Applying Internal Controls Using the New Green Book - GFOA-PA

Applying Internal Controls
Using the New Green Book
Jennifer CruverKibi, CPA
Presentation Highlights
1. Internal control basics
2. What is the Green Book and why should it
be used?
3. Breaking down the Green Book
4. How to apply the Green Book with limited
staffing
2
Internal Control Basics
 Internal control is a process used by
management to help an entity achieve its
objectives.
 Internal control helps an entity:
- Run its operations efficiently and effectively
- Report reliable information about its operations
- Comply with applicable laws and regulations
3
1
Internal Control Basics
 Management’s objectives
- Operate effectively and efficiently
- Provide reliable financial reporting
- Comply with applicable laws and regulations
 Internal controls = practical tools to ensure
these objectives are met
- How can management reasonably assert it is
meeting its objectives?
4
Internal Control Basics
 There are inherent limitations on internal
control:
- The cost of controls should not exceed their benefits
- Risk of “management override”
- Risk of collusion to circumvent controls
5
Internal Control Basics
 Internal control is a process driven by
management and employees. Responsibility of
internal control is as follows:
- Primary = Management (key beneficiary)
- Ultimate = Board
- Indirect = Independent Auditor
6
2
Internal Control Basics
 Predisposition to fraud
= The Fraud Triangle
- Only element employers
can control is
opportunity
- Poor internal control
creates opportunity for
fraud
7
What is the Green Book?
 Released by GAO – Standards for Internal
Control in the Federal Government 2014
Revision.
- www.gao.gov/greenbook
 Provides standards for management and
criteria for auditors
 Revision is first since 1999 and continues to set
the standards for an effective internal control
system for federal entities.
8
What is the Green Book?
 Supersedes previous GAO’s version and
effective beginning fiscal years 2016 for Federal
Managers’ Financial Integrity Act reports
covering that year.
 Adopted key concepts from the 2013 COSO,
Internal Control – Integrated Framework, and
adapts them for a government environment.
9
3
What is the Green Book?
 Presents 17 new principles, arranged by 5
components, that elaborate on management
responsibilities in implementing and overseeing
an effective internal control environment.
 Establishes:




Definition of internal control
Categories of objectives
Components and principles of internal control
Requirements for effectiveness
10
Why Consider Using the Green Book?
 While Green Book is specifically applicable to federal
entities, it may be applied to state and local
governments as a framework for internal control
system.
 Uniform Administrative Requirements, Cost Principles,
and Audit Requirements for Federal Awards) identifies
Green Book as best practice for organizations for
meeting requirement of establishing and maintaining
effective internal control that provides assurance that
entity is managing federal awards in compliance with
regulations and terms and conditions of federal awards.
11
Why Consider Using the Green Book?
• All 17 principles apply to both large and small entities,
so may choose to apply Green Book standards as a
framework for an internal control system.
• Written for government
• Leverages the COSO Framework
• Uses government terms
• Smaller entities may have different implementation
approaches than larger entities.
• Provides standards for management
• Provides criteria for auditors
12
4
13
Breaking Down the Green Book
 What is internal control in Green Book?
- OV1.01: internal control is a process affected by an
entity’s management that provides reasonable assurance
that the objectives of an entity will be achieved.
 What is an internal control system in Green Book?
- OV1.04: an internal control system is a continuous built-in
component of operations, effected by people, that
provides reasonable assurance, not absolute assurance,
that an organization’s objectives will be achieved.
14
Breaking Down the Green Book
15
5
Breaking Down the Green Book
16
Breaking Down the Green Book:
Control Environment
 1. The oversight body and management should
demonstrate a commitment to integrity and ethical
values.
- Tone at the top
- Standards of conduct
- Adherence to standards of conduct
 2. The oversight body should oversee the entity’s
internal control system.
- Oversight structure
- Oversight for the IC system
- Input for remediation of deficiencies
17
Breaking Down the Green Book:
Control Environment
 3. Management should establish an organizational
structure, assign responsibility, and delegate
authority to achieve the entity’s objectives.
- Organizational structure
- Assignment of responsibility and delegation of
authority
- Documentation of IC system
18
6
Breaking Down the Green Book:
Control Environment
 4. Management should demonstrate a commitment to
recruit, develop, and retain competent individuals.
- Expectations of competence
- Recruitment, development, and retention of individuals
- Succession and contingency plan and preparation
 5. Management should evaluate performance and hold
individuals accountable for their internal control
responsibilities.
