IT Audit Requirements & Management Controls
Jack Heyman, CPA, CISA, CGFM, CIPP, CAP

Presentation Transcript


  1. IT Audit Requirements & Management Controls. Jack Heyman, CPA, CISA, CGFM, CIPP, CAP. Your Internal Controls

  2. Agenda: Introduction; Comments; Regulation / Guidance; Internal Controls; COSO; A-123; SAS 55; Yellow Book; SAS 112

  3. Comments
     “Over 800 pages of statutory text govern the daily decisions of Federal managers …”
     Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (June 22, 2005)

  4. Comments
     “Internal controls are the checks and balances that help managers detect and prevent problems. They can be as simple as computer passwords or having a manager sign off on a time sheet, or as complex as installing software to track spending and detect spikes that signal trouble. Internal controls provide a foundation for accountability; and, while they are important in the private sector, sound controls are imperative in government. Public trust depends on nothing less.”
     Representative Platts, Chairman, Subcommittee on Government Management, Finance, and Accountability (February 16, 2005)

  5. Comments
     “Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government’s own financial reporting problems, have resulted in an increased focus on management’s responsibility for internal control.”
     February 2005, Subcommittee on Government Management, Finance, and Accountability

  6. Comments
     “Government should lead by example. We should be as good or better than those we are regulating.”
     David Walker, Comptroller General, to Congress (CFO Magazine, June 2003)

  7. Comments
     “The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal assessments with other internal control-related activities.”
     Linda Springer, Controller, Office of Management and Budget (December 21, 2004)

  8. Regulation / Guidance
     • Budget & Accounting Procedures Act of 1950
       • Internal controls have been talked about for almost 60 years.
     • Inspector General Act of 1978, as amended
     • OMB A-123 Management’s Responsibility for Internal Control (1981)
     • Federal Managers Financial Integrity Act of 1982
     • OMB A-50 Audit Follow Up (1982)
     • GAO Green Book (1983)

  9. Regulation / Guidance
     • CFO Act of 1990
       • Financial statement audits for approximately 225 agencies.
     • Government Performance and Results Act of 1993
     • Government Management Reform Act of 1994
     • OMB A-123 Management’s Responsibility for Internal Control, revised (1995)
     • Federal Financial Management Improvement Act of 1996
     • Clinger-Cohen Act of 1996
     • GAO Green Book, revised (1999)

  10. Regulation / Guidance
     • Reports Consolidation Act of 2000
     • OMB Bulletin 01-02 Audit Requirements for Federal Financial Statements (2000)
     • Federal Information Security Management Act of 2002
       • Includes PIA
     • Improper Payments Information Act of 2002
     • Accountability of Tax Dollars Act of 2002
       • Another 78 agencies must have financial statement audits.
     • OMB A-123 Management’s Responsibility for Internal Control, revised (2004)
     • OMB A-136 Financial Reporting Requirements (2004)

  11. Regulation / Guidance
     • NIST 800-18 Security Plans
     • NIST 800-30 Risk Assessments
     • NIST 800-34 Contingency Planning
     • NIST 800-37 Certification and Accreditation
     • NIST 800-47 Interconnected Systems
     • NIST 800-50 Security Awareness
     • NIST 800-53a Controls (low, moderate, and high)
     • NIST 800-60 Control categories
     • NIST FIPS 199 Security Categorization
     • OMB M 06-16: where and why do we have to follow NIST standards?

  12. Internal controls: OMB A-123
     Authority: the Federal Managers’ Financial Integrity Act of 1982, as codified in 31 U.S.C. 3512, references A-123 to provide guidance on how to implement.

  13. Internal controls
     “Agencies and individual Federal managers must take systematic and proactive measures to:”
     • Develop internal control oriented management.
     • Assess the adequacy of internal control in programs and operations.
     • Separately assess and document internal control.
     • Identify needed improvements.
     • Take corrective action.
     • Report annually through management assurance statements.
     Source: A-123 Revised, dated December 21, 2004.

  14. Internal controls
     A-123 makes references to a host of other regulations to follow, such as: FISMA, IPIA, GPRA, CFO Act.

  15. Internal controls
     What are internal controls? They provide reasonable assurance of:
     • Compliance with Laws and Regulations.
     • Reliability of Financial Data.
     • Effectiveness and Efficiency of operations.
     The above is mentioned everywhere (e.g. CFOC A-123 Implementation Guide, many SASs, A-123, Green Book, etc.)

  16. Internal controls: A-123 Applicability
     • Compliance with A-123 AND Appendix A: agencies listed within the CFO Act of 1990, as amended by the Government Management Reform Act of 1994 (cited in OMB Circular A-136). (ABOUT 225 AGENCIES)
     • Compliance with A-123 (NOT Appendix A): executive agencies, as well as independent agencies and government corporations within the executive branch of the Federal government.

  17. COSO
     COSO’s influence on the industry:
     • National Commission on Fraudulent Financial Reporting (Treadway Commission) was formed in 1985 from the following 5 organizations:
       • FEI – Financial Executives International
       • AAA – American Accounting Association
       • AICPA – American Institute of CPAs
       • IIA – Institute of Internal Auditors
       • IMA – Institute of Management Accountants

  18. COSO
     COSO’s influence on the industry:
     • In 1987, the Treadway Commission issued the Report of the National Commission on Fraudulent Financial Reporting, which emphasized:
       • Importance of control environment
       • Codes of conduct
       • Competent and involved audit committees
       • Active and objective internal audit function

  19. COSO
     COSO’s influence on the industry:
     • In September 1992, COSO issued the Internal Control Integrated Framework.
       • Control Environment – tone of the organization
       • Risk Assessment – assessing the risks of the organization
       • Control Activities – policies and procedures
       • Information and Communication – timely communication throughout the organization
       • Monitoring – quality control over a period of time

  20. COSO
     COSO’s influence on the industry:
     • In September 2004, COSO issued the Enterprise Risk Management – Integrated Framework (ERM).

  21. COSO

  22. SAS 55
     SAS 55 .02: “In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.”

  23. SAS 55
     SAS 55 .04: “Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient.”
     Remember: SAS 103 – 112 now come into play…

  24. Yellow Book
     Note: Yellow Book (GAGAS) engagements are subject to additional AICPA standards for both fieldwork and reporting.

  25. SAS 112, paragraph 1
     “It is applicable whenever an auditor expresses an opinion on financial statements.”
     “Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.”

  26. SAS 112, paragraphs 5 - 6

  27. SAS 112, paragraph 9
     “The auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses. The significance of a control deficiency depends on the potential for a misstatement, not on whether a misstatement actually has occurred. Accordingly, the absence of identified misstatement does not provide evidence that identified control deficiencies are not significant or material weaknesses.”

  28. SAS 112, paragraph 13
     “Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.”

  29. SAS 112, paragraph 14
     “… the auditor also should evaluate the possible mitigating effects of effective compensating controls …”
     “Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency.”

  30. SAS 112, paragraph 18
     “Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control:
     • Controls over the selection and application of accounting principles;
     • Antifraud programs and controls;
     • Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.”

  31. SAS 112, paragraph 19
     Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
     • Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance;
     • Restatement of previously issued financial statements to reflect the correction of a material misstatement;
     • Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control;
     • An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large or highly complex entities.

  32. SAS 112, paragraph 19 (continued)
     Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
     • For complex entities in highly regulated industries, an ineffective regulatory compliance function;
     • Identification of fraud of any magnitude on the part of senior management;
     • Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected;
     • An ineffective control environment.

  33. SAS 112, paragraph 32
     The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
     • Inadequate design of internal control over a significant account or process;
     • Inadequate documentation of internal control;
     • Insufficient control consciousness within the organization;
     • Absent or inadequate segregation of duties;
     • Absent or inadequate controls over safeguarding of assets;
     • Inadequate design of IT general and application controls;
     • Employees or management who lack qualifications and training;
     • Inadequate design of monitoring controls; and
     • Absence of internal process for reporting deficiencies.

  34. SAS 112, paragraph 32 (continued)
     The following are examples of circumstances that may be control deficiencies, significant deficiencies, or material weaknesses:
     • Failure in the operation of effectively designed controls (e.g. dual authorization);
     • Failure to perform reconciliations of significant accounts;
     • Undue biases on the part of management;
     • Management override of controls; and

  35. Internal Controls

  36. What is Risk?
     RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one’s objectives.
     To assess risk, the following process is used:
     • Source the Risks
     • Prioritize the Risks
     • Identify the Risks

  37. What is Internal Control?
     Internal Control = Risk Mitigation
     Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
     • Alarm Clock: designed to prevent oversleeping. What are the risks?
     • Speed Limits: designed to prevent aggressive driving. What are the risks?
     • Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?

  38. What is Internal Control in an Organization?
     Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
     • Effectiveness & Efficiency of Operations: relates to an entity's basic business objectives, including performance goals and safeguarding of an entity’s resources.
     • Reliability of Financial Reporting: relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e. budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
     • Compliance with Laws & Regulations: relates to complying with those laws and regulations to which the entity is subject.

  39. What are the Benefits of Good Internal Control?
     • Identification and elimination of waste, fraud and abuse
     • Reduction of improper or erroneous payments
     • Enhanced understanding of risk exposure
     • Sustained performance, efficiency and effectiveness
     • Reduced level of effort for financial management system implementation or audit
     • Improved policies and procedures
     • Streamlined processes
     • Clear definition of process ownership
     • Greater accountability
     • Enhanced audit readiness and internal control attestation readiness
     • Compliance with laws & regulations

  40. Office of Management and Budget (OMB) and Congressional Oversight
     • The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch.
     • Internal control is an integral part of the tools currently being used by OMB and Congress to monitor federal Agencies:
       • Performance and Accountability Report (PAR) – contains the Secretary's assurance statement on internal and financial management controls
       • Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results
       • President’s Management Agenda (PMA) – aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a “scorecard”

  41. Internal Control Policy

  42. OMB Circular A-123
     • Issued under authority of FMFIA; entitled “Management Accountability and Control”
     • Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
     • Requires annual reporting on the effectiveness of management controls
     • Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA

  43. Revised OMB Circular A-123
     • Circular A-123 was revised in December 2004
     • Renamed “Management’s Responsibility for Internal Control”
     • Changes developed by the Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)
     • Adopts certain concepts from the Sarbanes-Oxley Act of 2002
     • Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”
     • Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)

  44. Overview of Revised Circular OMB A-123
     The Revised Circular A-123 includes the following Appendices:
     • Appendix A – Internal Control over Financial Reporting
     • Appendix B – Improving Management of Government Charge Card Programs (Revised Appendix B issued April 2006)
       • Increases frequency of review and scope of spending and transaction limits
       • Limits authorization and blocks card use for “high risk merchant category codes”
     • Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (issued August 2006)
       • Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments, and obtaining a statistically valid estimate of the annual amount of improper payments
       • Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them

  45. Revised OMB Circular A-123, Appendix A Requirements
     OMB Circular A-123, Appendix A requires Agencies to:
     • ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
     • ESTABLISH a governance structure
     • DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30 - This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
     • TEST the operating effectiveness of internal controls

  46. Revised OMB Circular A-123, Appendix A Requirements (continued)
     • INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
     • SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying effectiveness of internal control within the Agency - The Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15
     • CORRECT deficiencies in internal control over financial reporting - Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies

  47. Internal Control over Financial Reporting
     The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting.
     • Internal control over financial reporting is a process designed to provide reasonable assurance regarding reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting.
     • Internal control over a complete process involves controls at every step of the process, including:
       • controls over transaction initiation,
       • maintenance of records,
       • recording of transactions, and
       • final reporting
     • Internal control over financial reporting also includes:
       • entity level controls,
       • information technology controls, and
       • operational and compliance controls

  48. Management Responsibilities
     Management is responsible for establishing and maintaining internal control and documentation. Management must:
     • consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework’s five components)
     • develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
     • maintain up-to-date controls documentation on an on-going basis
     • provide a certification Statement related to the adequacy of controls (signed by the Secretary)

  49. Manual versus Automated Controls
     Controls may be either:
     • Manual – implemented through human action
       • Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
     • Automated – implemented through system action
       • Example: Users must have a valid user id and password to access a system

  50. Detective versus Preventative Controls
     Controls may be either:
     • Detective – provide evidence that an error or exception has occurred
       • Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls
     • Preventative – are proactive in that they attempt to deter or prevent undesirable events from occurring
       • Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls
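As an added example that is not part of the slides, the Python sketch below pairs an automated preventative control (dual authorization of general ledger journal entries, so the initiator can never be the approver) with an automated detective control (reconciling general ledger balances to subledger totals), the two control kinds contrasted on slides 49 and 50 and the control points over journal entries and reconciliations named in SAS 112. Every user name, account, amount and the subledger discrepancy is constructed for the illustration.

```python
"""Constructed illustration of a preventative control (segregation of duties on
journal entry approval) beside a detective control (GL-to-subledger reconciliation).
Not from any real ledger system; all data below is made up for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class JournalEntry:
    entry_id: str
    account: str
    amount: float               # constructed convention: positive = debit, negative = credit
    initiated_by: str
    approved_by: Optional[str] = None


class GeneralLedger:
    def __init__(self) -> None:
        self.balances: Dict[str, float] = defaultdict(float)
        self.rejected: List[str] = []   # audit trail of entries the preventative control blocked

    def post(self, entry: JournalEntry) -> bool:
        """Preventative control: post only entries approved by someone other than
        their initiator (dual authorization / segregation of duties). A self-approved
        or unapproved entry is refused before it can ever reach the ledger."""
        if entry.approved_by is None or entry.approved_by == entry.initiated_by:
            self.rejected.append(entry.entry_id)
            return False
        self.balances[entry.account] += entry.amount
        return True


def reconcile(ledger: GeneralLedger, subledger_totals: Dict[str, float],
              tolerance: float = 0.005) -> Dict[str, float]:
    """Detective control: compare every GL balance with the independently kept
    subledger total and report each account whose difference exceeds the tolerance.
    It does not stop the error; it produces the evidence that one occurred."""
    exceptions: Dict[str, float] = {}
    for account in set(ledger.balances) | set(subledger_totals):
        diff = ledger.balances.get(account, 0.0) - subledger_totals.get(account, 0.0)
        if abs(diff) > tolerance:
            exceptions[account] = round(diff, 2)
    return exceptions


def run_example() -> Tuple[List[str], Dict[str, float]]:
    gl = GeneralLedger()
    entries = [                                                        # constructed entries
        JournalEntry("JE-1", "1010 Cash", 500.00, "alice", "bob"),     # properly dual-authorized
        JournalEntry("JE-2", "1010 Cash", -120.00, "alice", "alice"),  # self-approved: blocked
        JournalEntry("JE-3", "2010 Payables", 300.00, "carol"),        # never approved: blocked
        JournalEntry("JE-4", "2010 Payables", 300.00, "carol", "dave"),
    ]
    for entry in entries:
        gl.post(entry)
    # Constructed subledger: the cash clerk recorded JE-2 even though the GL
    # refused it, so the detective control should surface a 120.00 difference.
    subledger = {"1010 Cash": 380.00, "2010 Payables": 300.00}
    return gl.rejected, reconcile(gl, subledger)


if __name__ == "__main__":
    rejected, exceptions = run_example()
    print("blocked by preventative control:", rejected)
    print("reconciliation exceptions:", exceptions)
```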
