Integrating Risk Management and Compliance into Integrated Financial Management Information Systems (IFMIS)
  • Include examples of effective IC’s
  • GAO directed to establish the standards for internal control. In 1983, GAO issued "Standards of Internal Control in the Federal Government" (also known as the "Green Book"). In 1999, GAO revised these standards to reflect new internal control. OMB directed to issue guidelines for issuing internal control assessment. OMB Circular A-123 originally issued in 1981, revised in 1995 and 2004.
  • Highly automated system. IT key control. Key components on a general basis. IT relying on data – so important to know controls around that data.
  • What are auditors’ expectations when evaluating management's internal control program? What are some strategies for working with auditors to resolve long-standing internal control problems (where there is an impasse)? What is the appropriate level of involvement for auditors in advising management on internal control issues? (Follow-up: to what extent can auditors share their workpapers, audit plan, or other materials with management in ways that would help management improve its internal control program?) What are some best practices for management in setting the "tone at the top"? Other than the threat of an adverse audit finding, how can internal control program managers motivate other stakeholders to be proactive about implementing and testing controls? How often is it appropriate for steering committees to meet? How much detail should the steering committee get involved with? Can automation be used to improve communication among stakeholders?
  • As a lead in to the next slides elaborate on how the requirements for documentation have changed from the past as a result of OMB A-123

    1. Integrating Risk Management and Compliance into Integrated Financial Management Information Systems (IFMIS)
    2. The Global Financial Environment
    3. The Global Financial Environment
        • No successful economy or government can operate today without global interconnectivity
        • Markets and industries exist transparently across the globe, and conduct business 24 hours a day.
        • Growth of that connectivity has increased the demands for the availability and reliability of financial information
        • That information demand is fed by the growing use of automated Financial Management Systems, using integrated Information Technology (IT).
    4. The New Financial Reporting Environment
        • As a result of the global economy, Financial Reporting must be relevant, timely, and comparable across jurisdictions
        • Company assets are considered more "intangible" and subject to inconsistent valuation
        • Company data is instantly accessible but not always sufficient to satisfy all stakeholders' requirements
            • Citizens
            • Shareholders
            • Regulators
    5. The Result of their Analysis?
        • In the long term, Financial reporting will be standardized to provide adequate information to all interested parties
        • Global auditing standards will converge and harmonize to deliver reasonable assurance of the accuracy of financial reports
        • Adoption of new data standards to improve enforcement of controls and improve detection of Fraud
        • Financial systems must have adequate internal controls enabled for consistent transparency
    6. Impact on Federal Managers
        • Governments are increasingly involved in global financial markets, not only as regulators but as investors and participants.
        • They must provide the highest quality financial information to a range of interested parties, in a multitude of formats, often with repetitive efforts and inefficient processes.
        • Government agencies are entrusted by their citizens to maintain sound financial practices, limit fraud and corruption, and provide adequate controls over financial reporting
    7. Overview of Internal Controls
    8. Internal Controls Defined
        • Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
            • Effectiveness and efficiency of operations
            • Reliability of financial reporting
            • Compliance with applicable laws and regulations
            • Source - The Committee of Sponsoring Organizations of the Treadway Commission Internal Control — Integrated Framework
        Management has a fundamental responsibility to develop and maintain effective internal control.
    9. Background on Internal Controls
        • Internal control is a means of managing the risk associated with programs and operations
        Internal controls – organization, policies, and procedures – are tools to help program and financial managers achieve results and safeguard the integrity of their program
    10. COSO
        • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
            • US private-sector initiative created in 1985.
            • Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.
            • COSO is sponsored by 5 main professional accounting organizations in the US:
                • American Institute of Certified Public Accountants (AICPA),
                • American Accounting Association (AAA),
                • Financial Executives Institute (FEI),
                • The Institute of Internal Auditors (IIA)
                • The Institute of Management Accountants (IMA).
        • COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems which is the basis for the SOX Internal Control framework.
