Treasury Board

RDIMS 1113156
Policy on Internal Control: the federal perspective
Presentation to the Ontario Chapter - Financial Management Institute
September 19th, 2012
Sharon Smith
Director, Financial Management Policy
Office of the Comptroller General of Canada
Purpose
• Provide an overview of the Policy on Internal Control (PIC)
• Provide an update on its status and implementation
• Provide an overview of how to do an assessment of effectiveness of internal controls
Background
• The Policy on Internal Control (PIC) flows from the Federal Accountability Action Plan to strengthen accountability and transparency in financial controls, reporting and disclosure:
  – Supporting Deputy Heads (DHs) as Accounting Officers who are responsible for the “measures taken to maintain effective systems of internal controls” (section 16.4 of the FAA)
  – Clarifying DHs’ responsibilities and expectations in this area
  – Maintaining Canada’s position as a leader in financial reporting and disclosure
• The PIC is a foundational component of the new TB FM framework articulated around four policies:
  – Policy on Financial Management Governance (effective April 2009)
  – Policy on Internal Control (effective April 2009)
  – Policy on Stewardship of Financial Management Systems (effective January 2010)
  – Policy on Financial Resource Management, Information and Reporting (effective June 2010)
Note there are about 25 new Directives and 12 standards in this suite plus a Policy Framework on Financial Management
Drivers for the Policy on Internal Control
• Position Canada among leading jurisdictions
  – Lessons learned from Sarbanes-Oxley
  – New developments and practices in the private sector
• Alignment with Accounting Officer responsibilities under the Financial Administration Act and commitment of the Federal Accountability Action Plan (2006)
• Support accountabilities of key players and CFO Model
• Next step in government commitment to control-based audits of departmental financial statements
• Provide necessary oversight of controls to manage key risks and mitigate against errors, fraud, mismanagement or other irregularities to safeguard public resources
  – Alignment with increasingly risk-based management approaches
Policy on Internal Control - requirements
• Reaffirms the responsibility of Deputy Heads, as accounting officers, for ensuring the maintenance of effective risk-based systems of internal control
• With a focus on internal controls over financial reporting, requires that Deputy Heads:
  – ensure the completion of an annual risk-based assessment of the departmental system of internal control over financial reporting (ICFR)
  – ensure the establishment of an action plan to address any necessary adjustments
  – include a summary of the assessment results and action plan as an Annex to a revised Statement of Management Responsibility accompanying the annual financial statements and signed by the DH and the Chief Financial Officer (CFO)
  – engage the Departmental Audit Committee or equivalent as appropriate on assessment plans and associated results
Internal Control over Financial Reporting
• Internal Controls over Financial Reporting (ICFR) aim to mitigate risks to the reliability of departmental annual financial statements
• Effective ICFR aim to provide reasonable assurance that:
  – Transactions are appropriately authorized
  – Financial records are properly maintained
  – Assets are safeguarded against fraud, abuse, waste, loss and mismanagement
  – Applicable laws, regulations and policies are followed
Levels of departmental internal controls
• DM as accounting officer: broad system of internal control
• ADMs: system of internal control (IC) in their area of responsibility
• CFO: system of internal control over financial management (ICFM)
  – within it, the system of internal control over financial reporting (ICFR)
• Policy requirements focus on ICFR
Roles and responsibilities
• Deputy Heads (DH)
  – As accounting officer, the DH is responsible for measures taken to maintain effective systems of ICs
  – Sign the Statement of Management Responsibility which includes the Annex
• Chief Financial Officers (CFOs)
  – Lead departmental role for financial management (incl. a key source of expertise)
  – Lead and coordinate the planning and execution of the assessments and the Annex
  – Sign the Statement of Management Responsibility which includes the Annex
• Senior Departmental Managers
  – Responsible for maintaining effective systems of ICs in the programs for which they are responsible
  – Contribute to the assessment of key risks and controls in their area of responsibility
• Chief Information Officers (CIO)
  – Lead departmental role for IT infrastructure and system applications (incl. a key source of expertise)
  – Contribute to assessments of IT systems and application controls
• Chief Audit Executives (CAE)
  – Lead departmental role for internal audit (incl. a key source of expertise)
