Internal Control Considerations in a Shared Services Environment
- Introductions
  Speakers:
  - Adam Goldberg, Executive Architect, Office of Financial Innovation and Transformation, U.S. Department of the Treasury
  - Gil Hawk, Chief Information Officer, USDA National Finance Center
  - Francois Barnard, Senior Manager, MorganFranklin
  Moderator:
  - Geoff Harkness, Managing Director, MorganFranklin
- Agenda
  Topics of discussion:
  - Introduction to shared services
  - What is the future for shared services in the federal government?
  - Internal control considerations from a shared services provider/federal center of excellence perspective
  - Internal control considerations from a user agency perspective
  - What is SSAE 16 and what does it mean to the parties in a shared services arrangement?
- Internal Controls and Shared Services: the future for shared services in the federal government
- The Case for Financial Management Shared Services
  - Reduce risk of failed systems implementations (cost avoidance)
  - Free up agency resources to focus on mission-based programs
  - Ensure greater standardization of data, which allows for more transparency
  - Enable better decision-making through improved data analytics
  - Make adoption of new government-wide requirements easier
  - Deliver greater efficiencies and cost savings for the federal government
- USDA National Finance Center: A Shared Service Center of Excellence
- Shared Service Provider
  A shared service provider:
  - Provisions one or more business capabilities or services from a common platform to one or more partner agencies/customers.
  - Strives to deliver best value in the Federal Government for the specific service.
  - Guarantees a high level of quality and reliability to maintain the trust and confidence of customers.
- Benefits of Shared Services
  Implementation of the Shared Services Strategy and “Shared First” principles will produce a number of beneficial outcomes:
  - Eliminate inefficient spending that results from duplicative systems
  - Enhance awareness and adoption of available shared services across the government
  - Promote agility and innovation within agencies by improving speed, flexibility and responsiveness
  - Focus more agency resources on core mission requirements rather than administrative support services
  - Spur the adoption of best practices and best-in-class ideas and innovations
  - Reduce the support costs of redundant IT resources
  - Improve cost efficiencies and streamline through shared commodity IT
- NFC’s Business Model (diagram)
  Labels shown: Cross-Service (Shared Services) Provider; Employee-Centric Services; Agency Support Services; Economy Act Contracts; Benefits for a cost; “Breakeven”; “Best Value”; Internal; Other Federal; Commercial
- NFC’s Business Portfolio
  - Human Resources Line of Business
  - Payroll/Personnel
  - Human Resource Services
  - Office of Personnel Management Services
    - Direct Premium Remittance
    - FEHB Clearinghouse
    - Health Care Reform – High Risk Individuals (PCIP)
  - Customer-Specific Services
    - Data Center Hosting
    - Applications Operations
- NFC’s Business Lines: Payroll/Personnel
  - Personnel, time & attendance, payroll, and payroll accounting reporting
  - Since 1983, system functions have grown 400%
  - If annual costs had increased by inflation alone, the average rate would be $42 higher this year
  Background:
  - Services USDA and 170 other Federal organizations in all three branches of the Federal Government
  - Coverage is 655,000 employees
  - Personnel Offices: 4,137
  - Operates as one of four approved e-Payroll providers
- Evolution of NFC Services (timeline chart)
  Years marked: 1983, 1987, 1989, 1990, 1998-99, 2000, 2005, 2006, 2008-12
  Milestones shown, in order: First Cross-Servicing client; Electronic Access/customer data entry; Thrift Savings Plan System; Multiple Payroll/Personnel Databases; Direct Premium Remittance System; TCP/IP Applications; Employee Personal Page; OPM Clearinghouse System; OPM Shared Services Center Selection; EmpowHR 8.8; webTA; EPIC Web; PPS Database Change; EmpowHR 9.0
  Measures shown on the chart (the two values given for each): Departments/Agencies Serviced, 35 and 170; W-2s Processed, 163,000 and 700,000; Lines of Code, 4,017,569 and 20,000,000+; DPRS Accounts, 1,000 and 31,799; Payroll/Personnel Help Desk Calls, 76,200 and 65,161; EmpowHR Help Desk Calls, 1,300 and 3,800
- Payroll/Personnel Payee Growth
- Average Billed Rate vs. Rate of Inflation (Base Year = 2004)
- webTA Rates
- NFC’s Business Lines (cont’d): Human Resources Line of Business (HR LoB)
  Human Resources Life Cycle “From Hire to Retire”: Strategize and Plan; Position Management; Recruiting and Hiring; Development, Performance Management, and Compensation; Separating
