Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing a Strong and Effective Internal Control Program for the State of North Carolina October 15, 2008 David McCoy State Controller October 15,

Similar presentations


Presentation on theme: "Implementing a Strong and Effective Internal Control Program for the State of North Carolina October 15, 2008 David McCoy State Controller October 15,"— Presentation transcript:

1 Implementing a Strong and Effective Internal Control Program for the State of North Carolina October 15, 2008 David McCoy State Controller October 15, 2008 David McCoy State Controller

2 2 2 Agenda What is EAGLE?What is EAGLE? Why is EAGLE Important to North Carolina?Why is EAGLE Important to North Carolina? EAGLE Implementation EffortsEAGLE Implementation Efforts EAGLE Methodology: Top-Down, Risk-BasedEAGLE Methodology: Top-Down, Risk-Based Lessons LearnedLessons Learned

3 3 3 What is EAGLE? During 2004 the State Controller outlined his strategic vision for implementing a statewide internal control and accountability program for North Carolina – a program similar to the one imposed on the private sector through the Sarbanes-Oxley legislation in 2002.During 2004 the State Controller outlined his strategic vision for implementing a statewide internal control and accountability program for North Carolina – a program similar to the one imposed on the private sector through the Sarbanes-Oxley legislation in The State Controller formed at Statewide Internal Control Task force – consisting of representatives from all three branches of government, the University System, and the Community College System.The State Controller formed at Statewide Internal Control Task force – consisting of representatives from all three branches of government, the University System, and the Community College System. The Statewide Internal Control Task Force presented recommendations, in the form of proposed legislative action, to the State Controller.The Statewide Internal Control Task Force presented recommendations, in the form of proposed legislative action, to the State Controller.

4 4 4 What is EAGLE? Recommended legislative action received the support of the State Auditor.Recommended legislative action received the support of the State Auditor. The Task Forces recommendations lead to the passage of House Bill 1551 during 2007 session of the General Assembly.The Task Forces recommendations lead to the passage of House Bill 1551 during 2007 session of the General Assembly. –Established internal control standards for State government –Increased fiscal accountability within State government EAGLE, which stands for Enhancing Accountability in Government through Leadership and Education, resulted from the actions taken by the North Carolina General Assembly.EAGLE, which stands for Enhancing Accountability in Government through Leadership and Education, resulted from the actions taken by the North Carolina General Assembly.

5 5 5 What is EAGLE? EAGLE leverages two widely accepted frameworks:EAGLE leverages two widely accepted frameworks: –COSO model for internal control –COBIT framework for information technology controls

6 6 6 Why is EAGLE Important to North Carolina? Enhances Public Accountability to the States Key Stakeholders – Our Taxpayers.Enhances Public Accountability to the States Key Stakeholders – Our Taxpayers. Enhances Accountability to other Stakeholders – including the Federal Government and bond rating agencies.Enhances Accountability to other Stakeholders – including the Federal Government and bond rating agencies. Creates a competitive advantage for federal and foundation dollars.Creates a competitive advantage for federal and foundation dollars. Fosters a general notion that government should be as good as or better than those it regulates.Fosters a general notion that government should be as good as or better than those it regulates. Cost-savings may be realized through identifying ways to make business processes more efficient and effective.Cost-savings may be realized through identifying ways to make business processes more efficient and effective.

7 7 7 Why is EAGLE Important to North Carolina? All too confusing and overdone… Except when we get in trouble Must do it… But how do we do it better? Keep Us Out of Trouble Make Our Agencies Better goal Inaccurate Financial Reporting Catastrophic Reputational Consequences Larger Fines and Settlements Budget Constraints Expanded Regulation Enhanced and Coordinated Risk Management Activities Ability to Deliver Efficient and Cost Effective Services Improved Risk Reporting and Disclosure Enhanced Technologies State Auditor Findings Standardized Procedures Across State Agencies Reduced Total Operating Expenses

8 8 8 EAGLE Implementation Five-person team dedicated to the EAGLE Program, complemented by staff in the Agency Accounting Section of the Office of the State Controllers Statewide Accounting Division.Five-person team dedicated to the EAGLE Program, complemented by staff in the Agency Accounting Section of the Office of the State Controllers Statewide Accounting Division. As a result of the magnitude and scope of the legislation, a decision was made to implement of EAGLE in a phased approach:As a result of the magnitude and scope of the legislation, a decision was made to implement of EAGLE in a phased approach: –Phase I: Internal Control over Financial ReportingInternal Control over Financial Reporting –Future Phases: Compliance with applicable Laws and RegulationsCompliance with applicable Laws and Regulations Efficiency and Economy of OperationsEfficiency and Economy of Operations