  – No internal audit required under the PIC
  – PIC assessment results can inform future internal audit plans
  – Internal audit findings can be leveraged to support the assessment under the PIC
• Departmental Audit Committees (where applicable)
  – Provide objective advice and recommendations to Deputy Heads
  – Timing and scope of engagement to be determined by the Deputy Head
What the policy means
• The policy is not about advocating for more controls (often
too many controls) - rather that the right controls are in
place and working properly
• It is not about assessing all controls - rather it focuses on
key controls based on risks as well as ensuring that these
controls are proportionate to and balanced with the risks
they aim to mitigate
• It is not about audits - rather it is a self-assessment by
management taking into account risks
• It is not about certifying that all risks related to financial
reporting have been eliminated - rather it is about
demonstrating that key controls over financial reporting
are well managed in support of continuous improvement
What well managed means
Financial statements
• Start with annual financial statements - identify key accounts, key risks and materiality
• Set scope and develop assessment plan
Testing - 3 levels of controls: entity level (tone from the top), general IT level, business process level
• Design effectiveness:
  – key controls documented
  – in place as designed
  – aligned with risks
• Operational effectiveness:
  – key controls functioning over time
Statement of Management Responsibility
• “Management is also responsible for maintaining an effective
system of ICFR designed to provide reasonable assurance that
financial information is reliable, assets are safeguarded and that
transactions are properly authorized”
• “The system of ICFR is designed to mitigate risks to a reasonable
level based on an on-going process to identify key risks, to assess
effectiveness of associated key controls, and to make any
necessary adjustments”
• “an assessment for the year ended March 31, 20XX was completed in accordance with the Policy on Internal Control and the results and action plan are summarized in the annex”
Annex to the Statement of Management Responsibility
• Annex enables readers to understand the organization’s overall
environment and demonstrates the measures taken to maintain an
effective system of ICFR within this context
• Provides an overarching perspective on the department’s status in
assessing their system of ICFR, any remedial actions required and
planned future assessments
Sections:
1. Introduction – departmental overview, financial highlights and key
organizational changes
2. Control Environment - Key positions and responsibilities as well
as measures taken to set the “tone from the top”
3. Assessment Approach - Assessment scope and methodology
4. Assessment Results - Significant findings
5. Action Plan - Significant actions to be taken and timelines
Government-wide implementation plan
• A 3 year phased-in approach for the new Statement of
Management Responsibility and its summary document (annex)
– 2009-10: Largest departments that have completed readiness
assessments for undertaking control-based audits of their
financial statements
– 2010-11: Departments that already have audited financial
statements
– 2011-12: Other departments
• Departments can tailor the scope and pace of their annual
assessments, including developing multi-year assessment plans
OCG-TBS enabling role
• Chair DCFO Advisory Committees
  – Sharing best practices
  – Address strategic issues
  – Policy clarity and specific challenges
• Co-Chair PIC managers’ Working Group
• Guidelines on developing the Annex
• Practical Toolkit on Assessments
• Workshop
• Strategy for Small Departments
• Use of GCPedia (Wiki style resource)
Status and context after 3 years
• Completed 3 year transitional implementation
• Maturity advanced across government – OAG Spring 2011 Chapter on Financial Management, Control and Risk Management concluded that TBS and the 7 selected large departments audited on their progress under the PIC had made satisfactory overall progress and that more work remained to be completed.
• Upcoming 5 year review of the FM policy suite: opportunity to consider future adaptations
• Cost containment and savings – effective controls key to reliable financial information for tough decisions
• Consolidation of services – Alternative Service review – Shared Services Canada is first new delivery hub
• Small departments capacity
CCA/PIC Approach for Small Departments
• Objective is to support small departments by
leveraging core control audits in support of sound
management of internal controls / core controls
• This approach aims to:
  a) Add value and consistency to management’s oversight of its controls
  b) Streamline process to gain efficiencies
  c) Minimize reporting burden
Note that the PIC continues to apply
Leveraging: What does it mean?
