Internal Control Review (ICR) - Completion of the "Assessable Unit" Form
How to fill out the form

Presentation Transcript

  • Completion of the Assessable Unit Forms Anthony Rainey, Business Manager August 1, 2012
  • 1 – Fiscal Year (FY) 2012 Assessable Unit (AU) Form • The purpose of this slide deck is to provide users with some background as to: – WHY the FIS’ assessable units require a form to be completed, and – WHAT the information on the form for
  • 2 - Legal/Regulatory Framework • Federal Managers’ Financial Integrity Act of 1982 (FMFIA) • OMB Circular A-123 “Management’s Responsibility for Internal Control” • ICONO: Internal Controls Over Non-financial Operations • ICOFR: Internal Controls Over Financial Reporting • ICOFS: Internal Controls Over Financial Systems • Annual Statement of Assurance • From FMFIA: “…internal accounting and administrative controls of each executive agency shall be established IAW standards prescribed by the Comptroller General…” ~ Head of each agency must prepare an annual statement certifying whether the agency’s systems of internal accounting and administrative control comply with FMFIA • From OMB Circular A-123: ~ Implementing guidance for federal agencies ~ Establishes 3 objectives of internal controls ~ Outlines 5 standards of internal control activities • 3 Levels of Assurance: ~ Unqualified: no material weaknesses (MWs) ~ Qualified: MWs identified with corrective action plan developed ~ No Assurance: no assessment done or MWs are pervasive • Goal: Effective Internal Controls
  • 3 - Federal Managers’ Financial Integrity Act (FMFIA) • Became law in 1982 to respond to concern about fraud, waste, and abuse • Required annual agency self-assessments of internal control effectiveness and reporting material weaknesses in controls • The Act focused on the following problem areas: o Mismanagement o Erroneous Reports of Data o Unauthorized Use of Resources o Illegal or Unethical Acts o Adverse or Unfavorable Public Opinion
  • 4 - FMFIA Annual Assurance Process in OPM (diagram labels) • OPM Director • Management’s Assurance in the Annual Performance and Accountability Report • OPM Chief Financial Officer • Assessment of Internal Control over Financial Reporting • Associate Directors and Heads of Offices • Assessable Unit (AU) Internal Control Form Update • Daily Operations • Other Sources • Audits • Effective & Efficient Operations • Management Reviews • Senior Assessment Team • OMB Circular A-123, Appendix A • Risk Assessments • Compliance with Laws and Regulations • Financial Reporting • Goal: Annual Assurance of Internal Controls
  • 5 - OMB Circular A-123, Management’s Responsibility for Internal Control • Revision Issued: December 2004 • Effective: Beginning in Fiscal Year 2006 • Purpose: Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by: - establishing, - assessing, - correcting, and - reporting on internal control. • Authority: Includes but is not limited to Federal Managers’ Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512
  • 6 – Characteristics of OMB Circular A-123 • OMB Circular No. A-123, Management’s Responsibility for Internal Control, is the implementing guidance for FMFIA. • The last update for A-123, in December 2004, made major changes, including: • Requiring agency management to attest to internal controls over financial reporting (ICFR) through testing and evaluation; patterned after the Sarbanes-Oxley Act requirements for the private sector. • Requiring a separate annual assurance statement on ICFR as of June 30 each year as a sub-set of overall assurance. Agencies cannot rely solely on their financial statement auditors for those controls. • Requiring agencies to integrate internal control assessments with other related activities. • Realigning standards. • Providing an additional level of control weaknesses (now called significant deficiency) below a material weakness.
  • 7 - Internal Controls - A Brief Definition • Internal controls are all the methods by which an organization governs its activities to accomplish its defined purpose. Internal Controls are: • Pervasive and inherent in the way management runs an organization • "Built into" not "added onto" an OPM entity's activities • An integrated part of management and execution of a program • Critical to an OPM entity's mission and outcomes
  • 8 - Internal Controls Are a Combination of • Plans and Policies = Control Objectives and • Procedures = Control Activities • Control Objectives - The positive things that FIS managers want to have happen. • Control Activities - The procedures that FIS managers use to provide reasonable assurance that the control objectives are achieved.
