
5/4/2015


AGA Gulf Region PDT

COSO and the Green Book: An Enhanced Internal Control

Framework

Isabelle Dikland, Director, MorganFranklin Consulting

Timothy Grace, Director, MorganFranklin Consulting

May 6, 2015

© MorganFranklin Consulting, LLC. All Rights Reserved. 2

Agenda

• Introductions

• Background

• Green Book Revisions

• Internal Control Overview

• Standards

• Documentation Requirements

• Service Organizations

• Questions and Answers

• Resources


Background: GAO Green Book

The Government Accountability Office (GAO) is required to issue standards for internal control in the federal government.

• Standards for Internal Control in the Federal Government ("The Green Book") – November 1999
  o Reflects the federal internal control standards required by the Federal Managers' Financial Integrity Act (FMFIA)
  o Serves as the basis for OMB Circular No. A-123
  o Leverages private sector guidance issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO): the 1992 COSO Framework

[Timeline graphic: 1983 to present]

Background: Updated COSO Framework

• Released May 14, 2013
• Relationship of objectives and components: there is a direct relationship between the objectives (what an entity strives to achieve) and the components (what is needed to achieve those objectives)
• COSO cube
  o Three objectives represented by columns
  o Five components represented by rows
  o The entity's organizational structure represented by the third dimension

Revisions – From COSO to The Green Book

[Figure: 2013 COSO Framework Update → 2013/2014 Green Book Revision]

Green Book: Reasons for Revisions

• Updated Green Book issued September 2014

Green Book: Revision Process

1. GAO performs a preliminary revision
2. The Green Book Advisory Council reviews it; the Council is comprised of members from the following entities:
   • Federal agency management (nominated by OMB)
   • Inspectors general
   • State and local government
   • Private sector
   • Academia
   • Independent public accounting firms
3. An Exposure Draft is distributed for review and comment by the public
4. The comment period can be extended if a significant volume of salient comments is received. For the most recent version:
   • 43 comment letters resulting in 527 comments
   • Major themes of the comments:
     o Clarification of requirements
     o Definition of key terms
     o Applicability to state, local, and not-for-profit organizations
     o Documentation requirements
     o Editorial suggestions
5. Revisions are not an ad hoc process but a deliberative one
6. Final Green Book issued September 2014

Green Book: What did / did not Change?

What did NOT change:
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control is required for effective internal control
• Important role of judgment in designing, implementing, and operating an internal control system and evaluating its effectiveness

What did change:
• Changes in operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying the five components articulated as principles
• Additional consideration given to operations, compliance, and non-financial reporting objectives

Green Book Revision: Standards for Internal Control in the Federal Government

[Section divider graphic: Standards / Overview]

Overview: Fundamental Concepts

What is Internal Control?

• "Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the organization. Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps federal managers achieve desired results through effective stewardship of public resources."

What is an Internal Control System?

• "An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable, not absolute, assurance that an organization's objectives will be achieved."
• Emphasis on reasonable assurance and flexibility in achieving it.

Overview: Establishing an Internal Control System

• All components, principles, and attributes are relevant for an effective internal control system
• 5 components
• The entity should implement the relevant principles
• Attributes contribute to the design, implementation, and operating effectiveness of the principles

[Figure: hierarchy of Control Objectives → Components → Principles → Attributes]

Overview: Evaluation of an Internal Control System

Framework to Evaluate an Internal Control System

• An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:
  o Effectively designed, implemented, and operating
  o Operating together in an integrated manner
• Management evaluates the effect of deficiencies on the internal control system
• A component is not likely to be effective if its related principles are not effective

[Figure: evaluation rolls up from Attributes → Principles → Components]

Standards: Objectives, Components, and Principles

[Figure: Objectives → Components → Principles and Attributes]

Standards: Objectives

1. Operations – Effectiveness and efficiency of operations
2. Reporting – Reliability of reporting for internal and external use
   • External financial reporting objectives (example: Agency Financial Report)
   • External nonfinancial reporting objectives (example: Management Assurance Statement)
   • Internal financial and nonfinancial reporting objectives (examples: reporting on aging of receivables (financial), staffing reports (nonfinancial))
3. Compliance – Compliance with applicable laws and regulations

Safeguarding of Assets

• A subset of the three categories of objectives
• Prevention or prompt detection of unauthorized acquisition, use, or disposition of an entity's assets

Standards: Five Components and Seventeen Principles

[Figure: the five components and their seventeen principles]

Standards: Control Environment – Principles and Attributes

1. Commitment to integrity and ethical values
   • Tone at the top
   • Establishment of standards of conduct
   • Evaluate adherence to standards of conduct
2. Exercise oversight responsibility
   • Establish oversight structure
   • Provide oversight for the internal control system
   • Provide input for remediation of deficiencies
3. Establish structure, authority, and responsibility
   • Establish organizational structure
   • Assign responsibility and delegate authority
   • Document the internal control system
4. Demonstrate commitment to competence
   • Establish expectations of competence
   • Attract, develop, and retain individuals
   • Plan and prepare for succession
5. Enforce accountability
   • Enforce accountability for performance of internal control responsibilities
   • Consider excessive pressures