• CCA and PIC use different methods but both support sound
and efficient management of internal controls
• Policy on Internal Control does not mandate the details of
“annual risk-based assessments” → ability to use CCA
• For sound management oversight departments consider risk
from both PIC and CCA perspective which is informed by:
– Corporate risk framework and risk history;
– Nature of mandate and complexity; and
– Composition and materiality of the financial accounts.
• Additional oversight under the PIC can be tailored as needed
Service arrangements
• Service arrangements becoming more prominent as departments and the federal government seek to generate efficiencies, leverage expertise and manage risks
  – Recent examples: establishment of Shared Services Canada, Budget 2012 “Modernizing and Reducing the Back Office” initiatives, implementation of the Directive on Internal Support Services
• Adds complexities on accountabilities for internal controls
• Starting Point: The entity is responsible for the design and effectiveness of the controls that they directly manage
Service arrangements
Two typical scenarios:
1. Services from other government departments:
Recipient departments draw assurance from the annex of the service provider concerning the management of their control areas
2. Service arrangement with external (non–federal government) third party:
Departments can require a CSAE 3416 report to obtain an independent opinion on the design and operating effectiveness of the internal controls related to the services provided
Highlights from a practical workshop: How to do a risk-based assessment
A. Executing a risk assessment (scoping)
B. Developing an assessment plan
C. Documenting key controls and processes
D. Design effectiveness testing
E. Operating effectiveness testing
Assessment of ICFR - Process Overview
1. Financial statement decomposition: key business process (BP) identification; identify key risks and key accounts; assessment planning and scoping
2. Documentation: validation of documentation with process owners; address documentation gaps and issues; identify key controls at all levels and alignment with risks
3. Test of design: process walkthroughs; remediation
4. Operating effectiveness testing (OET): remediation
5. Monitoring: ongoing monitoring and periodic risk-based retesting
Note: Reporting - develop summary of results and Action Plan for the SoMR
Scoping
A—Internal control over financial reporting
Decomposing the financial statement into key accounts (cont’d)
Factor: Definition
• Account size: Dollar value in relation to MPP
• Business volume: Number of transactions in a given period
• Transaction complexity and uniformity: Nature of transactions, similarities between transactions
• IT dependencies: Account requires computer systems to perform automated calculations and controls.
• Decentralized process: Account transactions and controls are performed in multiple locations, business units and divisions by various people or systems
• Level of judgment required: Calculations, analyses or provisions require the use of judgment-based assumptions.
• Likelihood of error: Account has a history of error and reprocessing, or is susceptible to error by its nature.
• Vulnerability to fraud: Account is by its nature vulnerable to fraud (e.g. cash transactions).
Scoping
Information technology general controls (ITGCs)
ITGCs relationship to application controls
– ITGCs are used to manage and control a
company’s information technology activities.
– ITGCs are pervasive controls. The degree to
which an organization can rely on the integrity of
information processing and the effectiveness of
application controls (automated) in computer
applications (e.g. SAP, GX, Freebalance) depends
on the effectiveness of the ITGCs.
Scoping
Entity-level controls (ELCs)
• Main components
– Directions set by senior management
– Organizational culture
– Organizational values and ethics
– Governance mechanisms
– Tools and activities that enable employees to
effectively manage risk (communication, training
and professional development)
Documentation
A – How to document controls?
• To be considered complete and to ensure a proper
understanding by all potential readers, the following items
must be included in the description of a control:
– When, Who, What, How?
– Preventative or detective?
– Manual or automated?
– Evidence of the control performed (signature, initials,
mark, date, etc.)
Documentation
C – Walkthrough
• Once the controls have been documented, their
design must be validated by means of a
walkthrough.
• The walkthrough is a control occurrence test used
to verify that the documentation describes what
actually happens in the course of daily operations.
• Usually, for an internal control project, 20% to
30% of control descriptions require some
modification following a walkthrough.
Key success factors
– Tone at the top (have senior management involved);
– Dedicated project lead and solid plan;
– Access to key people (process and control owners);
– Team members with experience in assessment of internal control.
Do not underestimate the time required:
• for the documentation validation with the control and process owners;
• for the documentation adjustment following the validation with the walkthroughs; and
• for the remediation phase.
