advisory internal controls over financial reporting (icofr) management’s assertions central pa...

ADVISORY

Internal Controls Over Financial Reporting (ICOFR)Management’s AssertionsCentral PA Chapter of the AGA February 9, 2011

PUBLIC SECTOR

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.FOR INTERNAL USE ONLY 2

Contents

Background Federal Managers’ Financial Integrity Act (FMFIA) of 1982 Office of Management and Budget (OMB) Circular No. A-123

Significant Revisions

Management Responsibilities

Accountability Office’s (GAO’s) Green Book

Integrate Compliance into the Internal Control Framework

Annual Assurance Statement

Appendix A, Internal Control Over Financial Reporting (ICOFR)

Sample Assurance Statement on ICOFR

Additional Resources

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A. For internal use only 3

Internal Controls Over Financial Reporting (ICOFR)

“Government should lead by example. We should be as good or better than those we are regulating.”

David Walker, Comptroller General to CongressCFO Magazine, June 2003


BACKGROUND - Overview

In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom)

Among other things, the Act requires publicly traced companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting.

SOX requirements DID NOT apply to the federal government, the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR.

Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes:

New internal control review process stipulated

New Statement of Assurance

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.FOR INTERNAL USE ONLY 1-5

Internal Controls: An Evolution

OMB A-1231981

OMB A-1231981

OMB Q&A1984

OMB Q&A1984

OMB A-1231995

OMB A-1231995

OMB A-1232004

OMB A-1232004

GAO Green Book

1983

GAO Green Book

1983

IG Act1978

FISMA2002

Budget and Accounting Procedures Act of 1950

Sarbanes-Oxley 2002

FMFIA1982

GAO Green Book

1999

GAO Green Book

1999

Superseded

Federal Acts

Guidance

Standards

Non Federal

FDICIA1991

FFMIA1996

CFO Act1990


FMFIA of 1982

Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that:

Obligations and costs are in compliance with applicable law;

Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and

Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.

Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.


OMB Circular No. A-123

Defines management’s responsibility for internal controls for federal agencies and government corporations.

Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee:

Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies;

Strengthen the requirements for conducting management’s assessments of ICOFR; and

Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities.

Effective October 1, 2005, for federal fiscal year 2006.

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.FOR INTERNAL USE ONLY 1-8

OMB A-123: Revised Requirements (continued)

Additional Key Management Requirements (Appendix A):• Management must provide a conclusion on the operating effectiveness of internal

control over financial reporting using the framework provided by OMB Circular No. A-123 as of June 30 of each fiscal year

• Suggests establishing a senior management council and a senior assessment team, or body of similar construct

• Determine those financial reports that will be included in the agency’s assessment• Identify significant accounts, classes of transactions, and business processes

that support the agency’s financial reporting processes• Assess the agency’s control environment, risk assessment, control activities,

information and communication, and monitoring processes, as related to financial reporting

• Document the agency’s understanding of its financial reporting business processes• Test a sample of controls to determine if the agency’s internal control over financial

reporting is in place and operating effectively• Maintain a corrective action plan to remediate control deficiency • Monitor the agency’s internal control over financial reporting through periodic testing

of controls throughout the year


Significant Revisions

Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR).

Updates internal control standards and changes certain terminology. Integrates related statutes into an agency’s internal control framework. Establishes a Senior Management Council and Senior Assessment

Team. Defines the type of ICOFR deficiencies. Requires management to document its assessment process and test of

controls. Appendix A describes a high-level process to assess, document, and

report.Does not require an audit opinion for internal controls.

© 2005 KPMG LLP, the US member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in U.S.A.FOR INTERNAL USE ONLY

10]\OL

p

GAOs Green Book

`Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level.

Control ActivitiesThese policies and

procedures help ensure management directives

are carried out.

MonitoringInternal control systems need to be monitored – a process that assesses the

quality of the system’s performance over time.

Information and CommunicationPertinent information must be

identified, captured,and communicated in a form and time frame that supports all other control components.

