Department of Homeland Security Federal Emergency Management Agency

Transcription

1 Department of Homeland Security Federal Emergency Management Agency Association of Government Accountants Improving Controls Can Improve Program Performance Audio Conference on Internal Controls June 8, 2011

2 Agenda FEMA s History FEMA s Audit Remediation/Internal Control Efforts: Mission Action Plan (MAP) Process Internal Control Board Internal Control Program A-123/IPIA Program Accomplishments and Impact Risk Assessment Moving Forward 2

3 FEMA: History 3

4 Financial Statement Audit History Process FY06 FY07 FY08 FY09 FY10 Financial Management and Reporting MW MW MW MW SD Financial Systems Security/IT General and Application Controls MW MW MW MW MW Capital Assets/Supplies Actuarial & Other Liabilities Budgetary Accounting Entity-Level Controls MW MW MW Corrected -- MW MW SD SD SD MW MW MW SD SD MW MW SD SD SD In FY06, FEMA had a total of six material weaknesses (MWs) and contributed to the Department s disclaimer conditions 4

5 A-123/IPIA History FEMA began A-123 compliance activities in FY06 and performed TOD/TOE assessments of several business processes FEMA focused on remediating internal control weaknesses in FY08 and resumed its A-123 assessments in FY09 FEMA began IPIA compliance activities in FY06 and tested one Program FEMA was non-compliant with IPIA requirements until FY08 5

6 FEMA: Remediation/Internal Control Efforts 6

7 FEMA Audit Progress Process FY06 FY07 FY08 FY09 FY10 Financial Management and Reporting MW MW MW MW SD Financial Systems Security/IT General and Application Controls MW MW MW MW MW Capital Assets/Supplies Actuarial & Other Liabilities Budgetary Accounting Entity-Level Controls MW MW MW Corrected -- MW MW SD SD SD MW MW MW SD SD MW MW SD SD SD FEMA has made significant progress over the past 5 years to strengthen its internal controls and reduce control weaknesses 7

8 Mission Action Plan (MAP) Definition: An overall plan that FEMA s management creates to correct specific deficiencies. These plans contain items such as a Root Cause Analysis and milestones with specific completion dates and remedial actions. Process: 8

9 Root Cause Analysis Definition: The specific underlying cause(s) of events that lead to control deficiencies. They fall under one or more of the following areas: Human Capital Insufficient training, need for more people, or wrong people in positions Process Break in the process flow, need for updated or additional processes Policy Insufficient or no policies or procedures in place Systems System failures or inadequate systems Benefits of an Effective RCA: Critical to preventing similar recurrences Over time, the root causes identified across the population of control deficiencies can be used to target major opportunities for improvement Root Cause Title Root Cause Detail Description Human Capital Insufficient Resources These findings are due to a lack of staff available. Lack of Training These findings are due to errors on the part of employees who have not been trained appropriately. Process Lack of Supporting Documentation These findings are due to a process which does not maintain documentation of controls performed. Lack of Proper Review/Reconciliation Lack of Ownership/Coordination These findings are due to a process with insufficient review and reconciliation to ensure that tasks are accomplished accurately. These findings are due to a lack of ownership over processes and coordination between process owners to ensure compliance. Policy Lack of Policies and Procedures These findings occurred because critical policies and procedures have not been developed or are insufficient. Lack of Enforcement of Policies and Procedures These findings occurred because supervisors are not enforcing the controls laid out in policies and procedures. System Systems Limitations These findings occurred because existing computer systems are not able to accomplish tasks required in order to remain compliant. Data Integrity These findings occurred because unauthorized people may access or modify data. 9

10 Case Study Financial Reporting Issues Lack of sufficient resources with the required financial management skill set within the OCFO to ensure segregation of duties and oversight over the financial reporting process Inadequate processes and controls to ensure that all adjustments are fully researched, substantiated, documented, and/or appropriately reviewed prior to preparation and submission of financial data to the Department Insufficient level of review and approval of supporting documentation for significant JVs recorded in the general ledger/treasury Information Executive Repository (TIER) Lack of policy and procedures and clearly documented roles and responsibilities over the financial reporting process Systematic errors related to incorrect attributes and poor data quality Corrective Actions Filled strategic OCFO vacancies to aid in implementing corrective actions to correct control weaknesses Developed and implemented improved control procedures over the TIER process (including TIER to GL reconciliation procedures) Developed and published budget/finance blueprint to improve accuracy of budget entries Updated, published, and implemented OCFO s Journal Voucher (JV) Process standard operating procedures Improved JV documentation and the review/approval of JVs Performed data clean-up 10