  Background:
  - Servicing USDA, LoC, DHS, DoJ, GPO with EmpowHR
  - Business area includes the entire employee life cycle
  - Operates as one of five Federal Shared Service Centers
- NFC’s HRLOB Strategic Solution General Support Systems
- HRLOB Rates
- NFC’s Business Lines (cont’d): Office of Personnel Management Government-wide Benefit Systems
  - Direct Premium Remittance servicing 120,000 annual premiums
  - Federal Employee Health Benefits Clearinghouse supporting 4.2M enrollees
  - High Risk Insurance Pool servicing 20+ states
- NFC’s Business Lines (cont’d): Agency Specific Services
  Provides for USDA and external customers:
  - Complete data center services
  - Application development and maintenance services
  - Employee support services
  - Bulk mailing services
  - Security services
- Customer Profile
  - Several components within the Legislative Branch
  - Several components within the Judicial Branch
  - Approximately half of small agencies
  - Payroll covers 35% of civilian Federal staff
  - Benefits recordkeeping for 90%
  - Federal and beyond
- Why NFC?
  - We deliver quality customer service
  - Platform for future value added
  - Helpdesk for full suite of services
  - Data warehouses – reporting and analytics
  - Disaster recovery – fully tested
  - Best cost/value
- Bringing a New Customer On-board
  - System demonstration
  - Fit-gap session with the customer
  - Functional Requirements Document (FRD)
  - Level-of-effort & cost estimates for implementation
  - Review the costs with the customer
  - System development
  - Develop/test/edit conversion & load scripts for data conversion
  - Load customer data into the Quality Assurance (QA) environment
  - Testing in QA
- Bringing a New Customer On-board (cont’d)
  - Load customer data into Customer User Acceptance Test (CUAT)
  - Conduct training on the product for the customer
  - CUAT testing
  - Resolve any defects from testing
  - Customer approval to go live
  - Move customer into the production environment for go live
- NFC’s Management Controls Program
  Management controls:
  - Essential for enhancing business integrity, minimizing business risks, and operating in an “effective, efficient, secure, auditable, and well-controlled” (EESAC) environment in support of National Finance Center (NFC) goals and objectives.
  Objectives of internal controls:
  - Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations
  “Management control activities are not stand-alone management practices, but rather are woven into the day-to-day operational responsibilities of agency management.” (OMB)
- Management Responsibilities
  - Conduct risk assessments of operational activities.
  - Ensure key management controls are developed, documented, maintained, implemented, evaluated, improved, and reported on.
  - Ensure adherence to NFC-wide management controls.
  - Assess the effectiveness of management controls on an ongoing basis and annually document the assessment process.
  - Report possible material weaknesses, significant deficiencies, and/or non-conformances with the general control standards and the financial management system requirements.
- Assessing Controls
  - A-123, Assessment of Internal Controls over Financial Reporting
  - Annual FISMA self-assessment
  - Assessment and Authorization (formerly C&A)
  - Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
- Summary
  - Shared services allow customers to focus on their main mission areas
- Internal Control Considerations in a Shared Services Environment: User Agency and Shared Services Provider Perspective
- Internal Control Considerations: Overview
  - FISMA requires that user agencies maintain and periodically assess the protections over the information collected or maintained by or on behalf of the user agency
  - The American Institute of Certified Public Accountants (AICPA) provides guidance through standards on performing an objective and independent assessment of the effectiveness of the protections maintained by shared services providers
  - Outsourcing tasks or functions to a shared services provider does not eliminate the risks associated with those activities, nor the responsibility for compliance with requirements
- Internal Control Considerations: User Agency Perspective
  - Assessing the effectiveness of the applicable internal controls maintained at the shared services providers will require an assessment
  - Conducting an on-site assessment will require the consent and cooperation of the shared services providers
  - The ability to conduct on-site assessments (‘right to audit’ clause), if any, at a shared services provider is usually defined within the contractual agreement (MOU, RA, SLA, etc.)