  • 9 – Three Objectives of Internal Controls • Organization, policies and procedures to help program and financial managers achieve results and safeguard the integrity of their programs. – Ensure what should occur in daily activities does occur. • 3 objectives: – Effectiveness and efficiency of operations – Reliability of non-financial reporting – Compliance with applicable laws and regulations • Support performance-based management • Incorporate into every business process • Safeguarding of assets is a subset • Further, not hinder, mission accomplishment – Cost/benefit analysis should be used when implementing controls • Goal: provide reasonable assurance 3 objectives are met
  • 10 - How Does the OCFO Conduct Evaluations of OPM’s Internal Controls? • Chapter 22 – Internal Control Program – of the OPM Financial Management Manual establishes the policy, requirements and responsibilities for the Office of Personnel Management’s (OPM) Internal Control Program. The objectives of the Internal Control Program are to: 1. Ensure OPM has effective and efficient systems of internal control as required by the “Federal Managers’ Financial Integrity Act (FMFIA) of 1982,” revised OMB Circular A-123, “Management’s Responsibility for Internal Control,” and related guidance. 2. Evaluate systems of internal control using existing information and day-to-day knowledge to the maximum extent possible. 3. Provide “reasonable assurance” that OPM’s programs and functions are protected from waste, abuse, loss, and misuse of resources. 4. Focus attention on resolving reportable conditions and “material” weaknesses in internal control. 5. Help achieve OPM’s mission, goals, and objectives.
  • 11 - Internal Oversight and Compliance (IOC) and What Is Their Role Regarding Non-Financial Reporting Unit Internal Controls? • Internal Oversight and Compliance (IOC) is an independent organization within OPM that proactively provides internal oversight while holding OPM officials accountable for operating effectively and efficiently in accordance with applicable policy, regulations and other criteria as further defined by the Director of OPM. • IOC responds to GAO Reports, other external evaluative entities, as applicable, and the OPM OIG that require an official response on behalf of the OPM Director. • IOC collaborates with FIS to select an external auditor to conduct an audit of FIS’ Assessable Unit (AU) Internal Controls by reviewing and auditing the Fiscal Year 2012 AU Internal Control Forms for Non-Financial Units. It is important that the forms are carefully constructed and reviewed. • The completed forms are due to the IOC on September 14, 2012.
  • 12 - "The" Internal Control (IC) Flow in OPM • 1. Federal Managers’ Financial Integrity Act (FMFIA) 1A. OMB Circular A-123 – discussed earlier 1B. OMB Circulars A-127 and A-130 – guidance on IT systems and processes 1C. GAO Standards for Internal Control in the Federal Government • 2. Other OPM policies and procedures like the OPM Financial Management Manual (FMM) • 3. OPM Associate Directors, Office Heads and IC Coordinators (generally Resource Management Officers - RMO) • 4. Assessable Unit (AU) Managers • 5. All FIS Employees
  • 13 - Completing your Assessable Unit Documentation and Performing Internal Control Reviews (ICR) • An ICR is a detailed evaluation of existing internal controls within an AU to determine whether necessary controls are in place and producing the intended results. These reviews are documented and are designed to provide reasonable assurance in critical risk areas that the controls are effective. • This type of periodic evaluation focuses directly on the controls' effectiveness at a specific time. The scope and frequency of ICRs are a function of the assessment of risks and the effectiveness of the constant monitoring procedures. To the extent possible, ICRs should be built into your activities and not added on at year end. The final review should focus on summarizing and reporting ICR results.
  • 14 – Clearly Identifies What Comprises Your Assessable Unit (AUs) • Assessable Units are organized functionally • Reviewed and updated annually with input from program managers/subject matter experts • Supplemented by FIS specific identified manuals, procedures or published business rules • Assessable Units (AU) – Have clear limits and boundaries; Are small enough to be measured; Are large enough to be meaningful; Provide for: - clear lines of communication - reporting up through the chain of command - accurate aggregation responsibilities • Goal: Identify control deficiencies and implement actions to minimize risks
  • 15 - What is meant by the term “Internal Controls”? • Internal controls are the OPM and FIS policies, procedures, actions, and activities that management implements to ensure that goals and objectives are met. • Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner. • Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. • Internal controls – OPM and FIS policies and procedures – are tools to help managers achieve results and safeguard the integrity of their programs, and they apply to program, operational, and administrative areas, not just accounting and financial management.
