Implementing a Strong and Effective Internal Control Program for the State of North Carolina
October 15, 2008 David McCoy State Controller
2
Agenda
• What is EAGLE?
• Why is EAGLE Important to North Carolina?
• EAGLE Implementation Efforts
• EAGLE Methodology: Top-Down, Risk-Based
• Lessons Learned
3
What is EAGLE?
• During 2004 the State Controller outlined his strategic vision for implementing a statewide internal control and accountability program for North Carolina – a program similar to the one imposed on the private sector through the Sarbanes-Oxley legislation in 2002.
• The State Controller formed a Statewide Internal Control Task Force – consisting of representatives from all three branches of government, the University System, and the Community College System.
• The Statewide Internal Control Task Force presented recommendations, in the form of proposed legislative action, to the State Controller.
4
What is EAGLE?
• Recommended legislative action received the support of the State Auditor.
• The Task Force’s recommendations led to the passage of House Bill 1551 during the 2007 session of the General Assembly.
– Established internal control standards for State government
– Increased fiscal accountability within State government
• EAGLE, which stands for Enhancing Accountability in Government through Leadership and Education, resulted from the actions taken by the North Carolina General Assembly.
5
What is EAGLE?
• EAGLE leverages two widely accepted frameworks:
– COSO model for internal control
– COBIT framework for information technology controls
6
Why is EAGLE Important to North Carolina?
• Enhances Public Accountability to the State’s Key Stakeholders – Our Taxpayers.
• Enhances Accountability to other Stakeholders – including the Federal Government and bond rating agencies.
• Creates a competitive advantage for federal and foundation dollars.
• Fosters a general notion that government should be as good as or better than those it regulates.
• Cost-savings may be realized through identifying ways to make business processes more efficient and effective.
7
Why is EAGLE Important to North Carolina?
All too confusing and overdone… Except when we get in trouble
Must do it… But how do we do it better?
Keep Us Out of Trouble
Make Our Agencies Better
[Diagram labels: goal; Inaccurate Financial Reporting; Catastrophic Reputational Consequences; Larger Fines and Settlements; Budget Constraints; Expanded Regulation; Enhanced and Coordinated Risk Management Activities; Ability to Deliver Efficient and Cost Effective Services; Improved Risk Reporting and Disclosure; Enhanced Technologies; State Auditor Findings; Standardized Procedures Across State Agencies; Reduced Total Operating Expenses]
8
EAGLE Implementation
• Five-person team dedicated to the EAGLE Program, complemented by staff in the Agency Accounting Section of the Office of the State Controller’s Statewide Accounting Division.
• As a result of the magnitude and scope of the legislation, a decision was made to implement EAGLE in a phased approach:
– Phase I:
• Internal Control over Financial Reporting
– Future Phases:
• Compliance with applicable Laws and Regulations
• Efficiency and Economy of Operations
9
EAGLE Implementation
• The Office of the State Controller issued a Request for Proposal to assist in the development of the EAGLE Program. Ernst & Young was awarded the contract.
• Ernst & Young partnered with the Office of the State Controller to co-develop an internal control guidance manual and assessment tools, and to provide statewide training on the EAGLE Program.
• All state agencies were required to appoint an Internal Control Officer to serve as the liaison between the agency they represent and the Office of the State Controller.
10
EAGLE Implementation
• A decision was made to roll out Phase I of the EAGLE Program in three groups:
• Group 1
– Training: March 31, 2008
– Targeted Completion Date: July 31, 2008
• Group 2
– Training: October 22, 2008
– Targeted Completion Date: July 31, 2009
• Group 3
– Training: Fall 2009 (Date to be determined)
– Targeted Completion Date: July 31, 2010
• Group 1 included 15 state agencies and universities. Group 2 consists of all remaining state agencies and universities. Group 3 will consist of all community colleges.
11
EAGLE Implementation
• Group 1 agencies were asked to form an agency assessment team – led by the agency’s Internal Control Officer.
• EAGLE Team provides on-site assistance to agencies as they complete their self-assessment deliverables.
• EAGLE Team monitors the results of an agency’s implementation efforts through a web-based documentation tool – utilizing Microsoft’s SharePoint software.
12
EAGLE Implementation
• Agencies are responsible for uploading their milestone deliverables to the EAGLE SharePoint website. The EAGLE Team reviews this documentation and provides agencies with feedback.
