FMFIA and Internal Controls NOAA Finance Conference May 10, 2007

Outline

• Purpose
• Internal Controls (I/C)
• Legislative Requirements for (I/C)
• OMB Circular A-123
• OMB Circular A-136
• Audit and Internal Control Process
• Reporting Requirements
• Audit and Internal Control Finding Process

Purpose

To provide an understanding of FMFIA and internal controls and why they are important to all NOAA staff (not just the accountants).

Also, provide an understanding of the financial reporting requirements and annual audit process.

Internal Controls

So what are Internal Controls?

An integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:

• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.

So what are Internal Controls?

Internal Controls ensure that what should happen does happen!

• Policy
• Procedures
• Authorizations
• Chain of custody
• Devices (locks)

So what are Internal Controls?

Management’s first line of defense in preventing or detecting noncompliance or abuse.

Why are Internal Controls Important?

They help ensure proper accountability for:

• Validity and reliability of data;
• Efficiency and economy of all activities;
• Compliance with laws and regulations;
• Achievement of agency objectives, and
• Safeguarding of assets.

Why are Internal Controls Important?

Controls are fundamental to the successful accomplishment of your mission.

How am I responsible?

Management is responsible for having an effective system of internal controls, but we all have a role in the effective implementation of these controls.

People are what make internal controls work.

Types of Internal Controls

1. Managerial

Include overall policy, planning & internal review functions.

2. Program/Operational

Involve agency activities that relate to the mission or role of the agency/program.

These controls focus on program performance and economy and efficiency of operations.

Types of Internal Controls

3. Accounting

Relates to the safeguarding of assets and the reliability of financial reports.

4. Administrative

Applies to actions leading to the authorization of transactions and events based on compliance with established policy and procedures.

Types of Internal Controls

5. Financial

Applies to activities and processes involving the authorization and payment or collection of money.

The focus is on the accountability of funds, authorization, and safeguards to protect money.

Internal Control Environment

General Control Activities

• Reasonable Assurance: Balance between cost and benefit of a control.
• Supportive Attitude: Positive and supportive attitude towards controls.
• Competent Personnel: Personnel have the skills and knowledge to perform their job.

Internal Control Environment

• Control Objectives: The purpose of the control and the specific targets to be achieved are clearly understood. What is the control trying to prevent?
• Control Techniques: Mechanisms used to achieve control objectives.

Testing is conducted on control objectives to determine if the objective is effective and efficient.

Internal Control Environment

Control Techniques consist of:

• Documentation: Written policies and procedures.
• Recording of transactions: Accurate and timely recording of transactions.
• Execution of transactions: Authorized and executed by persons acting within the scope of their authority.

Internal Control Environment

• Segregation of Duties: No individual should have control over all aspects of a transaction or event.
• Supervision: Work should be reviewed and approved by a person other than the preparer.
• Security: Physical control over vulnerable assets.
  • Limit access to authorized individuals.
  • Periodic reviews/inventories to account for resources.

Internal Control Environment

Internal Control Activities

General Control Activities

• Reasonable Assurance
• Supportive Attitude
• Competent Personnel
• Control Objectives
• Control Techniques

Specific Control Activities

• Documentation
• Recording of Transactions
• Execution of Transactions
• Segregation of Duties
• Supervision
• Security

Key Points

People are what make internal controls work. We all have a responsibility for internal controls.

The cost of an internal control should not exceed the benefit derived from the control.

The Internal Control Environment sets the tone for the organization. It determines how efficient and effective the controls will be in safeguarding assets, deterring waste, fraud, abuse and mismanagement.

Legislative Requirement for Internal Controls

Legislative Requirements

Key Legislation

Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (“Integrity Act”)

• Agency heads must annually evaluate internal controls and report
  • Section 2: Assurance on overall adequacy and effectiveness of internal controls within the agency and on financial reporting.
  • Section 4: Whether financial management systems conform to government-wide requirements
• Implemented by OMB Circular A-123

Legislative Requirements

Key Legislation

Chief Financial Officers Act of 1990 (“CFO Act”)

• Executive Branch departments, agencies, and entities required to submit audited financial statements and interim financial statements.
• Implemented by OMB Circular A-136.

OMB Circular A-123

OMB Circular A-123

• Prescribes policies and standards for evaluating, improving, and reporting on internal controls.
• Implements the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (“Integrity Act”)
  • Agencies must annually evaluate and report on
    • Section 2 – Adequacy and effectiveness of internal controls
    • Section 4 – Financial management systems

What’s new?

Major revision to A-123, December 2004

Addition of Appendix A

Requires a separate assurance statement on the effectiveness of the internal controls over financial reporting.

Requires management to perform direct testing of the internal controls in place in order to support the new assurance statement.

New assurance statement as of June 30 will be part of the Performance and Accountability Report (PAR) which includes agency performance measures and audited financial statements as of September 30.

Why was A-123 revised?

Passage of Sarbanes-Oxley Act of 2002 (SOX)

Requires that management of publicly-traded companies strengthen their processes for assessing and reporting on internal controls over financial reporting.

