
12/14/2018 1

Internal Control: Ensuring Effective Quality Management of the A-123 Program

#AGAwebinars

  • Dec. 18| 2–3:50 p.m. ET | 2 CPEs | FOS: AUD

OMB Circular A-123 History

  • 1981 – OMB First Issued Circular No. A-123, Internal Control Systems
  • 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act was enacted
  • 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems
  • 1986 – OMB Updated A-123 to Require Management Control Plans to guide efforts
  • 1995 – OMB updated A-123, Management Accountability and Control to reflect GPRA, CFO Act, IG Act
  • 2004 – OMB updated A-123, Management’s Responsibility for Internal Control and added Appendix A, Internal Control Over Financial Reporting

Sample CPE Tracking Letter

Speakers

  • Mike Wetklow, CGFM, CPA, Deputy Chief Financial Officer and Division Director, NSF
  • Mark A. Krieger, CPA, Director, Office of Finance, USPTO

  • Dan Kaneshiro, JD, MPA, Policy Analyst, OMB

Moderator:

  • Daniella Datskovska, Director, TFC Consulting Inc.

Learning Objective

Participants will learn the different tools and techniques that can be used to ensure quality for a continuous improvement A-123 program.


Dan Kaneshiro

Senior Policy Analyst

OFFICE OF MANAGEMENT AND BUDGET

THE PRESIDENT’S MANAGEMENT AGENDA

Modernizing Government for the 21st Century

2018 update to Appendix A of A-123: Management of Reporting and Data Integrity Risk

Association of Government Accountants Webinar

December 18, 2018


A-123, Appendix A Update Background

  • Agencies need to provide reasonable assurances that correct information is reported, both internally to drive informed, risk-based decisions, and externally, for accurate, transparent reporting to the public.
  • In 2016, OMB issued A-123 Management’s Responsibility for Enterprise Risk Management and Internal Controls. The updated guidance requires agencies to adopt a risk-based approach towards achieving their strategic, operations, compliance and reporting objectives.
  • Agencies are already doing some form of internal control and risk management over reporting. One of the goals is to update Appendix A of A-123 to integrate those efforts with A-123 enterprise risk management efforts, including the development and improvement of agency risk profiles, and integration with the FMFIA assurance statement processes for internal control.
  • Another goal is to update Appendix A to capitalize on ERM as a management tool to provide solutions that go beyond just internal controls when developing performance, budgetary, and strategic responses to risk.

Back to Management Controls

A-123 from the 1980’s and 1990’s described internal controls as including controls over programs and required agencies to provide reasonable assurance over the safeguarding of “government resources” and “assets”, not just limited to “funds.” A-123 from 1995 described internal controls as “Management Controls.” The 2016 update to A-123 seeks to bring back the focus to internal controls beyond just financial controls. The 2018 update to Appendix A seeks to bring the focus from Internal Control over Financial Reporting (ICOFR) back to Internal Control over Reporting (ICOR).


2017 Update to COSO ERM Framework

The 2017 update to the COSO ERM Framework officially retired the ERM cube model, and replaced it with a DNA or Candy Wave graphic. Reporting remains a key component. Agencies must manage risk to reporting objectives.

Updated Appendix A Requirement

All executive agencies are required by Circular A-123 to integrate ERM processes and internal controls, and are required to include a consideration of internal controls over reporting in their annual assurance statement. This update aligns ICOR with the existing Circular A-123 ERM efforts. As an agency’s ERM process matures, the agency risk profile may begin to identify and link some enterprise risks with formal internal controls. As this integration occurs, management must include consideration of these controls in the Circular A-123 assurance process. Aside from this one requirement, all requirements from Appendix A, associated OMB Memoranda, FAQ(s), and all other related guidance are rescinded as requirements. Management will have discretion to determine which internal control activities to retain as it relates to the agencies reporting objectives. Management will have discretion in determining how to assess, test, document and correct deficiencies in order to provide reasonable assurances over controls.