        • Source: www.coso.org
    11. COSO Internal controls structure
    12. Control Environment
        • Sets the tone of the organization – influencing control consciousness of its people
        • Includes integrity, ethical values, competence, authority, and responsibility
        • Acts as foundation for all other components of control
    13. Risk Assessment
        • Identification and analysis of relevant risks to achieving the entity's objectives – forming the basis for determining control activities
    14. Control Activities
        • Policies and procedures assure management's directives are carried out
        • Range of activities, including approvals, authorizations, verifications, recommendations, performance reviews, asset security, and segregation of duties
    15. Information and Communication
        • Pertinent information identified, captured, and communicated in a timely manner
        • Access to internally and externally generated information
        • Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action
    16. Monitoring
        • Assessment of a control system's performance over time
        • Combination of ongoing and separate evaluation
        • Management and supervisory activities
        • Internal audit activities
    17. Internal Controls Are Integrated into Processes
        [Diagram labels: Major Programs; Information Technology; Finance & Administration; Internal Controls]
    18. Global Trends in Internal Control mandates
    19. U.S. Sarbanes-Oxley Act
        • The Public Company Accounting Oversight Act, otherwise known as the U.S. Sarbanes-Oxley Act of 2002 or "SOX".
        • Composed of three sections:
            • Title I – Public Company Accounting Oversight Board. PCAOB formed as branch of Securities and Exchange Commission (SEC). Public Auditing firms must register with PCAOB and are now brought under the regulation of the PCAOB.
            • Title III – Corporate Responsibility. Section 302 establishes certification requirements for CEOs and CFOs of Annual and Quarterly reports filed with the SEC.
            • Title IV – Enhanced Financial Disclosures. Section 404 (a) requires management to assess and report on internal controls, and Section 404 (b) requires the company’s External Auditor to attest to and report on management’s assertions on internal controls.
    20. Canadian Bill 198
        • Published in 2003 by the Ontario Securities Commission and the Canadian Securities Administrators
        • Consists of three statutes:
            • Multilateral Instrument 52-108 Auditor Oversight
            • Multilateral Instrument 52-109 Certification of Disclosure in Companies' Annual and Interim Filings (“CSOx”)
            • Multilateral Instrument 52-110 Audit Committees
        • Multilateral Instrument 52-109 is basically Section 302 with an emphasis on Disclosure Controls and Procedures (DC&P).
        • Implementation of Section 404 equivalent certification still pending
    21. Japanese SOX (J-SOX)
        • February 15th, 2007 – Business Accounting Council of the Financial Services Agency
            • "Implementation Standards for Evaluation and Auditing of Internal Controls over Financial Reporting"
        • Requires all publicly-held companies to submit consolidated internal control reports on or after April 1, 2008
        • Reporting standards similar to sections 302 and 404 under US SOX.
    22. Evolution of Internal Controls in the US Government
        [Timeline labels, in the order they appear on the slide:]
        • Budget and Accounting Procedures Act of 1950
        • IG Act 1978
        • FMFIA 1982
        • OMB A-123 1981
        • OMB Q&A 1984
        • GAO Green Book 1983
        • CFO Act 1990
        • FFMIA 1996
        • FISMA 2002
        • DHS Financial Accountability Act 2004
        • OMB A-123 1995
        • GAO Green Book 1999
        • OMB A-123 2004
        • CFO Council Implementation Guide 2005
        • Sarbanes Oxley 2002
    23. Other International Government Standards
        • INTOSAI Internal Control Standards
        • UK Government Internal Audit Good Practice Guide
        • Canada Government Internal Audit Policy
        • Institute of Internal Auditors (IIA) Code of Ethics
        • Canadian Government risk management framework
    24. Integrated Financial Management Information Systems (IFMIS)
    25. Describing a Financial Management System
        • The term "financial management system" means an information system, comprised of one or more applications, that is used for any of the following:
            • Collecting, processing, maintaining, transmitting, and reporting data about financial events;
            • Supporting financial planning or budgeting activities;
            • Accumulating and reporting cost information; or
            • Supporting the preparation of financial statements
        • A financial system may include multiple applications that are integrated through a common database or are electronically interfaced, as necessary, to meet defined data and processing requirements
        • Source: Office of Management and Budget (OMB) Circular A-127
    26. Information Technology (IT) and IFMIS
        • IFMIS systems are designed to automate financial process to aid transparency and accountability in public financial management
        • Modern Financial Management Systems are driven by IT
        • Key to driving adequate transparency and accountability is to enable systems with comprehensive internal controls framework
        • IT requires special considerations to properly implement and enforce Internal Controls
    27. IT's Potential Contribution to Internal Control
        • IT provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to:
            • Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions and data
            • Enhance the timeliness, availability, and accuracy of information
            • Facilitate the additional analysis of information from multiple sources on an as needed basis
