FMFIA and Internal Controls

1
FMFIA and Internal Controls

• NOAA Finance Conference May 10, 2007

2
Outline

• Purpose
• Internal Controls (I/C)
• Legislative Requirements for (I/C)
• OMB Circular A-123
• OMB Circular A-136
• Audit and Internal Control Process
• Reporting Requirements
• Audit and Internal Control Finding Process

3
Purpose

• To provide an understanding of FMFIA and internal
  controls and why they are important to all NOAA
  staff (not just the accountants).
• Also, provide an understanding of the financial
  reporting requirements and annual audit process.

4
Internal Controls
5
So what are Internal Controls?

• An integral component of an organizations
  management that provides reasonable assurance
  that the following objectives are being achieved
• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.

6
So what are Internal Controls?

• Internal Controls ensure that what should happen
  does happen!
• Policy
• Procedures
• Authorizations
• Chain of custody
• Devices (locks)

7
So what are Internal Controls?

• Managements first line of defense in preventing
  or detecting noncompliance or abuse.

8
Why are Internal Controls Important?

• They help ensure proper accountability for
• Validity and reliability of data
• Efficiency and economy of all activities
• Compliance with laws and regulations
• Achievement of agency objectives, and
• Safeguarding of assets.

9
Why are Internal Controls Important?

• Controls are fundamental to the successful
  accomplishment of your mission.

10
How am I responsible?

• Management is responsible for having an effective
  system of internal controls, but we all have a
  role in the effective implementation of these
  controls.
• People are what make internal controls work.

11
Types of Internal Controls

• 1. Managerial
• Include overall policy, planning internal
  review functions.
• 2. Program/Operational
• Involve agency activities that relate to the
  mission or role of the agency/program.
• These controls focus on program performance and
  economy and efficiency of operations.

12
Types of Internal Controls

• 3. Accounting
• Relates to the safeguarding assets and the
  reliability of financial reports.
• 4. Administrative
• Applies to actions leading to the authorization
  of transactions and events based on compliance
  with established policy and procedures.

13
Types of Internal Controls

• 5. Financial
• Applies to activities and processes involving the
  authorization and payment or collection of money.
• The focus is on the accountability of funds,
  authorization, and safeguards to protect money.

14
Internal Control Environment

• General Control Activities
• Reasonable Assurance
• Balance between cost and benefit of a control.
• Supportive Attitude
• Positive and supportive attitude towards
  controls.
• Competent Personnel
• Personnel have the skills and knowledge to
  perform their job.

15
Internal Control Environment

• Control Objectives
• The purpose of the control and the specific
  targets to be achieved are clearly understood.
• What is the control trying to prevent?
• Control Techniques
• Mechanisms used to achieve control objectives.
• Testing is conducted on control objectives to
  determine if the objective is effective and
  efficient.

16
Internal Control Environment

• Control Techniques consist of
• Documentation
• Written policies and procedures.
• Recording of transactions
• Accurate and timely recording of transactions.
• Execution of transactions
• Authorized and executed by persons acting within
  the scope of their authority.

17
Internal Control Environment

• Segregation of Duties
• No individual should control over all aspects of
  a transaction or event.
• Supervision
• Work should be reviewed and approved by person
  other than the preparer.
• Security
• Physical control over vulnerable assets
• Limit access to authorized individuals
• Periodic reviews/inventories to account for
  resources.

18
Internal Control Environment
Internal Control Activities
General Control Activities
Specific Control Activities

• Reasonable Assurance
• Supportive Attitude
• Competent Personnel
• Control Objectives

• Documentation
• Recording of Transactions
• Execution of Transactions
• Segregation of Duties
• Supervision
• Security

• Control Techniques

19
Key Points

• People are what make internal controls work.
• We all have a responsibility for internal
  controls.
• The cost of an internal control should not exceed
  the benefit derived from the control.
• The Internal Control Environment sets the tone
  for the organization.
• It determines how efficient and effective the
  controls will be in safeguarding assets,
  deterring waste, fraud, abuse and mismanagement.