Standards: Risk Assessment – Principles and Attributes

6. Define objectives and risk tolerances
   • Define objectives in specific and measurable terms
   • Define risk tolerances for objectives
7. Identify, analyze, and respond to risk
   • Identify risks throughout the entity
   • Analyze risks to estimate their significance
   • Design risk responses
8. Assess fraud risk
   • Consider types of fraud
   • Consider fraud risk factors
   • Respond to fraud risks
9. Identify, analyze, and respond to change
   • Identify changes that could significantly impact the entity's internal control system
   • Analyze and respond to identified changes

Standards: Control Activities – Principles and Attributes

10. Design control activities
    • Respond to objectives and risks
    • Design the types of control activities
    • Design control activities at various levels
    • Consider segregation of duties
11. Design activities for the information system
    • Design the entity's information system
    • Design appropriate types of control activities
    • Design the information technology infrastructure
    • Design security management
    • Design IT acquisition, development, and maintenance
12. Implement control activities
    • Document responsibilities through policies
    • Periodically review control activities to determine continued relevance, redesign when necessary, and communicate as appropriate

Standards: Information and Communication – Principles and Attributes

13. Use quality information
    • Identify information requirements
    • Obtain relevant data from reliable sources
    • Process data into quality information
14. Communicate internally
    • Communicate quality information throughout the entity using established reporting lines
    • Select appropriate methods of communication
15. Communicate externally
    • Communicate with external parties using established reporting lines
    • Select appropriate methods of communication

Standards: Monitoring – Principles and Attributes

16. Perform monitoring activities
    • Establish a baseline for monitoring the internal control system
    • Monitor the internal control system through ongoing monitoring and separate evaluations
    • Evaluate and document the results
17. Remediate deficiencies
    • Report internal control issues to appropriate parties on a timely basis
    • Evaluate and document internal control issues and determine the corrective action approach
    • Complete and document corrective actions to remediate internal control deficiencies

Standards: Component, Principle, Attribute

[Figure: relationship between a component, its principles, and their attributes]

Standards: A principle can be affected by controls in other components

[Figure: controls in one component supporting a principle in another]

Principle/Attribute: Specified Documentation Requirements

• Management must determine the level of documentation needed to assess the effectiveness of internal control
• Documentation is essential: it enables monitoring and supports the assurance process
• The Green Book specifies the minimum level of documentation required for an entity's internal control system:
  o Control Environment: 3.12 – Management should develop and maintain documentation of its internal control system
  o Control Activities: 12.03 – Management should document in policies the internal control responsibilities of the organization
  o Monitoring: 16.12 – Management should evaluate and document the results of ongoing monitoring and separate evaluations to identify internal control issues
  o Monitoring: 17.07 – Management should evaluate and document internal control issues and determine appropriate corrective actions for internal control deficiencies on a timely basis
  o Monitoring: 17.09 – Management should complete and document corrective actions and remediate internal control deficiencies on a timely basis

Additional Consideration: Service Organizations

• Service organizations are external parties that perform certain operational processes for the department/agency
• Management retains responsibility for the performance of the processes outsourced to service organizations
• Management needs to understand the controls each service organization has designed, implemented, and operates, and how the service organization's internal control system affects the entity's internal control system
• Management considerations for determining the extent of oversight controls required:
  o Controls identified by auditors
  o Nature of the services outsourced
  o Service organization's standards of conduct
  o Magnitude and level of complexity of the entity's operations
  o Availability and content of the service organization's SSAE 16 (SOC 1) report. A Type 1 report covers the design of controls at a point in time; a Type 2 report also covers operating effectiveness over a period. Complementary user entity controls listed in the report remain the entity's own responsibility and should be mapped to its control activities. (SSAE 16 has since been superseded by SSAE 18, under which SOC 1 reports are now issued.)

Components Operating Together in an Integrated Manner

An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:

• Effectively designed, implemented, and operating
• Operating together in an integrated manner

Key Resources for Additional Information

• GAO Green Book page: http://www.gao.gov/assets/670/665712.pdf
  o Green Book issued September 2014
• COSO: http://www.coso.org/
  o 2013 Framework Executive Summary
  o Thought Leadership Papers

About MorganFranklin

MorganFranklin is an execution-oriented business consulting and technology solutions company. We deliver financial management, performance improvement, and technology enablement solutions to industry and government clients.

Business Facts

• Founded in 1998
• Headquartered in Washington, D.C.
• National presence and international reach
• Diverse full-time workforce comprised of industry, global consulting, Big Four, and government professionals
• Technical excellence: CPA, CIA, CISA, CISSP, MCSE, RCDD, MBA, Ph.D., PMP
• Fast access to a powerful network of trusted partners with solid industry experience
• Unique blend of industry and government clients
• Industry recognition as a top consulting firm in the U.S.
• Recognized for industry-leading workplace best practices

Questions & Answers