GAO’s New Green Book: A Revised Internal Control Framework for Government. A NASACT Webinar, February 11, 2015.

1 GAO’s New Green Book: A Revised Internal Control Framework for Government. A NASACT Webinar, February 11, 2015

2 Opening Remarks. Moderator: R. Kinney Poynter, Executive Director, NASACT. Speakers: Kristen Kociolek, Assistant Director, Financial Management and Assurance Team, Government Accountability Office; Cecile M. Ferkul, Deputy Legislative Auditor (MN); Jeanine Kuwik, Director, Internal Control and Accountability, Office of Management and Budget (MN)

4 Going Green: Standards for Internal Control in the Federal Government

5 Session Objective: To discuss GAO’s Standards for Internal Control in the Federal Government (Green Book)

6 Green Book Through the Years: 1983 to Present

7 What’s in Green Book for the Federal Government? Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA); serves as a base for OMB Circular A-123; written for government; leverages the COSO Framework; uses government terms.

8 What’s in Green Book for State and Local Governments? May be an acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards; written for government; leverages the COSO Framework; uses government terms.

9 What’s in Green Book for Management and Auditors? Provides standards for management; provides criteria for auditors; can be used in conjunction with other standards, e.g. Yellow Book.

10 Updated COSO Framework: Released May 14, 2013

11 The COSO Framework: Relationship of Objectives and Components. There is a direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives). COSO depicts the relationship in the form of a cube: the three objectives are represented by the columns; the five components are represented by the rows; the entity’s organization structure is represented by the third dimension. Source: COSO

12 From COSO to Green Book: Harmonization (figure labels: COSO; Green Book)

13 Revised Green Book: Standards for Internal Control in the Federal Government (sections: Overview; Standards)

14 Revised Green Book: Standards for Internal Control in the Federal Government. Consists of two sections: Overview; Standards. Establishes: definition of internal control; categories of objectives; components and principles of internal control; requirements for effectiveness.

15 Revised Green Book: Overview. Explains fundamental concepts of internal control; addresses how components, principles, and attributes relate to an entity’s objectives; discusses management evaluation of internal control.

16 Fundamental Concepts. What is internal control in Green Book? OV1.01: Internal control is a process effected by an entity’s management that provides reasonable assurance that the objectives of an entity will be achieved. What is an internal control system in Green Book? OV1.04: An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization’s objectives will be achieved.

17 Overview: Components, Principles, and Attributes (figure labels: Achieve Objectives; Components; Principles; Attributes)

18 Revised Green Book: Principles

19 Components and Principles

20 Component, Principle, Attribute

21 Overview: Principles and Attributes. In general, all components and principles are required for an effective internal control system. Principles and Attributes: Entity should implement relevant principles. If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles.

22 Overview: Principles and Attributes (cont.) OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. OV2.07 excerpt: The Green Book contains additional information in the form of attributes... Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity.

23 Overview: Management Evaluation. An effective internal control system requires that each of the five components is: effectively designed, implemented, and operating; operating together in an integrated manner. Management evaluates the effect of deficiencies on the internal control system. A component is not effective if related principles are not effective.

24 Overview: Additional Considerations. The impact of service organizations on an entity’s internal control system; discussion of documentation requirements in the Green Book; applicability to state, local, and quasi-governmental entities as well as not-for-profits; cost/benefit and large/small entity considerations.

25 Revised Green Book: Standards. Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.

26 Revised Green Book: Standards. Explains principles for each component; includes further discussion of considerations for principles in the form of attributes.

27 Control Environment

28 Risk Assessment

29 Control Activities

30 Information & Communication

31 Monitoring

32 Controls Across Components

33 Other Key Considerations. Standards vs. Framework. Documentation Requirements: the Overview lists in OV4.08 the documentation requirements found in the principles, which represent the minimum level of documentation necessary for an effective internal control system.

34 Documentation Requirements. Excerpt from OV2.06: If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

35 Documentation Requirements (cont.) Control Environment, 3.09: Management develops and maintains documentation of its internal control system. Control Activities, 12.02: Management documents in policies the internal control responsibilities of the organization.

36 Documentation Requirements (cont.) Monitoring, 16.09: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. 17.05: Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. 17.06: Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.

37 Accessibility of Green Book. Comments raised during exposure identified a new need: How do we make the Green Book more accessible to our user community?

38 The Green Book Layout. Changed the layout of the Green Book itself to make it more user friendly: introduced a highlights page; facsimile page; graphics throughout the overview and standards.

39 Highlights Page

40 Facsimile Page

41 Cube as Navigation Aid

42 The Green Book in Action: Relationship between the Green Book and Yellow Book

43 Green Book and Yellow Book. Can be used by management to understand requirements; can be used by auditors to understand criteria.

44 The Yellow Book: Framework for Audits. Findings are composed of: Condition (What is); Criteria (What should be); Cause; Effect (Result); Recommendation (as applicable).

45 Linkage Between Criteria (Yellow Book) and Internal Control (Green Book). Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system.

