Title: Integrating Risk Management and Compliance into Integrated Financial Management Information Systems
1. Integrating Risk Management and Compliance into Integrated Financial Management Information Systems (IFMIS)
2. The Global Financial Environment
3. The Global Financial Environment
- No successful economy or government can operate today without global interconnectivity
- Markets and industries exist transparently across the globe, and conduct business 24 hours a day.
- Growth of that connectivity has increased the demands for the availability and reliability of financial information
- That information demand is fed by the growing use of automated Financial Management Systems, using integrated Information Technology (IT).
4. The New Financial Reporting Environment
- As a result of the global economy, Financial Reporting must be relevant, timely, and comparable across jurisdictions
- Company assets are considered more "intangible" and subject to inconsistent valuation
- Company data is instantly accessible but not always sufficient to satisfy all stakeholders' requirements
  - Citizens
  - Shareholders
  - Regulators
5. The Result of their Analysis?
- In the long term, financial reporting will be standardized to provide adequate information to all interested parties
- Global auditing standards will converge and harmonize to deliver reasonable assurance of the accuracy of financial reports
- Adoption of new data standards to improve enforcement of controls and improve detection of fraud
- Financial systems must have adequate internal controls enabled for consistent transparency
6. Impact on Federal Managers
- Governments are increasingly involved in global financial markets, not only as regulators but as investors and participants.
- They must provide the highest quality financial information to a range of interested parties, in a multitude of formats, often with repetitive efforts and inefficient processes.
- Government agencies are entrusted by their citizens to maintain sound financial practices, limit fraud and corruption, and provide adequate controls over financial reporting
7. Overview of Internal Controls
8. Internal Controls Defined
- Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
- Source: The Committee of Sponsoring Organizations of the Treadway Commission, Internal Control - Integrated Framework
Management has a fundamental responsibility to develop and maintain effective internal control.
9. Background on Internal Controls
- Internal control is a means of managing the risk associated with programs and operations
- Internal controls (organization, policies, and procedures) are tools to help program and financial managers achieve results and safeguard the integrity of their program
10. COSO
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- US private-sector initiative created in 1985.
- Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.
- COSO is sponsored by 5 main professional accounting organizations in the US
  - American Institute of Certified Public Accountants (AICPA),
  - American Accounting Association (AAA),
  - Financial Executives Institute (FEI),
  - The Institute of Internal Auditors (IIA)
  - The Institute of Management Accountants (IMA).
- COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems, which is the basis for the SOX Internal Control framework.
- Source: www.coso.org
11. COSO Internal controls structure
12. Control Environment
- Sets the tone of the organization, influencing the control consciousness of its people
- Includes integrity, ethical values, competence, authority, and responsibility
- Acts as foundation for all other components of control
13. Risk Assessment
- Identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities
14. Control Activities
- Policies and procedures assure management's directives are carried out
- Range of activities, including approvals, authorizations, verifications, recommendations, performance reviews, asset security, and segregation of duties
15. Information and Communication
- Pertinent information identified, captured, and communicated in a timely manner
- Access to internally and externally generated information
- Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action
16. Monitoring
- Assessment of a control system's performance over time
- Combination of ongoing and separate evaluation
- Management and supervisory activities
- Internal audit activities
17. Internal Controls Are Integrated into Processes
18. Global Trends in Internal Control mandates
19. U.S. Sarbanes-Oxley Act
- The Public Company Accounting Oversight Act, otherwise known as the U.S. Sarbanes-Oxley Act of 2002 or "SOX".
- Composed of three sections
  - Title I: Public Company Accounting Oversight Board. PCAOB formed as branch of Securities and Exchange Commission (SEC). Public Auditing firms must register with PCAOB and are now brought under the regulation of the PCAOB.
  - Title III: Corporate Responsibility. Section 302 establishes certification requirements for CEOs and CFOs of Annual and Quarterly reports filed with the SEC.
  - Title IV: Enhanced Financial Disclosures. Section 404 (a) requires management to assess and report on internal controls, and Section 404 (b) requires the company's External Auditor to attest to and report on management's assertions on internal controls.
20. Canadian Bill 198
- Published in 2003 by the Ontario Securities Commission and the Canadian Security Administrators
- Consists of three statutes
  - Multilateral Instrument 52-108: Auditor Oversight
  - Multilateral Instrument 52-109: Certification of Disclosure in Companies' Annual and Interim Filings (CSOx)
  - Multilateral Instrument 52-110: Audit Committees
- Multilateral Instrument 52-109 is basically Section 302 with an emphasis on Disclosure Controls and Procedures (DCP).
- Implementation of Section 404 equivalent certification still pending
21. Japanese SOX (J-SOX)
- February 15th, 2007 Business Accounting Council of the Financial Services Agency
- "Implementation Standards for Evaluation and Auditing of Internal Controls over Financial Reporting"
- Requires all publicly-held companies to submit consolidated internal control reports on or after April 1, 2008
- Reporting standards similar to sections 302 and 404 under US SOX.
22. Evolution of Internal Controls in the US Government
- Budget and Accounting Procedures Act of 1950
- IG Act 1978
- OMB A-123 1981
- FMFIA 1982
- GAO Green Book 1983
- OMB QA 1984
- CFO Act 1990
- OMB A-123 1995
- FFMIA 1996
- GAO Green Book 1999
- FISMA 2002
- Sarbanes Oxley 2002
- DHS Financial Accountability Act 2004
- OMB A-123 2004
- CFO Council Implementation Guide 2005
23. Other International Government Standards
- INTOSAI Internal Control Standards
- UK Government Internal Audit Good Practice Guide
- Canada Government Internal Audit Policy
- Institute of Internal Auditors (IIA) Code of Ethics
- Canadian Government risk management framework
24. Integrated Financial Management Information Systems (IFMIS)
25. Describing a Financial Management System
- The term "financial management system" means an information system, comprised of one or more applications, that is used for any of the following
  - Collecting, processing, maintaining, transmitting, and reporting data about financial events
  - Supporting financial planning or budgeting activities
  - Accumulating and reporting cost information, or
  - Supporting the preparation of financial statements
- A financial system may include multiple applications that are integrated through a common database or are electronically interfaced, as necessary, to meet defined data and processing requirements
- Source: Office of Management and Budget (OMB) Circular A-127
26. Information Technology (IT) and IFMIS
- IFMIS systems are designed to automate financial processes to aid transparency and accountability in public financial management
- Modern Financial Management Systems are driven by IT
- Key to driving adequate transparency and accountability is to enable systems with a comprehensive internal controls framework
- IT requires special considerations to properly implement and enforce Internal Controls
27. IT's Potential Contribution to Internal Control
- IT provides potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to
  - Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions and data
  - Enhance the timeliness, availability, and accuracy of information
  - Facilitate the additional analysis of information from multiple sources on an as needed basis
28. IT's Potential Contribution to Internal Control (cont.)
- Enhance the ability to monitor the performance of the entity's activities, policies, and procedures
- Reduce the risk that controls will be circumvented
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems
29. IT as a Source of Risk
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both
- Unauthorized access to data that may result in destruction of data or misappropriation of assets through improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions
- Potential loss of data
- Unauthorized changes to data in master files
- Unauthorized changes to systems or programs
- Failure to make necessary changes to systems or programs
- Inappropriate manual intervention
30. Automation of Internal Controls and Risk Management
31. Why Automate the Controls Process?
- Given the complexity of IT and financial reporting, automated controls software can potentially provide tremendous benefits to an internal controls program.
- Automated solutions can detect, monitor, and report a wide range of control issues, risk areas, and performance indicators.
- Software allows for business rules to be built into the system to ensure compliance with regulations and automate reporting processes.
32. Benefits of automation
- Provides structure for the internal control program
- Improves monitoring of control deficiencies and corrective action plans at all levels of management within an organization
- Provides a repository of documentation that can be made available to auditors and stakeholders
- Enables senior management to gain awareness of areas that require process changes or additional resources
33. Discipline over internal control program
- Software can help an organization maintain discipline over its internal control program by providing a framework for documenting and assessing controls, testing internal controls or controlling the workflow to ensure the controls are enforced
- Software can make it easier to demonstrate your internal controls to your auditors and may lessen the amount of testing that needs to be performed by the auditors
34. Uses of automated internal control software
- The types of software available in the market include
  - Testing and Reporting
  - Document and records management
  - Business process modeling
  - Policy management
  - Risk management and risk assessment
  - Support for multiple control frameworks
  - Support for multiple regulations across multiple business units
  - Controls automation and monitoring
35. Repository software
- Provides a central repository for the documentation of internal controls throughout the organization
- Allows the documentation of workflow and key processes, control objectives, control activities and risks for each major function in the organization
- May be set up as a web based tool that allows multiple users to input information
- Allows the organization to centrally manage the documentation of internal controls and capture information about the results of testing
- May come "out of the box" with standard templates for control objectives, control activities and risks
36. Testing software
- Allows an organization to test the internal controls of a system by directly interfacing with the system
- May test for segregation of duty and authorization violations
- Allows organizations to identify where violations can or have occurred and make changes to business processes or roles as appropriate
- May come "out of the box" with standard control objectives and control activities that can be modified as appropriate
- May have a limited repository capability to document workflow
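
The two checks that slide 36 attributes to testing software (where segregation-of-duty violations can occur versus where they have occurred), shown as an added example that is not part of the original presentation. The roles, duties, conflict rules and transaction log are constructed sample data, not taken from any real IFMIS.

```python
# Constructed sample data: hypothetical roles, duties, users and transactions.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_supervisor": {"approve_invoice"},
    "treasury": {"release_payment"},
    "sysadmin": {"create_vendor", "approve_invoice", "release_payment"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_supervisor", "treasury"},
    "carol": {"ap_clerk", "ap_supervisor"},
    "dave": {"sysadmin"},
}
# Assumed rule set: pairs of duties one person should not hold together.
CONFLICTS = [
    ("enter_invoice", "approve_invoice"),
    ("create_vendor", "release_payment"),
    ("approve_invoice", "release_payment"),
]
# Constructed log entries: (transaction id, duty performed, user).
TXN_LOG = [
    ("INV-1", "enter_invoice", "alice"), ("INV-1", "approve_invoice", "bob"),
    ("INV-2", "enter_invoice", "carol"), ("INV-2", "approve_invoice", "carol"),
    ("INV-3", "enter_invoice", "carol"), ("INV-3", "approve_invoice", "bob"),
    ("INV-3", "release_payment", "bob"),
]

def potential_violations(user_roles, role_duties, conflicts):
    """Where violations CAN occur: combined roles grant both sides of a conflict."""
    found = []
    for user, roles in sorted(user_roles.items()):
        duties = set().union(*(role_duties[r] for r in roles))
        found += [(user, a, b) for a, b in conflicts if a in duties and b in duties]
    return found

def actual_violations(txn_log, conflicts):
    """Where violations HAVE occurred: one user did both duties on one transaction."""
    performed = {}
    for txn, duty, user in txn_log:
        performed.setdefault((txn, user), set()).add(duty)
    return sorted((txn, user, a, b)
                  for (txn, user), duties in performed.items()
                  for a, b in conflicts if a in duties and b in duties)

if __name__ == "__main__":
    for v in potential_violations(USER_ROLES, ROLE_DUTIES, CONFLICTS):
        print("potential:", v)
    for v in actual_violations(TXN_LOG, CONFLICTS):
        print("actual:   ", v)
```

In this sample, dave holds conflicting access but never exercised it, while carol and bob both hold and used it; the first finding calls for a role change, the second for a review of the transactions themselves.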
37. Business process management software
- Allows an organization to design and dictate the workflow for a given process
- Integral to the performance of the process
- Allows for the documentation of the workflow process
- The workflow is performed outside of the primary system
- Helps ensure the workflow process is performed as designed by not allowing the process to continue until each step is performed
- May include features such as email notification when a step has been completed
- May have a limited capability for repository or to test transactions
38. Reporting capabilities
- Capabilities may allow for management reports to provide a status on one or more of the following
  - Documentation or testing of controls
  - Potential violations that have been identified
  - Where a document is in the process
- May also allow for customizable management reports
- May be capable of personalized "dashboards" for each user that present a current status, a "to do" list and interactive reports with drilldown capability
39. Basic steps to implementing a software solution
- Selection
  - Products should be selected based on the needs of a defined internal controls program
  - A requirements analysis should be performed to identify areas where the program can be improved, or further meet compliance goals
  - The analysis forms the basis for product selection
- Implementation
  - Once a product is selected, an implementation plan should be developed
  - The plan incorporates the required steps to implement the solution and how the functions will be used in the corresponding areas of the internal control program
40. Basic steps to implementing a software solution
- Utilization
  - Once the solution is fully implemented, the full functionality of the solution can be utilized
  - Key performance indicators (KPIs) should be established that measure how well the solution is improving risk management and compliance efforts.
  - Example KPIs include
    - Improved rate of fraud detection
    - Improved speed in reporting
    - Accuracy of reporting measures
41. Conclusions
- The implementation, maintenance and reporting of internal controls compliance and risk management is the way of the future for global financial management and accounting
- Financial reporting will become increasingly demanding and require greater transparency and validity of financial information
- Automated tools and processes can be of benefit in managing the increasing level of effort in meeting the demands for financial reporting, managing risk and providing reasonable assurance of internal controls and fraud detection.