  • 16 - What are the Objectives of “Internal Controls”? • Internal control is an integral component of FIS’s management that provides reasonable assurance that the following objectives are being achieved: - Effectiveness and efficiency of program activities and operations - Reliable, complete, and timely data are maintained - Compliance with applicable laws and regulations - Programs and resources are protected from waste, fraud, and mismanagement
  • 17 - What Are the Legislative Requirements? • OPM produces an Annual Financial Report (AFR) that is one in a series of reports used to convey budget, performance and financial information to OPM’s constituents. An AFR is a requirement of OMB Circular A-136, Financial Reporting Requirements. • One of the responsibilities of OPM’s Office of the Chief Financial Officer (OCFO) is to manage and oversee OPM internal control and financial policy functions which enable the Agency to meet the objectives of the Federal Managers’ Financial Integrity Act (FMFIA). • OPM conducts its assessment of internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, OPM can provide qualified assurance that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems
  • 18 - The Role of the OPM Assessable Unit (AU) • An Assessable Unit (AU) is the lowest level of functional responsibility on which to be assessed, tracked, and reported. • The AU should have a single person designated as the AU manager. However, one person can be the manager for more than one AU – but their name, title, and area of responsibility should be clearly designated. • The AU should have clearly defined objectives that tie to OPM’s overall mission and strategic goals and objectives. • Additionally, an AU should be defined in terms of clearly identifiable risks, controls to help mitigate those risks, and monitoring to ensure the effectiveness of the controls.
  • 19 - Chapter 22 – Internal Control Program – of the OPM Financial Management Manual • Chapter 22.6 of the OPM Financial Management Manual requires annual reviews of internal controls as required by FMFIA. To meet the requirements of the annual review of internal controls, FIS should: 1. Appoint Control Owners to manage each FIS Assessable Unit’s planning, evaluating, and reporting activities related to each Business Process, Control Objective, Risk, and Control identified on the Assessable Unit Internal Control Form. 2. Complete the Assessable Unit Internal Control Form for all assessable units. 3. Develop Management Self Assessments reflecting the timely and effective review of controls, the person conducting the review, results of the self-assessment, and determining whether any corrective action is required. 4. Report the status of internal controls to the CFO to support the Director’s annual assurance to the President and Congress by means of an annual assurance statement. 5. Track progress on completing any corrective actions identified.
  • 20 - FIS Priority Goals, Outcome & Target, Strategy & Goals, Measures • Determine where your Assessable Unit fits within the following:
  • 21 - Four Sections of the AU Form • Your internal controls are identified through the Assessable Unit Internal Control Forms • Section 1 – General Information • Section 2 – Assessable Unit (AU) Internal Controls – Subsection 2.1 AU Description – Subsection 2.2 Major Business Processes – Subsection 2.3 Control Objectives – Subsection 2.4 Management Self Assessment of Risk – Subsection 2.5 Control Activities • Section 3 – Management Self Assessment • Section 4 – Corrective Actions • Goal: Clear definition of the AU, major business processes, control objectives, what management believes are the major risks, and the control activities management uses to manage these risks
  • 22 – The Assessable Units (AU) • Assessable Units (AU) - Any FIS organizational, functional, programmatic or other applicable subdivision whose internal controls are capable of being evaluated. • An assessable unit should be a subdivision of a FIS organization (have an Org Code) that ensures a reasonable level of span of control to allow for adequate control analysis.
  • 23 – Filling Out the Assessable Units (AU) Form • Provide an Assessable Unit NAME. • Identify the NAME and TITLE of the Assessable Unit Manager(s). These are the senior managers with primary and direct responsibility for accomplishing a function in an assessable unit. • Identify the NAME and TITLE of each Assessable Unit Supervisor or Team Leader. They have responsibility for implementing and sustaining internal controls in their assessable unit. • Provide a unique Assessable Unit ID. • Identify the Performance Period – the begin and end date that this form will cover.
