NYS INTERNAL CONTROL REVIEW PROGRAMS WHAT YOU NEED TO KNOW ABOUT

NYS INTERNAL CONTROL REVIEW PROGRAMS WHAT YOU NEED TO KNOW ABOUT COSO 2013 New York State Internal Control Association

GUIDANCE UPDATES

DOB BPRM ITEM B-350 Effective January 4, 2018, the New York State Division of the Budget’s Budget Policy & Reporting Manual Item B-350 states the system of internal control should be developed using the 2013 COSO framework incorporated in the Office of the State Comptroller’s Standards for Internal Control in New York State Government.

OSC STANDARDS Per the March 2016 revision of the Office of the State Comptroller’s Standards for Internal Control in New York State Government: COSO presented an update to its Internal Control – Integrated Framework. This latest revision incorporates COSO’s recommended changes to the Framework in order to enhance the fundamental concepts and enable New York State government organizations to effectively and efficiently

WHAT DOES THIS MEAN TO MY AGENCY NYSICA received an overwhelming number of questions from members asking how to implement the COSO 2013 Framework at their agency.

INTERNAL CONTROL WORKGROUP

WORKGROUP SERIES NYSICA reached out to all Internal Control Officers of member agencies, asking for volunteers that 1) had implemented COSO 2013 at their agency and/or 2) earned the COSO Internal Control Certificate. We received 14 volunteers! The workgroup met for a series of five meetings to create guidance for all agency Internal Control

THANK YOU TO ALL WORKGROUP PARTICIPANTS Jack Amodeo Paul Bellinger Mallory Cail Linda Donahue Laurel Jolliffe Robin E. LaPlante Gretchen Robinson Thomas Lukacs Brian Shoemaker Janet L. Oberstein Michael Shollar Mary Peck Thomas VerGow Joanne Pinheiro

WORKGROUP RESULTS
1. Internal Control Review Component and Principle Evaluation Guide
2. Component and Principle Evaluation Template

INTERNAL CONTROL REVIEW COMPONENT AND PRINCIPLE EVALUATION GUIDE Designed to provide guidance on how to adapt and apply COSO 2013 Framework to your government agency structure. The term ‘agency’ can be substituted throughout the guide (and today’s presentation) with public authority, university, board, commission, council, etc. as it applies to your specific government entity.

COMPONENT AND PRINCIPLE EVALUATION TEMPLATE Adapted from this year’s Item B-350 Attachment E, to provide an example of how to document the determination of the effectiveness of internal control. Management may use, revise, or tailor the Component and Principle Evaluation Template as they deem fit, or they may develop a different means of documentation. The template is not required.

DISCLAIMER Following the guide will help you review and evaluate your agency’s internal control system, but it cannot guarantee an unqualified audit opinion will be achieved. Some language has been changed and examples have been added to aid you in applying the components, principles, and points of focus to state government operations. These examples are for illustrative purposes to guide you in interpreting a component, principle, or point of focus. They are not intended to be an all-inclusive list.

NYSICA has published these documents for you on the Library tab of our website: www.nysica.com

COSO 2013 FRAMEWORK WHAT DO YOU NEED TO KNOW?

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Manages risk during change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys controls through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

EFFECTIVE SYSTEM OF INTERNAL CONTROL

WHAT IS REQUIRED FOR AN EFFECTIVE SYSTEM OF INTERNAL CONTROL Suitable & Relevant + Present & Functioning + Operating Together = Effective System of Internal Control

SUITABLE AND RELEVANT The COSO 2013 Framework views all 5 components and 17 principles of internal control as suitable and relevant to all entities. If management determines a principle is NOT suitable or relevant, management must support its determination with the rationale of how, in the absence of that principle, the associated component can be present and functioning.

PRINCIPLES TRANSLATED TO AGENCIES The guide translates the principles into government operations. The most significant translation is Principle 2.
COSO wording: The Board of Directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Translated for agencies: The Agency Commissioner demonstrates independence from agency leadership and exercises oversight of the development and performance of internal control.

ROLES AND RESPONSIBILITIES

EVERYONE HAS A ROLE IN EFFECTING THE SYSTEM OF INTERNAL CONTROL: Board of Directors, Agency Leadership, Directors and Managers, Supervisors, Staff, Internal Control Officer

BOARD OF DIRECTORS* (* This role becomes the agency's top executive (commissioner) if the agency does not have a Board of Directors.)
1. Should discuss with agency leadership the state of the agency's system of internal control and provide oversight as needed.
2. Needs to establish its policies and expectations of how members should provide oversight of the agency's internal control system.
3. Should be apprised of risks to the achievement of the agency's objectives, the assessments of internal control deficiencies, and how management assesses the effectiveness of internal controls.
4. Should challenge agency leadership; ask questions, as necessary; and seek input and support from the internal control officer, internal auditors, external auditors, and others.

AGENCY LEADERSHIP
1. Should create a positive control environment that supports strong governance, ethical values, integrity, competence, morale, and structure throughout the agency.
2. Should set the agency's expectations for internal controls, ensure management is aware of those expectations, and evaluate management's effectiveness at maintaining and supporting the system of internal controls.
3. Should focus their monitoring activities on the major divisions of the agency and place emphasis on monitoring the achievement of the agency's goals.

DIRECTORS AND MANAGERS
1. Should ensure employees have the necessary skills, knowledge, and training to reasonably ensure they can carry out their work.
2. Should develop internal controls for compliance with agency policies and procedures as well as applicable laws, rules, and regulations.
3. Should periodically review their processes and procedures to ensure that proper internal controls are in place and being followed.
4. Need to introduce new controls and strengthen internal controls when weaknesses or opportunities for improvement are identified.
5. Should focus monitoring activities on assessable units with emphasis on achieving the agency's goals.

SUPERVISORS
1. Should ensure internal controls are operating as intended for compliance with agency policies and procedures as well as applicable laws, rules, and regulations.
2. Need to implement new internal controls or strengthen existing controls when weaknesses or opportunities for improvement are identified.
3. Should monitor activities and transactions in their unit to ensure that staff members are performing their assigned responsibilities, control activities are functioning properly, the unit is accomplishing its goals, the unit's control environment is appropriate, communication is open and sufficient, and risks and opportunities are identified and properly addressed.

STAFF
1. Should have an understanding of internal controls and the control concepts supporting the system of internal controls within their unit.
2. Should comply with agency policies and procedures as well as applicable laws, rules, and regulations.
3. Should be focused on monitoring their own work to ensure it is done properly.
4. Should correct errors identified before work is referred to higher levels for review.

INTERNAL CONTROL OFFICER
1. Responsible for establishing and maintaining an internal control review program to ensure internal controls are in place, and for promoting compliance with agency policies, procedures, and applicable laws, rules, and regulations.
2. Responsible for educating and training agency staff on internal controls and control concepts.

INTERNAL AUDIT
1. Responsible for assessing the adequacy and effectiveness of agency internal controls and reporting weaknesses and opportunities for improvement to management as they are identified.

EFFECTIVE SYSTEM OF INTERNAL CONTROL (Continued)

PRESENT The determination that each component and principle exists in the design and implementation of the system of internal control to achieve specified objectives. (Design and Implementation are the two tests of Present.)

Persuasive evidence must exist that proves controls are selected and developed to effect the components and related principles. When evaluating the design of an internal control, management determines if controls individually, and in combination with other controls, are capable of achieving an objective and addressing related risks.

FUNCTIONING The determination that each component and principle continues to exist in the conduct of the system of internal control to achieve specified objectives. (Conduct is the test of Functioning.)

Persuasive evidence must exist that proves controls are deployed to effect the components and related principles.

LEVEL OF PERFORMANCE A principle being present and functioning does not imply that the agency achieves the highest level of performance in applying that particular principle. Management exercises judgment in balancing the cost and benefit of designing,

DOCUMENTATION Persuasive evidence must exist that proves controls are selected, developed, and deployed to effect the components and related principles. This evidence should be kept and made available upon audit.

PRESENT AND FUNCTIONING EXAMPLES

CONTROL ENVIRONMENT 1. The agency demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes - with board oversight - structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The agency demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The agency holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Principle 1: The agency demonstrates a commitment to integrity and ethical values
Present / Design: Agency establishes a code of ethics and a code of conduct.
Present / Implementation: The codes are published in a centralized location available to all staff. The codes are well advertised by agency leadership.
Functioning / Conduct: Ethics training is targeted, on-going, and tailored to the needs of each separate group within the agency. The Ethics Officer maintains an intranet site with clearly posted contact information and resources, including templates for various requests.

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
Present / Design: The agency performs risk assessments.
Present / Implementation: The agency commissioner (or board of directors as appropriate) reviews the assessment of risks, including the potential impact of changes, fraud, and management override.
Functioning / Conduct: The agency commissioner (or board) appropriately questions and reacts to risks identified, including developing high-level policy to address risk.

Principle 3: Management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
Present / Design: The agency creates a formal, documented organization structure.
Present / Implementation: The agency issues a formal, documented organization structure.
Functioning / Conduct: Current organization charts are reviewed and approved by management. The approved organization charts are made available to all agency staff. Organization charts depict clear structure, reporting lines, and authorities.

Principle 4: The agency demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
Present / Design: The agency develops a training policy or annual plan(s).
Present / Implementation: The agency administers mandatory training courses and supports continuous training and development of staff.
Functioning / Conduct: Training needs are tailored to each group within the agency. Attendance/completion of training is tracked. Training courses are reviewed annually for continued relevancy and/or new offerings. Training courses are offered in a variety of formats.

Principle 5: The agency holds individuals accountable for their internal control responsibilities in the pursuit of objectives
Present / Design: Management establishes performance expectations throughout the agency.
Present / Implementation: These expectations incorporate achieving performance measures and complying with internal control responsibilities.
Functioning / Conduct: The agency holds individuals accountable for performance measures and internal control responsibilities. The agency periodically evaluates performance measures for suitability and relevance.

RISK ASSESSMENT 6. The agency specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The agency identifies risks to the achievement of its objectives across the agency and analyzes risks as a basis for determining how the risks should be managed. 8. The agency considers the potential for fraud in assessing risks to the achievement of objectives. 9. The agency identifies and assesses change that could significantly impact the system of internal control.

Principle 6: The agency specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
Present / Design: Agency develops a strategic plan.
Present / Implementation: The strategic plan includes the agency's mission, vision, goals, and strategic priorities.
Functioning / Conduct: The agency communicates the strategic plan to all staff. The strategic plan is published and available to all staff. Management ensures functional objectives align with the agency's strategic plan.

Principle 7: The agency identifies risks to the achievement of its objectives across the agency and analyzes risks as a basis for determining how the risks should be managed
Present / Design: Management has a process to identify risks to the agency's mission.
Present / Implementation: The agency performs a formal risk assessment.
Functioning / Conduct: A risk assessment is performed annually and updated as risks change in between assessment periods. Identified risks from all levels are reviewed holistically for likelihood and impact to the achievement of agency objectives.

Principle 8: The agency considers the potential for fraud in assessing risks to the achievement of objectives
Present / Design: A process is in place to identify possible fraud that may occur within the agency's business processes.
Present / Implementation: Fraud risks consider the drivers/causes of fraud (incentives, opportunity, and pressures).
Functioning / Conduct: The agency performs a formal fraud risk assessment in addition to the annual risk assessment. The agency risk assessment process includes fraud risks in the risk identification process. Control activities are reviewed to aid in the prevention/detection of fraud.

Principle 9: The agency identifies and assesses change that could significantly impact the system of internal control
Present / Design: The agency monitors for changes in legislation and/or regulations that may impact agency operations.
Present / Implementation: Agency counsel identifies and tracks legislation and/or regulations that may impact agency operations.
Functioning / Conduct: Agency counsel provides summaries of proposed/enacted legislation and/or regulations. Agency counsel prepares comments on proposed legislation and/or regulations to appropriate parties. Agency leadership discusses the impact of

CONTROL ACTIVITIES 10. The agency selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The agency selects and develops general control activities over technology to support the achievement of objectives. 12. The agency deploys control activities through policies that establish what is expected and procedures that put policies into action.

Principle 10: The agency selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
Present / Design: The agency requires employees to maintain accurate records of all business transactions (both financial and operational) to ensure completeness and validity.
Present / Implementation: Procedures are in place for records of all business transactions.
Functioning / Conduct: Employees are aware of procedures and receive training for updated best practices and procedural changes. Management performs ongoing monitoring to ensure the completeness and validity of transactions. Internal audit performs separate evaluations to ensure the completeness and

Principle 11: The agency selects and develops general control activities over technology to support the achievement of objectives
Present / Design: Users must request access to systems.
Present / Implementation: Users are granted access to only the system functions needed, based on their role within the agency and the internal control responsibilities assigned.
Functioning / Conduct: A process is in place for provisioning and deprovisioning of access requested by users. Approval levels are established based on the access level being requested. Access reviews and certifications of users are performed periodically.
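The Conduct column of Principle 11 names three checks an access certification has to make: access still held by people who have left (deprovisioning), access beyond what the role needs (least privilege), and grants approved below the tier the access level requires. The script below is an added example of how an Internal Control Officer or auditor could run those checks over an HR roster and a system's entitlement export; it is not code from the NYSICA guide or the workgroup. The role-to-function matrix, the approval tiers, the 90-day certification interval and all users and grants are constructed for illustration.

```python
"""Periodic access review for Principle 11 (general controls over technology).
Added example; the role matrix, approval tiers, review period and sample data
are assumptions constructed for illustration, not values from the deck."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed role-to-entitlement matrix: the only system functions each role may hold.
ROLE_MATRIX = {
    "clerk":      {"ledger.read", "ledger.post"},
    "supervisor": {"ledger.read", "ledger.post", "ledger.approve"},
    "sysadmin":   {"ledger.read", "admin.users"},
}

# Assumed approval tiers: the higher the risk of the function, the higher the
# level of approver required before it is granted. Unknown functions need the top tier.
REQUIRED_APPROVAL = {
    "ledger.read": 1, "ledger.post": 1, "ledger.approve": 2, "admin.users": 3,
}
TOP_TIER = 3

REVIEW_PERIOD = timedelta(days=90)  # assumed certification interval


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    terminated: Optional[date] = None   # set by HR when the person leaves


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    approval_level: int    # tier of the approver who signed off on the request
    last_certified: date   # date a manager last certified this grant as still needed


def review_access(roster: List[Person], grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, entitlement, finding) for every grant that fails a check."""
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        p = people.get(g.user)
        # Deprovisioning: nobody on the roster, or terminated, but access remains.
        if p is None or (p.terminated is not None and p.terminated <= today):
            findings.append((g.user, g.entitlement, "orphaned: user gone but access remains"))
            continue
        # Least privilege: the function is not part of this person's role.
        if g.entitlement not in ROLE_MATRIX.get(p.role, set()):
            findings.append((g.user, g.entitlement, f"exceeds role '{p.role}'"))
        # Approval tier: the grant was signed off below the level the function needs.
        need = REQUIRED_APPROVAL.get(g.entitlement, TOP_TIER)
        if g.approval_level < need:
            findings.append((g.user, g.entitlement, f"approved at level {g.approval_level}, needs {need}"))
        # Periodic certification: the grant has not been re-certified within the period.
        if today - g.last_certified > REVIEW_PERIOD:
            findings.append((g.user, g.entitlement, "certification overdue"))
    return findings


# Constructed sample data: a four-person roster and a six-row entitlement export.
TODAY = date(2018, 6, 1)
ROSTER = [
    Person("amy", "clerk"),
    Person("bob", "supervisor"),
    Person("cal", "sysadmin"),
    Person("dee", "clerk", terminated=date(2018, 3, 15)),
]
GRANTS = [
    Grant("amy", "ledger.post", 1, date(2018, 4, 1)),
    Grant("amy", "ledger.approve", 1, date(2018, 4, 1)),   # beyond clerk role, under-approved
    Grant("bob", "ledger.approve", 2, date(2018, 1, 10)),  # certification older than 90 days
    Grant("cal", "admin.users", 3, date(2018, 5, 1)),      # clean
    Grant("dee", "ledger.read", 1, date(2018, 4, 1)),      # terminated, never deprovisioned
    Grant("eve", "ledger.read", 1, date(2018, 4, 1)),      # account with no HR record
]


def sample_findings() -> List[Tuple[str, str, str]]:
    return review_access(ROSTER, GRANTS, TODAY)


if __name__ == "__main__":
    for user, entitlement, finding in sample_findings():
        print(f"{user:<4} {entitlement:<16} {finding}")
```

Each finding maps back to one column of the slide: orphaned accounts are a deprovisioning failure, role mismatches are a least-privilege failure, low approval levels are an approval-tier failure, and overdue dates show the periodic certification is not being performed. The output of a run, with the sign-off of the reviewer, is the kind of persuasive evidence the Documentation slide asks agencies to retain for audit.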

Principle 12: The agency deploys control activities through policies that establish what is expected and procedures that put policies into action
Present / Design: Management establishes policies that clearly outline employee responsibilities and accountability and support the agency's objectives.
Present / Implementation: Management communicates these policies to all staff.
Functioning / Conduct: Policies are formally published documents that are available to all staff. Procedures are in alignment with agency policies, documented, up-to-date, and available to applicable staff. Obtain periodic confirmations from employees confirming that policies and/or

INFORMATION & COMMUNICATION 13. The agency obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The agency internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The agency communicates with external parties regarding matters affecting the functioning of internal control.

Principle 13: The agency obtains or generates and uses relevant, quality information to support the functioning of internal control
Present / Design: The agency generates internal reports and obtains reports from external sources to conduct agency business.
Present / Implementation: Internal and external reports are distributed to staff as applicable.
Functioning / Conduct: Reports are generated timely and in a format staff can use/read easily. Internal report information is reviewed for accuracy prior to distribution. External report information is verified for accuracy prior to use. System checks/security are used to ensure information is correct and safeguarded.

Principle 14: The agency internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
Present / Design: The agency commissioner supports the functioning of internal control.
Present / Implementation: The agency commissioner issues a clear and concise statement supporting the functioning of internal control.
Functioning / Conduct: The statement of support of internal control is reinforced with staff annually. The statement can be a memo, an address at a town hall meeting, or remarks during meetings with agency units.

Principle 15: The agency communicates with external parties regarding matters affecting the functioning of internal control
Present / Design: A process is in place to communicate information to external parties.
Present / Implementation: The agency appoints a Public Information Officer (PIO) to communicate with external parties on behalf of the agency.
Functioning / Conduct: The PIO responds timely and appropriately to inquiries. The PIO holds press conferences or issues press releases regarding matters affecting the functioning of internal control. The agency's website contains information pertinent to the public.

MONITORING ACTIVITIES 16. The agency selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The agency evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.

Principle 16: The agency selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
Present / Design: Ongoing evaluations are built into each business process.
Present / Implementation: Routine reviews of key controls are performed. Periodic reconciliations. Routine monitoring of large or atypical transactions. Automated software controls/exception reports of failed
Functioning / Conduct: Reviews are performed at regular intervals (e.g. monthly, quarterly, semiannually, annually, as needed). Exception reports resulting from reviews are followed up by management. Significant findings and variances are routinely documented and

Principle 16 continued
Present / Design: Separate evaluations performed by an independent party.
Present / Implementation: Audits performed by the Internal Audit function. Benchmarking studies. Peer evaluations. Reviews performed by control agencies. Compliance reviews.
Functioning / Conduct: Audit report or summary of results from the evaluation. The agency responds in writing to the issuing party. Documentation of corrective action taken when exceptions/recommendations are identified.

Principle 17: The agency evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate
Present / Design: A process is in place to report internal control deficiencies.
Present / Implementation: Reports from Internal Control, Internal Audit, and external parties are issued to the agency commissioner and board of directors.
Functioning / Conduct: Findings and recommendations are discussed with the issuing party and process owner. Corrective action plans are agreed upon and formally documented. Implementation status is tracked to completion. Follow-up evaluations are conducted to confirm implementation and

WHAT HAPPENS IF SOMETHING IS MISSING OR NOT WORKING?

YOU HAVE IDENTIFIED A DEFICIENCY

INTERNAL CONTROL DEFICIENCY Shortcoming in a component or relevant principle(s) that reduces the likelihood of the agency achieving its objectives.

DEFICIENCY IN DESIGN Control necessary to meet a control objective is missing, or an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met.

DEFICIENCY IN IMPLEMENTATION Properly designed control is not implemented correctly in the internal control system.

DEFICIENCY IN CONDUCT Properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

MAJOR DEFICIENCY Refers to an internal control deficiency, or combination of deficiencies, that severely reduces the likelihood that the agency can achieve its objectives. When a major deficiency exists, the agency cannot conclude that it has met the requirements for an effective system of internal control.

A major deficiency in one component or principle cannot be mitigated to an acceptable level by the presence and functioning of another component or principle. Deficiencies are evaluated both on an individual basis and in the aggregate. Management considers the correlation among different deficiencies or groups of deficiencies when evaluating their significance.

EFFECTIVE SYSTEM OF INTERNAL CONTROL (Continued)

OPERATING TOGETHER The determination that all five components collectively reduce, to an acceptable level, the risk of not achieving an objective. Control Environment (5 principles), Risk Assessment (4 principles), Control Activities (3 principles), Information & Communication (3 principles), and Monitoring Activities (2 principles) must operate together.

Management can demonstrate that components operate together when all relevant principles are present and functioning and internal control deficiencies aggregated across components do not result in a major deficiency.

COMPONENT AND PRINCIPLE EVALUATION TEMPLATE

QUESTIONS

NYSICA has published the guide and template for you on the Library tab of our website: www.nysica.com

NEW YORK STATE INTERNAL CONTROL ASSOCIATION PO BOX 2005 ALBANY NY 12220 WWW.NYSICA.COM