Why was A-123 revised?

SOX served as the push for the Federal government to re-evaluate its current policies relating to internal controls over financial reporting and management’s responsibilities.

No government-wide policy concerning audits of federal internal controls.

Why was A-123 revised?

“Empty” Clean Opinions

Intent of the CFO Act was that annual financial statements would flow from, and be a routine by-product of an effective system of internal controls.

Years of preparing financial statements have shown that this is not a reality.

“Heroic” efforts to manually compile financial statements because financial systems are unable to produce financial statements.

Why was A-123 revised?

No consistency between agencies as to type of internal control audits and opinion issued by auditors.

• Only eleven of the 24 CFO agencies reported an audit of internal controls.
• Audit opinions referenced a variety of internal control criteria.

OMB Circular A-136

OMB Circular A-136

Provides guidance on financial reporting for Executive Branch departments, agencies, and entities.

Establishes requirement to submit audited financial statements, interim financial statements, and Performance and Accountability Reports (PAR) under the Chief Financial Officers Act of 1990 (“CFO Act”).

Key Points

OMB Circular A-123 implements FMFIA

• Annual assertion on adequacy and effectiveness of internal controls.

OMB Circular A-136 implements the CFO Act

• Quarterly financial statements
• Annually, independent audit of agency financial statements

Audit and Internal Control Process

Audit and Internal Control Process

Annual audit and internal control process which consists of:

• FMFIA Program Reviews (OMB-123)
  • Program Internal Control Reviews
  • Management Control Reviews
• OMB A-123, Appendix A Reviews
• Financial statement audit by KPMG (OMB-136)

Audit and Internal Control Process

[Diagram. Labels: CFO Act of 1990; FMFIA; OMB Circulars (OMB A-136; OMB A-123 & Appendix A); Audit Process; Internal Control Process; PAR]

Audit and Internal Control Process

FMFIA Program Reviews (OMB A-123)

• Test internal controls related to a non-financial program or process.
• Requires testing internal controls over financial reporting (OMB A-123, Appendix A).

Annual Financial Statement Audit (OMB A-136)

• Annual Departmental audit by KPMG
• Conducts the audit on behalf of the DOC Office of Inspector General.

Audit and Internal Control Process

FMFIA Program Reviews (OMB A-123)

• Program Internal Control Review
• Management Control Review (MCR)

Audit and Internal Control Process

FMFIA Program Reviews (OMB A-123)

Program Internal Control Review

Comprehensive look at the internal controls for a selected program.

Conducted by the Financial Policy & Compliance Division/Office of the CFO.

Independence from program area.

Audit and Internal Control Process

Program Internal Control Review

• Reviewing background information and documenting the process cycle under review.
• Analyzing the control environment.
  • Organizational structure,
  • Policy and procedures,
  • Planning, and
  • Organizational checks and balances.

Audit and Internal Control Process

Program Internal Control Review

• Testing internal controls.
  • Focuses on written requirements and actions.
  • Testing verifies that actions have been taken as planned.
• Evaluating the Internal Controls
  • What did the evidence tell us?
  • Is there compliance with the policy and procedures?

Audit and Internal Control Process

Program Internal Control Review

Report findings.

Make recommendations and request corrective actions.

OCFO monitors corrective actions on a quarterly basis.

Corrective actions will be reviewed by internal auditor for completeness.

Audit and Internal Control Process

Management Control Review

• Evaluate internal controls of a specific activity (within a program or process).
• Guidance issued by Financial Policy & Compliance Division/Office of the CFO.
• Available on the Finance Office web site.

http://www.corporateservices.noaa.gov/~finance/Internal%20Controls.html

Audit and Internal Control Process

Management Control Review

Conducted by Line and Staff Offices

Self-assessment of their internal controls.

Allows management to determine if

• A positive and supportive environment exists;
• Laws, regulations, policies and procedures are being followed as directed;
• Internal controls exist and they are cost effective; and
• Corrective actions are needed.

Audit and Internal Control Process

Management Control Review

Steps for conducting a MCR consist of:

• Conducting a risk assessment;
• Reviewing internal controls;
• Reporting findings; and
• Monitoring
  • Developing corrective action plan,
  • Implementing corrective actions, and
  • Reporting progress to OCFO.

Key Points

FMFIA Program Reviews (OMB-123) consist of:

• Program Internal Control Reviews (CFO)
• Management Control Reviews (LO/SO)

Annual financial statement audit (OMB-136) conducted by KPMG.

• Independent CPA firm contracted by OIG.

Reporting Requirements

Reporting Requirements

Annual audit and internal control process which consists of:

• FMFIA Program Reviews (OMB-123)
  • Program Internal Control Reviews
  • Management Control Reviews
• OMB A-123, Appendix A Reviews
• Financial statement audit by KPMG (OMB-136).

