Audit Readiness and Sustainment
The Chief Financial Officers Act of 1990 established the need for federal agencies within the executive branch to undergo financial statement audits in order to provide taxpayers with confidence that the government is practicing effective financial management. The complexity of federal agencies and the accountability to taxpayers require a concerted effort to establish policies and procedures to ensure the respective agencies are responsibly managing federal funds. 11th Hour Service’s approach to Audit Readiness and Sustainment is a five-phased approach. Each phase is critical to the success of the other phases, and those phases are:
- Phase I – Governance
- Phase II – Risk Assessment
- Phase III – Documentation
- Phase IV – Information Technology
- Phase V – Sustainment
Governance – The key to being successful in an audit readiness or sustainment engagement is to establish a governance structure to oversee the engagement and be accountable for the path and progress of the engagement. As part of the overall governance there should be a defined structure with roles and responsibilities throughout the agency to achieve success in the readiness/sustainment process.
Risk Assessment – In order to make changes to the agency to become audit ready, the agency must first understand where the highest risks are. A quantitative and qualitative risk assessment should be performed to identify the highest risk areas and to prioritize the path forward.
Documentation – Once the high-risk areas are identified and prioritized, the next step is to document the processes surrounding the high-risk areas to gain an understanding of the current state of procedures using business process cycle memoranda. Once the process is accurately captured, the next step is to perform an internal control evaluation to identify strengths and weaknesses in the process.
Information Technology – Information technology includes all systems, from the financial statement systems all the way down to the various feeder systems that aid in the process of documenting a transaction and appropriately reporting it on the annual financial statements. The use of IT systems can greatly increase the efficiency and effectiveness of the business process; however, there must be adequate controls in place to ensure all systems are functioning appropriately.
Sustainment – Once the agency obtains a readiness state, there must be a process in place to ensure that the agency can sustain readiness and monitor the process. This will require continuous testing based on the risk assessment and a rotating schedule to ensure all areas are covered during the sustainment period.
- Being compliant with both OMB Circular A-123 and the GAO Green Book;
- Developing a program that can support CFO Act Financial Statement audit processes;
- Customizing the program for the Agency; and
- Integrating internal controls with other risk functions, including Enterprise Risk Management and DATA Act.
OMB Circular A-123 and Green Book Compliance – Agencies are required to meet minimum compliance requirements for internal controls programs. We recommend that agencies not focus on just meeting the compliance requirements of their internal controls program, but instead focus on the full power of an effective program. To achieve this, we have designed a methodology, enabled by our technology platform ACL, that automates the assessment of compliance with all 14 of the Green Book’s principles. This helps agencies reduce the burden and cost of compliance.
Financial Statement Audit Support – Internal controls is a Management function, which means that the function is both driven by Management and for the benefit of Management, and most important, the agency as a whole. While that is certainly the case, our internal controls programs are designed so that the procedures and testing performed by the internal controls program can be relied upon by the OIG, or contracted auditors performing the financial statement audit.
What does that really mean? When auditors perform testing, they are ultimately concerned with the reliability of the balances or numbers presented in the financial statements and accompanying note disclosures. To get that comfort they have to perform testing over those numbers. Because internal controls are intended to reduce the likelihood of a misstatement, or the likelihood of the numbers being wrong, auditors test internal controls to help them determine how much testing they need to do over the numbers. This means that if the controls are good, the auditors will test less. When an agency’s internal controls program is designed in a way to support that control testing, it ultimately means the auditors can rely on that work and may test less, which reduces the burden on program personnel throughout the course of the audit.
Program Customization – There is no “out of the box” internal controls program that will fit the needs of every Agency. Our programs are customized to the needs of each Agency depending on:
- Agency mission;
- Size and complexity of the Agency;
- Existence and maturity of current internal controls program;
- Management’s vision of the program;
- Agency resources supporting the program;
- Organization cultural influences;
- Technological inclination; and
- Historical trends of internal controls, audit, GAO, ERM, DATA Act, and other related risks.
Integration with ERM and DATA Act – With the promulgation of OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, in July of 2016 and OMB Circular A-123, Appendix A, Management of Reporting and Data Integrity Risk, in June of 2018, ERM and DATA Act program integration are critical for success.
11th Hour Service has created an internal control approach that addresses that need through both short-term and long-term efforts.
Short-term (6-12 months) –
- Define data quality specific to each reporting entity;
- Identify full population of data quality risk points;
- Develop a mapping of reporting objectives to programs, processes, and systems that support those objectives;
- Document a risk assessment methodology that evaluates significant programs, processes, and data points based on both materiality and criticality to mission achievement;
- Establish program objectives, capabilities, and data alignment between internal controls, Enterprise Risk Management, and DATA Act; and
- Evaluate potential data analytics and normalization solutions.
Long-term (1-3 years) –
- Develop an organization change management strategy;
- Develop a training and education enhancement program to enhance competencies and reduce jargon-based barriers;
- Determine a data analytics and normalization solution;
- Execute risk assessment methodology for all programs, processes, and data points;
- Update annual SOA process to incorporate additional reporting requirements; and
- Develop a compliance maturity model for Appendix A requirements.
