2Effective Dates COSO: Green Book: Updated Framework will supersede original Framework at the end of the transition period (December 15, 2014)Green Book:GAO's 2014 revision will be effective beginning with fiscal year 2016
3What is COSO?COSO (Committee of Sponsoring Organizations) of the Treadway CommissionAmerican Accounting Association (AAA)American Institute of Certified Public Accountants (AICPA)Financial Executives International (FEI)Institute of Management Accountants (IMA)The Institute of Internal Auditors (IIA)
4What is the Green Book?Standards for Internal Control in the Federal GovernmentGovernment Accountability Office (GAO)Comptroller General of the United States“May also be adopted by state, local, and quasi-governmental entities as a framework for an internal control system”
5OK so why should I care?Auditors are required to gain an understand of control framework:COSO Internal Control FrameworkThe Green BookFederal Grants & Single AuditThe new “Super Circular” adds additional emphasis on internal controlsObtain an understanding of those controls and determine they are designed and implemented. And refers to those components of internal control within COSO and have been adopted by the Green book.
6Link to the Yellow Book 2011 Yellow Book – ¶A.04 discusses that in addition to the COSO framework – Standards for Internal Control in the Federal Government (aka the Green Book) provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to auditors at other levels of government. The related “Internal Control Management and Evaluation Tool” based on federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.
7Uniform Guidance Synopsis Internal Controls ( )TopicStrong Emphasis on Internal ControlsMentioned 103 times in the 12/26/2013 Federal Register noticeUniform Guidance SynopsisReferences “Standards for Internal Controls in the Federal Government”, issued by the Comptroller General (also known as the “Green Book”) and “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)What Does This Mean?While OMB has clarified in an FAQ that there is no expectation that we have to explicitly follow these referenced guidelines (as long as we have effective internal controls in place), it is unclear what the audit community will expect.
8Internal Controls (200.303) The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
10Update principles of effective internal control Control EnvironmentDemonstrates commitment to integrity and ethical valuesExercises oversight responsibilityEstablishes structure, authority and responsibilityDemonstrates commitment to competenceEnforces accountabilityRisk AssessmentSpecifies suitable objectivesIdentifies and analyzes riskAssesses fraud riskIdentifies and analyzes significant changeControl ActivitiesSelects and develops control activities11. Selects and develops general controls over technologyDeploys through policies and proceduresInformation & CommunicationUses relevant informationCommunicates internallyCommunicates externallyMonitoring ActivitiesConducts ongoing and/or separate evaluationsEvaluates and communicates deficiencies
11Update principles of effective internal control (continued) Control EnvironmentThe organization demonstrates a commitment to integrity and ethical values.The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
12How Various Controls Effect Principles, e.g., Control EnvironmentComponentPrincipleControls embedded in other components may effect this principle1. A CPA firm demonstrates a commitment to integrity and ethical valuesInformation Technology staff tests for data breaches of personally identifiable information continuouslyControl EnvironmentManagement obtains and reviews data and information underlying potential deviations captured in reports generated immediately upon occurrenceInformation & CommunicationRisk manager separately evaluates Control Environment, considering employee behaviors and whistleblower hotline results and reports thereonMonitoring Activities
13Update principles of effective internal control (continued) Risk Assessment6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.9. The organization identifies and assesses changes that could significantly impact the system of internal control.
14How Various Controls Effect Principles, e.g., ComponentPrincipleControls embedded in other components may effect this principleRisk AssessmentThe Controller identifies risks to the achievement of the objectives across the office and analyzes risks as a basis for determining how the risks should be managed.As part of the meetings with senior staff on goals and objectives, risks are noted and potential controls against those risks are brainstormed and initiated if approved by the audit committee. Risk AssessmentThe result of the brainstorming is communicated to staff as part of semi-annual reviewsInformation & CommunicationA dashboard of risks is established and is updated with each batch cycle.Employee reviews are completed timely.Monitoring Activities
15Update principles of effective internal control (continued) Control Activities10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.11. The organization selects and develops general control activities over technology to support the achievement of objectives.The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
16How Various Controls Effect Principles, e.g., ComponentPrincipleControls embedded in other component s may effect this principleControl ActivitiesThe Controller selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.Every two years, the Controller rotates duties among the divisional managers not only to provide them with a broader experience but also to lower the risk of financial reporting fraud. Staff enjoys the rotation as they are not working the same job repeatedly. Control ActivityA report is developed predicting payables over the next 30 days and disseminated to fiscal officers. The payables are compared to encumbrances.Information & CommunicationThe Comptroller reviews payables that are unusual, or above $5,000 or infrequent.Monitoring Activities
17Information & Communication Update articulates principles of effective internal control (continued)Information & Communication13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.The organization communicates with external parties regarding matters affecting the functioning of internal control.