  • 24 - AU Internal Control Form – Non-Financial Reporting Unit – Section 1 – General Information • Section 1 provides the following General Information about the Assessable Unit: The name of the FIS organization should be listed for all names along with a contact telephone number and email.
  • 25 - Assessable Units (AU) Questions to Consider • How would your organization best be segmented – organizational, functional, or program lines? • How many segments does the organization have? Identify these segments. Describe the objectives/function of each. • Note again that Assessable Units (AU): • Have clear limits and boundaries • Are small enough to be measured • Are large enough to be meaningful • Provide for: - clear lines of communication - reporting up through the chain of command - accurate aggregation
  • 26 – Keep in Mind How Your AU Supports OPM’s Mission and Strategic Goals
  • 27 – Consider How Your AU Supports OPM’s Two Strategic Goals: Expect the Best and Hire the Best
  • 28 – Think About How Your AU Helps OPM Accomplish Its Mission • Review OPM’s Mission Statement and think about how your Assessable Unit helps OPM accomplish its mission.
  • 29 - Identify Your AU’s Customers, Partners, Products and Services • Customers who receive your AU’s products or services • Partners who assist in the provision of products and services by your AU • Major products provided • Major services provided
  • 30 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.1 – AU Description • Section 2.1 provides an Assessable Unit Description: Remember that the information here may be reviewed by an internal or external auditor to verify and validate the information presented. It should be written to enable a person outside of the Assessable Unit to easily comprehend who your customers and partners are and what the major services and products are.
  • 31 - Business Processes • A business process is a set of activities - any system used or procedures followed - that your AU uses to provide a product and/or service to your customer. • A business process executes a set of actions that transform physical or informational things in the AU from an INPUT state to an OUTPUT state. • Anything that is not a set of actions is not a business process, including a role, an organizational unit, a facility or a technology.
  • 32 - Example of a Simple Business Process • Steps involved when a vendor sells an item to a customer • Several steps involved in one process.
  • 33 - Partner Involvement • Partners are the external parties that are involved in the business process. • The partner (e.g. vendor, supplier, contractor, federal agency) may provide the AU with something (activity, product) that is part of your business process. This should be clearly identified.
  • 34 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.2 – Major Business Processes • Section 2.2 provides the following information about the Major Business Processes: “Descriptions” should include the names of tangible products produced or services provided along with the “purpose” of the process. Systems Used should spell out acronyms and Document References should include version numbers and/or dates if possible.
  • 35 - Efficiency and Effectiveness of Processes • HOW DO YOU ASSESS WHETHER THE OPERATIONS ARE EFFICIENT? Efficiency means how fast one can do something correctly. Hence testing efficiency can be “# of cases completed per month or per person day". This explains how efficient (i.e. fast) the person is at properly completing assigned cases. • EFFECTIVENESS is a quality metric meaning how good a person is at completing assigned cases without missing any items. Hence if the quality metric is a 0% missing items rate, then case effectiveness metrics can be “# of incomplete items identified by a reviewer in a given item / Total # of items reviewed".
  • 36 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.3 – Control Objectives • Section 2.3 identifies the Control Objectives of the Assessable Unit: Please contact Business Management for the Account Code identifications. Impacts should be tied to a FIS “Strategy and Goals” and “Measures” that are part of the “Strategic Goal: Expect the Best and Hire the Best”.
  • 37 - SMART OBJECTIVES • Specific: Use specific terms rather than vague abstract ones • Measurable: Include some method for objectively measuring their achievement • Achievable: Are challenging but realistic • Relevant: Follow the business strategy of the organization • Timely: Specify a time period
  • 38 - What Is Meant By the Assessment of Risk? • Risk is “the possibility that an event will occur and adversely affect the achievement of objectives.” • Thereby decreasing value for the AU’s customers.
  • 39 - Management Self-Assessment of Risk Tips - Risks should be analyzed and assessed as to their likelihood and impact - Management should consider the mix of future events, both expected & unexpected - Useful first step – often a “brainstorming” session with AU staff - What is the “worst that could happen,” or the “worst that happened?”