- Enforcement of accountability
- Consideration of excessive pressures
19
Breaking Down the Green Book: Risk
Assessment
 6. Management should define objectives clearly to
enable the identification of risks and define risk
tolerances.
- Definitions of objectives
- Definitions of risk tolerances
 7. Management should identify, analyze, and respond to
risks related to achieving the defined objectives.
- Identification of risks
- Analysis of risks
- Response to risks
20
Breaking Down the Green Book: Risk
Assessment
 8. Management should consider the potential for fraud
when identifying, analyzing, and responding to risks.
- Types of fraud
- Fraud risk factors
- Response to fraud risks
 9. Management should identify, analyze, and respond to
significant changes that could impact the internal control
system.
- Identification of change
- Analysis of response to change
21
7
Breaking Down the Green Book:
Control Activities
 10. Management should design control activities to
achieve objectives and respond to risks.
- Response to objectives and risks
- Design of appropriate types of control activities – common
categories are:
•
•
•
•
•
•
•
•
Top-level reviews of actual performance
Reviews by management at the functional or activity level
Management of human capital
Controls over information processing
Physical control over vulnerable assets
Establishment and review of performance measures and indicators
Segregation of duties
Proper execution of transactions
22
Breaking Down the Green Book:
Control Activities
 10. Management should design control activities to
achieve objectives and respond to risks (Continued).
- Design of appropriate types of control activities common
categories (Continued):
• Accurate and timely recording of transactions
• Access restrictions to and accountability for resources and records
• Appropriate documentation of transactions and internal control
- Design of control activities at various levels
• Entity-level controls
• Transaction controls
- Segregation of duties
23
Breaking Down the Green Book:
Control Activities
 11. Management should design the entity’s information
system and related control activities to achieve
objectives and respond to risks.
- Design the entity’s information system
• Does the system meet entity’s objectives and risks?
• Does the system meet operational process’s information
requirements?
• Does the system meet information processing objectives ?
 Completeness
 Accuracy
 Validity
24
8
Breaking Down the Green Book:
Control Activities
 11. Management should design the entity’s information
system and related control activities to achieve
objectives and respond to risks (Continued).
- Design appropriate types of control activities
• General controls





Security management
Logical and physical access
Configuration management
Segregation of duties
Backup and recovery
• Application controls
 Use of IT to initiate, authorize, record, process, and report
transactions
25
Breaking Down the Green Book:
Control Activities
 11. Management should design the entity’s information
system and related control activities to achieve
objectives and respond to risks (Continued).
- Design of IT infrastructure
- Design of security management
- Design of IT acquisition, development, and maintenance
26
Breaking Down the Green Book:
Control Activities
 12. Management should implement control
activities through policies.
- Documentation of responsibilities through policies
- Periodic review of control activities
27
9
Breaking Down the Green Book:
Information and Communication
 13. Management should use quality information to
achieve the entity’s objectives.
- Identification of information requirements
- Relevant data from reliable sources
- Data processed into quality information
 14. Management should internally communicate the
necessary quality information to achieve the entity’s
objectives.
- Communication throughout the entity
- Appropriate methods of communication
28
Breaking Down the Green Book:
Information and Communication
 15. Management should externally
communicate the necessary quality information
to achieve the entity’s objectives
- Communication with external parties
- Appropriate methods of communication
29
Breaking Down the Green Book:
Monitoring
 16. Management should establish and operate
monitoring activities to monitor the internal control
system and evaluate the results.
- Establishment of a baseline
- IC system monitoring
- Evaluation of results
 17. Management should remediate identified internal
control deficiencies on a timely basis.
- Reporting of issues
- Evaluation of issues
- Corrective actions
30
10
Other Considerations: Service
Organizations
 Management still retains responsibility for the
performance of processes assigned to service
organizations.
 Therefore, management needs to determine extent of
oversight. Some considerations are:
- The nature of services outsourced
- The service organization’s standards of conduct and internal
controls
- The quality and frequency of the service organization’s
enforcement of adherence to standards of conduct by its
personnel
31
How to Apply Green Book: Control
Environment
 Tone at the Top
-
Corporate culture = honesty and integrity
Policy and practice should match
Swift and appropriate disciplinary action
NO “see no evil, hear no evil”
 Assign responsibility
- Hold people accountable, with reasonable expectations
- Ensure responsibilities are effectively communicated to
employees
- Documentation of responsibilities are important, especially for
succession planning
32
How to Apply Green Book: Control
Environment
 Recruit and develop
- Be selective with hiring
• Do they fit corporate culture?