A-123/A-11 ERM Implementation Timeline

  • Spring ‘18 – Integration with Strategic Reviews: Agencies must update their risk profiles in coordination with the agency Strategic Reviews. Key findings should be made available for discussion with OMB as part of the Agency Strategic Review meetings.
  • Fall ‘18 – Integration with Management Evaluation of Internal Control: For those risks for which formal internal controls have been identified and linked to the Risk Profile in FY 2018, assurances on internal control processes must be presented in the Agency FY 2018 Annual Financial Report (AFR) or Performance and Accountability Report (PAR).
  • Annually, 20XX – Updated Risk Profile: No less than annually, agencies must prepare a complete risk profile and include required risk components and elements required by this guidance. CFO Act Agencies, at a minimum, must update their risk profiles in coordination with the agency Strategic Review. For these Agencies, key findings should be made available for discussion with OMB as part of the Agency Strategic Review meetings.

Temporary Requirement: Data Quality Plans

Agencies who have determined they are subject to DATA Act reporting must develop and maintain a Data Quality Plan that considers the incremental risks and mitigating controls surrounding the representation of Federal spending data, in accordance with OMB Circular A-123. Consideration of these plans must be included in agencies’ existing annual assurance statement over internal controls over reporting at a minimum beginning fiscal year 2019 and continuing through the statement covering fiscal year 2021 at a minimum, or until agencies determine that they can provide reasonable assurance over the data quality controls that support achievement of the reporting objective in accordance with the DATA Act.


Important Websites for PMA, CAP Goals, ERM, Appendix A, and DATA ACT

  • https://www.performance.gov/PMA/
  • https://www.whitehouse.gov/omb/management/pma/
  • https://www.whitehouse.gov/wp-content/uploads/2018/06/M-18-16.pdf
  • https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf
  • https://www.usaspending.gov/#/
  • https://cfo.gov/wp-content/uploads/2018/12/Data-Quality-Playbook-2018.pdf

PTO Case Study


OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

  • The policy changes in the A-123 “modernize existing efforts by requiring agencies to implement an Enterprise Risk Management (ERM) capability coordinated with the strategic planning and strategic review process established by GPRAMA, and the internal control processes required by FMFIA and Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions towards key risks. Implementation of this policy will engage all agency management, beyond the traditional ownership of OMB Circular No. A-123 by the Chief Financial Officer community. In particular, it will require leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission-support functions.”

POLLING Question

Do you know if your agency has a specifically identified Chief Performance Improvement Office?

  • Yes
  • No


ERM Prioritization

Activity / Description / Outcome

  • Risk Identification
      Description: Identify key business risks across USPTO in a series of dimensions: strategic, operational, reputational, etc.
      Outcome: Risk listing of all identified risks
  • Risk Assessment & Prioritization
      Description: Facilitate the prioritization of identified risks considering the consequence on the business and likelihood of occurrence.
      Outcome: Risk prioritization resulting in the Risk Profile
  • Mitigation Planning
      Description: Based on the risk profile, develop proposed mitigation strategies that will bring the risk to acceptable levels upon completion.
      Outcome: Mitigation plan for key risks and Residual Risk assessment
  • Risk Monitoring & Management
      Description: Identify risk and action plan owners for implementation of suggested mitigation activities and cadence for reporting.
      Outcome: Status reports to drive continued decision-making

Using our methodology, we focus ERM activities on Risk Profile items that could most significantly impact our objectives

Risk Assessment

Risk Profile

We use two primary conduits to gather risk information

Annual Risk Assessment

Information from both sources is evaluated through our methodology and framework

Emerging Risk Capture

  • Enterprise-wide
  • Formal risk capture process
  • Ad hoc risk identification
  • Sources through topical events


Risk Evaluation

Scoring Methodology:

  • Aggregate 1-5 scores for likelihood and consequence
  • Rank by Risk Score (product)
  • Sort and graph results
  • Discuss and evaluate highest scoring risks for potential inclusion on USPTO Risk Profile

Risk and Controls

The ERM and A-123 teams review the Risk Profile

  • What do we know about the risk?
  • What processes are impacted?
  • Do we have existing controls in place?
  • Do we need to adjust the level of controls for the given level of risk?


