase III – Remediation & Validation (Sept 2006 – Aug 2007)

Remediation and Validation Activities
• Classify the significance of any control gaps or deficiencies
• Document Remediation / Corrective Action Plans for identified control gaps and deficiencies
• Implement Corrective Action Plans. Re-test remediated controls and document the results

Overview of A-123 Assessment: Reporting and Sustaining

Phase IV – Reporting & Sustaining (Aug 2007 – Nov 2007)

Reporting and Sustaining Activities
• Draft and submit Agency and Staff Office Certification Statements for their FY07 assessment of internal control over financial reporting
• Analyze the impact of Agency and Staff Office control deficiencies on the Department's annual assurance statement
• Draft and finalize the Department's Annual Assurance Statement for internal control over financial reporting as of June 30, 2007, for inclusion in the FY07 Performance and Accountability Report
• Continue with monitoring, remediation, and reporting of controls


Additional Sources of Information

Refer to www.whitehouse.gov for OMB Circular A-123 guidance including the Appendix A Implementation Guide

USDA’s FY06 Implementation Guide can be found in QuickPlace under “Reference Materials”