  - Shared services providers may be reluctant to provide the necessary access to their operations
- Internal Control Considerations: Shared Services Provider’s Perspective
  - User agencies continue to increase their due diligence and governance over the services they receive from their shared services providers
  - Allowing on-site assessments will most likely prove disruptive and impractical
  - Measuring the effectiveness of the shared services provider’s environment once and providing that information to many agencies can avoid the disruption on-site assessments may cause
  - Demonstrating an effective and well-controlled environment will help satisfy the user agencies’ requirements around due diligence of the services being provided
- Internal Control Considerations: Service Organization Reports (SOC reports)
  - The assessment can address either the effectiveness of controls over financial reporting (SOC 1) or specific compliance or operational requirements (SOC 2, SOC 3)
  - SOC reports allow the shared services provider to meet the needs of its clients
- Service Organization Reports
- Service Organization Reports (Continued)
- Service Organization Reports (Continued)
- Service Organization Reports: Trust Services Principles
  The Trust Services Principles include the following:
  - Security – The system is protected against unauthorized access (both physical and logical)
  - Availability – The system is available for operation and use as committed or agreed (including business continuity)
  - Integrity – System processing is complete, accurate, timely, and authorized
  - Confidentiality – Information designated as confidential is protected as committed or agreed
  - Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants.
- Service Organization Reports (SOC Reports): Which SOC Report?
- SSAE 16
- SSAE 16 Responsibilities – Shared Services Provider
  Under the standard a shared services provider has five primary responsibilities:
  - Prepare and present a complete and accurate description of the system(s) being used (not just controls/control environment)
  - Specify the control objectives of the system(s) and include those control objectives in the description of the system
  - Identify the risks that threaten the achievement of the control objective(s)
  - Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
  - Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided, as well as the criteria used as a basis for making the assertion
- SSAE 16 Responsibilities – User Agencies
  Under the standard a user agency has the following responsibilities:
  - Verify that the report and the period covered are applicable to the services provided by the service organization
  - Read and understand the description of the service organization’s system and confirm that it provides adequate information to understand the flows of transactions through the service organization and where errors could occur
  - Review the results of the report and apply the information accordingly
  - Retain the report and assessment as test evidence
  - Determine the impact of reported control weaknesses on the client’s assertions/control objectives
  - Make sure that applicable Complementary User Entity Controls (CUECs) are in place and operational
  - User agencies should assess any services provided to the shared services provider and passed through to the user agency that may not be covered by the SSAE 16 report (‘carve-outs’/subservice organizations)
- SSAE 16: Assessing Test Failures
  - The potential impact of test failures noted within the SSAE 16 report should be evaluated
  - Compensating controls may already exist within the report that may help reduce the overall impact
  - In addition, user agencies should also be able to leverage CUECs, where appropriate
  - A test failure does not automatically translate to a control failure
- SSAE 16 Responsibilities – User Agencies: Complementary User Entity Controls (CUECs)
  - Formerly known as User Control Considerations (UCCs)
  - Describe controls that are the responsibility of the user agency and deemed out of scope of the SOC 1 report
  - If CUECs are not designed and operating effectively at the user organization, the control objectives in the SOC 1 report may not be met
  - Conversely, CUECs may compensate for/mitigate control weaknesses at the service provider
  - It is the responsibility of the user agency to document these controls and provide evidence of their operational effectiveness to their auditor
- References
  AICPA. (2010). Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report [White Paper]. Retrieved from http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocuments/10957-378%20soc%20whitepaper.pdf
- Questions & Answers
- Thank You