11 Internal Control Board (ICB) Objectives Support FEMA s internal control structure through improved control awareness, communication, and coordination Set the tone of the organization s control environment Prioritize, direct, and monitor internal control activities Improve internal control environment and achieve objectives Address enterprise-wide/cross-cutting internal control issues requiring collaboration at FEMA s most senior levels of leadership Structure Chaired by the FEMA Deputy Administrator Championed by the FEMA Administrator Comprised of a cross-functional team of senior FEMA officials/representatives 11

12 Value of the ICB Demonstrates commitment of senior leadership ( tone at the top ) Provides the governance structure needed to improve internal controls and achieve program goals and business objectives Establishes accountability throughout the agency Increases awareness as to the importance of maintaining effective internal control through continuous monitoring Improves integration and coordination of internal control-related activities Positions agency to better address multiple requirements Strengthens annual assurance statement process 12

13 Internal Controls Program (ICP) - Overview Created in November 2008 and chartered in January 2009 Key Functions: Provides support to its divisions/offices to remain compliant with Federal internal control requirements: Federal Manager s Financial Integrity Act (FMFIA) Office of Management and Budget (OMB) Circular A-123 Oversees the assessment of internal control within each Mission Support Bureau (MSB) Office to ensure compliance with governing legislative, regulatory, and Departmental guidance Summarizes and communicates results of the assessments to FEMA s Deputy Associate Administrator Assists the MSB Offices in creating their annual Assurance Statements 13

14 ICP Activities In FY11, the ICP performs the following activities: Conducting a self-assessment of each MSB Office s Entity-Level Controls (ELCs) Coordinating the design and implementation of more effective/efficient Business Processes Performing a FEMA-Wide Risk Assessment to assist the Region and Program Offices create their Assurance Statements Below is an example of the Tools & Templates used: Office: Office Director Name: Assessment Internal Control Representative Name: Internal Control Representative Title: Likelihood Impact Rationale / Comments / Support Narrative No. Risk Event Inherent Risk 1 The office regularly conducts activities that are complex in nature, both from an operational and financial standpoint, and are subject to potential high rates of error and failure (e.g. Urban Search & Rescue (operational) or accounting for Environmental Liabilities (financial)). 2 The Office perform activities that, in the event of failure, would subject FEMA to a great deal of negative exposure both internally and externally (e.g. the media). 14

15 FY11 Assurance Statement Process Task Description Start Date End Date Briefed FEMA Internal Control Board (ICB) on the FY 2011 Assurance Statement 1/04/2011 1/04/2011 Conduct briefings and outreach to Regions and Program Offices 6/06/2011 6/24/2011 ICOOP Assurance Statement submissions due to FEMA OCFO 6/27/2011 7/22/2011 Incorporate Regions and Program Offices input into draft FEMA Assurance Statement Memo 7/25/2011 8/05/2011 Distribute Draft Assurance Statement to FEMA ICB for review and comment 8/08/2011 8/12/2011 Incorporate ICB comments into final FEMA Assurance Statement Memo 8/15/2011 8/19/2011 Finalize Administrator Briefing Package on Assurance Statement Memo 8/22/2011 9/02/2011 Conduct briefing of final FEMA FY 2011 Assurance Statement to Administrator 9/05/2011 9/15/

16 ICP Structure ICP Chair: FEMA Deputy Administrator ICP Sponsor: Director of RM&C ICP Lead: RM&C Staff ICP Core Team 16

17 Value of the ICP Develops an internal control ethic in all employees Identifies areas of weakness and vulnerability Creates remediation plans to improve FEMA s efficiency and effectiveness Allows FEMA to stay ahead of auditors Manages the Enterprise-Wide Internal Control Issues Enhances focus on customer experience Improves decision making Increases accountability Trains FEMA employees across FEMA programs Moves control monitoring to the front end of the process 17

18 A-123 Progress Process FY07 FY08 FY09 FY10 Budgetary Resources Management (BRM) TOD * * V&V* Payment Management Fund Balance with Treasury (FBwT) National Response Plan Grants Management Limited Scope TOE * * TOE TOE ** TOE TOD ** ** TOE V&V General Ledger Management - Financial Reporting (GLM-FR) TOE ** TOE V&V Insurance Management ** TOE V&V HR/Payroll Management ** TOE * FEMA determined the need to perform an A-123 assessment ** DHS exempted FEMA from performing an A-123 assessment to focus on remediation efforts for FY

19 A-123 Current Year Activities Perform A-123 assessments over the Fund Balance with Treasury Process and the Purchase and Fleet Card Programs Extend assessments to focus on internal controls over operations Integrate A-123 into the Internal Control Program 19

