OMB A-123 2016 Update - AGA
OMB A-123 2016 Update
Mark Reger Office of Federal Financial Management Office of Management and Budget
Management’s Responsibility for Internal Controls and Enterprise Risk Management
March 29, 2016
Evolution of Management Controls
CXO/Operations Support
• The Federal Managers Financial Integrity Act of 1982 (FMFIA) requires:
– the General Accountability Office (GAO) to prescribe standards of internal control in the Federal Government, more commonly known as the Green Book.
– OMB to establish guidelines for agencies to evaluate their systems of internal control to determine FMFIA compliance, more commonly known as OMB Circular No. A-123, Management’s Responsibility for Internal Control.
• Between 1982 and 2004, OMB A-123 focused on “management controls” across all business lines and operations.
• In 2004, OMB A-123 focused on financial reporting and avoided “Sarbanes-Oxley” legislation to require internal control audits in the Federal Government.
• Since 2004:
– OMB A-123 has become known only as a financial reporting and compliance requirement.
– The private sector embraces Enterprise Risk Management.
• Now the federal government moves towards ERM.
A-123 History
• 1981 – OMB First Issued Circular No. A-123, Internal Control Systems
• 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act was enacted
• 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems
• 1986 – OMB Updated A-123 to Require Management Control Plans to guide efforts
• 1995 – OMB updated A-123, Management Accountability and Control to reflect GPRA, CFO Act, IG Act
• 2004 – OMB updated A-123, Management’s Responsibility for Internal Control to reflect new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002; added Appendix A, Internal Control Over Financial Reporting.
• 2005 – CFO Council Issued A-123 Appendix A Implementation Guide and OMB Required Appendix A Implementation Plans
• 2006 – OMB First Issued A-123 Appendix B for Government Charge Cards and Appendix C for Improper Payments (Appendix C updates 2006 to 2014)
• 2013 – OMB First Issued A-123 Appendix D for Compliance with the Federal Financial Management Improvement Act
• 2014 – OMB updated A-11, Preparation, Submission, and Execution of the Budget and includes Enterprise Risk Management and Internal Control
New A-123 Structure
A-123 Today:
• OMB Circular A-123/Appendix A, Financial Reporting
• Appendix B, Charge Cards
• Appendix C, Improper Payments
• Appendix D, FFMIA Compliance
A-123 Tomorrow:
• OMB Circular A-123, Internal Control and Enterprise Risk Management
• Appendix A, Reporting
• Appendix B, Charge Cards
• Appendix C, Improper Payments
• Appendix D, FFMIA Compliance
Agency and Industry Input
• GAO Green Book Advisory Council, included CFO Council Representation (7/2013 to 9/2014)
• Three Agency Workgroups (11/2013 to 3/2014)
– DOC, State, NSF, DOJ, DHS/IRS
– USDA, DOJ, Ed
– HHS, Ed
• CFO Council ERM Forum (April 2014)
• CFO Council ERM Project (2/2014 to 2/2015)
• AGA Forum on Internal Control (9/2014)
• President’s Management Council Briefing (5/2015)
• Provided A-123 to Agencies for Comment (6/2015)
• Partnership for Public Service ERM Event of Excellence (6/2015, 9/2015)
• CFO’s, CRO’s, GAO, Inspectors General
Assessing Internal Control
• Updated Integrated Internal Control Framework. Agencies need to integrate and coordinate risk management and internal control efforts across the enterprise and between management silos.
• Assessment of Entity Level Controls. Internal control at the entity level refers to the Green Book’s five components of internal control, which must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The Green Book’s 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.
• Updated Sources of Documentation. The agency head's assessment of internal control can be documented using a variety of information sources.
Green Book Components of Internal Control and Principles
Correcting Internal Control Deficiencies
• Corrective Action Options. All control deficiencies pose some level of risk to an organization. The risk level could be minimal or material, and is determined by management’s risk tolerance. There are a number of possible corrective action options, which could include:
– Acceptance
– Avoidance
– Risk mitigation
– Transfer/sharing
• Corrective Action Requirements.
• Cooperative Audit Resolution and the Role of an Audit Committee.
Reporting on Internal Control
Assurance Statement Reporting Today:
• FMFIA Section 2, Internal Control Over Operations
– FMFIA Section 2, Internal Control Over Financial Reporting
• FMFIA Section 4, Financial System Conformance
• FFMIA, Section 803(a) Requirements
– Federal Financial Management System Requirements;
– Applicable accounting standards; and
– The USSGL at the transaction level.
