Assessment of Internal Control Over Financial Reporting - PowerPoint PPT Presentation

About This Presentation

Title: Assessment of Internal Control Over Financial Reporting

Description: Office of the Chief Financial Officer. United States Department ... Using OCIO's Cyber Security Assessment & Management System (CSAM) to document A-123 testing ...

Slides: 16
Provided by: ljones7

Transcript and Presenter's Notes

Title: Assessment of Internal Control Over Financial Reporting


1
Assessment of Internal Control Over Financial
Reporting
  • Presented by Annie Walker-Bradley and Michael A.
    Fiene

2
Agenda
  • Where We've Been. Where We're Going
  • FY 2009 General Computer Controls
  • Fun With Internal Control

3
Where We've Been. Where We're Going
Office of the Chief Financial Officer
4
Year 1 FY 2006
  • Accomplishments
  • Organized Governance Structure (AIT, SAT, SMCC)
  • Obtained Contract Support Services
  • Established a documentation repository
    Quickplace (now ADTS)
  • Determined Materiality (Quantitative and
    Qualitative)
  • Determined Scope
  • Conducted Interviews, Walkthroughs and Testing
  • Established USDA A-123 Assessment Process
  • Uncovered Reportable Findings
  • Provided Periodic Reports to OMB
  • Fully Complied with the Requirements of the
    Circular in Year 1

5
Year 2 FY 2007
  • Accomplishments
  • Established IT Weakness Executive Steering
    Committee
  • Developed New A-123 Deliverables Tracking
    System (ADTS)
  • Provided Web-based Training
  • Implemented Revised Definitions for Material
    Weakness, Significant Deficiency and Control
    Deficiency
  • Conducted the Assessment at the Cycle level vs.
    the Process level
  • Standard control objectives for each cycle and
    its underlying processes were established
  • General computer control objectives based on
    FISCAM and linked to NIST 800-53 control families
  • Structured decision tree analysis for the Summary
    of Aggregated Deficiencies (SAD)
  • Commenced Remediation of Prior Year Reportable
    Findings
  • Revised the Corrective Action Plan (CAP) Process
    Guide

6
Year 3 FY 2008
  • Accomplishments
  • Enhanced ADTS
  • Began Rotational Testing
  • Improved the Standard Forms Used for the
    Assessment
  • Provided Additional Training
  • Conducted Spot Testing on a Sampling of Test
    Results
  • Re-competed the Support Services Contract
  • Completed the Assessment Ahead of Prior Year
  • Began to Institutionalize Internal Controls

7
Year 4 FY 2009
  • Accomplishments
  • Transitioned to New Contract Service Provider
  • Transitioned GCC Portion of the Assessment to
    CSAM
  • Worked with our Kansas City Counterparts (ICD and
    ISD)
  • Improved Reporting
  • Automated Five Forms in ADTS
  • Changed the Workflow
  • Provided Additional Training utilizing Webinar
    Technology

8
Plans for FY 2010
  • Review and Refine Cycle Control Objectives, Risks
    and Techniques
  • Share Component Agency Best Practices
  • Evaluate Other Tools for the Business Process
    Assessment
  • Initiate Plans for Continuous Monitoring
    Solutions
  • Better Integrate Business Process with GCC

9
FY 2009 General Computer Controls (GCC)
10
FISMA and NIST SP 800-53
  • Federal Information Security Management Act
    (FISMA) of 2002
  • Requires agencies, among other things, to
    periodically test and evaluate the effectiveness
    of information security policies, procedures,
    practices, and security controls (no less than
    annually)
  • National Institute of Standards and Technology
    (NIST) SP 800-53
  • Provides a catalog of minimum security controls
    for information systems supporting the Federal
    Government

11
NIST 800-53 Control Families
  • AC - Access Control
  • AT - Awareness and Training
  • AU - Audit and Accountability
  • CA - Certification and Accreditation
  • CM - Configuration Management
  • CP - Contingency Planning
  • IA - Identification and Authentication
  • IR - Incident Response
  • MA - Maintenance
  • MP - Media Protection
  • PE - Physical and Environmental Protection
  • PL - Planning
  • PS - Personnel Security
  • RA - Risk Assessment
  • SA - System and Services Acquisition
  • SC - System and Communications Protection
  • SI - System and Information Integrity

12
FISMA and A-123 Appendix A
13
2009 GCC A-123, Appendix A Assessment
  • Developed control objectives for each control
    family
  • Identified 29 key NIST 800-53 controls
    requiring annual testing
  • Developed Departmental test plan for testing the
    29 key controls
  • Using OCIO's Cyber Security Assessment and
    Management System (CSAM) to document A-123 testing

14
CSAM
15
QUESTIONS???