General and Application Controls Reviews (FISCAM)
The CFO Act of 1990 and the Accountability of Tax Dollars Act of 2002 require audited financial statements annually. The CFO Act of 1990 lists 24 agencies, with approximately 225 component agencies, and the Accountability of Tax Dollars Act of 2002 lists 78 agencies. When performing an audit of these respective agencies, it is required to test internal controls in support of the financial statement audit.
CFO Act of 1990 - "Develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls, which - - A. Complies with applicable accounting principles, standards, and requirements, and internal control standards ..."
As your financial audit teams perform their financial statement audits, it will be imperative to test the internal controls over the systems, applications, and databases that support the significant financial statement line items. These audits shall be performed each year in conjunction with the financial statement audit and shall conform to Section 300 of the FAM.
Your Internal Controls, LLC has extensive experience performing General and Application Controls Reviews. Our personnel have worked with several accounting firms, as well as federal agencies. Our experience extends to various authoritative laws and guidance (e.g. OMB, GAO, NIST, DoD, and other Congressional laws such as IPIA, FFMIA, etc.). We can also assist you in developing a rotation strategy for auditing the systems, applications, and databases (must be done every 3 years in accordance with the FAM).
OMB Circular A-123
OMB A-123 was last revised on December 21, 2004 and states the following:
"Agencies and individual Federal managers must take systematic and proactive measures to:
1. Develop internal control oriented management.
2. Assess the adequacy of internal control in programs and operations.
3. Separately assess and document internal controls.
4. Identify needed improvements.
5. Take corrective action.
6. Report annually through management assurance statements."
Your Internal Controls, LLC has worked extensively in documenting, testing, and remediating internal controls against the respective federal laws, regulations, and guidance. We can assist your organization with regard to complying with the latest A-123 circular. Our CEO, Mr. Jack Heyman, has developed and taught formal courses covering A-123 at the Inspectors General Auditor Training Institute (IGATI) for many agencies.
FISMA - Federal Information Security Management Act
FISMA cites many requirements of agencies with regard to complying with laws and regulations. The head of each agency shall be responsible for:
• "Assessing the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems."
• "Implementing policies and procedures to cost effectively reduce risks to an acceptable level."
• "Periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented."
As executive agencies are required to comply with FISMA, it will be imperative to seek the assistance of a firm such as Your Internal Controls, LLC. We have expertise in documenting policies and procedures, as well as assisting agencies in complying with those policies and procedures.
OMB Circular A-133
Issued pursuant to the Single Audit Act of 1984, and subsequent amendments, this requires recipients of Federal monies to be audited in accordance with GAGAS. As such, Section 300 of the FAM will likely be the audit benchmark when performing internal controls testing. Our personnel have developed proprietary audit programs to test internal controls. Your Internal Controls, LLC can perform internal controls testing, or assist with remediating deficiencies identified by other auditors. We have the expertise with internal controls and can enable your organization to be free of deficiencies.
Certification and Accreditation (C&A)
Your Internal Controls, LLC personnel have audited and prepared numerous C&A packages. We have extensive experience in developing Boundary Scope Memos, Security Plans, IT Contingency Plans, conducting the FIPS-199 security categorization, and more. We can develop the C&A package from scratch and bring it to completion where it will be ready for signatures from the Designated Accrediting Authority. We can also perform independent Security Test and Evaluations (STE). We have prior documents that we can leverage to save your agency time by assisting with the C&A package. We also have extensive experience with the relevant requirements such as NIST (800-18, 30, 37, FIPS-199, etc.), and FISMA.
