1 INTERNAL AUDIT SERVICES: Internal Controls as they Relate to OMB Circular A-123
December 2006
Audit Project No. 2509
The purpose of this training session is to provide you with information regarding internal controls as they relate to OMB A-123.
2 OMB Circular A-123 Background
Management’s Responsibility for Internal Control
– In December 2004, the United States Office of Management and Budget (OMB) released a revised Circular A-123, which stipulates that federal agencies must provide assurance about the adequacy of internal controls and the reliability of financial reporting.
– The Circular was issued under the authority of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) and became effective in fiscal year 2006.
– DOE delegated responsibility for implementation of OMB Circular A-123 to its contractors.
3 OMB Guidance
– Federal agencies must test, evaluate, and report on the effectiveness of their internal controls over financial reporting, which is similar to what is required of publicly traded companies under Sarbanes-Oxley section 404.
– The key difference between Sarbanes-Oxley and OMB A-123 is that Federal agencies are not required to have an external audit opinion on their internal controls.
4 Definition of Internal Control
Internal control is a process, put in place by management and other personnel, designed to provide reasonable assurance that we will achieve the following objectives:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
5 FY07 OMB A-123 Team Members
– Jeffrey Fernandez, OCFO – Attester
– Minh Huebner, OCFO – Implementer
– Grace Huang, OCFO – Project Lead
– Kim Martens, IAS – Testing Lead
– John Chernowski, OIA – Project Team Member
– Ira Nishibayashi, OIA – Project Team Member
– Michele Mock, OCFO – Project Team Member
– Rose Katsus, OCFO – Project Team Member
– Lauretta Corsair, OCFO – Project Team Member
– Rosalyn Height, OCFO – Project Team Member
– Rich Nosek, IT – Project Team Member
7 COSO Framework of Internal Control
Control Environment – Sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Risk Assessment – Internal control should provide for an assessment of the risks the Lab faces from both external and internal sources in order to determine how risks should be managed.
Control Activities – Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing control objectives. Includes policies and procedures.
Monitor Performance – Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.
Information and Communication – Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.
8 Five Control Components All 5 of the internal control components work together to establish a strong internal control structure.
9 Control Environment
[Diagram: Control Environment]
This component is the foundation of good internal control. Management establishes the control environment and sets the tone at the top.
10 Risk Assessment
[Diagram: Control Environment, Perform Risk Assessment]
Risk assessment is the key to internal control design. Performing risk assessments allows you to identify risk, analyze risk and manage risk, either by implementing controls to mitigate exposure or by accepting the risk.
11 Control Activities
[Diagram: Control Environment, Perform Risk Assessment, Implement Activities]
Controls reduce risk.
12 Two Types of Control Activities
Preventive controls are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. They are applied before the processing activity occurs. This type of control is generally more effective in a strong control environment than detective controls.
Detective controls are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detective controls normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques.
13 Monitor Performance
[Diagram: Control Environment, Perform Risk Assessment, Implement Activities, Monitor Performance]
14 Information and Communication
[Diagram: Control Environment, Perform Risk Assessment, Implement Activities, Monitor Performance, Information and Communication]
15 Limitations of an Internal Control Structure
– Errors may arise from misunderstandings of instructions, mistakes of judgment, fatigue, etc.
– Controls that depend on the segregation of duties may be circumvented by collusion.
– Management may override the structure.
– Compliance may deteriorate over time.
Even the best designed ICS cannot be 100% effective 100% of the time. Also, ICS design could be limited by cost considerations. Why spend $1 million to protect just $100,000? How about purchasing buyer total authority for small dollar purchases. If total dollars of these purchases are material in total, client could establish internal controls to detect errors or fraud after the fact, i.e., Use of Sampling in performing control activities relates to design.
16 Internal Control Myths and Facts
MYTHS:
– Internal control starts with a strong set of policies and procedures.
– Internal control: That’s why we have internal auditors!
– Internal control is a finance thing.
– Internal controls are essentially negative, like a list of “thou-shalt-nots.”
– Internal controls take time away from our core activities of research, operations, and customer service.
FACTS:
– Internal control starts with a strong control environment.
– While internal auditors play a key role in the system of control, management is the primary owner of internal control.
– Internal control is integral to every aspect of business.
– Internal control makes the right things happen the first time.
– Internal controls should be built “into,” not “onto” business processes.
Source: Institute of Internal Auditors, 2003
17 Your Role as Process Owner
– Acknowledge your responsibility for the control structure within your business processes
– Identify, prioritize and review risks and controls
– Remove obstacles for compliance; remedy control deficiencies
– Perform self-assessments and document test work
– Educate your personnel about OMB requirements
– Reinforce internal focus on controls within your area
– Surface any risks, concerns or issues promptly to allow adequate attention for correction (don’t wait for an audit!)