  • 40 - Consider Your Appetite for Risk • Broadly defined as amount of risk an AU is willing to accept in pursuing its objectives. • For most government entities: risk appetite is fairly low! • Related is risk tolerance: “tolerable level of variation associated w/ a particular objective.”
  • 41 - Consider Both Inherent & Residual Risk • Inherent – Risk without any management activity or before controls are in place. • Example: inherent risk mitigated by payment card’s policies and procedures. • Residual – level of risk that remains after management has a plan in place to deal with the risk. • Example: residual risk remains after payment card policies are in place.
  • 42 - Consider both the Likelihood and Impact of Risk • Likelihood of Occurrence: possibility an event will occur, measured in “low, medium, high,” percentage or some frequency of occurrence. • Potential Impact: Effect on an agency or others. • Risk Magnitude:
  • 43 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.4 – Management Self Assessment of Risk • Section 2.4 portrays Management’s Self Assessment of Risk for the Assessable Unit:
  • 44 - Control Activities Are Risk Responses • Control activities generally are established to ensure risk responses are carried out. However, control activities themselves are risk responses.
  • 45 - Risk Assessment: Likelihood of Occurrence • High Likelihood - Rating: 3 Guideline: Very likely to occur • Medium Likelihood - Rating: 2 Guideline: May occur • Low Likelihood - Rating: 1 Guideline: Unlikely to occur
  • 46 - Risk Assessment: Degree of Impact • High Impact - Rating: 3 Guideline: Risk occurrence (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury. • Medium Impact - Rating: 2 Guideline: Risk occurrence (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. • Low Impact - Rating: 1 Guideline: Risk occurrence (1) may result in the loss of some tangible assets or resources, or (2) may noticeably affect an organization’s mission, reputation, or interest.
  • 47 - Risk Assessment: Risk Magnitude (Likelihood times Impact) • High Likelihood (3) x Low Impact (1) = Low Risk Magnitude (3) • Medium Likelihood (2) x Low Impact (1) = Low Risk Magnitude (2) • Low Likelihood (1) x Low Impact (1) = Low Risk Magnitude (1) • High Likelihood (3) x Medium Impact (2) = Medium Risk Magnitude (6) • Medium Likelihood (2) x Medium Impact (2) = Medium Risk Magnitude (4) • Low Likelihood (1) x Medium Impact (2) = Low Risk Magnitude (2) • High Likelihood (3) x High Impact (3) = High Risk Magnitude (9) • Medium Likelihood (2) x High Impact (3) = Medium Risk Magnitude (6) • Low Likelihood (1) x High Impact (3) = Low Risk Magnitude (3)
  • 48 - Control Activity Questions • For each of the AUs, what types of policies govern the operations? Are there documented procedures that describe the operations to be accomplished and how to accomplish them? Reference these policies and procedures in the form. • How does management track the organization’s accomplishments and compare these to its plans, goals, and objectives? How does management compare actual results with planned or expected results and analyze significant differences? • What major reviews are conducted by managers and supervisors?
  • 49 - Control Activity Questions (cont’d) • Are roles and responsibilities clearly defined and accountability established? If so, please describe. • How are duties assigned systematically to a number of individuals to ensure that effective checks and balances exist? • How are physical and data assets safeguarded? • What type of performance measures and indicators (i.e., specific metrics) has your organization established to measure progress in accomplishing its objectives and goals? • How are controls and significant events documented?
  • 50 – SINGLE AND MULTIPLE CONTROL ACTIVITIES • A single control activity can address multiple risk responses or • Multiple control activities may be needed for one risk response.
  • 51 - Categorize Your Type of Control Activities Types of Control Activities o Preventive o Detective o Manual (People Based) o Automated (System Based)
  • 52 - Assess Reliability of Your Control Activities • LESS RELIABLE: People Based (Detective, Preventive) • MORE RELIABLE: Automated (Detective, Preventive)
  • 53 - Preventive Control Activities • Preventive Controls 1. Prevents errors 2. Proactive approach – frees up people resources
  • 54 - Preventative Control Activities – Approval/Authorizations • Approval/Authorizations (Preventive) – Policies and procedures – Limits to authority – Supporting documentation – Question unusual items
  • 55 - Detective Control Activities – Reconciliations and Reviews • Reconciliations (Detective) – Personnel approving or executing transactions should not perform reconciliations. • Reviews (Detective) – Budget to Actual – Current to prior period comparisons – Performance measurements • Note the frequency of reconciliations or reviews.