Control EnvironmentThe control environment

sets the tone of anorganization, influencing

the control consciousnessof its people.


Reduce Compliance Cost via Integration

Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively.

FISMA FFMIA GPRA

IPIA FMFIASingleAuditAct

IG Act ClingerCohen

CFO Act

Source: KPMG LLP (U.S.), 2005

The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high.

The commercial sector’s experience with Sarbanes-Oxley provides some perspective

• Average $ spent

• Average time taken

• Average FTE’s utilized

• Planned $ to be spent

• Planned time to execute

• Planned resources


Management’s Steps to Compliance

Deliverables

Document Controls:• Entity-level Framework• Process-level Flowcharts

and/or Narratives• Internal Control Matrix:

Objectives, Risks & Controls

Identify and Correct Deficiencies• Categorization of Deficiencies• Corrective Action Plans• Remediated Controls

Documentation

Report on Internal Control:• Assurance Letters• Conclusion of Effectiveness• FMFIA Annual Assurance

Statement

Plan and Scope the Evaluation: • Scoping Document• Assessment Process

Documentation

Evaluate Design and Operating Effectiveness• Test approach and test plans • Test Results• Internal Control Matrix:

Assessment of Design and Operating Effectiveness

• List of Design or Operating Deficiencies


Annual Statement of Assurance

FMFIA Annual Assurance Statement previously included:• Section 2, Internal Controls Achieved Objectives; and

• Section 4, Conformance with System Requirements.

OMB Circular No. A-123 consolidates these statements of assurance:• Overall adequacy and effectiveness of internal controls, both financial, operational, and compliance;

• Each annual statement prepared pursuant to Section 4 shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General; and

• Under the revised A-123, includes a Statement of Assurance on the ICOFR.


Appendix A - ICOFR

Applies to all three internal control objectives:• Operational;

• Financial (including the assessment of ICOFR); and

• Compliance.

OMB Circular No. A-123, Appendix A provides a methodology for agency

management to assess, document, and report on their ICOFR. .


Appendix A – ICOFR – Management’s Steps

Defines the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles.

Plan & Scope the Evaluation1

Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions.

Document Controls2

Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation.

Evaluate Design & Operating Effectiveness3

Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.

Identify & Correct Deficiencies 4

Prepare management’s written assurance on the effectiveness of internal control over financial reporting.

Report on Internal Control5

If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion.

Independent Audit of Internal Control 6

Under theCircular, thisstep is optional.


Appendix A – ICOFR - Scope

Objectives of ICOFR• Should provide reasonable assurance to enable management to make the following

assertions:

• Existence and occurrence; Completeness; Rights and obligations; Valuation; Presentation and disclosure; Compliance;

• Assets are safeguarded against fraud and abuse; and

• Documentation for internal control, all transactions, and other significant events is readily available for examination.

Definition of Financial Reporting• An agency needs to determine the scope of financial.


Current Chatter: Loud and Confusing

Growing (Unfunded) Costs

Additional Legislation

Software Provider Claims

Consulting Firm Promises

GAO and Congressional

Concerns

More Accountability

A-123 Requirements

Media

Forums and ProfessionalAssociations

MarketplacePerplexity


Challenges

Today, agency managers face three major challenges:

1. Compliance with laws and requirements

2. Minimize the cost of compliance by integrating related internal controls

3. Reduce the overall cost of controls and transform operations to improve mission effectiveness

These challenges also present opportunities to:• Minimize the cost of compliance by integrating related internal controls

• Reduce the overall cost of controls and transform operations to improve mission effectiveness


Risk and Internal Controls

Objectives

Risk

Measuring Risk

Risk and Internal Control

Self Assessment


Internal Controls Lessons Learned

Expensive and chaotic to change controls or systems

Realization that requirements are permanent

Surprising degree to which information technology contributes to all operations and financial processes

Better understanding and analysis of monitoring controls and what controls can do for you

Need to embed internal controls within programs and operations

Re-implementation of basic controls

“Over-identified” key controls


Just Check the Box? Compliance

Federal agencies are usually more willing to embrace new initiatives that address program improvement

However, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its mission

Compliance with new regulations often degenerates into “check the box” exercises

Agencies miss out by just “checking the box”

Compliance is an opportunity to transform and improve.


