OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting Tools Presented By: Anda Coiner, Accounting – Program Support Branch (304) ;

Policy Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

Policy (Continued) Management shall consistently apply internal control standards to meet each of the internal control objectives and to assess internal control effectiveness.

Applicability 24 CFO Act Agencies

Sources of Information The assessment of Internal Control can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls and should use other sources as a supplement to its own judgment

Sources of Information - Examples Audits of Financial Statements Reviews of Financial Systems Annual Evaluations and reports pursuant to FISMA and OMB Circular No. A-130 Knowledge Gained from Daily Operations and Systems Management Reviews IG and GAO Reports (Audits, Inspections, Reviews, Investigations) Program Evaluations

Assessment, Documentation and Reporting Tools Appendix A of OMB Circular No. A-123 GAO G – Internal Control Management and Evaluation Tool Treasury’s Catalog of Transactions Treasury’s Test Plan Template

Assessment, Documentation and Reporting Tools (Continued) Provides a methodology for agency management to assess, document, and report on the internal controls over financial reporting

Assessment, Documentation and Reporting Tools (Continued) 1.Establish a Senior Assessment Team –Provides oversight of the assessment process –Ensures objectives are clearly communicated –Ensures that the assessment is carried out in a through, effective, and timely manner –Identifies staff to perform assessment –Determines scope of the assessment (financial reports) –Determines assessment design and methodology

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control at the Entity Level (5 Components of Internal Control) –Control Environment Obtain sufficient knowledge to understand management’s attitude awareness, and actions concerning the control environment

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control at the Entity Level (Continue) –Control Environment (Continued) Integrity and Ethical Standards. Commitment to Competence, management philosophy and operating style, Organizational structure, Assignment of authority and responsibility, Human Resource Policies and Practices

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control at the Entity Level (Continued) –Risk Assessment Complexity or Magnitude of Programs, Operations, Transactions, etc., Accounting Estimates, Related Party Transactions, Extent of Manual Processes, Changes in Operating Environment

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control at the Entity Level (Continued) –Control Activities Policies and Procedures, Management Objectives, Planning and Reporting Systems, Analytical Review and Analysis, Segregation of Duties, Safeguarding of Records, and Physical and Access Controls

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control and the Entity Level (Continued) –Information and Communication Type and Sufficiency of Reports Produced, Manner in which Information Systems Development is Managed, Disaster Recovery, Communication of Employees’ Control related Duties and Responsibilities, how incoming communication is handled

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control and the Entity Level (Continued) –Monitoring Self Assessments by Management, Evaluations by the IG or External Auditor, Direct Testing

Assessment, Documentation and Reporting Tools (Continued) 2.Evaluate Internal Control and the Entity Level (Continued) –GAO G – Internal Control Management and Evaluation Tool is useful in evaluating and documenting the 5 components of internal control Each section contains a list of major factors as well as points and sub-points to consider when completing the assessment process. – Search for Report Number – GAO G

Assessment, Documentation and Reporting Tools (Continued) 3.Determine Significant Accounts or Groups of Accounts –Identify those that individually or collectively could have a material effect on the financial report. (Consider both Qualitatively and Quantitatively) Treasury has identified 7 ‘Core’ Financial Processes –Budget and Finance, Accounting, Purchasing, Accounts Payable & Payments, Sales, A/R, & Collections, Manage Assets & Liabilities, Reporting & Information, and Information Technology

Assessment, Documentation and Reporting Tools (Continued) 4.Identify and Evaluate Major Classes of Transactions –Identify the major classes of transactions that materially affect those accounts Treasury has identifued 119 individual transactions for testing.

