A DEPARTMENTAL PERSPECTIVE Drive Value through Compliance with the Green Book – Stop Checking the Box

United States Department of Agriculture Organization Chart

The Journey Drive Value through Compliance with the Green Book – Stop Checking the Box

What We Found Internal control activities are very compartmentalized and siloed Component agencies and staff offices are at varying levels of maturity with their risk management and internal control programs Internal control is still viewed by some as a financial activity/responsibility Component agencies and staff offices want some structure and more training to implement their risk management and internal control programs

Drive Value through Compliance with the Green Book – Stop Checking the Box

What We’ve Accomplished Inter-agency workshops identified potential areas for integration Identified specific training needs Broad-based communication efforts (focusing on outside of the financial community) In Progress - Revising our Departmental Regulation and manual with stakeholder involvement

Drive Value through Compliance with the Green Book – Stop Checking the Box Future State New Risk Management Framework will: –Provide senior management with actionable information that supports executive-level risk management decision-making –Establish a Tone-at-the-Top that reflects maintaining an effective Internal Control System is a shared responsibility across many organizational levels (e.g., executives, managers, agency staff) –Facilitate and support an integrated approach to maintaining internal controls over operations, reporting & compliance

AN AGENCY PERSPECTIVE Drive Value through Compliance with the Green Book – Stop Checking the Box

FEMA Risk Management and Compliance (RM&C) Division A-123  Activities: Conduct tests of design (TOD) and tests operational effectiveness (TOE) of internal control, remediation and verification and validation (V&V), and continuous monitoring. Conference Spending  Activities: Coordinates with requesting personnel to process travel and conference requests with the goal of reducing costs, gather supporting documentation for expenses, and periodically report metrics to DHS. USA Spending  Activities: Report Assistance Prime Awardee data to USASpending.gov twice per month. A-133  Activities: Coordinate between auditor and auditee, provide audit advise, communicate issues and results with the necessary Federal agencies and regulation authorities, and obtain or conduct audit quality control reviews. IPERIA  Activities: Assess and report on improper payment findings in accordance with OMB Circular A- 123 Appendix C, the Improper Payments Elimination and Recovery Act of 2010 (IPERA), Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERA), and DHS guidance. Financial Statement Audit Support  Activities: Performs risk assessments of audit activities to target processes for pre- audit review. RM&C also fosters ongoing dialogue with auditors to coordinate and discuss draft NFRs prior to issuance. A-123IPERIA Financial Statement Audit Support USA Spending Conference Spending A-133

Evolving Requirements and Duties Resources Available Enhanced ELC Requirements Fraud Risk Program Continuous Monitoring Technology Staff Resources Evolving Requirements and Duties from The New Green Book Landscape is changing with a focus on continuous monitoring rather than annual assessments. –Department is revising guidance and the DHS playbook for internal control programs. DHS is seeking a clean audit opinion on internal controls for FY Additional requirements and duties are being added to existing processes. –Continuous Monitoring. –Fraud Risk. –Enhanced ELC Requirements. Facing Pressure with resource constraints. –Need to streamline process. –Discover efficient ways of doing business to be more effective.

Audit Remediation Document Inputs Work inputs being performed by different teams and processes Automated Consolidation Dashboard Analytic Outputs Assessments NFR and Audit Process Risk Areas Real-time visual display of data for decision making and risk management RM&C Process Improvement Efforts SharePoint Tool Benefits: Efficiencies Collaboration Standardization Business intelligence Version control Automated DHS submissions Analytics

Data Analytics Bringing processes together in one centralized space. Providing real-time information to senior leaders in order to make actionable data driven decisions instead of ad-hoc reports and briefings that take weeks to produce. Facilitates reporting objective in the COSO framework.

How These Processes and Tools Relate to The New Green Book Principles Control Environment Risk Assessment Control Activities Information and Communication Monitoring Improves oversight and accountability with performance metrics. Establishes a structure to allow program offices to conduct internal control assessments and share the responsibility of maintaining an effective internal control program throughout the agency. Improves oversight and accountability with performance metrics. Establishes a structure to allow program offices to conduct internal control assessments and share the responsibility of maintaining an effective internal control program throughout the agency. Document both qualitative and quantitative risk analysis for current year and multi year planning purposes. Provides more time for analysis and responding to change. Document both qualitative and quantitative risk analysis for current year and multi year planning purposes. Provides more time for analysis and responding to change. Improves control activities with collaborative remediation plans. Improves data integrity with the standardization of business processes. Communicates internal control status, results, and documentation both internally and externally. Improves data integrity with the standardization of business processes. Communicates internal control status, results, and documentation both internally and externally. Performs ongoing monitoring of the control environment using real- time dashboards and briefing decks. Provides a platform to remediate deficiencies and monitor progress. Performs ongoing monitoring of the control environment using real- time dashboards and briefing decks. Provides a platform to remediate deficiencies and monitor progress.

Next Steps Promoting the tools and templates developed for risk management processes to other agency stakeholders as a way of increasing organizational efficiencies and strengthening internal controls. Collaborating with other DHS Components on sharing the tools an templates developed as well as best business practices to strengthen DHS for the FY 2016 audit. Training FEMA program offices on maintaining an effective internal control environment and performing their own assessments. –Increasing accountability by sharing performance metrics across the agency.