Process Overview
• Design Effectiveness Testing (DET): identification of key controls at all levels and alignment with risk to financial reporting; process walkthroughs; conclusion & remediation
• Operating Effectiveness Testing (OET): testing strategy; sampling strategy; results/conclusion; remediation
• Reporting: result reporting; action plan
Session 1: Design Effectiveness Testing
Design effectiveness refers to whether controls are properly designed to achieve control objectives and if they operate as designed.
• Internal control objectives: Desired conditions which, if achieved, minimize the opportunity for loss, unauthorized use or misappropriation to occur, in relation to a control’s ability to preserve the validity of the financial statement assertions.
• Risk: Likelihood and impact of an event that would result in material misstatement. Need to consider financial statement assertions.
• Key control activity: Key control activities are processes that, if not operating appropriately, could potentially cause a material misstatement in the financial statements.
Design Effectiveness Testing Overview
1.0 Starting point: identify control objectives based on process descriptions
1.1 Assess risks to financial reporting for each financial statement assertion
1.2 Identify key control activities
1.3 Test of design (DET) procedures
1.4 Perform walkthrough
1.5 Conclusion
1.6 Remediation plan (ending point)
1. Assess Risks to Financial Reporting
Objective: Assess risks related to the various financial statement assertions to identify areas where key internal controls will need to be validated.
• Existence/Occurrence: Only valid or authorized transactions are processed (policies, procedures, delegation)
• Completeness: All transactions have been processed and are reported (i.e., no omissions)
• Valuation & Allocation: Transactions or account balances are valued using an appropriate methodology
• Presentation & Disclosure: Components of financial statements are properly classified (by account) & described
• Rights & Obligations: Assets represent the rights of the entity, and liabilities its obligations, as of a given date.
• Accuracy: All valid transactions are accurate, & consistent with originating transaction data.
1. Assess Risks to Financial Reporting
Assess risks as High, Medium, or Low.
IMPACT: potential effect on the organization if it arises
LIKELIHOOD: probability that a risk can occur
Impact factors:
• Materiality: financial resources; human resources; physical resources
• Significance: corporate objectives; relationships (central agencies, Parliament, public, media); obligations to others; sensitive information; third party oversight
Likelihood factors:
• Inherent: past performance; time since last review; economic condition; competence; morale; complexity; liquidity of assets; extent of automation; pressure to meet objectives
• Change: roles and responsibilities; staff levels; operation methods; budgets; turnover of staff; automation; changes in funding levels
Risk rating matrix (rows: impact, highest at top; columns: likelihood, lowest at left):
MED      | MED/HIGH | MED/HIGH | HIGH     | HIGH
LOW/MED  | MED      | MED/HIGH | HIGH     | HIGH
LOW/MED  | MED      | MED      | MED/HIGH | MED/HIGH
LOW      | LOW/MED  | MED      | MED      | MED/HIGH
LOW      | LOW      | LOW/MED  | LOW/MED  | MED
2. Key Control Activities Identification
Application Controls vs. ITGCs
• ITGCs: IT General Controls apply to all system components, processes, and data for a given organization. Intended to ensure the proper infrastructure and implementation of applications, as well as the integrity of programs, data files, and computer operations.
• Application controls: relate to transactions and data pertaining to each system. Intended to ensure completeness and accuracy of records and validity of the entries made resulting from programmed processing activities.
2. Key Control Activities Identification
Identify key control activities that could be relied upon to reduce the assessed risks to financial reporting.
A control activity is “key” if it:
• Enables achievement of key control objectives, such as compliance, reliability of reporting, etc.
• Enables achievement of an essential internal control objective
• Directly manages important risks to the achievement of financial statement assertion objectives
(Source: CSPS)
3.2 Design Effectiveness Testing - Walkthrough
Review of audit trail (e.g. walkthrough): validate the application of controls, such as sign-off by the appropriate authority on key documents and the existence of control documents such as checklists, mandatory forms, etc.