– Fix control gaps as soon as possible
18 Entity + Process Controls = Assurance
Entity Controls
– Entity Controls relate to the organization as a whole and are not specific to processes.
– Ensure the integrity and effectiveness of the organization and its leadership.
– Entity Controls focus on 5 Standard Entity Areas (COSO).
Process Controls
– Process Controls ensure the integrity and accuracy of the business transactions as they impact the financial statements.
– In some cases, Process Controls supplement Entity Controls to mitigate risk.
Need to have a tone at the top and good business processes.
Adapted from DOE A-123 All Hands Training
19 OMB Entity Control Areas and Sub-Categories
DOE guidance lists these entity areas and their sub-categories as areas that should be evaluated by the assessment team. For FY07, sub-categories identified as Low or Medium risk will require testing.
Source: A-123 All Hands Training
20 Process Cycles and Processes
DOE guidance lists these process cycles and their sub-processes as areas that should be evaluated by the assessment team. For FY07, sub-processes identified as Low or Medium risk will require testing.
21 Example: Procure to Pay Process Cycle and Processes/Sub-Processes
This is the Procure to Pay process cycle and sub-processes. For FY07, the Evaluation Team will evaluate activities that could lead to material misstatement of LBNL’s financial statements.
22 Inherent Risk
– DOE’s approach to A-123 is based on evaluating controls to offset inherent risk.
– Inherent Risk is the chance that a material misstatement will occur because there are no related internal controls in place.
– Risks should be identified to cover the end-to-end process and should consider financial statement assertions (PERCV).
DOE guidance states that a risk-based approach should be used to evaluate activities. Inherent risks are those activities that have a greater risk of occurring because there are no internal controls in place.
24 Example of Process Risk Statement
Process: Payable Management
Sub-Process: Disbursing
Risk Statement:
Invalid or duplicate Payment may be made in excess of approved contract amount, resulting in loss to DOE (if not detected) and an increase in improper payments reported to DOE (if later detected).
Relation to PERCV:
– Existence and occurrence: Liabilities/Payables recorded do not exist.
– Rights and Obligations: Liabilities/Payables do not reflect valid obligations of the entity.
– Valuation or allocation: Expenses/Payments are inappropriately recorded/valued in financial statements.
Adapted from A-123 All Hands Training
25 Example of Process Cycle Controls
Process: Payable Management
Sub-Process: Disbursing
Risk Statement:
Invalid or duplicate Payment may be made in excess of approved contract amount, resulting in loss to DOE (if not detected) and an increase in improper payments reported to DOE (if later detected).
Controls:
– System automatically closes contracts when receipts and invoices have been posted and paid equal to the amount of the contract.
– Invoices in excess of contract are automatically rejected with the reason code indicating that the contract is complete.
– Rejected invoices are sent back to appropriate departments for follow-up.
Adapted from A-123 All Hands Training
26 Example of Entity Controls
Adapted from A-123 All Hands Training
28 Dual-Purpose Testing
A-123 employs a two-step, dual-purpose testing approach.
1. Determining whether a control failure occurred (control operation); and
2. Determining whether the risk actually occurred (impact) as a result of the control failure, where reasonable and appropriate.
29 Types of Tests
Inquiry – ask a question
– Interview staff to validate knowledge of a policy or requirement
– Conduct a survey to obtain or validate information
Inspection – did it happen
– Review sample of source documents for evidence of control execution
– Review exception reports and related documentation to identify preventive control failures and validate follow-up for risk occurrence
– Reconcile process/system documentation to actual operation
Observation – watch it happen
– Monitor personnel to validate execution of manual controls
– Observe occurrence of automated controls (e.g. popup warnings)
Re-performing – make it happen
– Enter a valid transaction to test control operation
30 OMB Test Ratings
Test Ratings: Effective in FY 2007, test results will be scored on a scale of 3 to 7.
3 – Significant Operational Deficiency: HIGH probability of risk occurring.
4 – Operational Deficiency: MORE than a REMOTE possibility of the risk occurring.
5 – Minor Operational: ONLY a REMOTE possibility of the risk occurring.
6 – N/A
7 – Operating Effectively: LESS than a REMOTE possibility of the risk occurring.
31 Communicating Internal Control Weaknesses Reportable
32 Sample Assurance Statement
Internal Control Certification:
Revised OMB A-123: Sample Assurance Statement
Fiscal Year 2XXX
Annual Assurance Statement on Internal Control over Financial Reporting
The [Agency’s] management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The [Agency] conducted its assessment of the effectiveness of the [Agency’s] internal control over financial reporting in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the [Agency] can provide reasonable assurance that the internal control over financial reporting as of June 30, 2XXX was operating effectively and no material weaknesses were found in the design or operation of the internal controls over financial reporting.
_____________________________
Head of Agency
Adapted from A-123 All Hands Training