Uniform Guidance Internal Controls Brandy Whittington CPA CITP
Uniform Guidance – Internal Controls
Brandy Whittington, CPA, CITP, CGMA Matheny & Company AC bwhittington@ripleycpa.com Work (304) 372-2600 Cell (304) 767-5310
Uniform Guidance Internal Control Requirements 2 CFR 200
What are internal controls? §Process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the entity’s objectives will be achieved.
§ 200.61 Internal controls. A process, implemented by a non-Federal entity, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) Effectiveness and efficiency of operations; (b) Reliability of reporting for internal and external use; and (c) Compliance with applicable laws and regulations.
Internal Control §Dynamic and interactive process §How an entity is run §Includes policies and procedures § Procedures – actions that implement a policy
§ 200.303 Internal controls The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
§ 200.303 Internal controls The non-Federal entity must: (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.
§ 200.303 Internal controls The non-Federal entity must: (c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations and the terms and conditions of Federal awards.
§ 200.303 Internal controls The non-Federal entity must: (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings.
§ 200.303 Internal controls The non-Federal entity must: (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.
FAQ 200.303-2 “Should” §While non-Federal entities must have effective internal control, there is no expectation or requirement that the non-Federal entity document or evaluate internal controls prescriptively in accordance with these three documents or that the non-Federal entity or auditor reconcile technical differences between them. They are provided solely to alert the non-Federal entity to source documents for best practices. Non-Federal entities and their auditors will need to exercise judgment in determining the most appropriate and cost effective internal control in a given environment or circumstance to provide reasonable assurance for compliance with Federal program requirements.
COSO & The Green Book Components of Internal Controls
COSO & The Green Book § 200.303 Internal controls (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO – Internal Control Framework (Committee of Sponsoring Organizations of the Treadway Commission) https://www.coso.org/Documents/990025P-Executive-Summaryfinal-may20.pdf 3 Volumes: • Executive Summary • Framework & Appendices • Illustrative Tools
The Green Book sets the standard for an effective internal control system for federal governments.
The Green Book https://www.gao.gov/products/GAO-14-704G • 89 pages
Five Components of Internal Control • Control Activities • Risk assessment • Info & Comm • Monitoring • Environment
Principles of Internal Control §COSO identifies 17 principles related to 5 elements §Green Book adapts principles
Compliance Supplement §“To determine if an internal control is effective, auditee management assesses the design, implementation, and operating effectiveness of the five components and 17 principles.” (pg. 6-4)
Control Environment Foundation of the Internal Control System
Control Environment 1. Demonstrate Commitment to Integrity and Ethical Values 2. Exercise Oversight Responsibility 3. Establishes Structure, Responsibility and Authority 4. Demonstrate Commitment to Competence 5. Enforce Accountability
Risk Assessment provides the basis for developing appropriate risk responses.
Risk Assessment 6. Define Objectives and Risk Tolerances 7. Identify, Analyze, and Respond to Risks 8. Assesses Fraud Risk 9. Identify, Analyze and Respond to Change
Control Activities Policies & Procedures – actual actions management establishes and practices
Control Activities 10. Design Control Activities 11. Design Activities for the Information System 12. Implement Control Activities
Information & Communication Quality of the information in the system & how personnel communicate important information
Information & Communication 13. Use Quality Information 14. Communicate Internally 15. Communicate Externally
Monitoring How management assesses the quality of performance over time and resolves findings
Monitoring Activities 16. Perform Monitoring Activities 17. Evaluate Issues and Remediate Deficiencies
Written policies §Non-Federal entities and auditors should be aware that the Uniform Guidance also includes requirements for non-Federal entities to have written policies or procedures supporting compliance with certain compliance requirements. §The areas of procurement and subrecipient monitoring are examples of compliance requirements that contain such requirements.
§ 200.514 Scope of audit. (c) Internal control. (1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
§ 200.514 Scope of audit. (c) Internal control. §(2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.
CAP Goal No. 8 §President’s Management Agenda - 2018 §“Each Federal agency has been mandated by OMB to limit the number of compliance requirements subject to the audit to six…”
2 CFR 200, Appendix XI 2019 Compliance Supplement https://www.whitehouse.gov/wp-content/uploads/2019/09/2CFR_Part-200_Appendix.XI_Compliance.Supplement_August2019_FINAL_v2_09.19.pdf
Compliance Supplement 2019 §Revised 2019 version issued September 20, §Reduced required audit steps to 6/7 § A. Activities Allowed and Unallowed § B. Allowable Costs and Cost Principles §Not applicable to programs not in Supplement §Substantial changes to Part 6 - Internal Control
Compliance Supplement Part 6 Internal Control
Part 6 §Addresses objectives, principles, and components of internal control §Based on Green Book and COSO
§ 200.303 Internal controls The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
§ 200.62 Internal control over compliance requirements for Federal awards A process implemented by a non-Federal entity designed to provide reasonable assurance regarding the achievement of the following objectives for Federal awards: (a) Transactions recorded and accounted for properly (b) Transactions are executed in compliance (c) Assets are safeguarded
§ 200.62 Internal control over compliance requirements for Federal awards (a) Transactions are properly recorded and accounted for, in order to: (1) Permit the preparation of reliable financial statements and Federal reports; (2) Maintain accountability over assets; and (3) Demonstrate compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
§ 200.62 Internal control over compliance requirements for Federal awards (b) Transactions are executed in compliance with: (1) Federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program; and (2) Any other Federal statutes and regulations that are identified in the Compliance Supplement.
§ 200.62 Internal control over compliance requirements for Federal awards (c) Funds, property, and other assets are safeguarded against loss from unauthorized use or disposition.
