Internal Control over Financial Reporting

advertisement
Internal Control over
Financial Reporting
OMB Circular A=123, Appendix A
ICOFR = Fed SOX
Mary C. Braun, CPA, CGFM
Management Concepts, Incorporated
Agenda
• Background
• Requirements
• Implementation
Background
• Precipitated from Sarbanes Oxley
• Congress looks at federal government
internal control guidance with a new
focus on financial reporting
• OMB convened a meeting of the CFO
Council and the PCIE
Internal Control Guidance
– 1950 Accounting and Auditing Act
– 1982 Federal Managers’ Financial Integrity
Act
– 1990 Chief Financial Officers Act
– 1994 Government Management Reform
Act
– 1996 Federal Financial Management
Improvement Act
COSO
• Treadway Commission: Internal Control
Guidance
M
Activities
Risk
Assessment
Control Environment
Effects of SOX
• OMB amends Circular A-123 to include
Appendix A: Internal Control over
Financial Reporting
– Defines scope of assessing and
documenting
– Defines process for assessing at entity,
process, transaction and application level
– Requires separate annual assurance
statement to be signed by agency head
Appendix A: ICOFR Goals
Management:
• Acknowledge it responsibility for
establishing and maintaining ICs
• Apply IC objectives to financial reporting:
– Effective and efficient operations
– Reliable financial reporting
– Compliance with laws and regulations
• Understand that ICs exist (or should) at every
level and in every process of the
organization
• Realize that good internal control leads to
financial reporting integrity
OMB Requirements
• Top-down Driven Governance:
– Senior Assessment Team
• End-to-end Documentation of Key
Processes (Minimum Scope:)
– 5 (now 4) Financial Statements (Reports)
• Identification and Testing of Key
Controls
• New Assurance Statement
Divide and Conquer !!
Establish Assessable Units
ICOFR Requirements (1)
• Establish a governance body
– Senior Assessment Team who will:
•
•
•
•
•
•
•
•
Have decision-making leaders as members
Identify material business lines/processes
Narrate and flowchart business process
Identify risks and assess materiality
Document internal controls
Test internal controls
Report on control effectiveness
Develop corrective action plans
Develop Key Control
Assessment Plan
• All key controls are assessed at least
once every three years
• Some more:
– High risk
– Change in:
• Law
• System
• Key personnel
ICOFR Requirements (2)
• Evaluate Internal Control at Entity Level
– GAO-01-1008G: Internal Control
Management and Evaluation Tool
– Use GAO Internal Control Standards
ICOFR Requirements (3)
• Identify key business processes
ICOFR Requirements (3)
• Document key processes:
Customer
Performing Component
Order
Acceptance
Data
Process
Data/
Bill
Perform
Services
Data
File
Service Provider
Acctg
System
AFS
Service
Acctg
System
ICOFR Requirements (4)
• Assess Risk:
Customer
Document from flow charts
Performer
Order
Acceptance
Service Provider
Data/
Bill
Perform
Services
4
5
1
Data
Data
2
Process
3
Service
Acctg
System
Acctg
System
7
AFS
Financial Assertions
•
•
•
•
•
Completeness
Obligations/Rights
Valuation
Existence/Occurrence
Reporting/Presentation
Look for Risk of Misstatement
IT Financial Assertions
•
•
•
•
Completeness
Accuracy
Validity
Restricted Access
ICOFR Requirements (5)
• Identify key controls:
Document from flow charts
Customer
Service Provider
Performer
Order
Acceptance
Data/
Bill
Perform
Services
4
5
1
Data
Data
2
Process
3
Service
Acctg
System
Acctg
System
7
AFS
ICOFR Requirements (5)
• Document key controls:
Risk Analysis
Entity
Preparer
Account Line: Accounts Receivable
Control
Number
1
Account/ Line
Item/Event
IntraGov
Accts Rec
Business Cycle,
Accounting
Application
Assertion
Reimb
R/O
Preliminary
Control Assessment
Risk
Not
reported
Internal
Control
Inherent Currently In
Risk
Place
Track &
high check
Control
Risk
Internal Control
Test Method Used
low
Inspect
Document, document, document
ICOFR Requirements (6)
• Test key controls
– Develop test plan and document
– Establish tolerance level for error,
document
– Identify sample size: OMB
recommendations
– Test and document
• Consider dependencies
– SAS 70 reports???
Identify Material Weaknesses
• At assessable unit level
• At subagency/department level
• At Agency/ Department level
Management has the discretion to make
the determination!
OMB generous with
Material Weakness
definitions
Corrective Action Plans
• Plan well
• Divide corrective steps into small
manageable pieces – SAT should
approve
• Develop realistic target dates
• Monitor progress continuously
Develop Corrective Actions
• Managers: Process Owners develop
corrective actions plans and timelines
• Senior Assessment Team concurs or
non-concurs
• Published in PAR
• Monitored by leadership
• Progress reported on periodically to
OMB
Basis for Assurance
• Deficiencies can be:
–Single deficiency
–Significant deficiency
–Material weakness
• Determines level of assurance
–Cannot be unqualified if material
weakness exists
ICOFR Requirements (7)
• Report on effectiveness of control
over financial reporting:
• Separate statement of assurance
– Prescribed format for statement
– Defined qualifiers: Unqualified
Qualified
No Assurance
Download