  • 56 - Preventive and Detective Control Activities • Assets Security (Preventive and Detective) – Physical safeguards – Record retention – Periodic counts/Inventories
  • 57 - Types of Controls – Segregation of Duties • Segregation of Duties (Preventive and Detective) – The following functions should be segregated • Approval • Accounting/Reconciling • Asset Custody
  • 58 - Types of Controls – Separation of Duties • Separation of Duties (Preventive and Detective) – Custody, recording, reconciliation and authorization.
  • 59 - Effectiveness and Efficiency of Control Activities • Control activities must be tested to ensure they are documented and there are no weaknesses or significant deficiencies. • Management should also ensure that control activities are carried out in a timely and frequent manner (e.g. review). – External auditors may support management by providing assurance on the effectiveness and efficiency of control activities.
  • 60 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.5 – Control Activities • Section 2.5 portrays Control Activities associated with each risk for the Assessable Unit: Categorize the “control activity” as either preventive or detective, how it prevents and/or detects the “risk”, the “frequency” of its use, and applicable documentation so that an external auditor can easily trace what, where, and why.
  • 61 - Management Self-Assessment – External Reviews • Monitoring – External Reviews • Does the organization undergo reviews (audits, inspections, investigations) by outside organizations? How are results of the review communicated up and down the organization? • Control Activities: - How do you ensure your controls are working? Do you build control reviews into your normal activities? Do you keep documentation of your control reviews? - Have you developed corrective action plans with milestones for controls that are not working or where additional controls are needed?
  • 62 - Management Self-Assessment Internal Reviews (Section 3 of AU Form) • Monitoring – Internal Reviews (Section 3 of AU Form) • How does your organization monitor its functions, operations, projects? How often? What is communicated up/down the organization? • How does your organization measure progress in accomplishing its goals and mission? How often? What is communicated up/down the organization? • What types of self-assessments of identified control activities does your organization perform? How often? • How does your organization identify problem areas? What action is taken? How is that corrective action communicated throughout the organization? Are problems (and subsequent corrective action) routinely reported up the chain of command?
  • 63 - AU Internal Control Form – Non-Financial Reporting Unit – Section 3 – Management Self-Assessment • Section 3 portrays the Self-Assessment Results and any requirements for Corrective Actions associated with each risk for the Assessable Unit: In the control title, categorize whether the self-assessment was preventive or detective, document and retain the “self-assessment” process itself by describing the tests and analyses undertaken, what the results were, and whether corrective action was required.
  • 64 - Corrective Actions Are Based on the Finding of a “Significant Deficiency” of a Control Activity • Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the AU’s ability to initiate, record, process, and report data that meets the following Control Objectives: CO1 - Efficiency and Effectiveness of Operations; CO2 - Reliability of Financial Reporting; CO3 - Compliance with Laws and Regulations; CO4 - Safeguarding Assets against Waste, Fraud, Abuse and Misuse • They are important enough to bring to the attention of management: – Absence of appropriate separation of duties. – Absence of appropriate reviews and approvals of transactions. – Evidence of failure of control procedures.
  • 65 - AU Internal Control Form – Non-Financial Reporting Unit – Section 4 – Corrective Actions • Section 4 portrays Corrective Actions associated with each risk, Management Actions required, Who Will Implement these Corrective Actions and the Due Dates for Implementation for the Assessable Unit:
  • 66 - CONCLUSION • This slide pack is intended to serve as a “reference sheet” to examine the scope, purpose, and underlying legal and regulatory requirements for this audit of internal controls. Please feel free to ask the Auditors questions and obtain clarification when they are on site. Please email Anthony Rainey (anthony.rainey@opm.gov) with questions, concerns or issues you may have regarding this “engagement”.