Risk Mapping

The teams map the risk profile to the list of key controls where applicable

  • Do we need to add additional controls?
  • Have we sufficiently mitigated this risk?

POLLING Question

  • In your agency’s most recent annual report (AFR or PAR), did the auditors report a material weakness or a significant deficiency in your IT general controls?

  • Yes, material weakness
  • Yes, significant deficiency
  • No
  • Don’t know


POLLING Question

  • Of the 24 CFO Act agencies, how many agencies do you think received a material weakness or significant deficiency with IT general controls?

  • All 24
  • 15-23
  • 6-14
  • 0-5

Example of Integration

  • Identified User Access Risk – Recognized User Access was a recurring finding and consuming significant resources
  • Discussed at Biweekly Meeting – Convened the ERM and A-123 teams to discuss and evaluate the risk and associated controls
  • Defined Risk Response Strategy – Discussed plans of action to minimize repeat findings and reduce likelihood of repeat findings
  • Allocated Resources to Mitigate – Invested in third-party review of the process and worked together to support implementation of recommendations
  • Monitored Results of Investment – Revisited source of the risk to evaluate the impact of mitigating activities


Appendix A to OMB Circular No. A-123, Management of Reporting and Data Integrity Risk

  • “OMB reexamined existing internal control reporting guidance to identify opportunities to reduce waste and burden on agencies, while balancing the need for transparency.”
  • “Prior to this update, Appendix A was prescriptive and rigorous in what agencies were required to implement in order to provide reasonable assurances over internal controls over financial reporting (ICOFR). This update balances that rigor with giving agencies the flexibility to determine which control activities are necessary to achieve reasonable assurances over internal controls and processes that support overall data quality contained in agency reports.”

Internal Controls Over Reporting

Three primary objectives of internal controls are:

  • Effective and efficient operations
  • Reliable financial reporting
  • Compliance with laws and regulations


Illustrative Relationship within Reporting Category of Objectives (per OMB M-18-16)

Internal Control Over Reporting

  • Previously included in Appendix A and retained as best practices:
      • Independent Verification and Validation (IV&V)
      • Service organization reviews
      • Acquisition assessments
      • Assessment of Internal Control Over Financial Reporting (ICOFR)
  • Also taken into account during the assessment:
      • OIG, GAO, or other Performance Audits, Reviews, and Investigations
      • Agency actions taken in response to OIG-identified top management challenges


USPTO Oversight – Risk Management Council and Senior Assessment Team (SAT)

Collaborative effort between USPTO Office of Finance and all program areas

Includes representatives from each of the business units

SAT responsibilities include:

  • Providing processes / sub-process and mapping of material financial statement line items
  • Reviewing best practices
  • Disseminating information to team members to enable them to be better prepared for internal control testing
  • Act as subject matter experts and control owners during the A-123 review to provide insight, guidance, and updates as needed
  • Bring matters of concern to attention – this way we approach it from the top-down and from the bottom-up

Current Process


Current Process - Testing

Processes and Sub-Processes for Assessment of Internal Controls over Financial Reporting

Budget Execution; Property, Plant, and Equipment (1); Budget Authority; Acquisitions (1); Apportionments; Depreciation and Amortization (1); Obligations; Disposals and Retirements (1); Leases and Leasehold Improvements (1); Treasury Management (1); Software (1); Treasury Reporting (1); Master File Maintenance (1, 2); Cash Reconciliation (1); Capitalization (1, 2); Non-Entity Assets (1); Asset Management (1); Imprest Funds (1); Fiduciary Activities (1); Financial Reporting; General Ledger Maintenance; Payroll & Employee Benefits (1); Consolidation/Adjusting, Elimination & Consolidating Entries; Payroll & Employee Master File Maintenance (1); Footnote Support & Other Supplementary Reporting; Time and Attendance (1); Financial Statement Preparation; Payroll Processing (1); GTAS Preparation; Payroll Accruals (1); General Journal Entries; Pension & Post-Retirement Benefits (1); Employee Transit Subsidy Program (1, 2); Risk Management (1); Telework Program (1, 2); Commitments & Contingencies (1); Purchasing (1); Information Systems – General & Application Controls (1); Vendor Master File Maintenance (1); Security Management (1); Requisitions (1); Access Controls (1); Purchase Orders (1); Configuration Management (1); Invoice Processing (1); Contingency Planning (1); Cash Disbursements (1); Segregation of Duties (1); Accruals (1); Travel (1); Purchase Card Transactions (1); Prepayments (1, 2); Training (1, 2); Employee Reimbursement (1, 2); Revenues (1); Conferences (1, 2); Pricing (1); Billing (1); Reimbursable Agreements (1); Refunds Processing (1); Receipts Processing (1); Accounts Receivable (1); Revenue Recognition (1); Parking Collections (1); Deposit Accounts (1)