20
Legislative Requirement for Internal Controls
21
Legislative Requirements

• Key Legislation
• Federal Managers Financial Integrity Act (FMFIA)
  of 1982 (Integrity Act)
• Agency heads must annually evaluate internal
  controls and report
• Section 2 Assurance on overall adequacy and
  effectiveness of internal controls within the
  agency and on financial reporting.
• Section 4 Whether financial management systems
• conform to government-wide requirements
• Implemented by OMB Circular A-123

22
Legislative Requirements

• Key Legislation
• Chief Financial Officers Act of 1990 (CFO Act)
• Executive Branch departments, agencies, and
  entities required to submit audited financial
  statements and interim financial statements.
• Implemented by OMB Circular A-136.

23
OMB Circular A-123
24
OMB Circular A-123

• Prescribes policies and standards for evaluating,
  improving, and reporting on internal controls.
• Implements the Federal Managers Financial
  Integrity Act (FMFIA) of 1982 (Integrity Act)
• Agencies must annually evaluate and report on
• Section 2 -Adequacy and effectiveness of internal
  controls
• Section 4 Financial management systems

25
Whats new?

• Major revision to A-123, December 2004
• Addition of Appendix A
• Requires a separate assurance statement on the
  effectiveness of the internal controls over
  financial reporting.
• Requires management to perform direct testing of
  the internal controls in place in order to
  support the new assurance statement.
• New assurance statement as of June 30 will be
  part of the Performance and Accountability Report
  (PAR) which includes agency performance measures
  and audited financial statements as of September
  30.

26
Why was A-123 revised?

• Passage of Sarbanes-Oxley Act of 2002 (SOX)
• Requires that management of publicly-traded
  companies strengthen their processes for
  assessing and reporting on internal controls over
  financial reporting.

27
Why was A-123 revised?

• SOX served as the push for the Federal government
  to re-evaluate its current policies relating to
  internal controls over financial reporting and
  managements responsibilities.
• No government wide policy concerning audits of
  federal internal controls.

28
Why was A-123 revised?

• Empty Clean Opinions
• Intent of the CFO Act was that annual financial
  statements would flow from, and be a routine
  by-product of an effective system of internal
  controls.
• Years of preparing financial statements have
  shown that this is not a reality.
• Heroic efforts to manually compile financial
  statements because financial systems are unable
  to produce financial statements.

29
Why was A-123 revised?

• No consistency between agencies as to type of
  internal control audits and opinion issued by
  auditors.
• Only eleven of the 24 CFO agencies reported an
  audit of internal controls.
• Audit opinions referenced a variety of internal
  control criteria.

30
OMB Circular A-136
31
OMB Circular A-136

• Provides guidance on financial reporting for
  Executive Branch departments, agencies, and
  entities.
• Establishes requirement to submit
• audited financial statements,
• interim financial statements, and
• Performance and Accountability Reports (PAR)
  under the Chief Financial Officers Act of 1990
  (CFO Act).

32
Key Points

• OMB Circular A-123 implements FMFIA
• Annual assertion on adequacy and effectiveness of
  internal controls.
• OMB Circular A-136 implements the CFO Act
• Quarterly financial statements
• Annually, independent audit of agency financial
  statements

33
Audit and Internal Control Process
34
Audit and Internal Control Process

• Annual audit and internal control process which
  consists of
• FMFIA Program Reviews (OMB-123)
• Program Internal Control Reviews
• Management Control Reviews
• OMB A-123, Appendix A Reviews
• Financial statement audit by KPMG (OMB-136)

35
Audit and Internal Control Process

• 
  

CFO Act of 1990
FMFIA
PAR
Audit Process
Internal Control Process
OMB A-136
OMB A-123 Appendix A
OMB Circulars
36
Audit and Internal Control Process

• FMFIA Program Reviews (OMB A-123)
• Test internal controls related to a non-financial
  program or process.
• Requires testing internal controls over financial
  reporting (OMB A-123, Appendix A).
• Annual Financial Statement Audit (OMB A-136)
• Annual Departmental audit by KPMG
• Conducts the audit on behalf of the DOC Office of
  Inspector General.

