Applying Internal Controls Using the New Green Book - GFOA-PA
Applying Internal Controls Using the New Green Book
Jennifer CruverKibi, CPA

Presentation Highlights
1. Internal control basics
2. What is the Green Book and why should it be used?
3. Breaking down the Green Book
4. How to apply the Green Book with limited staffing

Internal Control Basics
Internal control is a process used by management to help an entity achieve its objectives. Internal control helps an entity:
- Run its operations efficiently and effectively
- Report reliable information about its operations
- Comply with applicable laws and regulations

Internal Control Basics
Management’s objectives:
- Operate effectively and efficiently
- Provide reliable financial reporting
- Comply with applicable laws and regulations
Internal controls are the practical tools used to ensure these objectives are met.
- How can management reasonably assert that it is meeting its objectives?

Internal Control Basics
There are inherent limitations on internal control:
- The cost of controls should not exceed their benefits
- Risk of “management override”
- Risk of collusion to circumvent controls

Internal Control Basics
Internal control is a process driven by management and employees. Responsibility for internal control is as follows:
- Primary = Management (key beneficiary)
- Ultimate = Board
- Indirect = Independent auditor

Internal Control Basics
Predisposition to fraud = the Fraud Triangle (pressure, opportunity, rationalization)
- The only element employers can control is opportunity
- Poor internal control creates opportunity for fraud

What is the Green Book?
Released by GAO: Standards for Internal Control in the Federal Government, 2014 Revision.
- www.gao.gov/greenbook
Provides standards for management and criteria for auditors.
The revision is the first since 1999 and continues to set the standards for an effective internal control system for federal entities.

What is the Green Book?
Supersedes the previous GAO version and is effective beginning with fiscal year 2016 for Federal Managers’ Financial Integrity Act reports covering that year.
Adopts key concepts from the 2013 COSO Internal Control – Integrated Framework and adapts them for a government environment.

What is the Green Book?
Presents 17 principles, arranged under 5 components, that elaborate on management’s responsibilities in implementing and overseeing an effective internal control environment.
Establishes:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness

Why Consider Using the Green Book?
While the Green Book is specifically applicable to federal entities, it may be applied by state and local governments as a framework for an internal control system.
The Uniform Guidance (Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards) identifies the Green Book as a best practice for meeting the requirement to establish and maintain effective internal control that provides reasonable assurance that the entity is managing federal awards in compliance with regulations and the terms and conditions of the awards.

Why Consider Using the Green Book?
- All 17 principles apply to both large and small entities, so a non-federal entity may choose to apply the Green Book standards as the framework for its internal control system.
- Written for government
- Leverages the COSO Framework
- Uses government terms
- Smaller entities may have different implementation approaches than larger entities.
- Provides standards for management
- Provides criteria for auditors

Breaking Down the Green Book
What is internal control in the Green Book?
- OV1.01: Internal control is a process effected by an entity’s management that provides reasonable assurance that the objectives of an entity will be achieved.
What is an internal control system in the Green Book?
- OV1.04: An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an organization’s objectives will be achieved.

Breaking Down the Green Book (two slides of graphics; no text transcribed)

Breaking Down the Green Book: Control Environment
1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
- Tone at the top
- Standards of conduct
- Adherence to standards of conduct
2. The oversight body should oversee the entity’s internal control system.
- Oversight structure
- Oversight for the internal control system
- Input for remediation of deficiencies
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
- Organizational structure
- Assignment of responsibility and delegation of authority
- Documentation of the internal control system
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- Expectations of competence
- Recruitment, development, and retention of individuals
- Succession and contingency plans and preparation
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
- Enforcement of accountability
- Consideration of excessive pressures

Breaking Down the Green Book: Risk Assessment
6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
- Definitions of objectives
- Definitions of risk tolerances
7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Identification of risks
- Analysis of risks
- Response to risks
8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
- Types of fraud
- Fraud risk factors
- Response to fraud risks
9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.
- Identification of change
- Analysis of and response to change

Breaking Down the Green Book: Control Activities
10. Management should design control activities to achieve objectives and respond to risks.
- Response to objectives and risks
- Design of appropriate types of control activities; common categories are:
  • Top-level reviews of actual performance
  • Reviews by management at the functional or activity level
  • Management of human capital
  • Controls over information processing
  • Physical control over vulnerable assets
  • Establishment and review of performance measures and indicators
  • Segregation of duties
  • Proper execution of transactions
  • Accurate and timely recording of transactions
  • Access restrictions to and accountability for resources and records
  • Appropriate documentation of transactions and internal control
- Design of control activities at various levels
  • Entity-level controls
  • Transaction controls
- Segregation of duties
11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
- Design of the entity’s information system
  • Does the system address the entity’s objectives and risks?
  • Does the system meet the operational process’s information requirements?
  • Does the system meet the information processing objectives of completeness, accuracy, and validity?
- Design of appropriate types of control activities
  • General controls: security management; logical and physical access; configuration management; segregation of duties; backup and recovery
  • Application controls: use of IT to initiate, authorize, record, process, and report transactions
- Design of IT infrastructure
- Design of security management
- Design of IT acquisition, development, and maintenance
12. Management should implement control activities through policies.
- Documentation of responsibilities through policies
- Periodic review of control activities

Breaking Down the Green Book: Information and Communication
13. Management should use quality information to achieve the entity’s objectives.
- Identification of information requirements
- Relevant data from reliable sources
- Data processed into quality information
14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
- Communication throughout the entity
- Appropriate methods of communication
15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.
- Communication with external parties
- Appropriate methods of communication

Breaking Down the Green Book: Monitoring
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- Establishment of a baseline
- Internal control system monitoring
- Evaluation of results
17. Management should remediate identified internal control deficiencies on a timely basis.
- Reporting of issues
- Evaluation of issues
- Corrective actions

Other Considerations: Service Organizations
Management retains responsibility for the performance of processes assigned to service organizations, so management needs to determine the extent of its oversight. Some considerations are:
- The nature of the services outsourced
- The service organization’s standards of conduct and internal controls
- The quality and frequency of the service organization’s enforcement of adherence to standards of conduct by its personnel

How to Apply the Green Book: Control Environment
Tone at the top
- Corporate culture = honesty and integrity
- Policy and practice should match
- Swift and appropriate disciplinary action
- No “see no evil, hear no evil”
Assign responsibility
- Hold people accountable, with reasonable expectations
- Ensure responsibilities are effectively communicated to employees
- Documentation of responsibilities is important, especially for succession planning

How to Apply the Green Book: Control Environment
Recruit and develop
- Be selective with hiring
  • Do they fit the corporate culture?
  • Mandatory background checks
  • Education and degrees
- Keep job descriptions up to date
- Provide frequent and relevant training
- Review performance periodically and meaningfully

How to Apply the Green Book: Risk Assessment
Have well-defined objectives.
Evaluate changes in the operating environment and assess their effects on internal controls:
- New information systems / changes in technology
- Rapid growth in programs / increased demand for services
- New departments, programs, or services
- New accounting pronouncements
Don’t forget about FRAUD risks!

How to Apply the Green Book: Control Activities
Segregation of duties is very important, and there is no “one size fits all”. Some considerations for a small staff:
- Consider using the governing body / finance committee as a resource
- Consider involving non-finance personnel or even volunteers/interns, but make sure to train them adequately
- Consider “delegating up” for top-level reviews, but ensure adequate training (consider the KISS principle)
- Consider rotating duties and cross-training
- Perform analytical reviews
- Watch out for workload overload

How to Apply the Green Book: Control Activities
Other considerations
- IT security: cyber criminals are not picky!
  • Computer and mobile device security
  • Password policy
  • Data encryption
  • Use of third-party vendors
- Consider the use of positive pay for disbursements
- Dual signatures for check signers, and check sequencing
- Always lock up cash

How to Apply the Green Book: Control Activities
Examples of segregation of duties: Receipts
- Billing
- Recording revenue in the accounting records
- Receipt of payments
- Initial recording of collections
- Preparation of deposits and timely cash deposits
- Posting of receipts in the accounting records
- Timely reconciliation of bank statements
- Reconciling the accounts receivable subledger with the general ledger

How to Apply the Green Book: Control Activities
Other financial controls over receipts
- Immediate restrictive endorsement of checks received
- Timely depositing of funds received
- Locking up undeposited funds
- Additional safeguards:
  • Security cameras
  • Security personnel
- Cash receipts log or equivalent
  • Periodic reconciliation to deposits
  • Periodic reconciliation to accounting records

How to Apply the Green Book: Control Activities
Examples of segregation of duties: Disbursements
- Purchase request
- Purchase authorization
- Receiving
- Recording of accounts payable
- Approval of vendor invoices
- Check writing (or initiation of electronic transfer)
- Recording of disbursements and relief of accounts payable
- Delivery of checks to vendors
- Reconciliation of the bank account

How to Apply the Green Book: Control Activities
Other financial controls over disbursements
- Limiting access to credit cards and regular monitoring of usage
- Written policies on credit card usage, with checks that the policies are actually followed in practice
- Pre-numbered checks used in sequential order
- Prohibiting advance signing of checks
- Limiting or prohibiting signature stamps (locked up when not in use)
- Prohibiting checks made payable to “cash”
- Keeping authorized signature cards up to date

How to Apply the Green Book: Control Activities
Other financial controls over disbursements (cont’d)
- Proper physical security over unused checks
- Appropriate authorization prior to check preparation
- Proper training of those with authorization ability
- Requiring two signatures
- Mailing checks promptly after signature
- Locking up checks held overnight
- Properly voiding checks
- Writing off old outstanding checks

How to Apply the Green Book: Control Activities
Examples of segregation of duties: Payroll
- Authorization of pay rates and changes
- Entering master employee data into the payroll system
- Authorizing timekeeping information
- Processing payroll
- Distributing payroll
- Transferring funds to the payroll bank account
- Reconciling the payroll bank account
- Posting payroll to the general ledger

How to Apply the Green Book: Control Activities
Other financial controls over payroll
- Policies and procedures for timekeeping and payroll processing
- A separate bank account for payroll
- Proper physical security over unused payroll checks
- Pre-numbered checks used in sequence
- Holding unclaimed payroll checks
- Detailed payroll register

How to Apply the Green Book: Control Activities
Other financial controls over payroll (cont’d)
- Timesheets/timecards
- Review and approval of payroll tax returns
- Review of the posting of payroll from the payroll register to the general ledger
- Authorization of salaries by a designated official

How to Apply the Green Book: Information and Communication
- Communicate where policies and procedures are maintained
- Communicate expectations and job responsibilities
- Communication should be multi-directional
- Formal whistleblower policy
- Fraud tip hotline

How to Apply the Green Book: Monitoring
Monitoring should be routine and ongoing.
- Always question whether the controls are functioning as designed and intended
Resolve issues as they arise! Two options:
- Fix the problem (control)
- Eliminate the problem (control)

Contact Information
Jennifer CruverKibi, CPA
Senior Manager
(717) 232-1230
jcruverkibi@md-cpas.com
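The Control Activities slides list the duties that should be segregated in the receipts, disbursements and payroll cycles, and the "small staff" slide suggests delegating top-level reviews up to the governing body. The following is an added example by the editor, not code from the presentation or from GAO: it turns those duty lists into a segregation-of-duties check that, given who holds which duty, reports every incompatible pair held by one person within a cycle. The classification of each duty into a control function (initiate, authorize, custody, record, reconcile), the incompatibility rules, and the staffing data are assumptions constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check over the receipts, disbursements and
payroll duty lists from the Control Activities slides.
Editor's added example, not part of the slides or of the Green Book. The duty ->
control-function mapping and the incompatibility rules are ASSUMPTIONS for this
example, following the usual authorize / custody / record / reconcile model."""
from itertools import combinations

# Pairs of control functions one person should not hold within the same cycle.
# The four classic functions are pairwise incompatible; initiating a request only
# conflicts with approving it. ASSUMPTION: rule set chosen for this example.
INCOMPATIBLE = {frozenset(p) for p in [
    ("authorize", "custody"), ("authorize", "record"), ("authorize", "reconcile"),
    ("custody", "record"), ("custody", "reconcile"), ("record", "reconcile"),
    ("initiate", "authorize"),
]}

# Duty (as worded on the slides) -> (cycle, control function). ASSUMPTION: the
# function assigned to each duty is the editor's classification, not the slides'.
DUTIES = {
    "Billing": ("receipts", "record"),
    "Recording revenue in the accounting records": ("receipts", "record"),
    "Receipt of payments": ("receipts", "custody"),
    "Initial recording of collections": ("receipts", "record"),
    "Preparation of deposits and timely cash deposits": ("receipts", "custody"),
    "Posting of receipts in the accounting records": ("receipts", "record"),
    "Timely reconciliation of bank statements": ("receipts", "reconcile"),
    "Reconciling the AR subledger with the general ledger": ("receipts", "reconcile"),
    "Purchase request": ("disbursements", "initiate"),
    "Purchase authorization": ("disbursements", "authorize"),
    "Receiving": ("disbursements", "custody"),
    "Recording of accounts payable": ("disbursements", "record"),
    "Approval of vendor invoices": ("disbursements", "authorize"),
    "Check writing (or initiation of electronic transfer)": ("disbursements", "custody"),
    "Recording of disbursements and relief of accounts payable": ("disbursements", "record"),
    "Delivery of checks to vendors": ("disbursements", "custody"),
    "Reconciliation of the bank account": ("disbursements", "reconcile"),
    "Authorization of pay rates and changes": ("payroll", "authorize"),
    "Entering master employee data into the payroll system": ("payroll", "record"),
    "Authorizing timekeeping information": ("payroll", "authorize"),
    "Processing payroll": ("payroll", "record"),
    "Distributing payroll": ("payroll", "custody"),
    "Transferring funds to the payroll bank account": ("payroll", "custody"),
    "Reconciling the payroll bank account": ("payroll", "reconcile"),
    "Posting payroll to the general ledger": ("payroll", "record"),
}


def find_conflicts(assignments, independent_reviewers=None):
    """assignments: {person: [duty, ...]}; independent_reviewers: {cycle: reviewer}
    naming who performs a top-level review of the cycle (the slides' "delegate up").
    Returns sorted (person, cycle, duty_a, duty_b, compensated) tuples. compensated is
    True when the named reviewer holds no duty in that cycle; the conflict is still
    reported, because a review detects misuse after the fact rather than preventing it."""
    independent_reviewers = independent_reviewers or {}
    holders_by_cycle = {}
    for person, duties in assignments.items():
        for d in duties:
            holders_by_cycle.setdefault(DUTIES[d][0], set()).add(person)
    conflicts = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(set(duties)), 2):
            (cycle_a, fn_a), (cycle_b, fn_b) = DUTIES[a], DUTIES[b]
            if cycle_a != cycle_b or frozenset({fn_a, fn_b}) not in INCOMPATIBLE:
                continue
            reviewer = independent_reviewers.get(cycle_a)
            compensated = reviewer is not None and reviewer not in holders_by_cycle[cycle_a]
            conflicts.append((person, cycle_a, a, b, compensated))
    return sorted(conflicts)


def unassigned_duties(assignments):
    """Duties nobody holds: not an SoD conflict, but a control nobody performs."""
    held = {d for duties in assignments.values() for d in duties}
    return sorted(set(DUTIES) - held)


# Constructed sample: a two-person finance office plus department and board help.
SAMPLE = {
    "Finance Director": ["Purchase authorization", "Approval of vendor invoices",
                         "Authorization of pay rates and changes",
                         "Authorizing timekeeping information",
                         "Reconciliation of the bank account"],
    "Clerk": ["Billing", "Receipt of payments", "Initial recording of collections",
              "Preparation of deposits and timely cash deposits",
              "Posting of receipts in the accounting records",
              "Recording of accounts payable",
              "Check writing (or initiation of electronic transfer)",
              "Recording of disbursements and relief of accounts payable",
              "Entering master employee data into the payroll system",
              "Processing payroll", "Posting payroll to the general ledger"],
    "Department Head": ["Purchase request", "Receiving"],
    "Treasurer": ["Delivery of checks to vendors", "Distributing payroll",
                  "Transferring funds to the payroll bank account"],
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE, {"disbursements": "Finance Committee"}):
        print(c)
    print("unassigned:", unassigned_duties(SAMPLE))
```

On the sample the clerk's combination of handling receipts and recording them produces most of the findings, which is the classic small-office exposure; the finance committee review marks the disbursement conflicts as compensated but does nothing for receipts, and four duties (including two reconciliations) are held by no one at all.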
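The disbursement slides recommend positive pay, pre-numbered checks used in sequence, proper voiding and writing off old checks. The following is an added example by the editor, not code from the presentation or from any bank's positive-pay service: it matches bank-presented items against the issued-check register the way a payee positive-pay file lets the bank do (number, amount, payee, voids, duplicates), checks the register's number sequence for gaps and repeats, and lists stale outstanding checks. The register format, exception wording, vendor names and dates are constructed for the example.

```python
"""Positive-pay matching, check-sequence and stale-check controls over a disbursement
check register. Editor's added example; data layout, exception names and sample
records are constructed for this example, not taken from the slides or from a bank."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Issued:            # one line of the entity's issued-check register
    number: int
    payee: str
    amount: int          # cents, to avoid float comparison problems
    issued_on: date
    void: bool = False


@dataclass(frozen=True)
class Presented:         # one item the bank reports as presented for payment
    number: int
    payee: str
    amount: int
    paid_on: date


def positive_pay_exceptions(register, presented):
    """Return sorted (check number, reason) pairs for presented items that must not be
    paid as-is. Matching checks the issued file by number first, then amount, then
    payee; voided numbers, numbers never issued, numbers issued twice and items
    presented twice are all exceptions."""
    dup_numbers = {n for n, k in Counter(c.number for c in register).items() if k > 1}
    by_number = {c.number: c for c in register}
    times_presented = Counter(p.number for p in presented)
    exceptions = set()
    for p in presented:
        if p.number in dup_numbers:
            exceptions.add((p.number, "duplicate number in issued file"))
        else:
            issued = by_number.get(p.number)
            if issued is None:
                exceptions.add((p.number, "not in issued file"))
            elif issued.void:
                exceptions.add((p.number, "voided check presented"))
            elif issued.amount != p.amount:
                exceptions.add((p.number, f"amount mismatch: issued {issued.amount} presented {p.amount}"))
            elif issued.payee != p.payee:
                exceptions.add((p.number, f"payee mismatch: issued {issued.payee!r} presented {p.payee!r}"))
        if times_presented[p.number] > 1:
            exceptions.add((p.number, "presented more than once"))
    return sorted(exceptions)


def sequence_exceptions(register):
    """Pre-numbered checks should be used in unbroken sequence. Returns (gaps, dupes):
    a gap is a number that left the check stock without being recorded or voided; a
    duplicate means two checks share an identity and cannot be reconciled."""
    numbers = sorted(c.number for c in register)
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    dupes = sorted(n for n, k in Counter(numbers).items() if k > 1)
    return gaps, dupes


def stale_outstanding(register, presented, as_of, max_age_days=180):
    """Issued, not void, never presented and older than max_age_days: candidates for a
    stop-payment order and write-off (the slides' 'writing off old checks')."""
    paid = {p.number for p in presented}
    return sorted(c.number for c in register
                  if not c.void and c.number not in paid
                  and (as_of - c.issued_on).days > max_age_days)


# Constructed sample data. Number 1005 is missing from the register (a gap) and
# 1006 was recorded twice; several presented items were altered or replayed.
REGISTER = [
    Issued(1001, "Acme Office Supply", 48250, date(2016, 1, 5)),
    Issued(1002, "Municipal Water Authority", 120000, date(2016, 1, 5)),
    Issued(1003, "Smith Consulting LLC", 250000, date(2016, 1, 12), void=True),
    Issued(1004, "Smith Consulting LLC", 250000, date(2016, 1, 12)),
    Issued(1006, "Road Salt Supply", 7500, date(2016, 2, 1)),
    Issued(1006, "Fuel Co", 31000, date(2016, 2, 1)),
    Issued(1007, "Old Vendor Inc", 9900, date(2015, 6, 30)),
]
PRESENTED = [
    Presented(1001, "Acme Office Supply", 48250, date(2016, 1, 20)),      # clean
    Presented(1002, "Municipal Water Authority", 129000, date(2016, 1, 22)),  # amount altered
    Presented(1003, "Smith Consulting LLC", 250000, date(2016, 1, 25)),   # voided check
    Presented(1004, "S. Smith", 250000, date(2016, 1, 25)),               # payee altered
    Presented(1004, "S. Smith", 250000, date(2016, 1, 28)),               # presented twice
    Presented(1005, "Cash", 50000, date(2016, 2, 3)),                     # never issued
    Presented(1006, "Fuel Co", 31000, date(2016, 2, 10)),                 # ambiguous number
]
AS_OF = date(2016, 3, 31)  # constructed reporting date for the stale-check test

if __name__ == "__main__":
    for number, reason in positive_pay_exceptions(REGISTER, PRESENTED):
        print(number, reason)
    print("sequence gaps, duplicates:", sequence_exceptions(REGISTER))
    print("stale outstanding:", stale_outstanding(REGISTER, PRESENTED, AS_OF))
```

The order of the tests matters: a voided check is rejected before its amount or payee is even compared, and a number that appears twice in the register is rejected outright because the bank cannot know which issuance it is paying. The sequence check runs over the register, not the bank file, so it catches the check that never made it into the register at all (1005), which positive pay alone only reveals once someone tries to cash it.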