Driving Value From Compliance

The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to• Improve the quality of controls and better manage risks

• Improve mission performance

• Reduce the ongoing cost of compliance over time

• Develop better operations insights

Applying the agency’s prioritization framework to those opportunities helps to identify priority initiatives for both immediate and future change – and make the business case for change


Deriving Value from Compliance

• Agencies can build on the foundation of compliance to improve both controls and business processes.

• Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations.

Program Improvement

Comply

Transform Operations

Integrate Compliance

Realize Opportunities

Ris

k M

anag

emen

t


Deriving Value from Compliance –Understanding the Controls Portfolio

• A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency.

• Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls.

• The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs.

Automated

Manual

PreventiveIncreasedRisk and

Cost

Lower Risk and Cost

Detective

Control Portfolio X


Deriving Value from Compliance –Understanding the Cost of Controls

Performance

Ongoing Assessmentand Monitoring

Total Cost

Largely “Hidden”

Increasingly Visible

Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible cost is the costs associated

with self assessments and independent reviews.


Deriving Value from Compliance –Transformation and Program Improvement

Integrating and Sustaining Compliance

• Implement an efficient, sustainable process that integrates and evaluates its internal control environment on a periodic basis

• Consider employing documentation standards, planning, and documentation templates, questionnaires, and work plans, and automated tools


Deriving Value from Compliance –Transformation and Program Improvement

Integrating and Balancing Risk with Program Improvement


Opportunities

Automated

Manual

Detective Preventive

Existing Control

Desired Control Portfolio• Mostly automated controls that prevent anomalies from occurring or taking effect

• Anomalies’ effects (wasted money, time, effort) are never felt

• Reduce control costs by introducing cost-savings

• Help agencies better manage their risks of doing business

Desired Control Portfolio

Previous Control

Future (new) Control

Improved Business PracticesBetter Understanding of CostsLinking Controls to Performance, cont.


Move to Sustainability

The question: “How do we comply with A-123?” Becomes…

“How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”

Today

• Project oriented

• Viewed in isolation

• Managed disparately

• Separated from the flow of business

• Owned by compliance

• Manual and detective

Tomorrow

• “The way we do business”

• Dynamic and action-oriented

• Integrated into processes

• Process and data centric

• Owned by the “business”

• Automated and preventive

What happens when?

• People leave

• Processes are improved

• New systems are implemented

• Businesses are sold/acquired

• Processes are outsourced


Summary

• Implementing an approach to ongoing compliance with a focus on efforts to best use scarce resources can reduce compliance risk and cost over time.

• High-level and detailed analyses of the controls portfolio can help identify areas to enhance risk management, reduce compliance costs, reprogram funds for mission needs, and improve performance

• Transforming compliance will likely take many months or years• During each step of transformation, seek to balance controls

improvements with improved business performance• Alignment of people, processes, systems, risk and controls, along

with the appropriate tone at the top can help shape ongoing compliance issues as opportunities rather than problems


Contact Information

Terry L. Carnahan, CGFM, CPAManaging Director, KPMG LLP

McLean, VA OfficePhone: (703) 286-8560

E-mail: [email protected]

Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services practice. He is responsible for, and involved in, internal control assessments of Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan worked for the District of Columbia Government, as well as for the U.S. Government Accountability Office for over 20 years, where he directed and managed risk-based audits of government programs and operations on various levels.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

advisory internal controls over financial reporting (icofr) management’s assertions central pa...

Documents

kpmg llp

internal use only41

swiss cooperative

internal control reviews

financial reporting

chief financial officers

budget omb circular

omb qa1984omb