Reporting Requirements

FMFIA Program Reviews (OMB A-123)

Program Internal Control Reviews (OCFO)

• Written report issued by July 31 (or sooner).
• Draft report issued to program area for comments before Final report is issued.
• Final report sent to Line Office CFO and Program area.
• Departmental data call August/September.
• Included in the FMFIA Report as of September 30.
• Quarterly monitoring of corrective actions.

Reporting Requirements

FMFIA Program Reviews (OMB A-123)

Management Control Reviews (LO/SO)

• Completed by June 30 with written report issued by July 31.
• Data call by DOC August/September
• FMFIA Report as of September 30.
• Quarterly monitoring of corrective actions.

Reporting Requirements

OMB A-123, Appendix A

• Completed August 31 for internal control in place as of June 30.
• Assurance statement dated September 30.
• Included in the PAR as of September 30.
• Quarterly monitoring of corrective actions.

Reporting Requirements

Financial Statement Audit

Quarterly financial statements submitted to DOC by:

• 1st Quarter – January 11
• 2nd Quarter – April 11
• 3rd Quarter – July 11
• 4th Quarter – October 11

Reporting Requirements

Financial Statement Audit

• Audit conducted by KPMG April to November.
• Opinion issued on the financial statements as of September 30.
• PAR issued by November 15 (includes auditor opinion).

Reporting Requirements

[Diagram. Labels: Financial Audit (KPMG) (OMB A-136); FMFIA Program Reviews (OMB A-123); OMB A-123 Appendix A; NOAA FMFIA Report; DOC FMFIA Report; DOC Financial Statements; DOC Appendix A Assurance Stmt.; DOC Performance & Accountability Report (PAR)]

Audit and Internal Control Finding Process

Audit and Internal Control Findings Process

FMFIA Program Reviews (OMB-123)

Program Internal Control Reviews

• Findings issued by NOAA CFO and monitored by the Financial Policy & Compliance Division (FPCD)/OCFO.
• Quarterly monitoring.
  • Request for updates on progress to remedy finding sent out by the 15th of the month following the end of a quarter.
  • The due date is two weeks later.

Audit and Internal Control Findings Process

Management Control Reviews

• Findings issued by LO/SO.
• Monitored by both FPCD/OCFO and LO/SO.
• Quarterly monitoring.

OMB A-123, Appendix A Reviews

• Findings issued by NOAA CFO and monitored by FPCD/OCFO.
• Quarterly monitoring.

Audit and Internal Control Findings Process

Annual Financial Statement Audit

KPMG issues draft Notice of Finding & Recommendation (NFR)

• Verify factual accuracy as much as possible before issuance of NFR form
• Distribute (simultaneously) to:
  • Bureau liaison (OCFO)
  • Commerce Office of Inspector General (OIG)
  • Commerce Office of Financial Management (OFM)

Audit and Internal Control Findings Process

Annual Financial Statement Audit

Response requirements to NFR by Responsible Party

• In written format within one week of distribution
• Signed and dated
• Supporting documentation provided for “disagree” responses
• KPMG replies to “disagree” responses in written format within one week of receipt of response

KPMG does not have to accept a non-concurrence response to a NFR.

Audit and Internal Control Findings Process

Corrective Action Plans (CAPs)

Once the Internal Control or Management Letter has been issued, a CAP needs to be developed for all findings.

CAPs need to address the finding even though you still may not agree with the finding.

Audit and Internal Control Findings Process

Developing Corrective Action Plans (CAPs)

• Use format provided with Internal Control or Management Letter.
• Clearly state actions to be taken to remedy the finding with corresponding dates.
• Provide overall date of completion.

Monitoring by FPCD/OCFO.

• FMFIA Program Reviews – quarterly.
• OMB 123, Appendix A – quarterly.
• Annual Financial Audit (KPMG) – monthly.

Annual KPMG Audit Process

[Flowchart. Labels: Draft Notice of Finding (NFR); Comment & Concurrence Period; KPMG Auditor; Final NFR; Draft Mgmt. Letter; Comment Period; Final Mgmt. Letter; Corrective Action Plan (CAP); Implement Corrective Actions; Monthly Updates to CFO; NOAA A-123 Auditor; KPMG Auditor; Review. Timeline: June - Nov, Nov - Dec, Jan - June]

Key Points

Corrective Action Plan (CAP) must be developed for findings.

• FMFIA Program Reviews – quarterly monitoring
• Annual audit (management letter) – monthly

KPMG does not have to accept a non-concurrence response.

The time to request changes to a finding is when it is presented; too late after the issuance of the final report or management letter.

How can I learn more?

OMB Circular A-123
http://www.whitehouse.gov/omb/financial/offm_circulars.html

Implementation Guide for OMB Circular A-123 Appendix A
http://www.cfoc.gov/documents/Implementation_Guide_for_OMB_Circular_A-123.pdf

How can I learn more?

OMB Circular A-136
http://www.whitehouse.gov/omb/circulars/a136/a136_revised_2006.pdf

GAO: Standards for Internal Control in the Federal Government
http://www.gao.gov/special.pubs/ai00021p.pdf

Questions?