20 IPIA Progress IPIA Progress at FEMA Fiscal Year (FY) FY06 FY07 FY08 FY09 FY10 FY11 FEMA Programs IHP IHP, VP AFG, HSGP, IHP, IPP, NFIP, PA, VP AFG, HSGP, IHP, NFIP, PA, VP AFG, EFSP, HSGP, IHP, NFIP, PA, TSGP, VP AFG, EFSP, HSGP, IHP, NFIP, PA, TSGP, VP, PSGP Type of Activity Testing Testing Risk Assessment, Testing, Pilot Study Risk Assessment, Testing Risk Assessment, Testing, Communications Strategy Risk Assessment, Testing FEMA began IPIA compliance activities in FY06 and tested one Program For FY11, FEMA is testing nine Programs (including the Port Security Grant Program (PSGP)) FEMA s past and current IPIA activities include testing, risk assessments, pilot studies, and communications strategy development Over time, FEMA Programs have taken on increasing levels of responsibility for and collaboration with IPIA testing and related activities 20

21 Accomplishments and Impact FEMA has performed activities to improve its internal controls and program performance including, but not limited to: Implemented an audit remediation and internal controls strategy that has led to the successful downgrading/elimination of 5 out of 6 material weaknesses Sustained progress to date through continued efforts to monitor and strengthen internal controls over financial reporting and operations Improved communication with external auditor resulting in a more effective and efficient annual financial statement audit Enhanced Management s assessment of internal controls over financial reporting and operations Improved awareness, communication and coordination at all levels of the agency Integrated processes and assessments Established the ICB to address enterprise-wide/cross-cutting issues 21

22 Risk Assessment Overview FEMA faces a variety of risks that could detract from its mission to build, sustain, and improve the Nation's capability to prepare for, protect against, respond to, recover from, and mitigate all hazards FEMA s risk assessment methodology is flexible and scalable to allow for the development of a multi-year implementation plan that will improve financial reporting and operational processes and infrastructure FEMA s risk assessment methodology is intended to employ comprehensive risk management to enhance FEMA programs and operations 22

23 Risk Assessment Framework Combines traditional bottom-up and top-down stakeholder value approach 23

24 Risk Assessment Methodology FEMA s risk assessment methodology involves a five step process: 1. Planning Gather information and conduct interviews 2. Drafting the Risk Strategy Map Populate tool to capture and analyze risk 3. Evaluating Risk Complete Risk Register Template 4. Prioritizing Activities Prioritize based on Inherent Risk and Control Environment 5. Preparing the Annual Plan Identify processes to be remediated by corrective action or assessed through Self Inspection Plan (A-123) 24

25 Risk Assessment Outcomes The intersection of the inherent risk rating and the control environment strength on the Risk Assessment Matrix details the proposed follow-up activity High 5 Inherent Risk Assessment of Controls Assess Controls on Rotational Basis Remediation Lower Remediation Priority Low Strong Weak Control Environment 25

26 Value of the Risk Assessment FEMA s Risk Assessment Methodology provides the following benefits: Includes ICOFR and ICOOPs processes/risks/controls Directly links to actionable outcomes including: processes to be assessed and remediation areas of focus Creates a simple, not overly complex methodology that is flexible and scalable for business needs Has the approval and sponsorship of the ICB Links to strategic goals and objectives Forms an Annual Plan, which takes into account prioritization, current initiatives, and resource considerations 26

27 FEMA: Moving Forward 27

28 Moving Forward Implement a process to more effectively and efficiently assess entity-wide risks, evaluate internal controls, improve processes, and achieve compliance with Federal requirements Create an organizational structure and culture that promotes the importance and value of internal control and accountability throughout the agency Promote the integration and coordination of internal control-related activities throughout the agency Establish a formal standardized entity-wide process/methodology/tool for assessing risks to better prioritize internal control initiatives and remediation efforts and dedicate resources where most needed Move beyond a compliance driven responsiveness toward strategic decision making based on risks 28

29 FEMA s Future State FEMA s future state will enable us to more effectively and efficiently assess entitywide risks, evaluate internal controls, improve processes, achieve compliance with Federal requirements, and achieve program goals and business objectives Internal Control Board Cross Functional Oversight Direction Monitoring Program / Operations FMFIA Sec. 2 Charge Cards (A-123, App. B) Financial ICOFR (A-123, App. A) IPIA/IPERA (A-123, App. C) Information Systems FMFIA Sec. 4 FISMA FFMIA Remediation Mission Action Plans Policies & Procedures Business Process Redesign Communication Reporting & Tracking Progress Training Effective and Efficient Operations Benefits Reliable Financial Reporting Compliant with Laws & Regulation 29

30 Contact Information: Kathy Hill: Director of Risk Management & Compliance FEMA OCFO 30

31 Questions 31