• Mandatory background checks
• Education degrees
- Keep up-to-date job descriptions
- Provide frequent and relevant training
- Meaningful review of performance periodically
33
11
How to Apply Green Book: Risk
Assessment
 Have well-defined objectives
 Evaluate changes in operating environment and assess
effects on internal controls:
-
New information system/changes in technology
Rapid growth in programs/increased demand in services
New departments, programs or services
New accounting pronouncements
 Don’t forget about FRAUD risks!!
34
How to Apply Green Book: Control
Activities
 Segregation of duties is very important and there is no
“one size fits all”. Some considerations for small staff:
- Consider using Governing body/Finance Committee as a
resource
- Consider involving non-finance personnel or even
volunteers/interns, but make sure to adequately train them
- Consider “delegating up” for top level reviews, just ensure
adequate training (consider KISS principle)
- Consider rotating duties and cross-training
- Perform analytical reviews
- Watch out for workload overload
35
How to Apply Green Book: Control
Activities
 Other considerations
- IT security
•
•
•
•
-
Cyber criminals are not picky!
Computer and mobile device security
Password policy
Data encryption
Use of 3rd party vendors
Consider use of positive pay for disbursements.
Dual signature for check signers and check sequencing
Always lock up cash
36
12
How to Apply Green Book: Control
Activities
 Examples of segregation of duties: Receipts
-
Billing
Recording revenue in the accounting records
Receipt of payments
Initial recording of collections
Preparation of deposits and timely cash deposits
Posting of receipts in the accounting records
Timely reconciliation of bank statement
Reconciling accounts receivable sub ledger with general ledger
37
How to Apply Green Book: Control
Activities
 Other Financial Controls over Receipts
-
Immediate restrictive endorsement of checks rec’d
Timely depositing of funds rec’d
Locking up undeposited funds
Additional safeguards:
• Security cameras
• Security personnel
- Cash receipts log or equivalent
• Periodic reconciliation to deposits
• Periodic reconciliation to accounting records
38
How to Apply Green Book: Control
Activities
 Examples of segregation of duties: Disbursements
-
Purchase request
Purchase authorization
Receiving
Recording of accounts payable
Approval of vendor invoices
Check writing (or initiation of electronic transfer)
Recording of disbursements and relief of accounts payable
Delivery of checks to vendors
Reconciliation of bank account
39
13
How to Apply Green Book: Control
Activities
 Other Financial Controls over Disbursements
- Limiting access to credit cards and regular monitoring of usage
- Have written policies on credit card usage and make sure
policies are in practice
- Pre-numbered checks in sequential order
- Prohibit advance signing of checks
- Limiting or prohibiting signature stamps (locked when not in
use)
- Prohibiting the writing of checks made payable to cash
- Updating authorized signature cards
40
How to Apply Green Book: Control
Activities
 Other Financial Controls over Disbursements (Cont’d)
-
Proper physical security over unused checks
Appropriate authorization prior to check preparation
Properly training those with authorization ability
Requiring two signatures
Mailing checks promptly after signature
Lock up checks held overnight
Properly voiding checks
Writing off old checks
41
How to Apply Green Book: Control
Activities
 Examples of segregation of duties: Payroll
-
Authorization of pay rates and changes
Entering master employee data into the payroll system
Authorizing timekeeping information
Processing payroll
Distributing payroll
Transferring funds to the payroll bank account
Reconciling the payroll bank account
Posting payroll to the general ledger
42
14
How to Apply Green Book: Control
Activities
 Other Financial Controls over Payroll
- Policies and procedures for timekeeping and payroll
processing
- Utilizing a separate bank account for payroll
- Proper physical security over unused payroll checks
- Pre-numbered checks in sequence
- Holding unclaimed payroll checks
- Detailed payroll register
43
How to Apply Green Book: Control
Activities
 Other Financial Controls over Payroll (Cont’d)
- Timesheets/timecards
- Review and approval of payroll tax returns
- Review the posting of payroll from the payroll
register to general ledger
- Authorization of salaries by designated official
44
How to Apply Green Book: Information
and Communication
 Communicate where policies and procedures
are maintained
 Communicate expectations and job
responsibilities
 Communication should be multi-directional
 Formal whistleblower policy
 Fraud tip hotline
45
15
How to Apply Green Book: Monitoring
 Monitoring should be routine and ongoing
- Always question whether the controls are functioning
as they are designed/intended
 Resolve issues as they arise! Two options:
- Fix the problem (control)
- Eliminate the problem (control)
46
Contact Information
Jennifer CruverKibi, CPA
Senior Manager
(717) 232-1230
[email protected]
47
16