9 9 9 EAGLE Implementation The Office of the State Controller issued a Request for Proposal to assist in the development of the EAGLE Program. Ernst & Young was awarded the contract.The Office of the State Controller issued a Request for Proposal to assist in the development of the EAGLE Program. Ernst & Young was awarded the contract. Ernst & Young partnered with the Office of the State Controller to co-develop an internal control guidance manual and assessment tools, and to provide statewide training on the EAGLE Program.Ernst & Young partnered with the Office of the State Controller to co-develop an internal control guidance manual and assessment tools, and to provide statewide training on the EAGLE Program. All state agencies were required to appoint an Internal Control Officer to serve as the liaison between the agency they represent and the Office of the State Controller.All state agencies were required to appoint an Internal Control Officer to serve as the liaison between the agency they represent and the Office of the State Controller.

10 10 EAGLE Implementation A decision was made to rollout Phase I of the EAGLE Program into three groups:A decision was made to rollout Phase I of the EAGLE Program into three groups: Group 1Group 1 –Training: March 31, 2008 –Targeted Completion Date: July 31, 2008 Group 2Group 2 –Training: October 22, 2008 –Targeted Completion Date: July 31, 2009 Group 3Group 3 –Training: Fall 2009 (Date to be determined) –Targeted Completion Date: July 31, 2010 Group 1 included15 state agencies and universities. Group 2 consists of all remaining state agencies and universities. Group 3 will consist of all community colleges.Group 1 included15 state agencies and universities. Group 2 consists of all remaining state agencies and universities. Group 3 will consist of all community colleges.

11 11 EAGLE Implementation Group 1 agencies were asked to form an agency assessment team – led by the agencys Internal Control Officer.Group 1 agencies were asked to form an agency assessment team – led by the agencys Internal Control Officer. EAGLE Team provides on-site assistance to agencies as they complete their self- assessment deliverables.EAGLE Team provides on-site assistance to agencies as they complete their self- assessment deliverables. EAGLE Team monitors the results of an agencys implementation efforts through a web- based documentation tool – utilizing Microsofts SharePoint software.EAGLE Team monitors the results of an agencys implementation efforts through a web- based documentation tool – utilizing Microsofts SharePoint software.

12 12 EAGLE Implementation Agencies are responsible for uploading their milestone deliverables to the EAGLE SharePoint website. The EAGLE Team reviews this documentation and provides agencies with feedback.Agencies are responsible for uploading their milestone deliverables to the EAGLE SharePoint website. The EAGLE Team reviews this documentation and provides agencies with feedback. For FY 2008, Group 2 and Group 3 agencies continued to complete the traditional Annual Self-Assessment of Internal Controls Questionnaire.For FY 2008, Group 2 and Group 3 agencies continued to complete the traditional Annual Self-Assessment of Internal Controls Questionnaire.

13 13 EAGLE Methodology: Top-Downed, Risk-Based Overview © 2007 Ernst & Young.

14 14 EAGLE Methodology: Top-Downed, Risk-Based Risk Assessment In a top-down approach, the organization begins by identifying, understanding, and evaluating the risk at a financial statement level.In a top-down approach, the organization begins by identifying, understanding, and evaluating the risk at a financial statement level. At the financial statement and process level, the organization identifies those accounts and processes that possess the quantitative (i.e. materiality) and qualitative factors for higher or lower risk to determine the final scope.At the financial statement and process level, the organization identifies those accounts and processes that possess the quantitative (i.e. materiality) and qualitative factors for higher or lower risk to determine the final scope. Advantages of a Top-Down, Risk-Based Approach: By using a Top-Down, Risk-Based approach, the agencies within the State of North Carolina focus the majority of their internal control efforts on those highest risk areas and avoids performing excess work on the lowest risk areas. By using a Top-Down, Risk-Based approach, the agencies within the State of North Carolina focus the majority of their internal control efforts on those highest risk areas and avoids performing excess work on the lowest risk areas. © 2007 Ernst & Young.