Part 6 – Illustrative Controls §Appendices §Not all-inclusive §Not checklist of requirements
Entity-Wide Controls § 4/5 – typically implemented at entity-wide level § Control Environment § Risk Assessment § Information & Communication § Monitoring §Governance Controls
Operational-level Controls §Specific Controls §Appendix 2 for Control Activities
Process vs. Control §Process – series of actions that lead to a particular result §Where non-compliance could occur. Example: Charging costs to a Federal award.
Process vs. Control §Process owner – doer §Control owner - reviewer
Potential Noncompliance §What-could-go-wrong (WCGW) §Controls are designed to prevent or timely detect noncompliance
Control Environment: Principle 1 § A code of conduct is developed, documented, communicated and periodically updated § A code of conduct explicitly prohibits inappropriate management override of established controls
Control Environment: Principle 2 § Those charged with governance (TCWG) have the requisite skills and knowledge to provide effective oversight pertaining to Federal award compliance issues and related risk. § TCWG periodically review ethical and moral conduct violations including stakeholder complaints regarding issues of Federal award compliance with senior management.
Control Environment: Principle 3 § Policies, procedures and organizational charts provide for segregation of duties within and among processes and controls. § Policies and procedures are in place to ensure compliance responsibilities are assigned to particular positions.
Control Environment: Principle 4 § Job descriptions include appropriate knowledge and skill requirements. § Appropriate training is provided that is relevant to responsibilities over compliance objectives.
Control Environment: Principle 5 § Appropriate performance evaluations are provided that establish goals, accountability, and feedback. § Penalties for inappropriate behavior are adequate and publicized.
Risk Assessment: Principle 6 § Management establishes an effective risk assessment process that includes the use of a specific risk matrix. § Management identifies key compliance objectives for types of compliance requirements.
Risk Assessment: Principle 7 § Management establishes an effective risk assessment process that includes the use of a specific risk matrix. § Management identifies key compliance objectives for types of compliance requirements.
Risk Assessment: Principle 8 § Management reviews audit findings to identify fraud risks. § Management reviews the internal control structure for fraud risk.
Risk Assessment: Principle 9 § Management identifies changes such as new personnel, new technology, changes in operating environments and adjusts risk assessments to address those changes. § Management analyzes compliance requirement modifications to properly adjust risk.
Control Activities §Principles 10 – 12 §Appendix 2
Information & Communication: Principle 13 § The accounting system provides for separate identification of Federal and non-Federal transactions. § Adequate source documentation exists to support amounts and items reported.
Information & Communication: Principle 14 § Relevant internal and external information is communicated and delivered to employees responsible for Federal award compliance on a timely basis. § Effective channels for communication throughout the organization exist.
Information & Communication: Principle 15 § Relevant information is communicated to external parties including subrecipients, vendors, Federal granting agencies, and 3rd-party processors on a timely basis. § Effective channels exist for communications with Federal granting, oversight and cognizant agencies.
Monitoring: Principle 16 § Management monitors the use of effective self-review procedures in critical compliance areas. § Management monitors the reconciliation of key performance indicators with data from financial or other reporting systems, including reconciliation with data from financial or other reporting systems to ensure its accuracy.
Monitoring: Principle 17 § Findings, recommendations and other observations by independent, internal and Federal auditors are distributed and reviewed by individuals responsible for compliance with Federal requirements. § Control deficiencies and instances of noncompliance are reported to and evaluated by management and TCWG for resolution on a timely basis.
Control Activities Principles 10-12 Appendix 2
Process vs. Control §Process – series of actions that lead to a particular result §Where non-compliance could occur. Example: Charging costs to a Federal award.
Process vs. Control §Process owner – doer §Control owner - reviewer
Potential Noncompliance §What-could-go-wrong (WCGW) §Controls are designed to prevent or timely detect noncompliance
Control Category §Authorization §Management review §Segregation of Duties § Approval § Custody § Recordkeeping §System Access
Control Activities Preventative §Avoids an unintended event or result at the time of the transaction. Detective §Discovers an unintended event or result after the initial processing has occurred but before ultimate objective has concluded.
Management versus Auditor §Management: Focus = Compliance §External Auditor: Focus = Material Noncompliance
Compliance Requirements §Activities Allowed or Unallowed (A) §Allowable Costs / Cost Principles (B) §Cash Management (C) §Eligibility (E) §Equipment and Real Property Management (F) §Matching, Level of Effort, Earmarking (G) §Period of Performance (H) §Procurement and Suspension and Debarment (I) §Program Income (J) §Reporting (L) §Subrecipient Monitoring (M) §Special Tests (N)
Approach, Analyze and Document Each Compliance Requirement Separately
Activities Allowed or Unallowed (A) §Control Environment – written policies, reasonable budgets, employees provided with an allowable list of expenditures §Risk Assessment – managers are aware of where unallowable charges could occur §Control Activities – grant agreements and cost principles are available to staff who determine allowability, approvals are required for all transactions by knowledgeable individuals §Information & Communication – formal training of staff regarding allowable program charges §Monitoring – budget to actual comparisons performed
Audit Reporting Requirements Internal Controls over Federal Programs
2 CFR 200.514 Scope of Audit (c) Internal Control (4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516 Audit findings, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.
Internal Control Deficiency §A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
Material Weakness §A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.
Significant Deficiency §A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
Questions? Brandy Whittington, CPA, CITP, CGMA Matheny & Company AC Contact Info bwhittington@ripleycpa.com Office 304-372-2600 Cell 304-767-5310 These materials are presented with the understanding that the information provided is not legal advice. Due to the rapidly changing nature of law, information contained in this presentation may become outdated. Anyone using information contained in this presentation should always research original sources of authority and update this information to ensure accuracy when dealing with a specific matter. No person should act or rely upon the information contained in this presentation without seeking the advice of an attorney.