Internal Controls: The Basics National Grants Management Association May 17, 2017


Agenda
- Establish a fundamental understanding of internal control
- Describe the five components of internal control and the associated principles
- Discuss internal control deficiencies identified in GAO reports

Internal Control Definition
Internal Control - Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. (Para. OV1.01)

Internal Control and Objectives
Put simply, internal control is a process used by management to help an entity achieve its objectives.

Internal Control and Objectives (cont.)
Objectives - What is to be accomplished?

Internal Control through the Years

Statutory Authority
- Per the Federal Managers' Financial Integrity Act of 1982 (FMFIA), GAO is required to set the Standards for Internal Control in the Federal Government (Green Book).
- Per FMFIA, the Office of Management and Budget (OMB) is required to issue evaluation guidance (Circular A-123, Management's Responsibility for Internal Control).

Consists of two sections:
- Overview
- Standards
Establishes:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for evaluating effectiveness

Overview: Components, Principles, and Attributes
(Diagram labels: Achieve Objectives; Overview; Standards; Components; Principles; Attributes)

Types of Objectives
Management groups objectives into one or more of the following three categories (Para. OV2.18):
- Operations - Effectiveness and efficiency of operations (Para. OV2.19)
- Reporting - Reliability of reporting for internal and external use (Para. OV2.21)
- Compliance - Compliance with applicable laws and regulations (Para. OV2.22)

The Five Components
Five Components of Internal Control (Para. OV2.04):
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

The Internal Control Cube

Components and Principles

Control Environment
Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives. (Para. OV2.04)

Control Environment (cont.)
The control environment component contains the following five principles:
- The oversight body and management should demonstrate a commitment to integrity and ethical values. (Para. 1.01)
- The oversight body should oversee the entity's internal control system. (Para. 2.01)
- Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives. (Para. 3.01)
- Management should demonstrate a commitment to recruit, develop, and retain competent individuals. (Para. 4.01)
- Management should evaluate performance and hold individuals accountable for their internal control responsibilities. (Para. 5.01)

Control Environment Red Flags
Examples that could indicate an internal control deficiency and require further analysis:
- Personnel do not understand what behavior is acceptable or unacceptable.
- Top management is unaware of actions taken at the lower level of the entity.
- It is difficult to determine the entities or individuals that have responsibility for programs or particular parts of a program.
- The entity's structure is inefficient or dysfunctional.
- Management displays a lack of concern for internal control and is unresponsive to internal control deviations or recommendations to improve internal control.

Risk Assessment
Risk Assessment - Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. (Para. OV2.04)

Risk Assessment (cont.)
The risk assessment component contains the following four principles:
- Management should define objectives clearly to enable the identification of risks and define risk tolerances. (Para. 6.01)
- Management should identify, analyze, and respond to risks related to achieving the defined objectives. (Para. 7.01)
- Management should consider the potential for fraud when identifying, analyzing, and responding to risks. (Para. 8.01)
- Management should identify, analyze, and respond to significant changes that could impact the internal control system. (Para. 9.01)

Risk Assessment Red Flags
Examples that could indicate an internal control deficiency and require further analysis:
- Management has not reassessed the risk related to recent major changes, for example, new responsibilities, reorganization, cuts in funding, and expansion of programs.
- The agency or program does not have well-defined objectives.
- The agency or program does not have adequate performance measures.
- Management has not considered previous issues with fraud, waste, or abuse in the agency's risk assessment.
- The agency is unable to prioritize work appropriately.
- The agency is unaware of obstacles to its mission.
- The agency is not able to overcome obstacles to its mission efficiently or at all.

Control Activities
Control Activities - The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity's information system. (Para. OV2.04)

Control Activities (cont.)
The control activities component contains the following three principles:
- Management should design control activities to achieve objectives and respond to risks. (Para. 10.01)
- Management should design the entity's information system and related control activities to achieve objectives and respond to risks. (Para. 11.01)
- Management should implement control activities through policies. (Para. 12.01)

Control Activities Red Flags
Examples that could indicate an internal control deficiency and require further analysis:
- Employees are unaware of policies and procedures, but do things the way they have always been done.
- Operating policies and procedures have not been developed or are outdated.
- Key documentation is often lacking or does not exist.
- Key steps in a process are not being performed.
- Personnel and management are uncertain why processes are being performed or how processes are related to and support program goals.

