Module 1.3 Management's Responsibility for Enterprise Risk Management and Internal Control

Summary

This document outlines the enterprise risk management and internal control framework for the federal government. It describes the components of the framework, outlining how risks are identified, assessed, and managed by federal agencies. The document also highlights the responsibilities of federal leaders and managers in this process.

Full Transcript


**ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK**

Enterprise risk management (ERM) and internal control (IC) are components of a governance framework. ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate effort on key points of failure and reduce or eliminate the potential for disruptive events. Internal control is a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of the entity will be achieved.

Over the years, government operations have changed dramatically, becoming increasingly complex and driven by changes in technology. At the same time, resources are limited and stakeholders expect greater program integrity, efficiency, and transparency of government operations. Federal leaders and managers are responsible for:

- Establishing and achieving goals and objectives
- Seizing opportunities to improve the effectiveness and efficiency of operations
- Providing reliable reporting
- Maintaining compliance with relevant laws and regulations
- Implementing management practices that effectively identify, assess, respond to, and report on risks

Risks arise from a variety of external and internal environments. Examples include economic, operational, and organizational change factors, any of which would negatively affect an agency's ability to meet its goals and objectives if not addressed. Federal leaders and managers achieve these aims through a governance structure defined by a variety of sources, including laws enacted by Congress and numerous executive directives and agency policies.
Most relevant to this discussion, the federal government's core governance processes are defined by Office of Management and Budget (OMB) budget guidance:

- OMB Circular A-11 defines the process by which the executive branch develops and executes strategic plans, prepares and submits the President's Budget request, assembles Congressional Budget Justifications, conducts performance reviews, and issues Annual Performance Plans and Annual Performance Reports
- OMB Circular A-123 provides guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by identifying and managing risks, and establishes requirements to assess, correct, and report on the effectiveness of internal controls

The Federal Managers' Financial Integrity Act (FMFIA) of 1982 and OMB Circular A-123 are at the center of requirements to improve accountability in federal government programs and operations. In July 2016, OMB revised and expanded Circular A-123 to incorporate guidance on ERM and retitled it *Management's Responsibility for Enterprise Risk Management and Internal Control*. The update was driven by the need for federal agencies to have appropriate risk management processes and systems in place to identify challenges early, bring them to the attention of agency leadership, and develop solutions. In the updated circular, OMB further highlighted the need for federal agencies to effectively manage the risks they face in achieving their strategic objectives and the risks arising from their activities and operations. The expanded responsibilities in Circular A-123 reinforce the purposes of the FMFIA and the Government Performance and Results Act Modernization Act (GPRAMA), and also support improving the efficiency and effectiveness of government.
The policy changes in the July 2016 update of Circular A-123 modernized existing agency management efforts by requiring implementation in fiscal year (FY) 2017 of an ERM capability, coordinated with the strategic planning and strategic review process established by GPRAMA and with the internal control processes required by FMFIA and the Government Accountability Office (GAO) *Standards for Internal Control in the Federal Government* (the *Green Book*). The integrated governance structure helped improve mission delivery, reduce costs, and focus corrective actions on key risks.

ERM and internal control are components of an agency's or organization's governance framework. Leading international standard setters in the fields of risk management and internal control, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO), incorporate internal control as part of the larger risk management process. ERM is viewed as part of the overall governance process, and internal control as an integral part of ERM. ERM takes a portfolio view of risk: it considers all areas of organizational exposure, such as financial, information technology, acquisition, human capital, organizational performance, and reputation risk. This increases an agency's chances of experiencing fewer unanticipated outcomes and improves its assessment of the risks associated with changes in its environment.

The DoD established DoD Instruction (DoDI) 5010.40, *Managers' Internal Control Program Procedures*, to implement the FMFIA and OMB Circular A-123 within the Department of Defense. The instruction provides guidance for DoD management to apply in reviewing, assessing, and reporting on the effectiveness of internal controls within their respective organizations.
**1.1.3 Federal Managers' Financial Integrity Act of 1982**

The FMFIA amended the Accounting and Auditing Act of 1950 to require ongoing evaluations of, and reports on, the adequacy of the systems of internal accounting and administrative control of each executive agency. Specifically, its provisions require each executive agency to provide reasonable assurance that:

- Obligations and costs are in compliance with applicable law
- Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation
- Revenues and expenditures applicable to agency operations are properly recorded and accounted for, to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets

Section 2 of the FMFIA requires that the head of each executive agency annually submit to the President and Congress:

- A statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives
- A report on material weaknesses in the agency's controls

**DEFINITION OF ERM**

According to OMB Circular A-123:

*ERM is an effective Agency-wide approach to addressing the full spectrum of the organization's external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize resource allocations to ensure successful mission delivery.*

***Inherent Risks***

**Inherent risks** are those that exist simply because of the nature and characteristics of a mission, type of program, or activity. They are simply there and cannot be changed or removed, so they must be managed.
Inherent risk is often analyzed in the context of an assessable unit (AU), which is a major program, administrative activity, organization, or functional subdivision of an agency. The division of an organization into AUs is designed to reflect the appropriate division of responsibilities and to produce units of a size that permits effective evaluation of the systems of internal control. Every element of an organization must belong to an AU. When analyzing the inherent risk of an AU, it is important to remember:

- The presence of inherent risk does not reflect badly on the manager
- An underestimation of risk does reflect badly on the manager
- The internal control process is a collegial effort to make your agency as good as it can be
- Managers accomplish this by identifying their risks and managing them; this is not a punitive process
- Managers address their identified risks by designing and putting controls in place, and they are accountable for these actions

To diagnose the inherent risk, the manager must take into consideration what the unit is expected to accomplish in terms of quality and cost.

***People Risks***

While all the reasons should be considered in any internal control review (ICR), integrity and personal gain issues deserve special consideration because of the potential losses they can cause.

***Control Risks***

**Control risks** are those that involve the characteristics and quality of the internal controls themselves. Generally speaking, there is a risk that the controls are not doing what they are supposed to do, creating vulnerabilities. And if they are working, is the residual risk significant enough to warrant additional controls? Some control risks come from the very size and complexity of the federal government: think of the multiple missions and programs of the Department of Homeland Security, or of the numerous laws and rules governing the use of funds. Risks also come from a fast-changing world, such as changes in technology.
All agencies and most programs and organizational units undergo some change over the span of a year.

**WHAT ARE INTERNAL CONTROLS?**

Recall that the *Green Book* defines internal control as "a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved." These objectives and related risks can be broadly classified into one or more of the following categories:

- **Operations.** Effectiveness and efficiency of operations.
- **Reporting.** Reliability of reporting for internal and external use.
- **Compliance.** Compliance with applicable laws and regulations.

Safeguarding of assets is a subset of these categories of objectives. Management designs an internal control system to provide reasonable assurance regarding the prevention, or prompt detection and correction, of unauthorized acquisition, use, or disposition of an entity's assets. A number of laws and regulations over the past several decades have mandated various systems of internal control. Individually and collectively, they have strengthened the government's management of and control over its programs and activities.

**Internal Control over Operations**

Management at all levels is responsible for ensuring that controls over agency operations and activities are sufficient to achieve organizational goals and objectives efficiently and effectively with minimum risk. Assessment of the effectiveness of controls over operations is one of the key components (in addition to assessment of controls over financial reporting and over financial systems) that enables an agency head to render the annual statement of assurance required by the FMFIA. Effective control over operations also supports compliance with laws and regulations.
**2.2.2 Internal Control over Reporting (ICOR)**

**Tip:** The current title for this process is internal control over reporting (ICOR); it was previously internal control over financial reporting (ICOFR). If you plan to take the CDFM exam, you may be responsible for knowing and using the older title.

Circular A-123 also addresses ICOFR, a process designed to provide reasonable assurance regarding the reliability of financial reporting. Reliability of financial reporting means that management can reasonably make the following assertions:

- All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date (existence and occurrence)
- All assets, liabilities, and transactions that should be reported have been included, and no unauthorized transactions or balances are included (completeness)
- All assets are legally owned by the agency and all liabilities are legal obligations of the agency (rights and obligations)
- All assets and liabilities have been properly valued and, where applicable, all costs have been properly allocated (valuation)
- The financial report is presented in the proper form and any required disclosures are present (presentation and disclosure)
- The transactions are in compliance with applicable laws and regulations (compliance)
- All assets have been safeguarded against fraud and abuse
- Documentation for internal control, all transactions, and other significant events is readily available for examination

OMB Circular A-123, Appendix A was updated in 2018. Prior to this update, Appendix A was prescriptive and rigorous in what agencies had to implement to provide reasonable assurance over ICOFR. The update balances that rigor by giving agencies the flexibility to decide which control activities are necessary to achieve reasonable assurance over the internal controls and processes that support the overall quality of the data contained in agency reports.
This change aligns Appendix A, in part, with the 2014 update of the GAO *Green Book* by expanding the scope from ICOFR to ICOR. It provides a methodology for agency management to assess, document, and report on ICOR and requires agencies to consider ICOR, in addition to other controls, in their existing annual assurance statements. The reporting objectives fall into the following subcategories:

- Internal financial and nonfinancial reporting objectives
- External financial and nonfinancial reporting objectives

**Internal Control over Financial Systems (ICOFS)**

Defense financial managers need to be aware of internal control over information systems, especially as it relates to the management and use of financial systems. The *Federal Information System Controls Audit Manual* (FISCAM), originally issued by GAO in January 1999, presents a methodology for performing information system control audits of federal and other governmental entities in accordance with professional standards. FISCAM:

- Is a top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures
- Includes narrative designed to provide a basic understanding of the methodology and of the general controls and business process application controls it addresses
- May be used as a basis for the independent evaluation of a federal agency's information security program required by the Federal Information Security Management Act (FISMA), which requires that each agency have an independent evaluation of its information security program and practices performed each year to determine their effectiveness

**THE *GREEN BOOK*: GAO *STANDARDS FOR INTERNAL CONTROL IN THE FEDERAL GOVERNMENT***

The GAO *Green Book*, updated in September 2014, defines the standards for internal control in the federal government.
FMFIA requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities, to determine whether an internal control system is effective. The *Green Book* defines the standards through components, principles, and attributes and explains why they are integral to an entity's internal control system. The *Green Book* is structured as follows:

- Overview:
  - Section 1: Overview of the fundamental concepts of internal control
  - Section 2: Discussion of internal control components, principles, and attributes; how these relate to an entity's objectives; and the three categories of objectives
  - Section 3: Discussion of the evaluation of the design, implementation, and operation of the entity's internal control system
  - Section 4: Additional considerations that apply to all components in an internal control system
- A discussion of the requirements for each of the five components and 17 principles, as well as discussion of the related attributes, including documentation requirements

The *Green Book* defines internal control as "a process effected by an entity's oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved." These objectives and related risks can be broadly classified into one or more of the following three categories:

- Effectiveness and efficiency of operations, including the use of the entity's resources
- Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use
- Compliance with applicable laws and regulations

Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources.
Internal control should be designed to provide reasonable assurance regarding the prevention, or prompt detection, of unauthorized acquisition, use, or disposition of an agency's assets, but no internal control can provide absolute assurance that all agency objectives will be met. An internal control system is a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity's objectives will be achieved. Factors outside the control or influence of management can affect the entity's ability to achieve all of its objectives; a natural disaster, for example, can affect an organization's ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives. To help ensure that controls are appropriate and cost-effective, agencies should weigh the extent and cost of controls against the importance and risk associated with a given program.

The *Green Book* applies to all of an entity's objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the standards in the *Green Book*, management is responsible for designing the policies and procedures to fit the entity's circumstances and building them in as an integral part of the entity's operations.

GAO's framework for internal control includes five components, which represent the highest level of the hierarchy of standards for internal control in the federal government. They must be effectively designed, implemented, and operating together in an integrated manner for an internal control system to be effective. The five components of internal control are:

1. **Control environment.** The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
2. **Risk assessment.** Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
3. **Control activities.** The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity's information system.
4. **Information and communication.** The quality information management and personnel communicate and use to support the internal control system.
5. **Monitoring.** Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

The framework also includes 17 internal control principles, aligned under the five components. The *Green Book* contains additional information on the internal control standards in the form of attributes, which further explain each principle and its documentation requirements; they may state more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Management has a responsibility to understand the attributes and to exercise judgment in fulfilling the requirements of the standards. The *Green Book*, however, does not prescribe how management designs, implements, and operates an internal control system.

Next, we'll review the 17 GAO internal control principles aligned under their respective internal control components.

**Control Environment**

The control environment component includes principles 1 through 5:

1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
2. The oversight body should oversee the entity's internal control system.
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives.
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

**Risk Assessment**

The risk assessment component includes principles 6 through 9:

6. Management should define objectives clearly to enable the identification of risk and define risk tolerances.
7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

**Control Activities**

The control activities component includes principles 10 through 12:

10. Management should design control activities to achieve objectives and respond to risks.
11. Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
12. Management should implement control activities through policies.

**Information and Communication**

The information and communication component includes principles 13 through 15:

13. Management should use quality information to achieve the entity's objectives.
14. Management should internally communicate the necessary quality information to achieve the entity's objectives.
15. Management should externally communicate the necessary quality information to achieve the entity's objectives.

