Z Sample CPE Tracking OMB Circular A-123 History Letter 1981 OMB - PDF document

12/14/2018 Internal Control: Ensuring Effective Quality Management of the A-123 Program Dec. 18| 2–3:50 p.m. ET | 2 CPEs | FOS: AUD #AGAwebinars 1 Z Sample CPE Tracking OMB Circular A-123 History Letter 1981 – OMB First Issued Circular No. A-123, Internal Control Systems • • 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act was • enacted • 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems • • 1986–OMB Updated A-123 to Require Management Control Plans to guide efforts • • 1995–OMB updated A-123, Management Accountability and Control to reflect GPRA, CFO Act, IG • Act • 2004 – OMB updated A-123, Management’s Responsibility for Internal Control and added Appendix A, • Internal Control Over Financial Reporting 2 1

12/14/2018 Speakers • Mike Wetklow, CGFM, CPA, Deputy Chief Financial Officer and Division Director, NSF • Mark A. Krieger, CPA, Director, Office of Finance, USPTO • Dan Kaneshiro, JD, MPA, Policy Analyst, OMB Moderator: • Daniella Datskovska, Director, TFC Consulting Inc. 3 Learning Objective Participants will learn the different tools and techniques that can be used to ensure quality for a continuous improvement A-123 programs. 4 2

12/14/2018 Learning Objective Participants will learn the different tools and techniques that can be used to ensure quality for a continuous improvement A-123 programs. 5 THE PRESIDENT’S MANAGEMENT AGENDA Modernizing Government for the 21 st Century 2018 update to Appendix A of A-123: Management of Reporting and Data Integrity Risk Association of Government Accountants Webinar December 18, 2018 Dan Kaneshiro Senior Policy Analyst OFFICE OF MANAGEMENT AND BUDGET 6 3

12/14/2018 A-123, Appendix A Update Background • Agencies need to provide reasonable assurances that correct information is reported, both internally to drive informed, risk-based decisions , and externally, for accurate, transparent reporting to the public. • In 2016, OMB issued A-123 Management’s Responsibility for Enterprise Risk Management and Internal Controls . The updated guidance requires agencies to adopt a risk-based approach towards achieving their strategic , operations , compliance and reporting objectives. • Agencies are already doing some form of internal control and risk management over reporting . One of the goals is to update Appendix A of A-123 to integrate those efforts with A-123 enterprise risk management efforts, including the development and improvement of agency risk profiles, and integration with the FMFIA assurance statement processes for internal control. • Another goal is to update Appendix A to capitalize on ERM as a management tool to provide solutions that go beyond just internal controls when developing performance, budgetary, and strategic responses to risk. 7 7 Back to Management Controls A-123 from the 1980’s and 1990’s described internal controls as including controls over programs and required agencies to provide reasonable assurance over the safeguarding of “government resources” and “assets”, not just limited to “funds.” A-123 from 1995 described internal controls as “Management Controls” The 2016 update to A-123 seeks to bring back the focus to internal controls beyond just financial controls. The 2018 update to Appendix A seeks to bring the focus from Internal Control over Financial Reporting (ICOFR) back to Internal Control over Reporting (ICOR). 8 8 4

12/14/2018 2017 Update to COSO ERM Framework The 2017 update to the COSO ERM Framework officially retired the ERM cube model, and replaced it with a DNA or Candy Wave graphic. Reporting remains a key component. Agencies must manage risk to reporting objectives. 9 9 Updated Appendix A Requirement All executive agencies are required by Circular A-123 to integrate ERM processes and internal controls , and are required to include a consideration of internal controls over reporting in their annual assurance statement . This update aligns ICOR with the existing Circular A-123 ERM efforts. As an agency’s ERM process matures , the agency risk profile may begin to identify and link some enterprise risks with formal internal controls. As this integration occurs, management must include consideration of these controls in the Circular A-123 assurance process. Aside from this one requirement, all requirements from Appendix A, associated OMB Memoranda, FAQ(s), and all other related guidance are rescinded as requirements . Management will have discretion to determine which internal control activities to retain as it relates to the agencies reporting objectives. Management will have discretion in determining how to assess, test, document and correct deficiencies in order to provide reasonable assurances over controls. 10 10 5