Systems within Scope: RAM, Momentum, EAMS

(1) Will be tested at transaction level in FY18
(2) USPTO-specific sub-processes and not reflected on the DOC process templates.

**Limited procedures will be performed on the remaining items including risk assessments, documentation updates, and control certifications.**

Current Process – Peer Review

  • Rated high for workpaper review
  • USPTO cycle memos were requested for presentation as a standard to follow to OFM by the Peer Review team
  • USPTO performed all corrections recommended by Peer Review team


In closing …

It’s an iterative process that will continue to evolve and improve over time

NSF Case Study


Restoring Trust In Government with OMB A-123

DHS 2010 Performance Accountability Report Excerpt


Today’s Financial Management Environment

  • MBA enrollment is down again. What’s the future of the degree?
  • Audit dead in a decade?
  • Prepare accounting students for working with data analytics

Looking to the Future

  • Dealing with the proliferation of data
  • Leveraging artificial intelligence and automation
  • Managing the cost of risk management
  • Building stronger organizations


Federal Governance Environment

Traditional FM Management Maturity Model Example

Start up/Turnaround vs. Realignment/Sustaining Success

A new maturity model is needed


The ABCDs of Technology

DFM 2026 Plan

Shift from: Low Value As Is Good

To: High Value to Be Great


A is for Artificial Intelligence/Automation

  1. NSF participation in Treasury Innovation Program
  2. RPA Tools Selected
  3. DFM Pilots in Process – NSF’s first robot IPP-88 (named after IG-88) went into production on 12/4
  4. Infrastructure Platforms in Process
  5. Center of Excellence and Governance Model in Progress
  6. Ongoing NSF RPA Program Under development

B is for Blockchain

  1. NSF participation in GSA Innovation Program and OMB-Treasury Blockchain Project
  2. Exploring the hypothesis that implementing a blockchain solution has the potential to improve the grants payment process and spending information sharing. Identify:
      • Impacts to grants management functions/activities related to grant recipient payments and reporting spending information
      • Impacts to financial management functions/activities performing grant payment processes and reporting payment disbursement information
      • Programmatic, economic, organizational, technical, and operational implications for the Federal agency and grant recipient entities overseeing, managing, or using the grant payment blockchain solution
  3. Develop recommendations should the Federal government seek to pursue a grant payment blockchain solution


C is for Cybersecurity

  1. NSF eliminated and sustained progress on recent information technology security significant deficiency
  2. NSF was one of first agencies certified as FedRAMP compliant
  3. In 2018 NSF implemented an SSAE 18 service provider report reducing workload while simultaneously strengthening iTrak financial system security
  4. There is no space between OCFO/DFM and OCIO/DIS teams.

D is for Data Analytics

  1. NSF built a Data Warehouse
  2. NSF participation in development of PMA Data Strategy and CFOC Data Quality Playbook
  3. DFM Pilots – Charge Cards, Financial Assistance Model

  • Identify hidden relationships
  • More efficient ability to assess internal control continuously
  • Analyze transactions in less time and more cost effective than traditional testing


Prepare for the Future!

  1. Deal with the proliferation of data
  2. Leverage AI and automation
  3. Manage the cost of risk management
  4. Build a stronger organization
  5. Do it for your people