**Monitoring**

The monitoring component includes principles 16 and 17:

16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
17. Management should remediate identified internal control deficiencies on a timely basis.
***Categories and Reporting of Internal Control Deficiencies***

Categories of internal control deficiencies include:

- **Control deficiency.** This type of deficiency exists when the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks. As the definition suggests, control deficiencies can be classified as deficiencies in design, implementation, or operation. Control deficiencies are reported internally within the organization, not externally. Progress against corrective action plans must be periodically assessed and reported to agency management.
- **Significant deficiency.** A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. Significant deficiencies are also reported internally within the organization, not externally, and progress against corrective action plans must be periodically assessed and reported to agency management.
- **Material weakness.** A significant deficiency that the agency head determines to be significant enough to report outside the agency as a material weakness. In the context of the *Green Book*, non-achievement of a relevant internal control principle and its related component results in a material weakness. Material weaknesses and a summary of corrective actions must be reported to OMB and Congress through the Agency Financial Report (AFR), the Performance and Accountability Report (PAR), or other management reports. Progress against corrective action plans must be periodically assessed and reported to agency management.

Circular A-123 also describes material weaknesses in internal control over certain areas.
A material weakness in internal control over *operations* might include, but is not limited to, conditions that:

- Impact the operating effectiveness of entity-level controls
- Impair fulfillment of essential operations or mission
- Deprive the public of needed services
- Significantly weaken established safeguards against fraud, waste, loss, unauthorized use, or misappropriation of funds, property, or other assets, or against conflicts of interest

A material weakness in internal control over *reporting* is a significant deficiency that the agency head determines to be significant enough to affect internal or external decision-making and reports outside the agency as a material weakness. A material weakness in internal control over *external financial reporting* is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A material weakness in internal control over *compliance* is a condition in which management lacks a process that reasonably ensures the prevention of a violation of law or regulation that has a direct and material effect on financial reporting, or a significant effect on other reporting or on achieving agency objectives.

**DoD and OSD Statement of Assurance Report Contents**

All DoD and OSD components will annually provide:

- An operations statement of assurance that provides reasonable assurance of the effectiveness of internal controls over operations. The DoD and OSD components will consider internal control deficiencies disclosed by all sources, including management studies; DoD component audits, inspections, investigations, and internal review reports; and Inspector General and GAO reports. This statement of assurance is based on management's assessment of the effectiveness of its internal controls as of the date signed for that fiscal year.
- An explicit level of assurance on the effectiveness of internal controls over financial reporting as of June 30, for those DoD and OSD components specified in the Managers' Internal Control Program and Financial Improvement and Audit Readiness (FIAR) guidance
- An explicit level of assurance on the effectiveness of internal controls over financial systems, for those components specified in the Managers' Internal Control Program and FIAR guidance

The DoD and OSD component statement of assurance will have one cover memorandum. Those DoD and OSD components providing levels of assurance for financial reporting and financial systems will report that assurance in subsections of the statement of assurance cover memorandum. Each assurance level explicitly stated in the statement of assurance must be one of three levels of assurance:

- **Unmodified statement of assurance.** An unmodified statement of assurance provides reasonable assurance that ICs are effective with no material weaknesses reported, or that the IFMS is in conformance with federal requirements. Each unmodified statement should describe how the level of assurance is supported and how the assessments were conducted.
- **Modified statement of assurance.** A modified statement of assurance provides reasonable assurance that ICs are effective with the exception of one or more material weaknesses, or that the IFMS is not in conformance with federal requirements. The statement of assurance must cite the material weaknesses in internal management controls that preclude an unmodified statement.
- **Statement of no assurance.** A statement of no assurance states that no assurance can be provided that ICs are effective, because few or no assessments were conducted, the noted material weaknesses are pervasive across many key operations, or the IFMS is substantially noncompliant with federal requirements.
The DoD and OSD component statement of assurance will be in the format prescribed by the Managers' Internal Control Program and FIAR guidance, which will describe how the level of assurance is supported and how the assessments were conducted. When the level of assurance for operations is modified, the format provided by the Managers' Internal Control Program guidance must include:

- Uncorrected material weaknesses (current year disclosures and prior year disclosures) and a summary of the corrective action plans for their resolution. The summary will provide milestone timelines for correcting each material weakness. Although the actions that should correct a material weakness may still be in development, the material weakness must be reported with its current status as of the date the statement of assurance is signed.
- Material weaknesses corrected in the current year (current year disclosures and prior year disclosures corrected in the current year) and a summary of the corrective actions taken. Each corrected material weakness will include, as its last milestone, a validation step that evaluates and certifies the effectiveness of the corrective actions.

When there is no level of assurance (i.e., no assurance) for operations internal controls, the statement of assurance must include all uncorrected material weaknesses. DoD and OSD components will report the level of assurance for financial reporting and financial system internal controls in accordance with guidance from the Office of the Under Secretary of Defense (Comptroller), or OUSD(C).
