Internal Control over Financial Reporting OMB Circular A=123, Appendix A ICOFR = Fed SOX Mary C. Braun, CPA, CGFM Management Concepts, Incorporated Agenda • Background • Requirements • Implementation Background • Precipitated from Sarbanes Oxley • Congress looks at federal government internal control guidance with a new focus on financial reporting • OMB convened a meeting of the CFO Council and the PCIE Internal Control Guidance – 1950 Accounting and Auditing Act – 1982 Federal Managers’ Financial Integrity Act – 1990 Chief Financial Officers Act – 1994 Government Management Reform Act – 1996 Federal Financial Management Improvement Act COSO • Treadway Commission: Internal Control Guidance M Activities Risk Assessment Control Environment Effects of SOX • OMB amends Circular A-123 to include Appendix A: Internal Control over Financial Reporting – Defines scope of assessing and documenting – Defines process for assessing at entity, process, transaction and application level – Requires separate annual assurance statement to be signed by agency head Appendix A: ICOFR Goals Management: • Acknowledge it responsibility for establishing and maintaining ICs • Apply IC objectives to financial reporting: – Effective and efficient operations – Reliable financial reporting – Compliance with laws and regulations • Understand that ICs exist (or should) at every level and in every process of the organization • Realize that good internal control leads to financial reporting integrity OMB Requirements • Top-down Driven Governance: – Senior Assessment Team • End-to-end Documentation of Key Processes (Minimum Scope:) – 5 (now 4) Financial Statements (Reports) • Identification and Testing of Key Controls • New Assurance Statement Divide and Conquer !! Establish Assessable Units ICOFR Requirements (1) • Establish a governance body – Senior Assessment Team who will: • • • • • • • • Have decision-making leaders as members Identify material business lines/processes Narrate and flowchart business process Identify risks and assess materiality Document internal controls Test internal controls Report on control effectiveness Develop corrective action plans Develop Key Control Assessment Plan • All key controls are assessed at least once every three years • Some more: – High risk – Change in: • Law • System • Key personnel ICOFR Requirements (2) • Evaluate Internal Control at Entity Level – GAO-01-1008G: Internal Control Management and Evaluation Tool – Use GAO Internal Control Standards ICOFR Requirements (3) • Identify key business processes ICOFR Requirements (3) • Document key processes: Customer Performing Component Order Acceptance Data Process Data/ Bill Perform Services Data File Service Provider Acctg System AFS Service Acctg System ICOFR Requirements (4) • Assess Risk: Customer Document from flow charts Performer Order Acceptance Service Provider Data/ Bill Perform Services 4 5 1 Data Data 2 Process 3 Service Acctg System Acctg System 7 AFS Financial Assertions • • • • • Completeness Obligations/Rights Valuation Existence/Occurrence Reporting/Presentation Look for Risk of Misstatement IT Financial Assertions • • • • Completeness Accuracy Validity Restricted Access ICOFR Requirements (5) • Identify key controls: Document from flow charts Customer Service Provider Performer Order Acceptance Data/ Bill Perform Services 4 5 1 Data Data 2 Process 3 Service Acctg System Acctg System 7 AFS ICOFR Requirements (5) • Document key controls: Risk Analysis Entity Preparer Account Line: Accounts Receivable Control Number 1 Account/ Line Item/Event IntraGov Accts Rec Business Cycle, Accounting Application Assertion Reimb R/O Preliminary Control Assessment Risk Not reported Internal Control Inherent Currently In Risk Place Track & high check Control Risk Internal Control Test Method Used low Inspect Document, document, document ICOFR Requirements (6) • Test key controls – Develop test plan and document – Establish tolerance level for error, document – Identify sample size: OMB recommendations – Test and document • Consider dependencies – SAS 70 reports??? Identify Material Weaknesses • At assessable unit level • At subagency/department level • At Agency/ Department level Management has the discretion to make the determination! OMB generous with Material Weakness definitions Corrective Action Plans • Plan well • Divide corrective steps into small manageable pieces – SAT should approve • Develop realistic target dates • Monitor progress continuously Develop Corrective Actions • Managers: Process Owners develop corrective actions plans and timelines • Senior Assessment Team concurs or non-concurs • Published in PAR • Monitored by leadership • Progress reported on periodically to OMB Basis for Assurance • Deficiencies can be: –Single deficiency –Significant deficiency –Material weakness • Determines level of assurance –Cannot be unqualified if material weakness exists ICOFR Requirements (7) • Report on effectiveness of control over financial reporting: • Separate statement of assurance – Prescribed format for statement – Defined qualifiers: Unqualified Qualified No Assurance