Assessment, Documentation and Reporting Tools (Continued) 4.Identify and Evaluate Major Classes of Transactions (Continued) –Transaction Examples Cash Reconciliation (AC-6) Budgetary to Proprietary Relationships (AC-7) Reconciliation of Intra/Inter Governmental Transactions (AC-9) System & Maintenance of System Application Security (IT-2) Verify Systems Software Change Control Procedure (IT-3)

Assessment, Documentation and Reporting Tools (Continued) 5.Gain Understating of Control Design to Achieve Management Assertions –Inquires of Agency Personnel –Inspection of Documents, Reports, or Electronic Files –Observation of the application of the control (‘Walk-Through’) Controls are ‘Effective’, ‘Moderately Effective’ or ‘Not Effective”

Assessment, Documentation and Reporting Tools (Continued) 6.Test Controls and Assess Compliance to Support Management Assertions –Determine the extent to which the controls were applied, the consistency of their application, and who applied them. Test plans should be developed at the Transaction Level. Examples of how testing can be performed – Inquiry, Inspection, Observation, and Re-performance

Assessment, Documentation and Reporting Tools (Continued) 6.Test Controls and Assess Compliance to Support Management Assertions (Continued) –Test Plans must be documented and should include the following components: (Treasury has developed a template) Test Objective and Expected Results Type of Assertion provided by the Control Type of Test Sample Size Testing Procedures Test Results

Assessment, Documentation and Reporting Tools (Continued) 7.Overall Assessment –Statement of Assurance Overall Conclusion as to the Design and Operation of the Internal Controls over Financial Reporting Include whether the controls are operating effectively or whether material weaknesses exist in the design or operation –OMB Circular A-123 includes an example of the Statement of Assurance

Questions ? Anda Coiner, Accounting – Program Support Branch (304) ;

SAS-70 – Agency Internal Control Considerations Overview Examples

Overview Designed with the expectation that certain internal controls would be implemented by customer agencies. The application of such controls by the customer agencies is necessary to achieve all control objectives in ARC’s SAS 70 Report

Examples Specific Agency Control considerations are provided for Control Objectives (CO) 1-3, 5-6, 8-12 and 18

CO 1 – Obligations CO 2 – Disbursements CO 3- Unfilled Customer Orders, Receivables and Cash Receipts CO 4 – Deposits CO 5 – Payroll Accruals CO 6 – Payroll Disbursements CO 8 – Accruals CO 9 – Government-Wide Reporting CO 10 – Administrative Spending CO 11 – Budget CO 12 – Manual Journal Entries CO 18 – System Access Examples (Continued )

Obligations –Properly approve and accurately enter obligations into the procurement and travel systems in the proper period –Send valid requests to record manual obligations to ARC in a timely manner –Review open obligation reports for completeness accuracy and validity –Restrict customer agency access to authorized individuals

Disbursements –Approve invoices for payment and send approved invoices to ARC in a timely manner –Approve travel vouchers and accurately enter the vouchers into GovTrip in the proper period –Review financial reports provided by ARC to ensure disbursement transactions are complete and accurate

Unfilled Customer Orders, Receivables and Cash Receipts –Monitor and pursue collection of delinquent balances –Review unfilled customer orders, re3ceivable and advance reports for completeness, accuracy and validity

Payroll Accruals and Payroll Disbursements –Review financial reports to ensure that payroll accruals and disbursements are complete and accurate –Verify that payroll processed by third-party providers is complete and accurate

Accruals –Review open accrual reports for completeness, accuracy, and validity –Approve and send revenue and expense accruals to ARC in a timely manner

Government Wide Reporting –Review Financial Reports prepared for external use are complete, accurate, and submitted in a timely manner –Provide certification of FACTS II

Administrative Spending –Properly approve and accurately enter obligations into the procurement and travel systems in the proper period –Send valid requests to record manual obligations –Review open obligations reports for completeness, accuracy and validity

Budget –Review financial reports to ensure that budget entries are complete and accurate –Send approved budget –Communicate customer agency required levels of budget and spending controls –Communicate OMB apportionment status –Monitor usage of BA under CR

System Access –Review and approve users for appropriateness

QUESTIONS ? Anda Coiner, Accounting – Program Support Branch (304) ;