Updated COSO Framework & Green Book Effective Dates
• COSO: the updated Framework supersedes the original Framework at the end of the transition period (December 15, 2014)
• Green Book: GAO's 2014 revision is effective beginning with fiscal year 2016

What is COSO?
COSO is the Committee of Sponsoring Organizations of the Treadway Commission. Its sponsoring organizations are:
• American Accounting Association (AAA)
• American Institute of Certified Public Accountants (AICPA)
• Financial Executives International (FEI)
• Institute of Management Accountants (IMA)
• The Institute of Internal Auditors (IIA)

What is the Green Book?
• Standards for Internal Control in the Federal Government
• Issued by the Government Accountability Office (GAO), Comptroller General of the United States
• "May also be adopted by state, local, and quasigovernmental entities as a framework for an internal control system"

OK so why should I care?
• Auditors are required to gain an understanding of the control framework: the COSO Internal Control Framework or the Green Book
• Federal Grants & Single Audit: the new "Super Circular" adds additional emphasis on internal controls
• Link to the Yellow Book: 2011 Yellow Book ¶A.04 discusses that, in addition to the COSO framework, Standards for Internal Control in the Federal Government (aka the Green Book) provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to auditors at other levels of government. The related "Internal Control Management and Evaluation Tool", based on federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.

Internal Controls (200.303)
Topic: Internal Controls (200.303)
Uniform Guidance Synopsis:
• Strong emphasis on internal controls
• Mentioned 103 times in the 12/26/2013 Federal Register notice
• References "Standards for Internal Controls in the Federal Government", issued by the Comptroller General (also known as the "Green Book"), and "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
What Does This Mean?
• While OMB has clarified in an FAQ that there is no expectation that we have to explicitly follow these referenced guidelines (as long as we have effective internal controls in place), it is unclear what the audit community will expect.

Internal Controls (200.303)
The non-Federal entity must:
(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Components of Internal Control
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring Activities

Updated principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Updated principles of effective internal control (continued)
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

How Various Controls Affect Principles, e.g., Control Environment
Component: Control Environment
Principle: 1. A CPA firm demonstrates a commitment to integrity and ethical values
Controls embedded in other components that may affect this principle:
• Information Technology staff tests for data breaches of personally identifiable information continuously (Control Environment)
• Management obtains and reviews data and information underlying potential deviations captured in reports generated immediately upon occurrence (Information & Communication)
• Risk manager separately evaluates the Control Environment, considering employee behaviors and whistleblower hotline results, and reports thereon (Monitoring Activities)

Updated principles of effective internal control (continued)
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

How Various Controls Affect Principles, e.g., Risk Assessment
Component: Risk Assessment
Principle: The Controller identifies risks to the achievement of the objectives across the office and analyzes risks as a basis for determining how the risks should be managed.
Controls embedded in other components that may affect this principle:
• As part of the meetings with senior staff on goals and objectives, risks are noted and potential controls against those risks are brainstormed and initiated if approved by the audit committee (Risk Assessment)
• The result of the brainstorming is communicated to staff as part of semiannual reviews (Information & Communication)
• A dashboard of risks is established and is updated with each batch cycle. Employee reviews are completed timely (Monitoring Activities)

Updated principles of effective internal control (continued)
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

How Various Controls Affect Principles, e.g., Control Activities
Component: Control Activities
Principle: The Controller selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Controls embedded in other components that may affect this principle:
• Every two years, the Controller rotates duties among the divisional managers, not only to provide them with broader experience but also to lower the risk of financial reporting fraud. Staff enjoy the rotation as they are not working the same job repeatedly (Control Activity)
• A report is developed predicting payables over the next 30 days and disseminated to fiscal officers. The payables are compared to encumbrances (Information & Communication)
• The Comptroller reviews payables that are unusual, above $5,000, or infrequent (Monitoring Activities)

Updated principles of effective internal control (continued)
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Updated principles of effective internal control (continued)
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

How Various Controls Affect Principles, e.g., Monitoring Activities
Component: Monitoring Activities
Principle: The Controller selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Controls embedded in other components that may affect this principle:
• The quality assurance division reports are also transmitted to the division where the problem occurred. Corrective action is taken. If no corrective action is accomplished, the employee's personnel file records the issue and, if repeated, it could be grounds for termination (Control Activity)
• Statistical reports on uses of personally identifiable information are reported to employees on a monthly basis. All employees are trained semi-annually on when / how / who can access PII (Information & Communication)
• Reports on detections of improper use of personally identifiable information by employees are escalated to a senior review board that investigates all activities and reacts to breaches in accordance with state law (Monitoring Activities)

COSO & Green Book
Required:
• 5 elements of control
• 17 principles
Points of focus (not required) to address when implementing:
• COSO – 87
• Green Book – 47 (attributes)

Example Attribute
• Component – Risk Assessment
• Principle – "Management should identify, analyze, & respond to risk related to objectives"
• Attributes to Principle: Identification of Risks; Analysis of Risks; Response to Risks

Documentation Requirements
If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

Documentation Requirements
• Control Environment: Management develops and maintains documentation of its internal control system.
• Control Activities: Management documents in policies the internal control responsibilities of the organization.
• Monitoring: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

Control Considerations - CE
• Establishment of a formal Code of Conduct: communicates appropriate ethical and moral behavior, penalties, and how to communicate when becoming aware of any potential issue; covers conflicts of interest, including dealing with suppliers
• Proper hiring & training program (commitment to excellence), including P&P for hiring, training, promoting, discipline, and termination

Control Considerations - CE
• Key areas of authority & responsibility are defined & communicated
• Establishment of an internal audit function
• Establishment of a fraud/ethics hotline, properly designed and reporting to the proper levels of the government

Control Considerations - RA
• Brainstorm, including appropriate levels of the organization (always include IT); this means "not" just finance/business
• Identify risk associated with compliance, operations, & reporting
• Should not be a once-and-done approach
• Should consider both entity-wide and activity-level objectives, and internal/external risk

Control Considerations - RA
• Maintain a list of items from brainstorming
• Assess likelihood and significance (benchmark to your entity's risk appetite)
• Identify corresponding controls to address those that are significant/likely (or a combination)
• Update the list with additional areas identified while performing monitoring activities

Control Considerations - RA
• Principle 8 - The organization considers the potential for fraud in assessing risks to the achievement of objectives
• Added emphasis on fraud
• Resources: "Managing the Business Risk of Fraud: A Practical Guide" (IT'S FREE!!!!) http://www.acfe.com/uploadedfiles/acfe_website/content/documents/managingbusiness-risk.pdf (currently in the process of revision)

Control Considerations - CA
• Don't forget IT General Controls: Password(s), Segregation of Duties, Approvals, Change Management Controls

Control Considerations - MA
• Ongoing monitoring – regular management and supervisory activities, comparisons, reconciliations, and other routine actions
• Separate evaluations – can be conducted by management or others such as internal auditors or management consultants

Control Considerations - I/C
• Established communication exists to provide appropriate information to individuals related to their responsibility and role in the internal controls process
• Communication channels exist for employees and management to report issues up the chain to ensure appropriate action is taken
• Appropriate information is generated to support internal controls

Large vs Small Entity (OV4.04)
The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms, such as written reports, intranet portals, or periodic formal meetings, to communicate with the organization.