Provides an approach that federal management may consider for assessing, documenting, and reporting on the review of internal controls (here, within the U.S. Office of Personnel Management) in conformance with the requirements of the revised OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A. The framework for the assessment is Standards for Internal Control in the Federal Government, issued by the U.S. Government Accountability Office (GAO) and outlined in the Circular. These standards, frequently referred to as the “Green Book,” are based on the Integrated Framework of Internal Control issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
Internal Control Review for a Federal Agency - Introduction
1. Completion of the Assessable Unit Forms
Anthony Rainey, Business Manager, U.S. Office of Personnel Management
April 17, 2013
2. 1 – Fiscal Year (FY) 2012 Assessable Unit (AU) Form
• The purpose of this slide deck is to provide users with some background as to:
– WHY FIS’ assessable units require a form to be completed, and
– WHAT the information on the form is for
3. 2 - Legal/Regulatory Framework
Federal Managers’ Financial Integrity Act of 1982 (FMFIA)
OMB Circular A-123, “Management’s Responsibility for Internal Control”
ICONO: Internal Controls Over Non-financial Operations
ICOFR: Internal Controls Over Financial Reporting
ICOFS: Internal Controls Over Financial Systems
Annual Statement of Assurance
From FMFIA:
“…internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General…”
~ The head of each agency must prepare an annual statement certifying whether the agency’s systems of internal accounting and administrative control comply with FMFIA
From OMB Circular A-123:
~ Implementing guidance for federal agencies
~ Establishes 3 objectives of internal control
~ Outlines 5 standards of internal control activities
3 Levels of Assurance:
~ Unqualified: no material weaknesses (MWs)
~ Qualified: MWs identified, with a corrective action plan developed
~ No Assurance: no assessment done, or MWs are pervasive
Goal: Effective Internal Controls
4. 3 - Federal Managers’ Financial Integrity Act (FMFIA)
• Became law in 1982 in response to concern about fraud, waste, and abuse
• Requires annual agency self-assessments of internal control effectiveness and reporting of material weaknesses in controls
• The Act focused on the following problem areas:
o Mismanagement
o Erroneous Reports of Data
o Unauthorized Use of Resources
o Illegal or Unethical Acts
o Adverse or Unfavorable Public Opinion
5. 4 - FMFIA Annual Assurance Process in OPM
[Flowchart; only the labels survive extraction.]
Goal: Annual Assurance of Internal Controls
OPM Director: Management’s Assurance in the Annual Performance and Accountability Report
OPM Chief Financial Officer: Assessment of Internal Control over Financial Reporting (per OMB Circular A-123, Appendix A; Senior Assessment Team)
Control objectives shown: Effective & Efficient Operations; Compliance with Laws and Regulations; Financial Reporting
Information sources shown: Daily Operations; Other Sources; Audits; Management Reviews; Risk Assessments
Associate Directors and Heads of Offices: Assessable Unit (AU) Internal Control Form Update
6. 5 - OMB Circular A-123, Management’s
Responsibility for Internal Control
• Revision Issued: December 2004
• Effective: Beginning in Fiscal Year 2006
• Purpose: Provides guidance to Federal managers on improving the
accountability and effectiveness of Federal programs and operations
by:
- establishing,
- assessing,
- correcting, and
- reporting
on internal control.
• Authority: Includes but is not limited to Federal Managers’ Financial
Integrity Act of 1982 as codified in 31 U.S.C. 3512
7. 6 – Characteristics of OMB Circular A-123
• OMB Circular No. A-123, Management’s Responsibility for Internal Control, is the implementing guidance for FMFIA.
• The last update of A-123, in December 2004, made major changes, including:
• Requiring agency management to attest to internal control over financial reporting (ICFR) through testing and evaluation, patterned after the Sarbanes-Oxley Act requirements for the private sector.
• Requiring a separate annual assurance statement on ICFR as of June 30 each year, as a subset of the overall assurance. Agencies cannot rely solely on their financial statement auditors for those controls.
• Requiring agencies to integrate internal control assessments with other related activities.
• Realigning standards.
• Providing an additional level of control weakness (now called a significant deficiency) below a material weakness.
8. 7 - Internal Controls- A Brief Definition
•Internal controls are all the methods by which an organization
governs its activities to accomplish its defined purpose. Internal
Controls are:
• Pervasive and inherent in the way management runs an
organization
• "Built into" not "added onto" an OPM entity's activities
• Integrated part of management and execution of a program
• Critical to an OPM entity’s mission and outcomes
9. 8 - Internal Controls Are a Combination of
• Plans and Policies = Control Objectives
and
• Procedures = Control Activities
• Control Objectives - The positive things that FIS managers
want to have happen.
• Control Activities - The procedures that FIS managers use to
provide reasonable assurance that
the control objectives are achieved.
10. 9 – Three Objectives of Internal Controls
• Organization, policies and procedures to help program and financial managers achieve results and safeguard the integrity of their programs.
– Ensure that what should occur in daily activities does occur.
• 3 objectives:
– Effectiveness and efficiency of operations
– Reliability of non-financial reporting
– Compliance with applicable laws and regulations
• Safeguarding of assets is a subset of these objectives
• Support performance-based management
• Incorporate into every business process
• Further, not hinder, mission accomplishment
– Cost/benefit analysis should be used when implementing controls
Goal: provide reasonable assurance that the 3 objectives are met
11. 10 - How Does the OCFO Conduct Evaluations of
OPM’s Internal Controls?
• Chapter 22 – Internal Control Program – of the OPM Financial Management Manual,
establishes the policy, requirements and responsibilities for the Office of Personnel
Management’s (OPM) Internal Control Program. The objectives of the Internal Control
Program are to:
1. Ensure OPM has effective and efficient systems of internal control as required by the
“Federal Managers’ Financial Integrity Act (FMFIA) of 1982,” revised OMB Circular A-
123, “Management’s Responsibility for Internal Control,” and related guidance.
2. Evaluate systems of internal control using existing information and day-to-day knowledge
to the maximum extent possible.
3. Provide “reasonable assurance” that OPM’s programs and functions are protected from
waste, abuse, loss, and misuse of resources.
4. Focus attention on resolving reportable conditions and “material” weaknesses in internal
control.
5. Help achieve OPM’s mission, goals, and objectives.
12. 11 - Internal Oversight and Compliance (IOC) and What Is
Their Role Regarding Non-Financial Reporting Unit Internal
Controls?
• Internal Oversight and Compliance (IOC) is an independent
organization within OPM that proactively provides internal oversight while
holding OPM officials accountable for operating effectively and efficiently
in accordance with applicable policy, regulations and other criteria as
further defined by the Director of OPM.
• IOC responds to GAO Reports, other external evaluative entities, as
applicable, and the OPM OIG that require an official response on behalf
of the OPM Director.
• IOC collaborates with FIS to select an external auditor to conduct an
audit of FIS’ Assessable Unit (AU) Internal Controls by reviewing and
auditing the Fiscal Year 2012 AU Internal Control Forms for Non-
Financial Units. It is important that the forms are carefully constructed
and reviewed.
• The completed forms are due to the IOC on September 13, 2013.
13. 12 - "The" Internal Control (IC) Flow in OPM
• 1. Federal Managers’ Financial Integrity Act (FMFIA)
1A. OMB Circular A-123 – discussed earlier
1B. OMB Circulars A-127 and A-130 – guidance on IT systems and processes
1C. GAO Standards for Internal Control in the Federal Government
• 2. Other OPM policies and procedures, such as the OPM Financial Management Manual (FMM)
• 3. OPM Associate Directors, Office Heads and IC Coordinators (generally Resource Management Officers - RMOs)
• 4. Assessable Unit (AU) Managers
• 5. All FIS Employees
14. 13 - Completing your Assessable Unit Documentation
and Performing Internal Control Reviews (ICR)
• An ICR is a detailed evaluation of existing internal controls
within an AU to determine whether necessary controls are in
place and producing the intended results. These reviews are
documented and are designed to provide reasonable
assurance in critical risk areas that the controls are effective.
• This type of periodic evaluation focuses directly on the
controls' effectiveness at a specific time. The scope and
frequency of ICRs are a function of the assessment of risks
and the effectiveness of the constant monitoring procedures.
To the extent possible, ICRs should be built into your activities
and not added on at year end. The final review should focus
on summarizing and reporting ICR results.
15. 14 – Clearly Identify What Comprises Your Assessable Units (AUs)
• Assessable Units are organized functionally
• Reviewed and updated annually with input from program managers/subject matter experts
• Supplemented by FIS-specific manuals, procedures or published business rules
• Assessable Units (AUs) have clear limits and boundaries; are small enough to be measured; are large enough to be meaningful; and provide for:
- clear lines of communication
- reporting up through the chain of command
- accurate aggregation of responsibilities
Goal: Identify control deficiencies and implement actions to minimize risks
16. 15 - What is meant by the term “Internal Controls”?
• Internal controls are the OPM and FIS policies, procedures, actions, and activities that management implements to ensure that goals and objectives are met.
• Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, which could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner.
• Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.
• Internal controls (OPM and FIS policies and procedures) are tools to help managers achieve results and safeguard the integrity of their programs; they apply to program, operational, and administrative areas, not just accounting and financial management.
17. 16 - What are the Objectives of “Internal
Controls”?
• Internal control is an integral component of an FIS’s
management that provides reasonable assurance that the
following objectives are being achieved:
- Effectiveness and efficiency of program activities
and operations
- Reliable, complete, and timely data are maintained
- Compliance with applicable laws and regulations
- Programs and resources are protected from waste,
fraud, and mismanagement
18. 17 - What Are the Legislative Requirements?
• OPM produces an Annual Financial Report (AFR) that is one in a series of reports
used to convey budget, performance and financial information to OPM’s
constituents. An AFR is a requirement of OMB Circular A-136, Financial Reporting
Requirements.
One of the responsibilities of OPM’s Office of the Chief Financial Officer (OCFO) is
to manage and oversee OPM internal control and financial policy functions which
enable the Agency to meet the objectives of the Federal Managers’ Financial
Integrity Act (FMFIA).
OPM conducts its assessment of internal control over the effectiveness and
efficiency of operations and compliance with applicable laws and regulations in
accordance with OMB Circular A-123, Management’s Responsibility for Internal
Control. Based on the results of this evaluation, OPM can provide qualified
assurance that its internal control over the effectiveness and efficiency of
operations and compliance with applicable laws and regulations and financial
management systems
19. 18 - The Role of the OPM Assessable Unit (AU)
• An Assessable Unit (AU) is the lowest level of functional
responsibility on which to be assessed, tracked, and reported.
• The AU should have a single person designated as the AU
manager. However, one person can be the manager for more
than one AU – but their name, title, and area of responsibility
should be clearly designated.
• The AU should have clearly defined objectives that tie to
OPM’s overall mission and strategic goals and objectives.
• Additionally, an AU should be defined in terms of clearly
identifiable risks, controls to help mitigate those risks, and
monitoring to ensure the effectiveness of the controls.
20. 19 - Chapter 22 – Internal Control Program – of the OPM Financial Management Manual
• Chapter 22.6 of the OPM Financial Management Manual requires annual reviews of internal controls as required by FMFIA. To meet the requirements of the annual review of internal controls, FIS should:
1. Appoint Control Owners to manage each FIS Assessable Unit’s planning, evaluating, and reporting activities related to each Business Process, Control Objective, Risk, and Control identified on the Assessable Unit Internal Control Form.
2. Complete the Assessable Unit Internal Control Form for all assessable units.
3. Develop Management Self-Assessments reflecting the timely and effective review of controls, the person conducting the review, the results of the self-assessment, and whether any corrective action is required.
4. Report the status of internal controls to the CFO to support the Director’s annual assurance to the President and Congress by means of an annual assurance statement.
5. Track progress on completing any corrective actions identified.
21. 20 - FIS Priority Goals, Outcome & Target, Strategy & Goals, Measures
• Determine where your Assessable Unit fits within the following:
22. 21- Four Sections of the AU Form
• Your internal controls are identified through the Assessable Unit
Internal Control Forms
• Section 1 – General Information
• Section 2 – Assessable Unit (AU) Internal Controls
– Subsection 2.1 AU Description
– Subsection 2.2 Major Business Processes
– Subsection 2.3 Control Objectives
– Subsection 2.4 Management Self Assessment of Risk
– Subsection 2.5 Control Activities
• Section 3 – Management Self Assessment
• Section 4 – Corrective Actions
Goal: Clear definition of the AU, major business processes,
Control objectives, what management believes are the major risks,
and the control activities management uses to manage these risks
23. 22 – The Assessable Units (AU)
• Assessable Units (AUs) - Any FIS organizational, functional, programmatic or other applicable subdivision whose internal controls are capable of being evaluated.
• An assessable unit should be a subdivision of a FIS organization (have an Org Code) with a reasonable span of control, so that adequate control analysis is possible.
24. 23 – Filling Out the Assessable Units (AU)
Form
• Provide an Assessable Unit NAME.
• Identify the NAME and TITLE of the Assessable Unit
Manager(s). These are the senior managers with primary and
direct responsibility for accomplishing a function in an assessable
unit
• Identify the NAME and TITLE of each Assessable Unit
Supervisor or Team Leader. They have responsibility for
implementing and sustaining internal controls in their assessable
unit.
• Provide a unique Assessable Unit ID.
• Identify the Performance Period – the begin and end dates that this form will cover.
25. 24 - AU Internal Control Form – Non-Financial Reporting Unit – Section 1 – General Information
• Section 1 provides the following General Information about the Assessable Unit:
The name of the FIS organization should be listed for all names, along with a contact telephone number and email.
26. 25 - Assessable Units (AU) Questions to
Consider
• How would your organization best be segmented – organizational,
functional, or program lines?
• How many segments does the organization have? Identify these segments.
Describe the objectives/function of each.
• Note again that Assessable Units (AU)-
• Have clear limits and boundaries
• Are small enough to be measured
• Are large enough to be meaningful
• Provide for
-clear lines of communication
-reporting up through the chain of command
-accurate aggregation
27. 26 – Keep in Mind How Your AU Supports OPM’s
Mission and Strategic Goals
28. 27 – Consider How Your AU Supports the OPM’s Two
Strategic Goals: Expect the Best and Hire the Best
29. 28 – Think About How Your AU Helps OPM
accomplish its Mission
• Review OPM’s Mission Statement and think about how your Assessable Unit helps OPM accomplish its mission.
30. 29 - Identify Your AU’s Customers, Partners, Products and Services
[Four-column worksheet; column headings:]
• CUSTOMERS who receive your AU’s products or services
• PARTNERS who assist in the provision of products and services by your AU
• MAJOR PRODUCTS provided
• MAJOR SERVICES provided
31. 30 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.1 – AU Description
• Section 2.1 provides an Assessable Unit Description:
Remember that the information here may be reviewed by an internal or external auditor to verify and validate the information presented. It should be written to enable a person outside of the Assessable Unit to easily comprehend who your customers and partners are and what the major services and products are.
32. 31 - Business Processes
• A business process is a set of activities - any
system used or procedures followed - that your AU
uses to provide a product and/or service to your
customer.
• A business process executes a set of actions that transform physical or informational things in the AU from an INPUT state to an OUTPUT state.
• Anything that is not a set of actions is not a business process, including a role, an organizational unit, a facility or a technology.
33. 32 - Example of a Simple Business Process
• Steps involved when a vendor sells an item to a
customer
• Several steps involved in one process.
34. 33 - Partner Involvement
• Partners are the external parties that are
involved in the business process.
• The partner (e.g. vendor, supplier, contractor,
federal agency) may provide the AU with
something (activity, product) that is part of
your business process. This should be clearly
identified.
35. 34 - AU Internal Control Form – Non-Financial Reporting
Unit – Section 2.2 – Major Business Processes
• Section 2.2 provides the following information about the Major Business
Processes:
“Descriptions” should include the names of tangible products produced or services
provided along with the “purpose” of the process. Systems Used should spell out
acronyms and Document References should include version numbers and/or dates if
possible.
36. 35 - Efficiency and Effectiveness of Processes
• HOW DO YOU ASSESS WHETHER THE OPERATIONS ARE EFFICIENT? Efficiency means how fast one can do something correctly. A test of efficiency can therefore be “# of cases completed per month or per person-day”. This shows how efficient (i.e. fast) the person is at properly completing assigned cases.
• EFFECTIVENESS is a quality metric meaning how good a person is at completing assigned cases without missing any items. If the quality target is a 0% missing-items rate, a case effectiveness metric can be “# of incomplete items identified by a reviewer in a given case / Total # of items reviewed”.
37. 36 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.3 – Control Objectives
• Section 2.3 identifies the Control Objectives of the Assessable Unit:
Please contact Business Management for the Account Code identifications. Impacts should be tied to a FIS “Strategy and Goals” and “Measures” that are part of the “Strategic Goal: Expect the Best and Hire the Best”.
38. 37 - SMART OBJECTIVES
• Specific: Use specific terms rather than vague, abstract ones
• Measurable: Include some method for objectively measuring their achievement
• Achievable: Are challenging but realistic
• Relevant: Follow the business strategy of the organization
• Timely: Specify a time period
39. 38 - What Is Meant By the Assessment of Risk?
• Risk is “the possibility that an event will occur and adversely affect the achievement of objectives,” thereby decreasing value for the AU’s customers.
40. 39 - Management Self-Assessment of Risk -
Tips
- Risks should be analyzed and assessed as to
their likelihood and impact
- Management should consider the mix of future
events, both expected & unexpected
- Useful first step – often a “brainstorming”
session with AU staff
- What is the “worst that could happen,” or the
“worst that happened?”
41. 40 - Consider Your Appetite for Risk
• Broadly defined as amount of risk an AU is
willing to accept in pursuing its objectives.
• For most government entities: risk appetite
is fairly low!
• Related is risk tolerance: “tolerable level of
variation associated w/ a particular
objective.”
42. 41 - Consider Both Inherent & Residual Risk
• Inherent – Risk without any management activity, or before controls are in place.
Example: the inherent risk that is mitigated by the payment card policies and procedures.
• Residual – The level of risk that remains after management has a plan in place to deal with the risk.
Example: the residual risk that remains after the payment card policies are in place.
43. 42 - Consider both the Likelihood and Impact of Risk
• Likelihood of Occurrence: the possibility that an event will occur, measured as “low, medium, high,” a percentage, or some frequency of occurrence.
• Potential Impact: the effect on the agency or on others.
• Risk Magnitude: Likelihood times Impact.
44. 43 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.4 – Management Self Assessment of Risk
• Section 2.4 portrays Management’s Self-Assessment of Risk for the Assessable Unit:
45. 44 - Control Activities Are Risk Responses
Control activities generally are established
to ensure risk responses are carried out.
However, control activities themselves are
risk responses.
46. 45 - Risk Assessment: Likelihood of Occurrence
♦ High Likelihood – Rating: 3 – Guideline: Very likely to occur
♦ Medium Likelihood – Rating: 2 – Guideline: May occur
♦ Low Likelihood – Rating: 1 – Guideline: Unlikely to occur
47. 46 - Risk Assessment: Degree of Impact
• High Impact - Rating: 3
Guideline: Risk occurrence (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
• Medium Impact - Rating: 2
Guideline: Risk occurrence (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
• Low Impact - Rating: 1
Guideline: Risk occurrence (1) may result in the loss of some tangible assets or resources, or (2) may noticeably affect an organization’s mission, reputation, or interest.
48. 47 - Risk Assessment: Risk Magnitude (Likelihood times Impact)
Multiply the likelihood rating by the impact rating; a product of 1–3 is Low, 4–6 is Medium, and 9 is High:
High Likelihood (3) x Low Impact (1) = Low Risk Magnitude (3)
Medium Likelihood (2) x Low Impact (1) = Low Risk Magnitude (2)
Low Likelihood (1) x Low Impact (1) = Low Risk Magnitude (1)
High Likelihood (3) x Medium Impact (2) = Medium Risk Magnitude (6)
Medium Likelihood (2) x Medium Impact (2) = Medium Risk Magnitude (4)
Low Likelihood (1) x Medium Impact (2) = Low Risk Magnitude (2)
High Likelihood (3) x High Impact (3) = High Risk Magnitude (9)
Medium Likelihood (2) x High Impact (3) = Medium Risk Magnitude (6)
Low Likelihood (1) x High Impact (3) = Low Risk Magnitude (3)
49. 48 - Control Activity Questions
• For each of the AUs, what types of policies govern the operations? Are
there documented procedures that describe the operations to be
accomplished and how to accomplish them? Reference these policies and
procedures in the form.
• How does management track the organization’s accomplishments and
compare these to its plans, goals, and objectives? How does management
compare actual results with planned or expected results and analyze
significant differences?
• What major reviews are conducted by managers and supervisors?
50. 49 - Control Activity Questions (cont’d)
• Are roles and responsibilities clearly defined and accountability
established? If so, please describe.
• How are duties assigned systematically to a number of
individuals to ensure that effective checks and balances exist?
• How are physical and data assets safeguarded?
• What type of performance measures and indicators (i.e., specific
metrics) has your organization established to measure progress in
accomplishing its objectives and goals?
• How are controls and significant events documented?
51. 50 – SINGLE AND MULTIPLE CONTROL
ACTIVITIES
• A single control activity can address
multiple risk responses or
• Multiple control activities may be needed
for one risk response.
52. 51 - Categorize Your Type of Control Activities
Types of Control Activities
o Preventive
o Detective
o Manual (People Based)
o Automated (System Based)
53. 52 - Assess Reliability of Your Control Activities
From LESS RELIABLE to MORE RELIABLE:
People Based, Detective → People Based, Preventive → Automated, Detective → Automated, Preventive
54. 53 - Preventive Control Activities
• Preventive Controls
1. Prevents errors
2. Proactive approach – frees up people
resources
55. 54 - Preventative Control Activities –
Approval/Authorizations
• Approval/Authorizations (Preventive)
– Policies and procedures
– Limits to authority
– Supporting documentation
– Question unusual items
56. 55 - Detective Control Activities – Reconciliations and
Reviews
Reconciliations (Detective)
Personnel approving or executing transactions
should not perform reconciliations.
Reviews (Detective)
Budget to Actual
Current to prior period comparisons
Performance measurements
Note the frequency of reconciliations or reviews.
57. 56 - Preventive and Detective Control Activities
• Assets Security (Preventive and Detective)
– Physical safeguards
– Record retention
– Periodic counts/Inventories
58. 57 - Types of Controls – Segregation of Duties
• Segregation of Duties (Preventive and
Detective)
– The following functions should be segregated
• Approval
• Accounting/Reconciling
• Asset Custody
59. 58 - Types of Controls – Separation of Duties
• Separation of Duties (Preventive and Detective) – Custody, recording, reconciliation and authorization should be held by different people.
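The two slides above name the functions that must not sit with one person (authorization/approval, recording, reconciliation, custody) and the reconciliation slide adds that whoever approves or executes a transaction should not reconcile it. The following is an added example, not part of the OPM deck, showing how an auditor or IC coordinator could check both conditions mechanically: a preventive check over role assignments (toxic combinations of functions) and a detective check over a transaction log. The role names, users and log entries are constructed for the example; the mapping from roles to control functions is hypothetical.

```python
"""Segregation-of-duties (SoD) checks over role assignments and a transaction log.

Added example; not code from the OPM slide deck. The four functions to keep
apart come from the slides. The role-to-function mapping, user list and log
records below are constructed for illustration.
"""
from itertools import combinations

# Every pair of these functions is an incompatible combination for one person.
SOD_FUNCTIONS = ("authorization", "recording", "reconciliation", "custody")
INCOMPATIBLE = {frozenset(p) for p in combinations(SOD_FUNCTIONS, 2)}

# Hypothetical application roles and the control function each one grants.
ROLE_FUNCTIONS = {
    "po_approver": {"authorization"},
    "ap_clerk": {"recording"},
    "gl_reconciler": {"reconciliation"},
    "warehouse_keeper": {"custody"},
    "finance_admin": {"recording", "reconciliation"},  # a toxic role by itself
}


def user_functions(assignments):
    """Collapse each user's roles into the set of control functions they grant."""
    result = {}
    for user, roles in assignments.items():
        funcs = set()
        for role in roles:
            funcs |= ROLE_FUNCTIONS.get(role, set())
        result[user] = funcs
    return result


def static_conflicts(assignments):
    """Preventive check: users whose combined roles grant an incompatible pair.

    Returns a sorted list of (user, (function_a, function_b)) findings.
    """
    findings = []
    for user, funcs in sorted(user_functions(assignments).items()):
        for pair in sorted(INCOMPATIBLE, key=sorted):
            if pair <= funcs:
                findings.append((user, tuple(sorted(pair))))
    return findings


def transaction_conflicts(log):
    """Detective check: the same person both handled and reconciled a transaction.

    `log` is an iterable of (txn_id, action, user) with action in
    {"approve", "execute", "reconcile"}. Returns sorted (txn_id, user) findings.
    """
    by_txn = {}
    for txn, action, user in log:
        by_txn.setdefault(txn, {}).setdefault(action, set()).add(user)
    findings = []
    for txn, actions in sorted(by_txn.items()):
        handlers = actions.get("approve", set()) | actions.get("execute", set())
        reconcilers = actions.get("reconcile", set())
        for user in sorted(handlers & reconcilers):
            findings.append((txn, user))
    return findings


# Constructed sample data (hypothetical users and purchase orders).
SAMPLE_ASSIGNMENTS = {
    "alice": ["po_approver"],
    "bob": ["ap_clerk", "gl_reconciler"],   # two roles that together conflict
    "carol": ["finance_admin"],             # one role that conflicts on its own
    "dave": ["warehouse_keeper"],
}
SAMPLE_LOG = [
    ("PO-1001", "approve", "alice"),
    ("PO-1001", "execute", "bob"),
    ("PO-1001", "reconcile", "carol"),
    ("PO-1002", "approve", "alice"),
    ("PO-1002", "execute", "dave"),
    ("PO-1002", "reconcile", "alice"),      # approver reconciled her own PO
]

if __name__ == "__main__":
    for user, pair in static_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"role conflict: {user} holds {pair[0]} and {pair[1]}")
    for txn, user in transaction_conflicts(SAMPLE_LOG):
        print(f"transaction conflict: {user} both handled and reconciled {txn}")
```

The static check catches conflicts created by combining otherwise-clean roles (bob) as well as roles that are toxic on their own (carol), which is the question the form's "how are duties assigned" prompt is really asking; the log check is the detective counterpart and is what an external auditor would run against a sample of transactions. Both checks should be run at the frequency noted on the form, and the output retained as evidence of the self-assessment.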
60. 59 - Effectiveness and Efficiency of Control Activities
• Control activities must be tested to ensure they are documented and that there are no weaknesses or significant deficiencies.
• Management should also ensure that control activities are carried out in a timely and frequent manner (e.g. review).
– External auditors may support management by providing assurance on the effectiveness and efficiency of control activities.
61. 60 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.5 – Control Activities
• Section 2.5 portrays the Control Activities associated with each risk for the Assessable Unit:
Categorize the “control activity” as either preventive or detective, state how it prevents and/or detects the “risk”, the “frequency” of its use, and the applicable documentation, so that an external auditor can easily trace what, where, and why.
62. 61 - Management Self-Assessment – External
Reviews
• Monitoring – External Reviews
• Does the organization undergo reviews (audits, inspections,
investigations) by outside organizations? How are results of the review
communicated up and down the organization?
• Control Activities:
- How do you ensure your controls are working? Do you build
control reviews into your normal activities? Do you keep documentation of
your control reviews?
- Have you developed corrective action plans with milestones for
controls that are not working or where additional controls are needed?
63. 62 - Management Self-Assessment Internal Reviews
(Section 3 of AU Form)
• Monitoring – Internal Reviews (Section 3 of AU Form)
• How does your organization monitor its functions, operations, projects? How
often? What is communicated up/down the organization?
• How does your organization measure progress in accomplishing its goals
and mission? How often? What is communicated up/down the organization?
• What types of self-assessments of identified control activities does your
organization perform? How often?
• How does your organization identify problem areas? What action is taken?
How is that corrective action communicated throughout the organization? Are
problems (and subsequent corrective action) routinely reported up the chain of
command?
64. 63 - AU Internal Control Form – Non-Financial Reporting Unit – Section 3 – Management Self-Assessment
• Section 3 portrays the Self-Assessment Results and any requirements for Corrective Actions associated with each risk for the Assessable Unit:
In the control title, categorize whether the control assessed was preventive or detective; document and retain the “self-assessment” process itself by describing the tests and analyses undertaken, what the results were, and whether corrective action was required.
65. 64 - Corrective Actions Are Based on the Finding of
a “Significant Deficiency” of a Control Activity
• Significant deficiencies are defined as conditions, or
combinations of conditions, that could adversely affect the
AU’s ability to initiate, record, process, and report data that
meets the following Control Objectives:
CO1 - Efficiency and Effectiveness of Operations
CO2 - Reliability of Financial Reporting
CO3 - Compliance with Laws and Regulations
CO4 - Safeguarding Assets against Waste, Fraud, Abuse and Misuse
• They are important enough to bring to the attention of management; examples include:
– Absence of appropriate separation of duties.
– Absence of appropriate reviews and approvals of transactions.
– Evidence of failure of control procedures.
66. 65 - AU Internal Control Form – Non-Financial Reporting Unit – Section 4 – Corrective Actions
• Section 4 portrays the Corrective Actions associated with each risk, the Management Actions required, Who Will Implement these Corrective Actions, and the Due Dates for Implementation for the Assessable Unit:
67. 66 - CONCLUSION
• This slide pack is intended to serve as a “reference
sheet” to examine the scope, purpose, and
underlying legal and regulatory requirements for this
audit of internal controls. Please feel free to ask the
Auditors questions and obtain clarification when
they are on site. Please send Anthony Rainey
anthony.rainey@opm.gov emails with questions,
concerns or issues you may have regarding this
“engagement”.