Information and Communication
Information and Communication - The quality information management and personnel communicate and use to support the internal control system. (Para. OV2.04)

Information and Communication (cont.)
The information and communication component contains the following three principles:
- Management should use quality information to achieve the entity's objectives. (Para. 13.01)
- Management should internally communicate the necessary quality information to achieve the entity's objectives. (Para. 14.01)
- Management should externally communicate the necessary quality information to achieve the entity's objectives. (Para. 15.01)

Information and Communication Red Flags
Examples that could indicate an internal control deficiency and require further analysis:
- When top management needs information, there is an excessive rush to assemble the information, or the process is handled through ad hoc mechanisms (e.g., the information was not readily available).
- Key information requests for basic information on the status of operations from external stakeholders (e.g., Congress or GAO) are difficult for the agency to respond to and require extra resources or special efforts.
- Management is using poor quality information or outdated information for making decisions.
- Staff are frustrated by requests for information because it is time-consuming and difficult to provide the information.
- Management does not have reasonable assurance that the information it is using is accurate.
- Personnel are unaware of separate communication lines for reporting confidential information.

Monitoring
Monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews. (Para. OV2.04)

Monitoring (cont.)
The monitoring component contains the following two principles:
- Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. (Para. 16.01)
- Management should remediate identified internal control deficiencies on a timely basis. (Para. 17.01)

Monitoring Red Flags
Examples that could indicate an internal control deficiency and require further analysis:
- Management does not evaluate a program on an ongoing basis.
- Significant problems exist in controls and management was not aware of those problems until a big problem occurred or until an outside party brought it to its attention.
- There are unresolved problems with the other components: control environment, risk assessment, control activities, and information and communications.
- Previously identified engagement findings are not being resolved adequately or timely.
- Management misses key deadlines and was not aware that it would not be able to meet deadlines.

Evaluating the Effectiveness of an Internal Control System
- An effective internal control system provides reasonable assurance that the entity will achieve its objectives.
- An effective internal control system has
  - each of the five components of internal control effectively designed, implemented, and operating and
  - the five components operating together in an integrated manner.
- The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

Remediating Deficiencies
- Management assigns responsibility and delegates authority to remediate the internal control deficiency.
- When determining the appropriate corrective actions to remediate an internal control deficiency, management considers the significance of the deficiency.
- Identifying the root cause of a deficiency can result in more meaningful corrective actions, which can help prevent the deficiency from recurring.

Remediating Deficiencies (cont.)
- Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.
- Management, with oversight from the oversight body, monitors the status of remediation efforts so that they are completed on a timely basis.
- Management and the oversight body determine when the entity has sufficiently completed the corrective actions needed to remediate the deficiency.

GAO Internal Control Findings
Legal Services Corporation: Improvements Needed in Controls over Grant Awards and Grantee Program Effectiveness (GAO-10-540)
- LSC management had not consistently focused on key human capital issues. (Control environment)
- Control weaknesses hindered LSC's ability to oversee grantees and ensure compliance. (Monitoring and risk assessment)
- Controls over grant application review and award process need improvement. (Control activities)

GAO Internal Control Findings (continued)
Legal Services Corporation: Improved Internal Controls Needed in Grants Management and Oversight (GAO-08-37)
- Internal control weaknesses impeded LSC's ability to adequately assure grant funds are used as intended and in compliance with laws and regulations.
- LSC's control activities for monitoring do not provide reasonable assurance that grant funds are being used properly and in compliance with laws and regulations.
- LSC did not identify control weaknesses at 9 entities.

GAO Internal Control Findings (continued)
Grants Management: Actions Needed to Address Persistent Grant Closeout Timeliness and Undisbursed Balance Issues (GAO-16-362)
- OMB issued updated guidance on grant closeouts, but lacks specificity on tracking and reporting undisbursed balances in expired grant accounts. (Information and communication)
Grants Management: EPA Has Taken Steps to Improve Competition for Discretionary Grants but Could Make Information More Readily Available (GAO-17-161)
- Information on EPA discretionary grants on publicly available websites is either difficult to identify or incomplete. (Information and communication)

GAO Internal Control Findings (continued)
Indian Affairs: Key Actions Needed to Ensure Safety and Health at Indian School Facilities (GAO-16-313)
- Lack of updated and comprehensive inspection guidance and inconsistent inspection practices hinder Indian Affairs' ability to collect complete and accurate information on inspected schools. (Control activities and information and communication)
- Indian Affairs is not consistently monitoring whether schools have established required safety committees. (Monitoring)

Where to Find
- The Yellow Book is available on GAO's website at: www.gao.gov/yellowbook
- The Green Book is available on GAO's website at: www.gao.gov/greenbook
- For technical assistance, contact us at: yellowbook@gao.gov or greenbook@gao.gov or call (202) 512-9535

Contact Information
Kim McGatlin
mcgatlink@gao.gov
202-512-9366