Embed Size (px)
DESCRIPTION
3 Background Office of Management and Budget (OMB) Circular A-123, “Management’s Responsibility for Internal Control”, revised December, 2004 A-123 provides guidance to Federal agencies regarding compliance with the Federal Managers’ Financial Integrity Act of 1982 (FMFIA)
Citation preview
OMB Circular A-123
13th Annual Rutgers Governmental Accounting & Auditing Update ConferenceDecember 18, 2006
Lessons LearnedTerry CarnahanManaging DirectorKPMG Federal Internal Audit Services
2
Agenda
Background
Challenges
Lessons Learned
Just Check the Box ?
Opportunities
3
Background
Office of Management and Budget (OMB) Circular A-123, “Management’s Responsibility for Internal Control”, revised December, 2004
A-123 provides guidance to Federal agencies regarding compliance with the Federal Managers’ Financial Integrity Act of 1982 (FMFIA)
4
Background, con’t
“. . . A-123 defines management’s responsibility for internal control in Federal agencies . . . A-123 and the statute it implements, the FMFIA, are at the center of the existing Federal requirements to improve internal control.”
—Linda SpringerOffice of Management and BudgetDecember 21, 2004*
* “Memorandum to the Chief Financial Officers, Chief Operation Officers, Chief Information Officers, and Program Managers: Revisions to OMB Circular A-123, Management’s Responsibility for Internal Control,” December 21, 2004
5
Internal Control Attestations in the Government
What is Internal Controls over Financial Reporting (ICFR)?
Internal Control is defined as a process, effected by an entity’s
board of directors, management/other personnel, designed to
provide reasonable assurance regarding the achievement of
objectives in the following:Accurate maintenance of records in reasonable detail
Recording of transactions as necessary in preparing financial statements
Assurance that receipts/expenditures have appropriate authorizations
Prevention or detection of unauthorized acquisition
Prevention or detection of unauthorized use of the issuer’s assets
Compliance with applicable laws and regulations
6
Enhancing Internal Control over Financial Reporting/Government Attestations
SEC definition: Internal Control over Financial Reporting (ICOFR)
A process designed to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financial
statements for external purposes.
COSO Is the Recognized Internal Control Framework for Financial Reporting
COSO control components (accepted by U.S. government and its agencies) incorporated into new A-123
GAO adopted into government standards
7
Integrated Internal Control Framework
ICOFR
ReportingOversight
Technology
Evaluation
8
Challenges
Today, agency managers face three challenges:Compliance with A-123Minimize the cost of compliance by integrating related internal controlsReduce the overall cost of controls and transform operations to improve mission effectiveness
These challenges also present opportunities:Minimize the cost of compliance by integrating related internal controlsReduce the overall cost of controls and transform operations to improve mission effectiveness
9
Lessons Learned
1 Bob Violino, “Sarbox: Year 2”, September 15, 2005, CFO IT Fall 2005 Issue, CFO.com. 2 Richard M. Steinberg, “Resources, Ownership, and Discipline; Key 404 Lessons”, Oct. 18, 2005, Compliance Week3 Larry E. Rittenberg and Patricia K. Miller, “Sarbanes-Oxley Section 404 Work: Looking at the Benefits”, Jan. 2005, IIA Research Foundation
Expensive and chaotic1
Realization that requirements are permanent2
Surprising degree to which information technology contributes to financial processes1
Better understanding and analysis of monitoring controls2
Need to embed ICOFR within programs, operations2
Re-implementation of basic controls2
“Over-identified” key controls3
10
Just Check the Box ? A-123 Compliance
Federal agencies are usually more willing to embrace new initiatives that address program improvementBut, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its missionCompliance with new regulations often degenerates into “check the box” exercisesThe additional costs associated with A-123 compliance have not helpedAgencies miss-out by just “checking the A-123 box”
A-123 is an opportunity to transform and improve
11
Opportunities
A-123 results in greater focus on strengthening internal controls
High initial A-123 compliance costs
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance
12
Opportunities
TotalCost of a
ControlIncreasinglyfelt by
Agencies doing A-123
Largely hidden;historically
unknown to Agencies
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance
13
Opportunities
Control Portfolio mapping
Manual vs. Automated controls
Detective vs. Preventive controls
Improved Business PracticesBetter Understanding of Costs, con’tLinking Controls to Performance
14
Opportunities
Understanding manual controlsCosts of controls relate to actual performanceManual controls-
Labor-intensive (costly); perhaps hundreds of employees involvedIntroduce risk of human errorOften detective, not preventative = no protection against waste
What percentage of an Agency’s Performance costs are related tomanual controls ?
Improved Business PracticesBetter Understanding of Costs, con’tLinking Controls to Performance
15
Opportunities
Controls are important tools for identifying:New opportunities for managing riskNew ways to improve business performance
Controls allow agencies to rethink how they operateA-123 compliance leads to fresh insights into performance and potential cost savingsLinkage between controls and program improvement
A-123 compliance encourages agencies to develop a “portfolio” view of their existing controls
Assessment of quality and quantity of controls from different perspectives: operating units, applications, locations, risks, and objectives
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance
16
Opportunities
Automated
Manual
Detective Preventive
Existing Control
Current Control Portfolio (at most Agencies)Mostly manual controls that only detect anomalies after-the-fact
Anomalies’ effects (wasted money, time, effort) already felt Result in higher-than-necessary control costs Missed opportunity for control cost-savings
Current Control Portfolio
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance, con’t
17
Opportunities
Automated
Manual
Detective Preventive
Existing Control
Desired Control PortfolioMostly automated controls that prevent anomalies from occurring or taken effect
Anomalies’ effects (wasted money, time, effort) are never felt Reduce control costs by introducing cost-savingsHelp agencies better manage their risks of doing business
Desired Control Portfolio
Previous ControlFuture (new) Control
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance, con’t
18
Opportunities
Automated
Manual
Detective Preventive
Existing Control
Warning: Simply automating controls is no cure-allBusiness processes must be well understoodControls must exist at the proper places in a process
Goal: generate relevant information to enable appropriate action
The total costs of controls must be understood
Desired Control Portfolio
Previous ControlFuture (new) Control
Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance, con’t
19
Don’t Just Check the Box
Enhance controls by embedding them in operations (e.g., business units)Maintain rigorous testing processMove beyond compliance to improve business performancesImprove their controls processes by going from manual controls to automated controls (e.g., detective to preventive)Use the controls portfolio as a new “lens” to improve processes
20
The information contained herein for the MEV Independent Validation and Verification Project is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© (2006) KPMG LLC, a Swiss cooperative. All rights reserved. Printed in USA.
Terry Carnahan
Managing Director
Federal Internal Audit ServicesKPMG LLP(202) [email protected]