Walkthrough steps:
• Get understanding of process (inquiry)
• Confirm understanding and operation of controls
• Confirm flow of information and transactions
• Examine, gather and file documentation
3.3 Design Effectiveness Testing – Potential Issues
1. Control apparently exists but cannot be evidenced
2. There is extensive access to the system for some users
3. Some individuals have incompatible responsibilities (S.34 and S.33 of FAA) – segregation of duties
4. IT system and some controls are under the responsibility of a third party
5. Key control activities did not catch errors during walkthrough
3.4 DET - Remediation Plan
Identify any remediation plan to address any gaps or issues of design identified to this point, including missing details on who, what, where, when and how:
• WHO: Who is responsible for the exercise of the control?
• WHAT: What is the nature of the control, i.e. reconciliation, management review and approval, etc.?
• WHERE: Where is the control carried out, i.e. HQ, Region, specific location, etc.?
• WHEN: When is the control carried out, i.e. what is the frequency (annual, monthly, daily etc.)?
• HOW: How is the conduct of the control in evidence?
Session 2: Operating Effectiveness Testing
Tests of operating effectiveness are intended to demonstrate the
reliability of the controls over a period of time in reducing related
financial reporting risks.
Important to gather sufficient documented
evidence to enable a conclusion whether or not
the controls are operating in practice.
Objectives:
• Effective controls are expected to prevent or detect and
correct material misstatements.
• This means that after all internal control testing is
completed, there remains a lower risk of undetected
material control weaknesses.
• In that case, effective controls are expected to lower the
risk of material misstatement in the financial statements.
Operating Effectiveness Testing Overview
1. Develop a testing plan
2. Develop sample strategy
3. Perform testing
4. Results and remediation plan
4.1 Operating Effectiveness Testing - Methods
Testing plan depends on type of controls. ITGCs and application controls can be tested for operating effectiveness during the Design Effectiveness Testing phase (see Matrix B2).
• ITGCs testing: program changes and user access
• IT application testing: processing of data – 1 test
• Testing of other controls: dependent on frequency (slide 34)
4.2 Operating Effectiveness Testing - Sampling
Sampling refers to the process of selecting some units from a population, with two main steps:
1) How many to select
2) Which ones to select
Plan for overall sampling:
• Key locations where there may be high risk, high levels of complexity or other factors;
• Numbers of tests of specific key controls;
• Testing frequency and time period; and
• Random sampling strategy on risk basis.
4.4 Operating Effectiveness Testing - Steps
• If errors are showing up after a small number of sample items: STOP TESTING. Is it isolated/unique or is it the result of a true control breakdown?
  – For isolated/unique errors: perform the test on 2 additional sample items
  – If the control is operationally ineffective: re-test only when remedied for a sufficient period of time
• Brief and validate initial findings with process owners/business partners
5.1 Operating Effectiveness Testing – Deficiencies
1. Isolated error found in control test
2. Non-isolated error found in control test
3. Reliability of controls for part of the year cannot be confirmed
5.3 Operating Effectiveness Testing – Report
Conclusion & Reporting:
1. Analyze results and identify need of remediation, as necessary
2. Brief and validate results with process owners
3. Have process owner prepare action plan for implementing the remediation
4. Update flowchart and matrix as necessary
5. Prepare and send report to senior management
6. Monitor the implementation of the action plan until resolved
Output: summary annex to the departmental statement of management responsibility
Expected benefits of the PIC
• Opportunity to showcase how well the department is being
managed as well as to demonstrate progress and improvements
• More effective and efficient departmental systems of internal
controls, with potential for economies and reduced risks
• Opportunity to engage and collaborate at all levels in support of
continuous improvement related to risk management
• Foundational to other initiatives such as quarterly financial reports
and potential controls-based audits of financial statements
• Instrumental to support Deputy Heads as accounting officers
• Increase public confidence and trust through strengthened
accountability and transparency, including reliability of financial
statements – maintaining Canada’s position as a leader in financial
reporting and disclosure.
More information
Sharon Smith, Director: Sharon.Smith@tbs-sct.gc.ca
Margaret Cross, Senior Analyst: Margaret.Cross@tbs-sct.gc.ca
Olga Dupuis, Senior Analyst: Olga.Dupuis@tbs-sct.gc.ca
GCPedia: http://www.gcpedia.gc.ca/wiki/PIC