Assurance Statement Reporting Tomorrow:
• Internal Control Over Operations (FMFIA Section 2)
• Internal Control Over Financial Reporting and Compliance with the FFMIA
– FMFIA Section 2, Internal Control Over Financial Reporting
– FMFIA Section 4, Financial System Conformance
Moving From Compliance to Managing Risks
CXO/Operations Support
Check the Box (A-123 Today):
• Compliance with New GAO Internal Control Standards
• Treating Risk as only Negative
• Heavy Emphasis on Financial Reporting
• Regarding Risk Management as Separate
• Check the Box on 3 Year A-123 Assessments
Proactively Managing Risks (A-123 Tomorrow):
• Risk Based Approach with New Internal Control Standards
• Defining risk as both positive (e.g., taking on risk to improve government services) and negative
• Balanced Emphasis on Financial Reporting and Mission Support
• Integrating Risk Management and Internal Control
• Manage Risks Across Organizational Structures
A-123: The Foundation for ERM
[Diagram relating OMB A-11 and OMB A-123. Strategic Decisions, Budget Decisions, and Program Management (OMB A-11): Mission/Vision, Goals Setting, Objective Setting, Strategic Reviews; Policy, President’s Budget, Congressional Justification; Cross Agency Priority Goals, Agency Priority Goals, Fed Stat. CXO/Operations Support (OMB A-123): Operational Control Objectives, Reporting Control Objectives, Compliance Control Objectives, Risk Assessments. Risks and Uncertainty: Strategic, Operational, Reputational, Financial, etc.]
Relationship of Enterprise Risk Management to Internal Control
[Diagram: Governance, ERM, Internal Controls. Source: COSO]
• First Introduced in OMB Circular A-11, FY 2014
• A-123 and A-11 introduce an ERM Framework to support performance management and better guide internal controls
Best Practices
1. ERM and A-123 should co-exist but not as stand-alone activities
2. Senior management buy-in of ERM value is essential
3. Implement a Risk Management Framework and phased ERM implementation approach
4. Establish an objective organizational accountability structure
5. Establish/leverage formal governing bodies where they exist
6. Establish a culture of risk reward
7. Make better use of data analytics
8. Quantify the impact of past risk events
9. Engage performance, strategic, risk management, budget activities simultaneously
10. Document risk decisions and the rationale for managing risk
Next Steps: Enterprise Risk Management Playbook
CXO/Operations Support
I. Introduction
II. Enterprise Risk Management Framework
III. Enterprise Risk Management Governance Structure
IV. Managing Risks On A Portfolio Basis Across An Agency
V. Best Practices
VI. Tools and Templates
Implementing an ERM Framework
• Drafted by the ERM Steering Committee
• Draft will be socialized with groups such as the Partnership for Public Service and the CXO Councils
• Provides a guide on where to get started with ERM
• Designed as reference to be used to develop tools, templates, and promote best practices
• Similar to OMB’s 2004 Internal Control Process and CFOC’s A-123 Implementation Guide Products
Next Steps: ERM Training
CXO/Operations Support
• What is Enterprise Risk Management? What is a CRO, and what are the roles and responsibilities of the CFO and other CXOs (i.e., good governance)? What does success look like? What are the best practices? How do I get started? How do I build ERM into existing processes rather than add it on?
• Overview of ERM Standards. Comparisons between COSO and ISO (not vs.). The link between ERM and Internal Control Standards. What are the tools and templates of ERM? Do I have to do it all at once, and what is a sample maturity model?
• Strategic Foresight. What role do inspectors general play in ERM? What are the road rules for management engagement of inspectors general in ERM?
Enterprise Risk Management Model
[Diagram. Risk Environment/Context: Extended Enterprise, Administration Policy, State and Local Governments. Communicate and Learn surrounds the cycle below.]
1. Establish Context
2. Identify Risks
3. Analyze and Evaluate
4. Develop Alternatives
5. Respond To Risks
6. Monitor and Review
OMB A-123, Appendix A, Internal Control Over Reporting
Coming Summer 2016
Reporting categories (Source: COSO): External Financial Reporting; External Non-Financial Reporting; Internal Financial Reporting; Internal Non-Financial Reporting
• Internal Control Over Reporting Objectives
• Entity Level Controls
• Reports to be included in the assessment (e.g., USA Spending)
• Service Organizations
• Fraud
• Evaluating Control Deficiencies