    28. IT's Potential Contribution to Internal Control (cont.)
        • Enhance the ability to monitor the performance of the entity’s activities, policies, and procedures
        • Reduce the risk that controls will be circumvented
        • Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems
    29. IT as a Source of Risk
        • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both
        • Unauthorized access to data that may result in destruction of data or misappropriation of assets through improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions
        • Potential loss of data
        • Unauthorized changes to data in master files
        • Unauthorized changes to systems or programs
        • Failure to make necessary changes to systems or programs
        • Inappropriate manual intervention
    30. Automation of Internal Controls and Risk Management
    31. Why Automate the Controls Process?
        • Given the complexity of IT and financial reporting, automated controls software can potentially provide tremendous benefits to an internal controls program.
        • Automated solutions can detect, monitor, and report a wide range of control issues, risk areas, and performance indicators.
        • Software allows for business rules to be built into the system to ensure compliance with regulations and automate reporting processes.
    32. Benefits of automation
        • Provides structure for the internal control program
        • Improves monitoring of control deficiencies and corrective action plans at all levels of management within an organization
        • Provides a repository of documentation that can be made available to auditors and stakeholders
        • Enables senior management to gain awareness of areas that require process changes or additional resources
    33. Discipline over internal control program
        • Software can help an organization maintain discipline over its internal control program by providing a framework for documenting and assessing controls, testing internal controls or controlling the workflow to ensure the controls are enforced
        • Software can make it easier to demonstrate your internal controls to your auditors and may lessen the amount of testing that needs to be performed by the auditors
    34. Uses of automated internal control software
        • The types of software available in the market include:
            • Testing and Reporting
            • Document and records management
            • Business process modeling
            • Policy management
            • Risk management and risk assessment
            • Support for multiple control frameworks
            • Support for multiple regulations across multiple business units
            • Controls automation and monitoring
    35. Repository software
        • Provides a central repository for the documentation of internal controls throughout the organization
        • Allows the documentation of workflow and key processes, control objectives, control activities and risks for each major function in the organization
        • May be set up as a web based tool that allows multiple users to input information
        • Allows the organization to centrally manage the documentation of internal controls and capture information about the results of testing
        • May come "out of the box" with standard templates for control objectives, control activities and risks
    36. Testing software
        • Allows an organization to test the internal controls of a system by directly interfacing with the system
        • May test for segregation of duty and authorization violations
        • Allows organizations to identify where violations can or have occurred and make changes to business processes or roles as appropriate
        • May come "out of the box" with standard control objectives and control activities that can be modified as appropriate
        • May have a limited repository capability to document workflow
    37. Business process management software
        • Allows an organization to design and dictate the workflow for a given process
        • Integral to the performance of the process
        • Allows for the documentation of the workflow process
        • The workflow is performed outside of the primary system
        • Helps ensure the workflow process is performed as designed by not allowing the process to continue until each step is performed
        • May include features such as email notification when a step has been completed
        • May have a limited capability for repository or to test transactions
    38. Reporting capabilities
        • Capabilities may allow for management reports to provide a status on one or more of the following:
            • Documentation or testing of controls
            • Potential violations that have been identified
            • Where a document is in the process
        • May also allow for customizable management reports
            • May be capable of personalized "dashboards" for each user that present a current status, a "to do" list and interactive reports with drilldown capability
    39. Basic steps to implementing a software solution
        • Selection
            • Products should be selected based on the needs of a defined internal controls program
            • A requirements analysis should be performed to identify areas that the program can be improved, or further meet compliance goals
            • The analysis forms the basis for product selection
        • Implementation
            • Once a product is selected, an implementation plan should be developed
            • The plan incorporates the required steps to implement the solution and how the functions will be used in the corresponding areas of the internal control program
    40. Basic steps to implementing a software solution
        • Utilization
            • Once the solution is fully implemented, the full functionality of the solution can be utilized
            • Key performance indicators (KPIs) should be established that measure how well the solution is improving risk management and compliance efforts.
                • Example KPIs include:
                    • Improved rate of fraud detection
                    • Improved speed in reporting
                    • Accuracy of reporting measures
    41. Conclusions
        • The implementation, maintenance and reporting of Internal controls compliance and risk management is the way of the future for global financial management and accounting
        • Financial reporting will become increasingly demanding and require greater transparency and validity of financial information
        • Automated tools and processes can be of benefit in managing the increasing level of effort in meeting the demands for financial reporting, managing risk and providing reasonable assurance of internal controls and fraud detection.