46 The Yellow Book: Framework for Audits. Findings are composed of: Condition (What is); Criteria (What should be); Cause; Effect (Result); Recommendation (as applicable).

47 Linkage Between Findings (Yellow Book) and Internal Control (Green Book). Findings may have causes that relate to internal control deficiencies.

48 Effective Date. Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year. Management, at its discretion, may elect early adoption of the Green Book.

49 Where to Find the Green Book. The Green Book is on GAO’s website at: www.gao.gov/greenbook. For technical assistance, contact us at: greenbook@gao.gov

51 OLA: Adopting the Green Book in Minnesota… moving on from COSO. Cecile Ferkul, Deputy Legislative Auditor; Jeanine Kuwik, Director of Internal Controls and Accountability

52 Not a Major Change for Minnesota (figure labels: No Framework; COSO; Green Book)

53 Before 2007. COSO used by auditors, but auditors did not expect much management involvement in internal controls. “Entity management has not conducted a formal assessment of the risk factors that could impact their ability to produce the financial statements. Management is aware of the implications of misrepresenting the financial statements and takes precautions to prevent that.”

54 Before 2007. The auditors: assessed risks; identified the control activities.

55 Auditing Standards Change Prompted by Crisis. SOX; AICPA Super Suite; Federal Single Audit. Illustration by J. T. Morrow

56 Starting in 2007. 1) Financial Reporting 2) Federal Compliance 3) Financial operations. We took a firm stand: Agency management needed to ensure they understood and assessed the risks and show us they had appropriate and sufficient internal controls. They needed to have all elements of COSO, including risk assessment.

57 Maturity Model. 1 Ad Hoc; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized. Most agencies were below 3.

58 Infamous Finding One. Management had not adequately assessed risks related to: financial reporting; federal compliance; financial operations.

59 Reactions: Shock; Resistance; Delay

60 A Significant Audit: Minneapolis Veterans Home

61 A Significant Audit. Legislative hearings focused on management’s responsibility to have effective internal controls.

62 The Result? New legislation in 2009: “The head of each executive agency is responsible for designing, implementing, and maintaining an effective internal control system”

63 The Result? The creation of the Internal Control & Accountability Unit in Minnesota Management and Budget.

65 Minnesota Adoption of the Green Book. February 11, 2015. Jeanine Kuwik, Internal Control & Accountability Director

66 History of Internal Control Legislation. Included in the Governor’s 2010-2011 budget recommendations; passed by the Legislature in the 2009 session (Minn. Statute Section 16A.057); originally budgeted for up to 6 staff.

67 MS 16A.057 Responsibilities. Adopt statewide internal control standards and policies; coordinate agency training and assistance; share internal audit resources; monitor Office of the Legislative Auditor reports; report biennially on the executive branch system of internal controls and internal audit.

68 Monthly Internal Control Bulletin. NOTE: Actual bulletin can be accessed at: http://mn.gov/mmb/images/September%2520ICB%25202014.docx

69 Agency Head Responsibilities. “The head of each executive agency must annually certify that the agency head has reviewed the agency’s internal control systems, and that these systems are in compliance with standards and policies established by the commissioner [of Minnesota Management and Budget].” We began the certification process in 2012 by requiring each agency head to certify that he/she had assessed the agency’s control environment using the control environment self-assessment tool.

70 Control Environment – Green Book Implications. Revised (i.e. tweaked) our guidance to conform to the 5 Green Book CE principles: 1. Demonstrate Commitment to Integrity and Ethical Values 2. Exercise Oversight Responsibility 3. Establish Structure, Responsibility and Authority 4. Demonstrate Commitment to Competence 5. Enforce Accountability

71 Control Environment Tool. Promotes a high, agency-level look at controls; contains 20 goals/control objectives that model exemplary control behaviors; lists recommended controls that allow agencies to demonstrate an effective control environment; contains references to related Minnesota statutes, laws, rules, and policies.

