Presentation on theme: "2007 Activities Reviewing and Compiling control points for Site AART Presented to : Process Owners By Grace Huang, Project Manager OMB Circular A-123 (Appendix."— Presentation transcript:
2007 Activities Reviewing and Compiling control points for Site AART Presented to : Process Owners By Grace Huang, Project Manager OMB Circular A-123 (Appendix A) Implementation
What is OMB Circular A-123? Provides Federal managers guidance on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls* Appendix A was added late 2005 with a focus of the management process for assessing internal control over financial reporting * From “Purpose and Authority” of Circular No. A-123
Assurance reporting at different levels DOE Headquarters Assurance Statement Chicago Field Office Roll up Site A-123 Assessment and Reporting Tool (AARTs) Assurance Statement LBNLSite AART
Material accounts Balance sheet Other Liabilities Accounts Payables Other Non- intragovernmental assets General Property, Plant, and Equipment Stmt of Net Costs World Class Scientific Research Capacity Reimbursable Programs Stmt of Financing Depreciation and Amortization Major processes Entity Controls Process Controls Budget to Close Procure to Pay Enterprise Resource Management Project to Asset Quote to Cash
FY07 Timelines MilestonesDue Dates Internal Control training 10/1/2006 through 12/15/2006 Revised Site AART toolkit Mid December Review of Site AART data (including Financial Statement Assertion linkage) 12/15/2006 through 2/15/2007 OMBA-123 Webpage development 11/1/2006 through 12/31/2006 1st Quarterly reporting 1/5/2007 (tentative) Realignment of FY 2006 Data for new Site AART features 2/15/07 through 5/15/2007 Testing 2/15/2007 through 7/31/2007 2nd Quarterly reporting 4/6/2007 (tentative) Remediation of controls 2/15/2007 through 6/15/2007 3rd Quarterly reporting 7/6/2007 (tentative)
FY07 Timelines (Continued) MilestonesDue Dates Preliminary assurance reporting 8/10/2007 (tentative) Final assurance reporting 8/27/2007 (tentative) Periodic assessment team meeting Ongoing Quarterly Steering Committee meeting Ongoing Periodic status report to CFO Ongoing
New/Changed process? Note any significant process change that may have been prompted by or resulted in any of the following New regulations requiring additional controls to ensure compliance Organizational changes in which new leadership has implemented new procedures or directives Existing automated processes changed to manual ones Process owners are required to discuss any of the above with the implementation team
Why Hours required for testing activities in FY2006 Agreed controls required clarification or revisions Required resources to track the revised controls
How to Review the controls under the sub-processes rated “Moderate” and “Low” risks Based on the way the control is worded, conclude the following: What does the control accomplish (its objective)? Is the control objective preventive, detective, or both in nature (Control Set Mode)? Mark the key control(s) with two asterisks at the end of the sentence and list the key control(s) first Re-rate the Control Set Design Effectiveness based on the new definition of the rating
Key Controls/Controls Set Key Controls are: Controls that have the greatest and most critical impact in mitigating risk occurrence A control Set is A logical grouping of controls designed to mitigate a common risk statement
Control Set Design Effectiveness Rating FY 2007 (New)FY 2006 (Old) 3 Significant Design Deficiency High probability of the risk occurring Material Weakness More than a remote likelihood of material misstatement of Financial Statement 4 Design Deficiency More than a remote possibility of the risk occurring Reportable Condition More than a remote likelihood and more than inconsequential misstatement of Financial Statement 5 Minor Design Deficiency Only a remote possibility of the risk occurring Control Deficiency The control will prevent or detect a misstatement of Financial Statements 6 Designed Effectively Less than a remote possibility of the risk occurring Designed Effectively The control will prevent or detect a misstatement of Financial Statements
Control Set Design Considerations Design Effectiveness Rating Decisions should consider: Degree of automation of the control set Type and mode of control set Frequency of execution of the control set Existence of compensating controls Risk Assessment rating Relative exposure Potential for risk occurrence
How to Design Effectiveness Rationale (An example) for a rating of 6 (control set designed effectively): Control set contains both manual and automated controls directly linked to key risks. The control set provides for preventive and detective controls to mitigate the risk and provides for identification of issues should the risk occur. The number of controls also appears adequate based on the level of risk.
How to Project team will determine the following for review: The direct impact on the DOE entity-wide financial statements if the control is not able to mitigate the risk(s) involved DOE entity-wide statements –Balance Sheet –Statement of Net Costs –Statement of Financing In the event that the impact on the entity- wide financial statement is indirect, reference “Indirect impact”
How to The five financial statement assertions (project team will complete this for review): P resentation and disclosure Is it recorded in the right place? E xistence or occurrence Did it happen and when? R ights and obligations Do we own or owe what we think we do? C ompleteness and accuracy Is anything missing? V aluation or allocation Are the numbers right?
How to Revising controls When? It is not possible to form a clear, concise control objective which addresses how the risk involved may be averted or detected Lack of specificity in the Risk/Control set Underlying business processes have changed prompting the controls to be changed or eliminated Controls as worded are inaccurate depiction of the actual business processes and procedures The Control Set Type (Auto vs. Manual) and Frequency have changed
How to A risk/control set – before and after Example (before): Risk: Improper orders can occur Control: Procurement supervisors review the purchase requisitions for any unallowable items and assign transactions to buyers. Buyers review transactions then source requisitions into purchase orders and place orders with vendors.
How to A risk/control set – before and after Example (After): Risk: Prohibited items may be ordered via LBNL Procurement systems Controls: Procurement supervisors review the purchase requisitions for any unallowable items. The DPU Supervisor signs off on monthly statement and reviews the backup documentation. Buyers review and approve those purchase orders within their delegated signature authority. SAS approvers review for any prohibited items and approve the requisitions.
How to How is after different from before? A more clear control objective – prevents unallowable costs from incurring by preventing and/or detecting the requisition of prohibited items Specific reference to multiple processes in which the control objective is achieved
Our goals To address the feedback from DOE HQ OMB A-123 Project Management Team (PMT) : Most risk statements are detailed and well formed, but some lack specificity While the control activities are defined, it is difficult to discern the control objectives. To streamline effort for FY07 implementation activities by striving for more clear and concise control objectives
Optional/Recommended Efficiency Opportunities Identifier While the control set design may be effective, A-123 evaluations should also assess efficiency where possible. If during the course of the evaluation opportunities to improve the efficiency of controls are identified, record a “Yes” in the Efficiency Opportunities Column (Col. V). The nature of the potential efficiency should be recorded in the detailed A-123 Documentation.
Design Efficiency Opportunities Automation of manual controls Elimination of duplicative controls Consolidation of multiple controls into a more effective control Alteration of control frequency Transition from detective to preventive controls Alignment of numbers and complexity of controls with level of risk