Corrective Action Planning
- Remediation governance – Effective remediation is an involved process. To be most effective, there should be governance around the remediation process. That includes creating a policy outlining minimum requirements of remediation activities, as well as creating guidance documents, such as a Playbook and Standard Operating Procedures (SOPs), to provide the steps to ensure compliance with the requirements outlined in the policy;
- Risk and deficiency compilation, evaluation and prioritization – Risks are identified through a seemingly endless number of channels: audits, internal evaluations, GAO, news outlets, etc. There is no way Agencies can remediate all risks consecutively. Our remediation approach includes a methodology to compile these risks, evaluate the documents that report the risks to identify more gradual risks, and then prioritize the risks so that Agencies have a better idea of where to begin and a structured path to effective remediation;
- Risk decision communication – Decisions are made every day, large and small. When they are large, they are often documented, and that should not be different when those decisions are about risk. Agencies often have a significantly higher amount of institutional knowledge than those external to the Agency who are identifying risks.
Because of this and many other factors, when a risk is identified Management has decisions to make. Management can decide to accept, reduce, avoid, share, or pursue risks, and in most cases, those decisions should be documented;
- Remediation documentation – Remediation efforts need to be properly documented in order to support and report plans, progress, and accomplishments. We have templates that can be customized to fit any program’s needs. However, we recommend that the critical remediation elements always be included. Those elements are:
  - Identified deficiency and/or risk(s);
  - Source of the deficiency or risk;
  - Process owner, remediation owner, and executive sponsor;
  - Root cause analysis;
  - Current internal controls mitigating the risks;
  - Remediation strategy summary;
  - Progress milestones, including critical path milestones; and
  - Verification and validation.
- Remediation training, facilitation, and collaboration – Our approach to training is two-fold:
  - Remediation specific training; and
  - Technical training.
Remediation specific training – Remediation specific training is designed to enhance the capabilities of remediation stakeholders as it relates to successfully remediating deficiencies. For instance, we have training that is specific to performing an effective root cause analysis, or how to perform and adequately support verification and validation procedures.
Technical training – Technical training is designed to enhance the capabilities of process owners, and capability gaps are often identified as a result of successful root cause analysis. For instance, if a root cause analysis resulted in determining that there are not adequate policies and procedures around reviewing purchase orders, we have training that targets how to successfully develop and subsequently monitor the effectiveness of a policy.
- Policy and program implication information – Through the remediation process, there will be efforts that have an implication on various programs and related policies. Our approach ensures an evaluation is performed on potential program and policy connections, and simultaneously ensures that a communication channel between the appropriate personnel is established and maintained.
Our solution can be implemented in any environment, but it is best in a technology-enabled environment through our Governance, Risk, and Compliance (GRC) software. This software allows for an easy user interface, automation, and ultimately a reduction in administrative time requirements.
Accounting Operations Support
- Purchase order creation and maintenance;
- Invoice and payment reviews and approvals, including Prompt Payment Act compliance;
- Fund account balance analysis;
- Unliquidated obligation monitoring;
- Travel voucher processing and FTR compliance;
- Receivables monitoring and processing;
- Inter-agency Agreement (IAA) processing and transaction monitoring;
- Allowance for doubtful account estimation, monitoring, and reporting;
- Property, plant, and equipment accounting, reconciliation, and monitoring, including inventory management, asset acquisition and disposition;
- Asset capitalization methodology development and execution; and
- Accounting estimate calculation and monitoring, including accruals, actuarial liabilities and look-back analyses of accounting estimates.
Our teams not only provide these accounting operational services, but we ensure that they are compliant with relevant standards and guidance promulgated through organizations such as FASAB, FASB, ASB, AICPA, GAO, OMB, etc. Because each aspect of accounting operations impacts the quality of financial reporting, this level of scrutiny will make financial reporting a more efficient process.
We can also provide technical training to improve the capabilities and performance of the programs and operations the processes support.
- Analysis of account relationships, including analysis of budgetary to proprietary balances;
- Ad-hoc analysis including monitoring of obligations and other activities that support budget formulation and execution activities; and
- Reviews of journal vouchers and other adjustments for accuracy and support, as well as analysis of potential downstream effects of the entries on future financial reporting.
Whether it’s participating in the preparation of the principal financial statements and footnotes, or any process that supports financial reporting, our team members work tirelessly to meet the highest standards and make continuous improvements.
Budget Formulation and Execution
- Strategic budgetary planning;
- Component level budget justification and formulation based on Congressional, OMB, and Agency guidance;
- Agency budget justification and formulation, including component analysis and integration;
- Presentation and pass back;
- President’s budget alignment;
- Pre-appropriations activities including congressional hearing and markup support;
- Spend plan development;
- Apportioning funding;
- Allotting, sub-allotting, and allowances;
- Committing and obligating;
- Cancellations and rescissions; and
- Funds control techniques.
Grants and Cooperative Agreement Management
- Establishment of federal assistance programs;
- Understanding the statutory and regulatory guidance that governs the federal assistance processes;
- Reviewing and selecting award recipients;
- Awarding, including negotiating, documenting, and notification;
- Post-award monitoring and assistance; and
- Close-out procedures and OMB Circular A-133 audit preparedness.
Financial Management Policy Development and Monitoring
- Establishing a technical working group made up of SMEs and process owners that are impacted by various financial management policies (i.e. grants, procurement, facilities, budget, etc.);
- Developing a collaborative process for stakeholders to provide input on financial management policies that are currently in development, or in the development pipeline; and
- Implementing a policy development cycle that focuses on data-driven research, facts, and best practices as to what should be happening, not focusing on what is happening.
The policy monitoring aspect is as important as the development. Our monitoring efforts focus on two major aspects of monitoring:
- Scanning the financial management environment to be aware of changing legislation, regulations, guidance, and best practices to assess the impact on current policy; and
- Integrating monitoring techniques with internal controls and other internal assessment processes to determine the effectiveness of the policies.