Privacy Audits
NIST 800-122 documents the elements of PII. If your agency has a system with any of those PII elements, a Privacy Threshold Analysis (PTA) must identify if those PII elements can be traced to a person. If those PII elements can in fact be traced to a person, then it is considered Information in Identifiable Form (IIF). For those systems with IIF, a Privacy Impact Assessment (PIA) must be performed. Systems must also be assessed in terms of changes made to the data that may warrant a more recent PIA (e.g. conversion of data from a legacy system). There are actually many requirements related to privacy from the Privacy Act of 1974 to several OMB memorandums such as OMB M-03-22. It can be quite complicated to comply with all of the requirements. Your Internal Controls has extensive experience in performing privacy audits and helping agencies prepare for a privacy audit.
IPIA - Improper Payments Information Act of 2002
Given the recent wars our country has faced, an ageing population that requires more money from social security, and the increase in our national debt, it is imperative that we act in a more fiscally responsible manner. Many agencies are now required to take an inventory count of their internal controls surrounding the systems that support their respective agency programs. These agencies must estimate the amounts which are deemed to be improper and report those amounts in their annual PAR. Furthermore, these agencies must also employ proper internal controls to reduce the number of estimated improper payments.
SAS 70
If your agency is performing services for multiple customers and one of them has requested a SAS 70, you have come to the right place. Our personnel have not only taken part in SAS 70 engagements, but we have also developed and taught them in a formal classroom setting at the Inspectors General Auditor Training Institute (IGATI). We can assist your organization with either a Type I, Type II, or a Type II Readiness Review. Our personnel have worked on the GSA SAS 70 surrounding their payroll processing for numerous other agencies. Our personnel have also worked on other SAS 70 engagements such as with the Department of Defense (DoD), which consisted of more than 50 personnel and 50,000 engagement hours.
OMB Circular A-50
As agencies are audited in accordance with the CFO Act of 1990 and the Accountability of Tax Dollars Act of 2002, they may be presented with control deficiencies, significant deficiencies, and/or material weaknesses. It is crucial that agencies comply with OMB Circular A-50, which requires timelines for responding to and remediating deficiencies. Your Internal Controls, LLC personnel have been on the audit side many times. As such, we know what the auditors are looking for and how they identify the deficiencies. Our expertise can assist your agency in remediating those deficiencies so that they are removed and your next year's PAR is clean and free of deficiencies.
Control Deficiency Assessment & Remediation
Many agencies struggle with identifying deficiencies, as well as the classification of those deficiencies (e.g. Significant Deficiency, Material Weakness). It is also challenging to prioritize which deficiencies are remediated first. Our firm can assist your agency with the identification and classification of deficiencies, as well as a remediation strategy for resolving the deficiencies. Our experience in formal course instruction and hands-on experience working with various agencies enable us to be both efficient and effective in remediation efforts.
Data Reliability Assessments
Data Reliability Assessments are different from performing IT audits in support of a financial statement audit. The GAO has released guidance on how to address Data Reliability (GAO’s Assessing the Reliability of Computer-Processed Data). The methodology to be used is quite flexible and can be various pieces of the FISCAM approach, complemented with Section 300 of the FAM. In order to effectively assess Data Reliability, an agency must seek the advice of a firm that has appropriate experience. Your Internal Controls, LLC has extensive formal course instruction as well as hands-on experience in assessing Data Reliability.
Recovery Auditing
Agencies (in resolving their IPIA efforts) recognize that payments may have been made incorrectly (e.g. duplicate payments, wrong payee, etc.). As such, your agency may require the experience of a firm that specializes in internal controls. Your Internal Controls, LLC can assist your agency in the identification of improper payments, and identify amounts to be recovered.
Management Control Plan
Does your agency span several physical locations? Are there different divisions with different missions? Are the systems integrated across the organization as a whole? If the answer is yes to any of these questions, Your Internal Controls, LLC can help with your overall Management Control Plan. From start to finish, we can set up a plan that identifies the universe of controls. From there we then identify key controls and begin testing. If remediation efforts are necessary, we can identify the action required and resolve the deficiencies. The entire approach is matrix-oriented with a risk-based, top-down methodology. Our approach can save time and ensure an efficient process is in place.