37
Audit and Internal Control Process

• FMFIA Program Reviews (OMB A-123)
• Program Internal Control Review
• Management Control Review (MCR)

38
Audit and Internal Control Process

• FMFIA Program Reviews (OMB A-123)
• Program Internal Control Review
• Comprehensive look at the internal controls for a
  selected program.
• Conducted by the Financial Policy Compliance
  Division/Office of the CFO.
• Independence from program area.

39
Audit and Internal Control Process

• Program Internal Control Review
• Reviewing background information and document the
  process cycle under review.
• Analyzing the control environment.
• Organizational structure,
• Policy and procedures,
• Planning, and
• Organizational checks and balances.

40
Audit and Internal Control Process

• Program Internal Control Review
• Testing internal controls.
• Focuses on written requirements and actions.
• Testing verifies that actions have been taken as
  planned.
• Evaluating the Internal Controls
• What did the evidence tell us?
• Is there compliance with the policy and
  procedures?

41
Audit and Internal Control Process

• Program Internal Control Review
• Report findings.
• Make recommendations and request corrective
  actions.
• OCFO monitor corrective actions on a quarterly
  basis.
• Corrective actions will be reviewed by internal
  auditor for completeness.

42
Audit and Internal Control Process

• Management Control Review
• Evaluate internal controls of a specific activity
  (within a program or process).
• Guidance issued by Financial Policy Compliance
  Division/Office of the CFO.
• Available on the Finance Office web site.
• http//www.corporateservices.noaa.gov/finance/Int
  ernal20Controls.html

43
Audit and Internal Control Process

• Management Control Review
• Conducted by Line and Staff Offices
• Self-assessment of their internal controls.
• Allows management to determine if
• A positive and supportive environment exists
• Laws, regulations, policies and procedures are
  being followed as directed
• Internal controls exist and they are cost
  effective and
• Corrective actions are needed.

44
Audit and Internal Control Process

• Management Control Review
• Steps for conducting a MCR consists of
• Conducting a risk assessment
• Reviewing internal controls
• Reporting findings and
• Monitoring
• Developing corrective action plan,
• Implementing corrective actions, and
• Reporting progress to OCFO.

45
Key Points

• FMFIA Program Reviews (OMB-123) consist of
• Program Internal Control Reviews (CFO)
• Management Control Reviews (LO/SO)
• Annual financial statement audit (OMB-136)
  conducted by KPMG.
• Independent CPA firm contracted by OIG.

46
Reporting Requirements
47
Reporting Requirements

• Annual audit and internal control process which
  consists of
• FMFIA Program Reviews (OMB-123)
• Program Internal Control Reviews
• Management Control Reviews
• OMB A-123, Appendix A Reviews
• Financial statement audit by KPMG (OMB-136).

48
Reporting Requirements

• FMFIA Program Reviews (OMB A-123)
• Program Internal Control Reviews (OCFO)
• Written report issued by July 31 (or sooner).
• Draft report issued to program area for comments
  before Final report is issued.
• Final report sent to Line Office CFO and Program
  area.
• Departmental data call August/September.
• Included in the FMFIA Report as of September 30.
• Quarterly monitoring of corrective actions.

49
Reporting Requirements

• FMFIA Program Reviews (OMB A-123)
• Management Control Reviews (LO/SO)
• Completed by June 30 with written report issued
  by July 31.
• Data call by DOC August/September
• FMFIA Report as of September 30.
• Quarterly monitoring of corrective actions.

50
Reporting Requirements

• OMB A-123, Appendix A
• Completed August 31 for internal control in place
  as of June 30.
• Assurance statement dated September 30.
• Included in the PAR as of September 30.
• Quarterly monitoring of corrective actions.

51
Reporting Requirements

• Financial Statement Audit
• Quarterly financial statements submitted to DOC
  by
• 1st Quarter January 11
• 2nd Quarter April 11
• 3rd Quarter July 11
• 4th Quarter October 11

52
Reporting Requirements

• Financial Statement Audit
• Audit conducted by KPMG April to November.
• Opinion issued on the financial statements as of
  September 30.
• PAR issued by November 15 (includes auditor
  opinion).

