Assessment of Internal Control Over Financial Reporting

1
Assessment of Internal Control Over Financial
Reporting

• Presented byAnnie Walker-Bradley Michael A.
  Fiene

2
Agenda

• Where Weve Been. Where Were Going
• FY 2009 General Computer Controls
• Fun With Internal Control

3
Where Weve Been. Where Were Going
Office of the Chief Financial Officer
2
4
Year 1 FY 2006

• Accomplishments
• Organized Governance Structure (AIT, SAT, SMCC)
• Obtained Contract Support Services
• Established a documentation repository
  Quickplace (now ADTS)
• Determined Materiality Quantitative and
  Qualitative
• Determined Scope
• Conducted Interviews, Walkthroughs Testing
• Established USDA A-123 Assessment Process
• Uncovered Reportable Findings
• Provided Periodic Reports to OMB
• Fully Complied with the Requirements of the
  Circular in Year 1

5
Year 2 FY 2007

• Accomplishments
• Established IT Weakness Executive Steering
  Committee
• Developed New A-123 Deliverables Tracking
  System (ADTS)
• Provided Web-based Training
• Implemented Revised Definitions for Material
  Weakness, Significant Deficiency and Control
  Deficiency
• Conducted the Assessment at the Cycle level vs
  Process
• Standard control objectives for each cycle and
  its underlying processes were established
• General computer control objectives based on
  FISCAM and linked to NIST 800-53 control families
• Structured decision tree analysis for the Summary
  of Aggregated Deficiencies (SAD)
• Commenced Remediation of Prior Year Reportable
  Findings
• Revised the Corrective Action Plan (CAP) Process
  Guide

6
Year 3 FY 2008

• Accomplishments
• Enhanced ADTS
• Began Rotational Testing
• Improved the Standard Forms Used for the
  Assessment
• Provided Additional Training
• Conducted Spot Testing on a Sampling of Test
  Results
• Re-competed the Support Services Contract
• Completed the Assessment Ahead of Prior Year
• Began to Institutionalize Internal Controls

7
Year 4 FY 2009

• Accomplishments
• Transitioned to New Contract Service Provider
• Transitioned GCC Portion of the Assessment to
  CSAM
• Work with our Kansas City Counterparts (ICD and
  ISD)
• Improved Reporting
• Automated Five Forms in ADTS
• Improved Reporting
• Changed the Workflow
• Provided Additional Training utilizing Webinar
  Technology

8
Plans for FY 2010

• Review and Refine Cycle Control Objectives, Risks
  and Techniques
• Share Component Agency Best Practices
• Evaluate Other Tools for the Business Process
  Assessment
• Initiate Plans for Continuous Monitoring
  Solutions
• Better Integrate Business Process with GCC

9
FY 2009 General Computer Controls (GCC)
8
10
FISMA and NIST SP 800-53

• Federal Information Security Management Act
  (FISMA) of 2002
• Requires, among other things, to periodically
  test and evaluate the effectiveness of
  information security policies, procedures,
  practices, and security controls (no less than
  annually)
• National Institute of Standards Technology
  (NIST) SP 800-53
• Provides a catalog of minimum security controls
  for information systems supporting the Federal
  Government

11
NIST 800-53 Control Families

• AC-Access Control
• AT-Awareness Training
• AU-Audit Accountability
• CA-Certification Accreditation
• CM-Configuration Management
• CP-Contingency Planning
• IA-Identification Authentication
• IR-Incident Response
• MA-Maintenance

• MP-Media Protection
• PE-Physical Environmental
• PL-Planning
• PS-Personnel Security
• RA-Risk Assessment
• SA-System Service Acquisition
• SC-System Communications Protection
• SI-System Information Integrity

Office of the Chief Financial Officer
10
12
FISMA and A-123 Appendix A
13
2009 GCC A-123, Apendix A Assessment

• Developed control objectives for each control
  family
• Identified 29 key NIST 800-53 controls
  requiring annual testing
• Developed Departmental test plan for testing the
  29 key controls
• Using OCIOs Cyber Security Assesment
  Management System (CSAM) to document A-123 testing

14
CSAM
15
QUESTIONS???