15 15 EAGLE Methodology: Top-Downed, Risk-Based Design Effectiveness - Controls Identification After the agencies have completed the risk assessment and identified those accounts and processes in scope, the flow of transactions is documented to gain an understanding of the highest risks within those processes.After the agencies have completed the risk assessment and identified those accounts and processes in scope, the flow of transactions is documented to gain an understanding of the highest risks within those processes. For those risks that exist in the transaction processing, the organization identifies those internal controls that either prevent or detect an error from occurring.For those risks that exist in the transaction processing, the organization identifies those internal controls that either prevent or detect an error from occurring. EAGLEs Phase I Implementation Approach: In Phase I, Group 1 agencies will focus on the internal control design efforts only in those accounts and processes identified as high risk in Year 1. However, in Year 2 Group 1 must include the moderate risk accounts and processes. Groups 2 and 3 will focus on both high and moderate accounts and processes in their Year 1 efforts. In Phase I, Group 1 agencies will focus on the internal control design efforts only in those accounts and processes identified as high risk in Year 1. However, in Year 2 Group 1 must include the moderate risk accounts and processes. Groups 2 and 3 will focus on both high and moderate accounts and processes in their Year 1 efforts. © 2007 Ernst & Young.

16 16 EAGLE Methodology: Top-Downed, Risk-Based Operating Effectiveness – Execution and Evaluation Supports Reliable Financial Reporting Efficient Testing Strategy and Execution risk control failure + evidence requirements Conclude on Design and Operating Effectiveness After the agencies have completed the documentation of the processes and identified the right combination of controls, a testing strategy is designed to focus efforts on those controls that have been designed to prevent or detect errors of the highest risk processes.After the agencies have completed the documentation of the processes and identified the right combination of controls, a testing strategy is designed to focus efforts on those controls that have been designed to prevent or detect errors of the highest risk processes. Advantages of a Top-Down, Risk-Based Approach: By using a Top-Down, Risk-Based approach, the agency focuses the testing and self-assessment effort to allow the organization the ability to better time and schedule the testing over the course of the entire reporting period by testing the lower risk controls earlier in the year and the highest risk controls closer to year-end. By using a Top-Down, Risk-Based approach, the agency focuses the testing and self-assessment effort to allow the organization the ability to better time and schedule the testing over the course of the entire reporting period by testing the lower risk controls earlier in the year and the highest risk controls closer to year-end. © 2007 Ernst & Young.

17 17 Lessons Learned You must have strong executive leadership and support of your program.You must have strong executive leadership and support of your program. Recognize and manage program risk. Implement your program in phases – start with a small group of state agencies and focus only on the high risk areas in Year 1.Recognize and manage program risk. Implement your program in phases – start with a small group of state agencies and focus only on the high risk areas in Year 1. Establish a target date for completion of the self-assessment; however, provide a recommended timeline for the completion of each milestone to keep agencies on target.Establish a target date for completion of the self-assessment; however, provide a recommended timeline for the completion of each milestone to keep agencies on target. Provide agencies with a concise list of the required procedures to be performed for each milestone.Provide agencies with a concise list of the required procedures to be performed for each milestone. Training is essential. At the beginning of each milestone, provide customized, one-on-one training with each agency assessment team.Training is essential. At the beginning of each milestone, provide customized, one-on-one training with each agency assessment team. Review the deliverables for each milestone to ensure that agencies remain on track – provide constructive feedback.Review the deliverables for each milestone to ensure that agencies remain on track – provide constructive feedback. Understand the importance of your IT environment and the challenges it brings as you implement your program.Understand the importance of your IT environment and the challenges it brings as you implement your program.

18 18 Contact information: Ben McLawhorn, CISA, CISM, CFE Risk Mitigation Services Manager North Carolina Office of the State Controller 1410 Mail Service Center Raleigh, NC Phone: (919) Fax: (919) For additional information on EAGLE, please visit our website: Contact information: Ben McLawhorn, CISA, CISM, CFE Risk Mitigation Services Manager North Carolina Office of the State Controller 1410 Mail Service Center Raleigh, NC Phone: (919) Fax: (919) For additional information on EAGLE, please visit our website:


Download ppt "Implementing a Strong and Effective Internal Control Program for the State of North Carolina October 15, 2008 David McCoy State Controller October 15,"

Similar presentations


Ads by Google