53
Reporting Requirements
Financial Audit (KPMG) (OMB A-136)
FMFIA Program Reviews (OMB A-123)
OMB A-123 Appendix A

• 
  

NOAA FMFIA Report
DOC Financial Statements
DOC FMFIA Report
DOC Performance Accountability Report (PAR)
DOC Appendix A Assurance Stmt.
54
Audit and Internal Control Finding Process
55
Audit and Internal Control Findings Process

• FMFIA Program Reviews (OMB-123)
• Program Internal Control Reviews
• Findings issued by NOAA CFO and monitored by the
  Financial Policy Compliance Division
  (FPCD)/OCFO.
• Quarterly monitoring.
• Request for updates on progress to remedy finding
  sent out by the15th of the month following the
  end of a quarter.  The due date is two weeks
  later.

56
Audit and Internal Control Findings Process

• Management Control Reviews
• Findings issued by LO/SO.
• Monitored by both FPCD/OCFO and LO/SO.
• Quarterly monitoring.
• OMB A-123, Appendix A Reviews
• Findings issued by NOAA CFO and monitored by
  FPCD/OCFO.
• Quarterly monitoring.

57
Audit and Internal Control Findings Process

• Annual Financial Statement Audit
• KPMG issues draft Notice of Finding
  Recommendation (NFR)
• Verify factual accuracy as much as possible
  before issuance of NFR form
• Distribute (simultaneously) to
• Bureau liaison (OCFO)
• Commerce Office of Inspector General (OIG)
• Commerce Office of Financial Management (OFM)

58
Audit and Internal Control Findings Process

• Annual Financial Statement Audit
• Response requirements to NFR by Responsible Party
• In written format within one week of distribution
  
• Signed and dated
• Supporting documentation provided for disagree
  responses
• KPMG replies to disagree responses in written
  format within one week of receipt of response
• KPMG does not have to accept a non-concurrence
  response to a NFR.

59
Audit and Internal Control Findings Process

• Corrective Action Plans (CAPs)
• Once the Internal Control or Management Letter
  has been issued, a CAP needs to be developed for
  all findings.
• CAPs need to address the finding even though you
  still may not agree with the finding.

60
Audit and Internal Control Findings Process

• Developing Corrective Action Plans (CAPs)
• Use format provided with Internal Control or
  Management Letter.
• Clearly state actions to be taken to remedy the
  finding with corresponding dates.
• Provide overall date of completion.
• Monitoring by FPCD/OCFO.
• FMFIA Program Reviews quarterly.
• OMB 123, Appendix A quarterly.
• Annual Financial Audit (KPMG) monthly.

61
Annual KPMG Audit Process
June - Nov
Nov - Dec
Jan - June
Draft Mgmt. Letter
Corrective Action Plan (CAP)
KPMG Auditor
Draft Notice of Finding (NFR)
Comment Period
Implement Corrective Actions
Monthly Updates to CFO
Comment Concurrence Period
Final Mgmt. Letter
NOAA A-123 Auditor
KPMG Auditor
Final NFR
Review
62
Key Points

• Corrective Action Plan (CAP) must be developed
  for findings.
• FMFIA Program Reviews quarterly monitoring
• Annual audit (management letter) monthly
• KPMG does not have to accept a non-concurrence
  response.
• The time to request changes to a finding is when
  it is presented too late after the issuance of
  the final report or management letter.

63
How can I learn more?

• OMB Circular A-123
• http//www.whitehouse.gov/omb/financial/offm_circu
  lars.html
• Implementation Guide for OMB Circular A-123
  Appendix A
• http//www.cfoc.gov/documents/Implementation_Guide
  _for_OMB_Circular_A-123.pdf

64
How can I learn more?

• OMB Circular A-136
• http//www.whitehouse.gov/omb/circulars/a136/a136_
  revised_2006.pdf
• GAO Standards for Internal Control in the
  Federal Government http//www.gao.gov/special.p
  ubs/ai00021p.pdf

65
Questions?