• For FY 2008, Group 2 and Group 3 agencies continued to complete the traditional Annual Self-Assessment of Internal Controls Questionnaire.
13
EAGLE Methodology: Top-Down, Risk-Based
Overview
[Diagram: Top-Down, Risk-Based Approach. Steps: Identify Financial Reporting Elements; Identify where risks reside; Leverage Entity Level Controls; Select the “Right” Controls. Side labels: 5 COSO Components; Materiality & Risk Criteria.]
[Identifying Risk (Including risk of fraud): Consolidated Financial Statements; Consolidated Account; Process / Class of Transaction; Location; Account Component; Prioritized Risks; Higher Risk; Lower Risk.]
[Identifying Controls: Entity-Level Controls; Direct ELCs; Monitoring Controls; Indirect ELCs; Information Technology General Controls; Transaction Level Controls (manual, IT-dependent manual, application controls); Control Population; “Right” Combination of Controls.]
[Efficient Testing Strategy and Execution (“risk control failure” + “evidence requirements”); Conclude on Design and Operating Effectiveness; Supports Reliable Financial Reporting.]
© 2007 Ernst & Young.
14
EAGLE Methodology: Top-Down, Risk-Based
Risk Assessment
• In a top-down approach, the organization begins by identifying, understanding, and evaluating the risk at a financial statement level.
• At the financial statement and process level, the organization identifies those accounts and processes that possess the quantitative (i.e. materiality) and qualitative factors for higher or lower risk to determine the final scope.
Advantages of a Top-Down, Risk-Based Approach:
By using a Top-Down, Risk-Based approach, the agencies within the State of North Carolina focus the majority of their internal control efforts on those highest risk areas and avoid performing excess work on the lowest risk areas.
15
EAGLE Methodology: Top-Down, Risk-Based
Design Effectiveness - Controls Identification
• After the agencies have completed the risk assessment and identified those accounts and processes in scope, the flow of transactions is documented to gain an understanding of the highest risks within those processes.
• For those risks that exist in the transaction processing, the organization identifies those internal controls that either prevent or detect an error from occurring.
EAGLE’s Phase I Implementation Approach:
In Phase I, Group 1 agencies will focus on the internal control design efforts only in those accounts and processes identified as high risk in Year 1. However, in Year 2 Group 1 must include the moderate risk accounts and processes. Groups 2 and 3 will focus on both high and moderate accounts and processes in their Year 1 efforts.
16
EAGLE Methodology: Top-Down, Risk-Based
Operating Effectiveness – Execution and Evaluation
[Diagram labels: Supports Reliable Financial Reporting; Efficient Testing Strategy and Execution (“risk control failure” + “evidence requirements”); Conclude on Design and Operating Effectiveness]
• After the agencies have completed the documentation of the processes and identified the “right” combination of controls, a testing strategy is designed to focus efforts on those controls that have been designed to prevent or detect errors of the highest risk processes.
Advantages of a Top-Down, Risk-Based Approach:
By using a Top-Down, Risk-Based approach, the agency focuses the testing and self-assessment effort, which allows the organization to better time and schedule the testing over the course of the entire reporting period by testing the lower risk controls earlier in the year and the highest risk controls closer to year-end.
17
Lessons Learned
• You must have strong executive leadership and support of your program.
• Recognize and manage program risk. Implement your program in phases – start with a small group of state agencies and focus only on the high risk areas in Year 1.
• Establish a target date for completion of the self-assessment; however, provide a recommended timeline for the completion of each milestone to keep agencies on target.
• Provide agencies with a concise list of the required procedures to be performed for each milestone.
• Training is essential. At the beginning of each milestone, provide customized, one-on-one training with each agency assessment team.
• Review the deliverables for each milestone to ensure that agencies remain on track – provide constructive feedback.
• Understand the importance of your IT environment and the challenges it brings as you implement your program.
18
Contact information:
Ben McLawhorn, CISA, CISM, CFE
Risk Mitigation Services Manager
North Carolina Office of the State Controller
1410 Mail Service Center
Raleigh, NC 27699-1410
Email: [email protected]@ncosc.net
Phone: (919) 981-5409
Fax: (919) 981-5567
For additional information on EAGLE, please visit our website: http://www.ncosc.net/eagle