18Update principles of effective internal control (continued) Monitoring Activities16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
19How Various Controls Effect Principles, e.g., ComponentPrincipleControls embedded in other components may effect this principleMonitoring ActivitiesThe Controller selects, develops, and performs ongoing and / or separate evaluations to ascertain whether the components of internal control are present and functioning.The quality assurance division reports are also transmitted to the division where the problem occurred. Corrective action is taken. If no corrective action is accomplished, the employee’s personnel file contains the issue and if repeated, could be grounds for termination.Control ActivityStatistical reports on uses of personally identifiable activity are reported to employees on a monthly basis. All employees are trained semi-annually on when / how / who can access PIIInformation & CommunicationReports on detections of improper use of personally identifiable information by employees are escalated to a senior review board that investigates all activities and reacts to breaks in accordance with state law.Monitoring Activities
20COSO & Green Book Required to address when implementing: 5 elements of control17 principlesPoints of focus (not required)COSO – 87Green Book – 47 (attributes)
21Example Attribute Component – Risk Assessment Principle- “Management should identify, analyze, & respond to risk relate to objectives”Attributes to Principle:Identification of RisksAnalysis of RisksResponse to Risks7.02 Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses. Principle 7 - Identify, Analyze, and Respond to Risks Identification of Risks Risk Assessment Page 38 GAO G Federal Internal Control Standards 7.03 To identify risks, management considers the types of risks that impact the entity. This includes both inherent and residual risk. Inherent risk is the risk to an entity in the absence of management’s response to the risk. Residual risk is the risk that remains after management’s response to inherent risk. Management’s lack of response to either risk could cause deficiencies in the internal control system Management considers all significant interactions within the entity and with external parties, changes within the entity’s internal and external environment,23 and other internal and external factors to identify risks throughout the entity. Internal risk factors may include the complex nature of an entity’s programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters. Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives.24 Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual 23See paras through 9.03 for further discussion of changes in the internal control system. 24See paras through for further discussion of level of controls. Analysis of Risks Risk Assessment Page 39 GAO G Federal Internal Control Standards transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined Risks may be analyzed on an individual basis or grouped into categories with related risks and analyzed collectively. Regardless of whether risks are analyzed individually or collectively, management considers the correlation among different risks or groups of risks when estimating their significance. The specific risk analysis methodology used can vary by entity because of differences in entities’ missions and the difficulty in qualitatively and quantitatively defining risk tolerances.7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk. • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk. • Reduction - Action is taken to reduce the likelihood or magnitude of the risk. • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses Based on the selected risk response, management designs the specific actions to respond to the analyzed risks. The nature and extent of risk response actions depend on the defined risk tolerance. Operating within the defined risk tolerance provides greater assurance that the entity will achieve its objectives. Performance measures are used to assess whether risk response actions enable the entity to operate within the defined risk tolerances. When risk response actions do not enable the entity to operate within the defined risk tolerances, management may need to revise risk responses or reconsider defined risk tolerances. Management may need to conduct periodic risk assessments to evaluate the effectiveness of the risk response actions.
22Documentation Requirements If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
23Documentation Requirements Control EnvironmentManagement develops and maintains documentation of its internal control system.Control ActivitiesManagement documents in policies the internal control responsibilities of the organization.
24Documentation Requirements MonitoringManagement evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.
25Control Considerations - CE Establishment of formal Code of ConductCommunicates appropriate ethical and moral behavior, penalties, and how to communicate when becoming aware of any potential issue.Conflicts of interest – including dealing with suppliersProper hiring & Training program (commitment to excellence)Including P&P for hiring, training, promoting, discipline, termination
26Control Considerations - CE Key areas of authority & responsibility are defined & communicatedEstablishment of Internal audit functionEstablishment of fraud/ethics hotlineProperly designed and report to proper levels of the government.
27Control Considerations - RA Brainstorm – included appropriate levels of the organization (always include IT)This means “not” just finance/businessIdentify risk associated with compliance, operation, & reportingShould not be a once and done approachShould consider both entity-wide and activity-level objectives; and internal/external risk
28Control Considerations - RA Maintain list of items from (brainstorming)Assess likelihood and significance (benchmark to your entities risk appetite)Identify corresponding control to address those (significant/likely or combination )Update list with additional areas identified while performing monitoring activities
29Control Considerations - RA Principle 8 - The organization considers the potential for fraud in assessing risks tAdded emphasis on fraudResources: “Managing the Business Risk of Fraud: A Practical Guide” the achievement of objectives
30IT’S FREE. http://www. acfe IT’S FREE!!!! Currently in the process of revision.
32Control Considerations - CA Don’t forget ITGeneral ControlsPassword(s)Segregation of DutiesApprovalsChange Management Controls
33Control Considerations - MA Ongoing monitoring – regular management and supervisory activities, comparisons, reconciliations, and other routine actionsSeparate evaluations – can be conducted by management or others such as internal auditors or management consultants
34Control Considerations – I/C Established communication exist to provide appropriate information to individuals related to their responsibility and role in internal controls process.Communication channels exist for employees and management to report issue up the chain to ensure appropriate action is taken.Appropriate information is generated to support internal controls.
35Large vs Small EntityOV4.04 The 17 principles apply to both large and small entities. However, smaller entities may have different implementation approaches than larger entities. Smaller entities typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with personnel. Smaller entities may find informal staff meetings effective for communicating quality information, whereas larger entities may need more formal mechanisms—such as written reports, intranet portals, or periodic formal meetings—to communicate with the organization.