72 CE Self-Assessment Tool
Control Environment Self-Assessment Tool. Purpose: Agency-wide Control Environment Self-Assessment Tool. Target Audience: Agency Senior Management. Frequency of Review/Completion: Annually.
Columns: Item #; A: Goal; B: Control Objective; C: Recommended Controls¹; D: Assessment Rank 1-3 (1 - Excellent, 2 - Adequate, 3 - Inadequate); E: Action Taken/Controls Implemented; F: Action Items/Areas Needing Improvement; G: Target Completion date; H: Responsible Party; I: References²
Section: CONTROL ENVIRONMENT: Demonstrates Commitment to Integrity and Ethical Values and Enforces Accountability
Item 1
Goal: Agency management fosters and encourages an agency culture that emphasizes the importance of integrity and ethical values.
Control Objective: Agency senior management has set the proper “tone at the top” by emphasizing the importance of ethical behavior through formal and informal communication, including implementation of the Code of Conduct Policy.
Recommended Controls (Assessment Rank shown as “Blank”):
A. Management fosters and encourages ethical behavior through training and communication (e.g., ethics/code of conduct training). References: MS 43A.38, Code of Ethics; MS 16C.04, Code of Ethics for Procurement.
B. The agency head and other applicable senior staff have signed the code of conduct certification. References: MMB Statewide Operating Policy 0103-01, Code of Conduct.
C. Ethics-related communications and training materials are periodically re-evaluated and updated as necessary.*
Item 2
Goal: The agency's positive culture promotes appropriate moral and ethical behavior in dealings with co-workers. Employees know what kind of behavior is acceptable.
Control Objective: Agency management has communicated appropriate ethical and moral behavioral standards, disciplinary actions for unacceptable behavior and a method for employees to comfortably report questionable behavior.
Recommended Controls (Assessment Rank shown as “Blank”):
A. Applicable employees have current Code of Conduct certifications on file. References: MMB Statewide Operating Policy 0103-01, Code of Conduct.
B. All employees are made aware of the Code of Ethics statute. References: MS 43A.38, Code of Ethics.
C. The types of disciplinary actions that can be taken are widely communicated, including penalties for misappropriation or misuse of funds. References: MS 13.09, Data Practices, Penalties; MS 15.43, Acceptance of Advantage by State Employee, Penalty; MS 43A.39, Compliance with Law; MS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required.
D. The agency has established a communication mechanism for employees to raise ethical concerns or potential Code of Conduct violations without fear of retaliation. Employees are made aware of both internal and external (e.g., MMB Human Resources, OLA, etc.) resources for seeking advice on ethical/code of conduct issues. References: MS 181.932, Disclosure of Information by Employees (Whistleblower Protection Statute); MS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required; MMB Statewide Operating Policy 0103-01, Code of Conduct.
E. The agency has a formal internal process for investigating and resolving alleged wrongdoings, conflicts of interest or code of conduct concerns from employees, recipients, customers, vendors and other outside parties. References: MR 3900.9500, Reporting and Investigating Conflicts of Interest; MS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required.
F. As necessary, management takes appropriate action in response to instances of wrongdoing, conflicts of interest, ethical and Code of Conduct violations. References: MR 3900.9500, Reporting and Investigating Conflicts of Interest; MS 609.456, Subd. 2, Reporting to State Auditor and Legislative Auditor Required.
G. Management has developed a formal risk assessment plan to ensure key objectives and the reputation of the agency are protected. References: MS 16A.057, Internal Controls and Internal Auditing; MMB Guide to Risk Assessment and Control Activities.
Actual tool can be accessed at: http://mn.gov/mmb/images/Control%2520Environment%2520Self-Assessment%2520Tool.xlsx

73 CE Self-Assessment Tool: Ribbon identifies the specific related Green Book control environment principle(s), such as “Demonstrates Commitment to Integrity and Ethical Values”

74 CE Self-Assessment Tool: Goal indicates the desired behavior, such as “Goal 1: Agency management fosters and encourages an agency culture that emphasizes the importance of integrity and ethical values”

75 CE Self-Assessment Tool: Recommended Controls or specific actions needed, such as “A. Management fosters and encourages ethical behavior through training and communication” and “B. The agency head and other applicable senior staff have signed the code of conduct certification”

76 CE Self-Assessment Tool: Agencies are asked to rank their status using a scale of 1 to 3

77 CE Self-Assessment Tool Plenty of room for agencies to insert what actions they have already taken, and comment on any areas still needing improvement.

78 CE Self-Assessment Tool Final column provides references to related state laws, rules, and policies (i.e. we didn’t just make this stuff up!)

79 Risk Assessment Assessment plans required beginning in 2013 Agencies decide which processes need formal risk assessments, but must consider: – Items material to the CAFR – Major single audit programs – Major sources and uses of funding (financial) – Areas critical to agency mission (operational) Risk assessments currently underway in most agencies

80 Risk Assessment – Green Book Implications Currently revising policy, procedures, and guidance to conform to the Green Book principles – Four risk assessment principles – Three control activities principles

81 Risk Assessment/Control Activities Potential Issues Biggest sticking point is Principle 11, due to Minnesota’s recent IT consolidation – Principle 11 – Management should design control activities for the entity’s information system Other principles being discussed – Principle 6 – Management should define objectives clearly … and define risk tolerances – Principle 8 – Management should consider the potential for fraud

82 Other Green Book Components Information and Communication – Embedded in all other components – Must make this component implicit in all guidance Monitoring – Still to be determined

83 Questions? Minnesota Management and Budget (MMB) Internal Control and Accountability Unit Jeanine.Kuwik@state.mn.us http://mn.gov/mmb/internalcontrol/

84 Question & Answer Session MODERATOR R. Kinney Poynter Executive Director, NASACT SPEAKER Kristen Kociolek Assistant Director, Financial Management and Assurance Team, Government Accountability Office SPEAKER Cecile M. Ferkul Deputy Legislative Auditor (MN) SPEAKER Jeanine Kuwik Director, Internal Control and Accountability, Office of Management and Budget (MN)

86 GAO’s New Green Book: A Revised Internal Control Framework for Government THANK YOU FOR ATTENDING