12/14/2018 A-123/A-11 ERM Implementation Timeline Fall ‘18 Annually, 20XX Spring ‘18 Integration with Integration with Updated Risk Management Evaluation of Strategic Reviews Profile Internal Control For those risks for which formal No less than annually, agencies Agencies must update must prepare a complete risk their risk profiles in internal controls have been profile and include required risk coordination with the identified and linked to the Risk components and elements agency Strategic Reviews. Profile in FY 2018, assurances required by this guidance. CFO Act Key findings should be on internal control processes Agencies, at a minimum, must must be presented in the made available for update their risk profiles in discussion with OMB as Agency FY 2018 Annual coordination with the agency part of the Agency Financial Report (AFR) or Strategic Review. For these Strategic Review Performance and Agencies, key findings should be meetings. Accountability Report (PAR). made available for discussion with OMB as part of the Agency Strategic Review meetings. 11 11 Temporary Requirement: Data Quality Plans Agencies who have determined they are subject to DATA Act reporting must develop and maintain a Data Quality Plan that considers the incremental risks and mitigating controls surrounding the representation of Federal spending data , in accordance with OMB Circular A-123 . Consideration of these plans must be included in agencies existing annual assurance statement over internal controls over reporting at a minimum beginning fiscal year 2019 and continuing through the statement covering fiscal year 2021 at a minimum, or until agencies determine that they can provide reasonable assurance over the data quality controls that support achievement of the reporting objective in accordance with the DATA Act . 12 12 6

12/14/2018 Important Websites for PMA, CAP Goals, ERM, Appendix A, and DATA ACT https://www.performance.gov/PMA/ https://www.whitehouse.gov/omb/management/pma/ https://www.whitehouse.gov/wp-content/uploads/2018/06/M-18-16.pdf https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf https://www.usaspending.gov/#/ https://cfo.gov/wp-content/uploads/2018/12/Data-Quality-Playbook-2018.pdf 13 PTO Case Study 14 7

12/14/2018 OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control • The policy changes in the A-123 “modernize existing efforts by requiring agencies to implement an Enterprise Risk Management (ERM) capability coordinated with the strategic planning and strategic review process established by GPRAMA, and the internal control processes required by FMFIA and Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions towards key risks . Implementation of this policy will engage all agency management , beyond the traditional ownership of OMB Circular No. A-123 by the Chief Financial Officer community. In particular, it will require leadership from the agency Chief Operating Officer and Performance Improvement Officer, and close collaboration across all agency mission and mission- support functions .” 15 POLLING Question Do you know if your agency has a specifically identified Chief Performance Improvement Office? • Yes • No 16 8

12/14/2018 ERM Prioritization Using our methodology, we focus ERM activities on Risk Profile items that could most significantly impact our objectives Activity Description Outcome Risk listing of all Identify key business risks across USPTO in a series of dimensions: Risk identified risks strategic, operational, reputational, etc. Identification Facilitate the prioritization of identified risks considering the Risk prioritization resulting in Risk Assessment & consequence on the business and likelihood of occurrence. the Risk Profile Prioritization Mitigation plan for key risks Mitigation Based on the risk profile, develop proposed mitigation strategies that and Residual Risk Planning will bring the risk to acceptable levels upon completion. assessment Risk Monitoring & Identify risk and action plan owners for implementation of suggested Status reports to drive continued Management mitigation activities and cadence for reporting. decision-making 17 Risk Assessment We use two primary conduits to gather risk information • Enterprise-wide • Formal risk capture process Annual Risk Assessment Information from both sources is evaluated through our methodology and framework Emerging Risk Capture Risk Profile • Ad hoc risk identification • Sources through topical events 18 9