Introduction to Internal Control OMB Circular A-123, Appendix A


1 Introduction to Internal Control OMB Circular A-123, Appendix A
December 2006

2 Agenda
Introduction
  • Objectives and Goals
  • What is Internal Control?
Background on Internal Control Requirements
  • Internal Control Legislation and Rules
  • Overview of OMB Circular A-123 and Appendix A
Internal Control Over Financial Reporting
  • Definition of Internal Control Over Financial Reporting
  • COSO Framework
Identifying Controls
  • Control versus Activity
  • Manual versus Automated Controls
  • Detective versus Preventative Controls
Controls Specific for Information Systems
  • General Computer Controls
  • Application Controls
Entity Level Controls
Overview of USDA's OMB Circular A-123, Appendix A Assessment Process
  • Planning and Scoping
  • Documentation and Testing
  • Remediation and Validation
  • Reporting and Sustaining
Additional Sources of Information

4 Objectives and Goals
Objective: This course has been designed to provide an overview of internal controls as a precursor to beginning the assessment of internal controls that is required under OMB Circular A-123, Appendix A. In this course, we will define internal control, discuss the benefits of internal controls, and discuss the different types of controls. We will also discuss the phases of assessment that each agency will complete in order to comply with Circular A-123, Appendix A.
By the end of the course you will be able to:
  • Understand the background of the government's internal control policies and regulations
  • Distinguish a control from an activity
  • Understand the different types of controls
  • Understand the assessment process required by Circular A-123, Appendix A

5 What is Risk?
Before talking about internal controls, it is important to discuss the concept of risk. RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one's objectives.
To assess risk, the following process is used:
  1. Source the Risks
  2. Identify the Risks
  3. Prioritize the Risks
Three kinds of risk are distinguished in the assessment:
  • Inherent risk is the susceptibility of a financial reporting assertion to a material or significant misstatement, assuming that there are no related internal controls.
  • Control risk is the risk that a material or significant misstatement that could occur in an assertion will not be prevented, or detected and corrected on a timely basis, by the entity's internal control.
  • Detection risk is the risk that management, as part of its A-123, Appendix A assessment, will not timely detect and remediate a material or significant control weakness or other deficiency that should affect (e.g., in the form of a qualification or disclaimer) its annual assurance statement on financial reporting internal controls.
Instructor Notes: Webster defines risk. Can we identify some ordinary daily risks? Ask the tandem jumping example.

6 What is Internal Control?
Internal Control = Risk Mitigation
Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
  • Alarm Clock: designed to prevent oversleeping. What are the risks?
  • Speed Limits: designed to prevent aggressive driving. What are the risks?
  • Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?
  • McDonalds Example
  • NASA Examples
Instructor Notes:
Risk examples: Alarm clock - receiving a poor job performance evaluation, missing an important appointment. Speed limits - damage, fines, injury, death. Passwords - the risk that information is stolen or misused, harming the organization.
Let's think about these examples further:
  • Implementing an internal control does not automatically prevent or detect the adverse outcome (e.g., you may still oversleep with the alarm clock; the car might be broken into even though the doors are locked).
  • Not implementing internal controls does not mean that the adverse outcomes will happen (e.g., you may wake up on time without an alarm clock; the car may not be broken into even though the doors aren't locked).
Bottom line: Internal controls mitigate the risk of adverse outcomes, and we must weigh the costs and rewards of implementing each control (e.g., locking your car door is easy and free, so most people do it; a car alarm might be worth it if you have an expensive car or sound system, but might not be worth it if your car is on its last legs).

7 What is Internal Control in an Organization?
Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
  • Effectiveness & Efficiency of Operations: Relates to an entity's basic business objectives, including performance goals and safeguarding of the entity's resources.
  • Reliability of Financial Reporting: Relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (e.g., budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
  • Compliance with Laws & Regulations: Relates to complying with those laws and regulations to which the entity is subject.
Instructor Notes: A majority of the audience may be from Advisory; as a result it is important to provide a high-level review of internal controls to set the stage for the rest of the course. If Assurance participants are in the audience, this is an excellent opportunity to encourage them to share their experiences around internal controls.

8 What are the Benefits of Good Internal Control?
  • Identification and elimination of waste, fraud and abuse
  • Reduction of improper or erroneous payments
  • Enhanced understanding of risk exposure
  • Sustained performance, efficiency and effectiveness
  • Reduced level of effort for financial management system implementation or audit
  • Improved policies and procedures
  • Streamlined processes
  • Clear definition of process ownership
  • Greater accountability
  • Enhanced audit readiness and internal control attestation readiness
  • Compliance with laws & regulations
Instructor Notes: Other benefits: a better understanding of controls will lead to a more effective remediation strategy; elimination of manual "work-arounds".

10 Office of Management and Budget (OMB) and Congressional Oversight
The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is a component of the Executive Office of the President.
Internal control is an integral part of the tools currently being used by OMB and Congress to monitor federal agencies:
  • Performance and Accountability Report (PAR) – contains the Administrator's assurance statement on internal and financial management controls
  • Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results
  • President's Management Agenda (PMA) – an aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a "scorecard".
Instructor Notes:
OMB's Mission: OMB's predominant mission is to assist the President in overseeing the preparation of the federal budget and to supervise its administration in Executive Branch agencies. In helping to formulate the President's spending plans, OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. In addition, OMB oversees and coordinates the Administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.
Some examples of the ways agencies are being reviewed are the PAR (E&Y) and the PART.
The PART was developed to assess and improve program performance so that the Federal government can achieve better results. A PART review helps identify a program's strengths and weaknesses to inform funding and management decisions aimed at making the program more effective. The PART therefore looks at all factors that affect and reflect program performance, including program purpose and design; performance measurement, evaluations, and strategic planning; program management; and program results. Because the PART includes a consistent series of analytical questions, it allows programs to show improvements over time, and allows comparisons between similar programs. A high score does not necessarily mean increased funding, but it is published as part of the President's Budget. ExpectMore.gov is a new website that reports on Federal program performance and what is being done to improve results. It launched on February 6th. There are nearly 800 PART program assessments available on ExpectMore.gov.
PMA: The President's Management Agenda, announced in the summer of 2001, is an aggressive strategy for improving the management of the Federal government. It focuses on five areas of management weakness across the government where improvements and the most progress can be made, plus agency objectives. Scorecards cover financial management, human capital, IT and procurement (internal controls added for FY 07). The CFO signs; this year someone in NASA will certify.

11 Internal Control Policy
Legislative / Regulatory Authorities and the internal control requirements they impose:
  • Federal Managers' Financial Integrity Act (FMFIA) of 1982 – Requires that agency heads develop and maintain an integrated system of internal controls, and requires GAO to issue internal control standards
  • Federal Financial Management Improvement Act of 1996 (FFMIA) – Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements
  • Federal Information Security Management Act of 2002 (FISMA) – Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB
  • Improper Payments Information Act of 2002 (IPIA) – Provides for estimates and reports of improper payments by Federal agencies
  • CFO Act of 1990 – Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system
  • Government Performance and Results Act of 1993 (GPRA) – Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals
  • Inspector General Act of 1978 – Requires IGs to report on internal controls when conducting a performance audit
  • OMB Circular A-123 – Requires monitoring and improvement of internal controls associated with programs
  • OMB Circular A-127 – Outlines requirements for FM system controls
  • OMB Circular A-130 – Establishes the policy for the management of Federal information resources
Instructor Notes: FMR Vol. 9, Financial Management Requirements - Internal Controls: Overall Evaluation Process: "The activities that are included in the internal controls evaluation process include establishing AU (discrete organizational or functional components: the Centers and HQ); conducting risk assessments (done by AU points of contact); self assessments (incorporated COSO Framework); QAV (by OQA), internal controls reviews; and implementing corrective action plans".

12 OMB Circular A-123
  • Issued under the authority of FMFIA; entitled "Management Accountability and Control"
  • Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
  • Requires annual reporting on the effectiveness of management controls
  • Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA
Instructor Notes: OMB Circular A-123 provides guidelines for improving the accountability and effectiveness of federal government programs and operations by establishing, assessing, correcting, and reporting on management controls. Institute and Management Office is in charge of OMB A-123. OMB updated this circular in December 2004 to focus on financial reporting and to emphasize the need for Agencies to integrate and coordinate internal control assessments with other internal-control-related activities.

13 Revised OMB Circular A-123
  • Circular A-123 was revised in December 2004
  • Renamed "Management's Responsibility for Internal Control"
  • Changes developed by the Chief Financial Officers Council (CFOC) and the President's Council on Integrity and Efficiency (PCIE)
  • Adopts certain concepts from the Sarbanes-Oxley Act of 2002
  • Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, "Internal Control over Financial Reporting"
  • Took effect in FY 2006; the initial report was due in the November 2006 Performance and Accountability Report (PAR)

14 Overview of Revised Circular OMB A-123
The Revised Circular A-123 includes the following Appendices:
  • Appendix A – Internal Control over Financial Reporting
  • Appendix B – Improving Management of Government Charge Card Programs (revised Appendix B issued April 2006)
      – Increases the frequency of review and the scope of spending and transaction limits
      – Limits authorization and blocks card use for "high-risk merchant category codes"
  • Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)
      – Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments, and obtaining a statistically valid estimate of the annual amount of improper payments
      – Requires implementation of a plan to reduce erroneous payments, and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them

15 Revised OMB Circular A-123, Appendix A Requirements
OMB Circular A-123, Appendix A requires Agencies to:
  • ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
  • ESTABLISH a governance structure
  • DOCUMENT the design of controls over material accounts and assess their effectiveness as of June 30. This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
  • TEST the operating effectiveness of internal controls
Instructor Notes: OMB A-123 Revision.
Evaluation of Internal Controls at the Entity level: Internal control at the entity level refers to those elements of the five components of internal control that have an overarching or pervasive effect on the agency.
Evaluation of Internal Controls at the Process level: The new requirement calls for the identification and evaluation, including assessment of the design and operating effectiveness of the controls, at the account, disclosure, and related process level (including transactions and systems). Agencies should consider qualitative as well as quantitative measures to determine material items. This encompasses quarterly and annual financial statements and other significant reports that are deemed material.

16 Revised OMB Circular A-123, Appendix A Requirements (continued)
  • INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
  • SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying the effectiveness of internal control within the Agency. The Assurance Statement must assert to the effectiveness of the internal controls as of June 30, be issued in the PAR by November 15, and be signed by the Secretary of Agriculture
  • CORRECT deficiencies in internal control over financial reporting. Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies

17 Why All the Trouble?
  • It's the law
  • Every employee in USDA has an impact on financial management and, ultimately, financial reporting
  • Over time, the metrics that evolve to monitor internal control areas will provide insight for key business decisions (e.g., programs and budgets)
  • Documentation provides a communication tool for management and improves the ability to train employees and to share with interested stakeholders (e.g., auditors, oversight organizations)

19 Internal Control over Financial Reporting
  • The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting
  • Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting
  • Internal control over a complete process involves controls at every step of the process, including controls over transaction initiation, maintenance of records, recording of transactions, and final reporting
  • Internal control over financial reporting also includes entity-level controls, information technology controls, and operational and compliance controls

20 Management Responsibilities
Management is responsible for establishing and maintaining internal control and documentation. Management must:
  • consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework's five components)
  • develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
  • maintain up-to-date controls documentation on an on-going basis
  • provide a certification statement related to the adequacy of controls (signed by the Secretary of USDA)
Instructor Notes: OMB A-123 states that you should leverage as much as you can. ISO should be included, to relate the scientific to the financial. Internal control is everyone's responsibility, but managers are held accountable. Responses to employees should be walked through the process.

21 COSO Internal Control Framework
  • COSO is the recognized internal control framework for financial reporting
  • Per OMB, "Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, 'Green Book'"
  • GAO's 'Green Book' has adopted many of the internal control concepts provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which provides suitable criteria against which to evaluate and report on the effectiveness of the entity's internal control
  • COSO is the framework used by commercial entities in complying with the Sarbanes-Oxley Act
  • The assessment of the effectiveness of internal control over financial reporting has to be based on suitable criteria (AS 2, AT 501 and Draft AT 501)

22 COSO Internal Control Framework
Five COSO Components of Internal Controls
Instructor Notes:
Control Environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal control. The control environment is often called the "tone at the top" and is critical to the success or failure of all the other pieces of the internal control framework. Specific elements of the control environment that should be considered include:
  • Integrity and ethical standards
  • Commitment to competence
  • Management philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
Risk Assessment: Management should identify internal and external risks that may prevent the organization from meeting its objectives. The results of this assessment at the agency-wide level will drive the extent of testing and review performed at the process, transaction, or application level. Some significant circumstances or events that can affect risk include:
  • Complexity or magnitude of programs, operations, transactions, etc.
  • Accounting estimates
  • Related party transactions
  • Extent of manual processes or applications
  • Decentralized versus centralized accounting and reporting functions
  • Changes in operating environment
  • New personnel or significant personnel changes
  • New or revamped information systems
  • Significant new or changed programs or operations
  • New technology
  • New or amended laws, regulations, or accounting standards
Control Activities include the policies, procedures and mechanisms in place that help ensure that agency objectives are met and that management's assertions in its financial reporting are valid. Control activities, both manual and automated, are the day-to-day controls that form the core of internal controls. Examples are:
  • Policies and procedures
  • Management objectives (clearly written and communicated throughout the agency)
  • Planning and reporting systems
  • Analytical review and analysis
  • Segregation of duties
  • Safeguarding of records
  • Physical and access controls
Information and Communication: Relevant, reliable, and timely information should be communicated to relevant personnel at all levels within an organization. This component ensures that internal controls are flexible enough to respond to changes in the control environment on an ongoing basis. Examples include:
  • The type and sufficiency of reports produced
  • The manner in which information systems development is managed
  • Disaster recovery
  • Communication of employees' control-related duties and responsibilities
  • How incoming external communication is handled
Monitoring: Periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Monitoring is the process that ensures the control structure is operating as planned and fills any remaining gaps that exist in the internal control structure. Examples of duties include:
  • Self assessments by management
  • Evaluations by the IG or external auditor
  • Direct testing

23 COSO Internal Control Framework
  • Control Environment: The foundation for all other components of internal control, providing discipline and structure. It sets the tone of an organization, influencing the control consciousness of its people.
  • Risk Assessment: The process for identifying, analyzing and managing relevant risks.
  • Control Activities: The policies and procedures that help ensure that management directives are carried out.
  • Information and Communication: The systems that support the identification, capture and exchange of information in a form and time frame that enables people to carry out their responsibilities.
  • Monitoring of Controls: The processes to assess the effectiveness of internal control performance over time, to ensure that controls continue to operate effectively as intended and are modified as appropriate for changes in conditions.

25 Control versus Activity
It is important to be able to distinguish between a control and an activity:
Control activities:
  • Control activities consist of policies and procedures that help to ensure that management directives are implemented
  • Controls can be either preventative or detective
  • Controls can be either manual or automated
  • Controls help to ensure that financial reporting is accurate
  • Examples include approvals, authorizations, reconciliations, reviews and segregation of duties
Activity:
  • An activity is something that is done in the normal course of business and is necessary to process a transaction
  • Not all activities are controls
  • An activity only qualifies as a control if it is either preventative or detective of financial statement errors
  • Examples of activities include completing a form, entering data, or running a report

26 Control versus Activity Exercise
Control or Activity?
1. A suspense report is generated and sent to a manager.
   Answer: Activity. Suggested enhancement to become a control, add: "This report is investigated and the necessary corrections are made."
2. User fee calculations are calculated by the system and are set up to mirror the terms of the contract. Any changes must be approved and reviewed by the appropriate level of management.
   Answer: Control.
3. The Accounts Payable manager reviews the Accounts Payable aging monthly to ensure payments are recorded.
   Answer: Control.
4. Unliquidated obligations are aged to identify outstanding items.
   Answer: Activity. Suggested enhancement to become a control, add: "The aging is reviewed monthly and substantiation issues are escalated and resolved in a timely manner."
5. Collections are entered into the system.
   Answer: Activity. Suggested enhancement to become a control, add: "The system tests the mathematical accuracy of the collection amount entered according to type of account and amount of collection."

27 Manual versus Automated Controls
Controls may be either:
  • Manual – implemented through human action. Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
  • Automated – implemented through system action. Example: Users must have a valid user ID and password to access a system

28 Detective versus Preventative Controls
Controls may be either:
  • Detective – provide evidence that an error or exception has occurred. Examples: reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all detective controls
  • Preventative – proactive, in that they attempt to deter or prevent undesirable events from occurring. Examples: separation of duties, proper authorization, passwords, and physical control over custody of assets are all preventative controls

29 Control Exercise
Spell Check is a function that you have used in Microsoft Word. How might this be viewed as a control? What sort of control is it: detective or preventative?
It is a detective control rather than a preventative one, because it detects errors after you have input the words; it cannot prevent you from misspelling the word. It is unlike the preventative control in the Save function, which will not save the file if the file name contains "/" or "?".

30 Control Exercise (continued)
Continuing with the Spell Check example:
What kind of errors is it designed to address? It is designed to detect spelling errors only, not typos. For example, it will not detect the typo of "art" instead of "arc" or "cat" instead of "car." These are actual words which are not misspelled.
Is it a manual or automated control? It is automated, but it must be turned on. It cannot detect errors if it is not activated, so there is a manual element involved.

31 Control Activities Specific for Information Systems
There are two types of Information System Controls:
  • General Computer Controls (GCCs): Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization's information technology infrastructure.
  • Application Controls: Controls that cover the processing of data within an application or computer program.
OMB Circular A-123 states, "general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing."
[Diagram: a layered stack. Application controls apply to the top layer, PCMS (Purchase Card Application); general computer controls apply to the layers beneath it: Oracle Database, Operating system (e.g., AIX), and LAN (e.g., Desktop/NT).]

32 Control Activities Specific for Information Systems: General Computer Controls
General Computer Controls should be designed to ensure that:
  • The overall IT environment is well-controlled
  • The IT organization is fit for its purpose, and there is proper management control over information systems
  • Critical processing can be restored in a timely manner in the event of a prolonged outage (data / systems are backed up)
  • New applications and changes to existing applications are properly authorized, and only approved modifications are moved to the production environment
  • Physical and logical security controls restrict access to data, systems and sensitive facilities

33 Control Activities Specific for Information Systems: General Computer Controls (continued)
Examples of General Computer Controls include:
Monitoring of Adherence to Entity-wide Security Program
Data Processing Policies and Procedures
Continuity of Operations Plan (COOP)
Regularly Scheduled and Documented Change Control Board Meetings
Properly Completed and Maintained Access Request Forms
What must be assessed?
Security Planning and Management
Change Control
Segregation of Duties
Access Controls
Service Continuity
System Software
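Two of the assessment areas on this slide, Segregation of Duties and Access Controls, can be checked mechanically once the system's access listing is exported. The following is an added Python example, not part of the USDA deck; the access report lines, the list of users with an approved access request form, the user ids, the function names and the conflict matrix are all constructed for illustration.

```python
# Added example (not from the slide deck): assessing two general computer control
# areas from slide 33, Segregation of Duties and Access Controls, over a constructed
# access report. User ids, function names and the conflict matrix are assumptions.
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed access report in a "user,system,function" export shape.
ACCESS_REPORT = """\
ajones,PCMS,enter_purchase
ajones,PCMS,approve_purchase
bsmith,PCMS,disburse_payment
cdoe,PCMS,develop_code
cdoe,PCMS,promote_to_production
dlee,PCMS,enter_purchase
elin,PCMS,approve_purchase
"""

# Constructed list of users who have a properly completed access request form
# (the "Access Request Forms" example on slide 33).
APPROVED_USERS: Set[str] = {"ajones", "bsmith", "cdoe", "elin"}

# Constructed conflict matrix: pairs of functions one person should not hold
# together. The develop/promote pair is the change-control concern on slide 32
# (only approved modifications reach production).
CONFLICTING_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"enter_purchase", "approve_purchase"}),
    frozenset({"approve_purchase", "disburse_payment"}),
    frozenset({"develop_code", "promote_to_production"}),
}


def parse_access_report(report: str) -> Dict[str, Set[str]]:
    """Group the report into user -> set of functions held, skipping blank lines."""
    access: Dict[str, Set[str]] = {}
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _system, function = (part.strip() for part in line.split(","))
        access.setdefault(user, set()).add(function)
    return access


def find_sod_conflicts(access: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Segregation of duties: one (user, function_a, function_b) tuple for every
    conflicting pair a single user holds in full."""
    conflicts: List[Tuple[str, str, str]] = []
    for user, functions in access.items():
        for pair in CONFLICTING_PAIRS:
            if pair <= functions:
                first, second = sorted(pair)
                conflicts.append((user, first, second))
    return sorted(conflicts)


def find_unapproved_access(access: Dict[str, Set[str]], approved: Set[str]) -> List[str]:
    """Access controls: users present in the system without an approved access request."""
    return sorted(user for user in access if user not in approved)


def assess(report: str, approved: Set[str]) -> Dict[str, list]:
    """Run both checks and return the findings an assessor would document."""
    access = parse_access_report(report)
    return {
        "sod_conflicts": find_sod_conflicts(access),
        "unapproved_access": find_unapproved_access(access, approved),
    }


if __name__ == "__main__":
    for area, findings in assess(ACCESS_REPORT, APPROVED_USERS).items():
        print(area)
        for finding in findings:
            print("  ", finding)
```

On the constructed report the check reports ajones (enters and approves purchases) and cdoe (develops code and promotes it to production) as segregation-of-duties conflicts, and dlee as a user with system access but no approved request form; each finding is a deficiency to be classified and tracked under the remediation phase described later in the deck.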

34 Control Activities Specific for Information Systems: Application Controls
Application Controls should be designed to ensure that:
Financially significant applications process data and report results as intended
Business processes may be enabled by one or more applications
Ideally, computerized application controls are programmed into the application to ensure Completeness, Accuracy, Validity and Restricted Access
Many common applications (e.g., SAP and PeopleSoft) have configurable controls
Controls over ensuring on-going data quality should also be considered (i.e., problem reporting, management and resolution)

35 Control Activities Specific for Information Systems: Application Controls (continued)
Examples of Application Controls include:
Automated controls built into the application (computerized edit checks and required passwords)
Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)
What must be assessed?
Input Controls (access restrictions, validity checking, source documents)
Processing Controls (integrity controls, error messages, job scheduling)
Output Controls (report generation and distribution, manual review of reports for obvious errors)

36 Exercise: General versus Application Controls
Are the following controls General Computer Controls or Application Controls?
1. Only authorized personnel have access to the data center (e.g., locked doors and access cards): General
2. Validation check over an input field preventing letters from being entered in a number field: Application
3. The system prevents contracts from being awarded unless sufficient budget authority is available: Application
4. A System Development Life Cycle methodology has been developed: General
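The two application controls in this exercise (the number-field validation check and the budget-authority check on contract awards) are preventative controls of the kind slide 35 calls computerized edit checks; the manual reconciliation slide 35 also lists is a detective control, with the same limitation the Spell Check exercise on slides 29 and 30 illustrates: it can only report an error that already exists. The following is an added Python example, not part of the USDA deck, showing both kinds side by side. The BudgetLine record, the function names, the fund code and the dollar figures are constructed for illustration.

```python
# Added example (not from the slide deck): the two application controls from the
# slide 36 exercise as preventative controls, beside a detective reconciliation
# of the kind listed on slide 35. Names and figures are constructed assumptions.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, List, Tuple


class ControlViolation(Exception):
    """Raised when a preventative control stops a transaction before it is recorded."""


def validate_amount_field(raw: str) -> Decimal:
    """Preventative input control (slide 36, item 2): a number field rejects
    letters and anything else that is not a positive decimal amount, so the
    bad value never reaches processing."""
    text = raw.strip()
    if not text or any(ch.isalpha() for ch in text):
        raise ControlViolation(f"amount field rejected non-numeric input {raw!r}")
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise ControlViolation(f"amount field rejected malformed number {raw!r}") from None
    if value <= 0:
        raise ControlViolation(f"amount must be positive, got {value}")
    return value


@dataclass
class BudgetLine:
    """One line of budget authority: what may be obligated and what has been."""
    fund_code: str
    authority: Decimal
    obligated: Decimal = Decimal("0")
    awards: List[Tuple[str, Decimal]] = field(default_factory=list)

    def available(self) -> Decimal:
        return self.authority - self.obligated


def new_budget_line(fund_code: str, authority: str) -> BudgetLine:
    """Convenience constructor: the authority amount passes the same field check."""
    return BudgetLine(fund_code, validate_amount_field(authority))


def award_contract(line: BudgetLine, contract_id: str, amount_raw: str) -> Decimal:
    """Preventative processing control (slide 36, item 3): the award is refused
    unless sufficient budget authority is available. Returns the remaining authority."""
    amount = validate_amount_field(amount_raw)
    if amount > line.available():
        raise ControlViolation(
            f"{contract_id}: {amount} exceeds available authority {line.available()}")
    line.obligated += amount
    line.awards.append((contract_id, amount))
    return line.available()


def record_award_outside_application(line: BudgetLine, contract_id: str, amount: str) -> None:
    """Constructed for the demonstration only: an award written straight into the
    records without going through award_contract (think of a manual journal entry).
    The preventative control never sees it, which is why a detective control is
    still needed."""
    line.awards.append((contract_id, Decimal(amount)))


def reconcile_awards(line: BudgetLine) -> List[str]:
    """Detective output control (slide 35: manual reconciliation, review of reports):
    compares recorded awards with the obligation total and the authority after the
    fact. Like Spell Check on slides 29 and 30, it reports errors that already
    exist; it cannot stop them."""
    findings: List[str] = []
    total = sum((amount for _, amount in line.awards), Decimal("0"))
    if total != line.obligated:
        findings.append(
            f"{line.fund_code}: recorded awards {total} do not agree with obligations {line.obligated}")
    if total > line.authority:
        findings.append(
            f"{line.fund_code}: recorded awards {total} exceed authority {line.authority}")
    return findings


def blocked(action: Callable[[], object]) -> bool:
    """True when the preventative control raised ControlViolation for the action."""
    try:
        action()
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    line = new_budget_line("FUND-01", "1000.00")
    print("remaining after C-1:", award_contract(line, "C-1", "600.00"))            # 400.00
    print("C-2 blocked:", blocked(lambda: award_contract(line, "C-2", "500.00")))   # True
    print("letters blocked:", blocked(lambda: validate_amount_field("12a5")))       # True
    print("clean reconciliation:", reconcile_awards(line))                          # []
    record_award_outside_application(line, "C-X", "900.00")
    for finding in reconcile_awards(line):
        print("finding:", finding)
```

The run shows the division of labour: the two preventative controls stop the bad field value and the over-budget award before anything is recorded, while the reconciliation only catches the award that bypassed the application after the fact, which is exactly why slide 35 lists manual reconciliations and report reviews alongside the automated edit checks.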

37 Entity Level Controls
Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies. Examples include management’s tone at the top, risk assessment, centralized processing, controls monitoring and the USDA period-end financial reporting process.
Responsibility: Entity Level Controls are assessed at both the agency and department level.
Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore, the assessment of entity-level controls is essential to the overall evaluation of controls.

38 Agenda

39 USDA’s Approach to the FY07 A-123, Appendix A Assessment Process
[Timeline figure: months Sept 2006 through Dec 2007]
Phase I – Planning & Scoping: Oct 2006 – Dec 2006 (3 months)
Phase II – Documentation & Testing: Dec 2006 – Jul 2007 (8 months)
Phase III – Remediation & Validation: Sept – Aug 2007 (12 months)
Phase IV – Reporting & Sustaining: Aug – Nov 2007 (4 months)

40 Overview of A-123 Assessment: Planning and Scoping
Phase I – Planning & Scoping (Oct 2006 – Dec 2006)
Planning and Scoping Activities:
Establish A-123 governance structure
Determine and communicate the FY07 A-123 assessment timeline and methodology (Department’s Top-Down Approach)
Determine the scope of the significant financial reports
Determine the cycles, processes, and systems in scope for each of USDA’s Agencies and Staff Offices for the FY07 assessment based on materiality
Develop / update standard templates to be used for documentation and testing of controls over financial reporting

41 Overview of A-123 Assessment: Documentation and Testing
Phase II – Documentation & Testing (Dec 2006 – Jul 2007)
Documentation and Testing Activities:
Documentation
  Identify and document entity level controls
  Identify and document process level manual and application controls
  Identify and document General Computer Controls (GCCs)
  Assess the design effectiveness of controls. Controls not designed effectively are considered to be control gaps
Testing
  Develop test plans for key controls that have been determined to be designed effectively
  Perform testing of entity level, manual, application, and general computer controls to assess operating effectiveness. Controls that fail testing are considered to be deficiencies
  Document the results of testing, including any identified deficiencies

42 Overview of A-123 Assessment: Remediation and Validation
Phase III – Remediation & Validation (Sept – Aug 2007)
Remediation and Validation Activities:
Classify the significance of any control gaps or deficiencies
Document Remediation / Corrective Action Plans for identified control gaps and deficiencies
Implement Corrective Action Plans
Re-test remediated controls and document results

43 Overview of A-123 Assessment: Reporting and Sustaining
Phase IV – Reporting & Sustaining (Aug – Nov 2007)
Reporting and Sustaining Activities:
Draft and submit Agency and Staff Office Certification Statements for their FY07 assessment of internal control over financial reporting
Analyze the impact of Agency and Staff Office control deficiencies on the Department’s annual assurance statement
Draft and finalize the Department’s Annual Assurance Statement for internal controls over financial reporting as of June 30, 2007 for inclusion in the FY07 Performance and Accountability Report
Continue with monitoring, remediation, and reporting of controls

44 Agenda

45 Additional Sources of Information
Refer to for OMB Circular A-123 guidance, including the Appendix A Implementation Guide
USDA’s FY06 Implementation Guide can be found in QuickPlace under “Reference Materials”

