
Internal Control Considerations in a Shared Services Environment


Presentation Transcript


  1. Internal Control Considerations in a Shared Services Environment

  2. Introductions
  • Speakers:
    • Adam Goldberg, Executive Architect, Office of Financial Innovation and Transformation, U.S. Department of the Treasury
    • Gil Hawk, Chief Information Officer, USDA National Finance Center
    • Francois Barnard, Senior Manager, MorganFranklin
  • Moderator:
    • Geoff Harkness, Managing Director, MorganFranklin

  3. Agenda
  • Topics of discussion:
    • Introduction to shared services
    • What is the future for shared services in the federal government?
    • Internal control considerations from a shared services provider / federal center of excellence perspective
    • Internal control considerations from a user agency perspective
    • What is SSAE 16 and what does it mean to the parties in a shared services arrangement?

  4. Internal Controls and Shared Services: The Future for Shared Services in the Federal Government

  5. The Case for Financial Management Shared Services
  • Reduce risk of failed systems implementations (cost avoidance)
  • Free up agency resources to focus on mission-based programs
  • Ensure greater standardization of data, which allows for more transparency
  • Enable better decision-making through improved data analytics
  • Make adoption of new government-wide requirements easier
  • Deliver greater efficiencies and cost savings for the federal government

  6. 6

  7. 7

  8. USDA National Finance Center: A Shared Service Center of Excellence

  9. Shared Service Provider
  • A shared service provider:
    • Provisions one or more business capabilities or services from a common platform to one or more partner agencies/customers
    • Strives to deliver the best value in the Federal Government for the specific service
    • Guarantees a high level of quality and reliability to maintain the trust and confidence of its customers

  10. Benefits of Shared Services
  • Implementation of the Shared Services Strategy and “Shared First” principles will produce a number of beneficial outcomes:
    • Eliminate inefficient spending that results from duplicative systems
    • Enhance awareness and adoption of available shared services across the government
    • Promote agility and innovation within agencies by improving speed, flexibility and responsiveness
    • Focus more agency resources on core mission requirements rather than administrative support services
    • Spur the adoption of best practices and best-in-class ideas and innovations
    • Reduce the support costs of redundant IT resources
    • Improve cost efficiencies and streamline through shared commodity IT

  11. NFC’s Business Model
  • Cross-Service (Shared Services) Provider
  • Employee-Centric Services
  • Agency Support Services
  • Economy Act Contracts
  • Benefits for a cost: “Breakeven”, “Best Value”
  • Customers: Internal, Other Federal, Commercial

  12. NFC’s Business Portfolio
  • Human Resources Line of Business
  • Payroll/Personnel
  • Human Resource Services
  • Office of Personnel Management Services
    • Direct Premium Remittance
    • FEHB Clearinghouse
    • Health Care Reform – High Risk Individuals (PCIP)
  • Customer-Specific Services
    • Data Center Hosting
    • Applications
    • Operations

  13. NFC’s Business Lines: Payroll/Personnel
  • Personnel, time & attendance, payroll, and payroll accounting reporting
  • Since 1983, system functions have grown 400%
  • If annual costs had increased by inflation alone, the average rate would be $42 higher this year
  • Background
    • Services USDA and 170 other Federal organizations across all three branches of the Federal Government
    • Coverage is 655,000 employees
    • 4,137 personnel offices
    • Operates as one of four approved e-Payroll providers

  14. Evolution of NFC Services (timeline slide; year markers 1983, 1987, 1989, 1990, 1998-99, 2000, 2005, 2006, 2008-12)
  • Milestones, listed most recent first as on the slide: EmpowHR 9.0; PPS Database Change; EPIC Web; webTA; EmpowHR 8.8; OPM Shared Services Center Selection; OPM Clearinghouse System; Employee Personal Page; TCP/IP Applications; Direct Premium Remittance System; Multiple Payroll/Personnel Databases; Thrift Savings Plan System; Electronic Access / customer data entry; First Cross-Servicing client
  • Growth figures shown on the slide (earliest value to latest value):
    • Departments/Agencies serviced: 35 to 170
    • W-2s processed: 163,000 to 700,000
    • Lines of code: 4,017,569 to 20,000,000+
    • DPRS accounts: 1,000 to 31,799
    • Payroll/Personnel help desk calls: 76,200 to 65,161
    • EmpowHR help desk calls: 1,300 to 3,800

  15. Payroll/Personnel Payee Growth

  16. Average Billed Rate vs. Rate of Inflation (Base Year = 2004)

  17. webTA Rates

  18. NFC’s Business Lines (cont’d): Human Resources Line of Business (HR LoB)
  • Human Resources Life Cycle, “From Hire to Retire”
    • Strategize and Plan
    • Position Management
    • Recruiting and Hiring
    • Development, Performance Management, and Compensation
    • Separating
  • Background
    • Servicing USDA, LoC, DHS, DoJ, GPO with EmpowHR
    • Business area includes the entire employee life cycle
    • Operates as one of five Federal Shared Service Centers

  19. NFC’s HR LoB Strategic Solution: General Support Systems

  20. HR LoB Rates

  21. NFC’s Business Lines (cont’d): Office of Personnel Management
  • Government-wide Benefit Systems
    • Direct Premium Remittance servicing 120,000 annual premiums
    • Federal Employee Health Benefits Clearinghouse supporting 4.2M enrollees
    • High Risk Insurance Pool servicing 20+ states

  22. NFC’s Business Lines (cont’d): Agency Specific Services
  • Provides for USDA and external customers:
    • Complete data center services
    • Application development and maintenance services
    • Employee support services
    • Bulk mailing services
    • Security services

  23. Customer Profile
  • Several components within the Legislative Branch
  • Several components within the Judicial Branch
  • Approximately half of small agencies
  • Payroll covers 35% of civilian Federal staff
  • Benefits recordkeeping for 90% Federal and beyond

  24. Why NFC?
  • We deliver quality customer service
  • Platform for future value added
  • Help desk for the full suite of services
  • Data warehouses for reporting and analytics
  • Disaster recovery, fully tested
  • Best cost/value

  25. Bringing a New Customer On-board
  • System demonstration
  • Fit-gap session with the customer
  • Functional Requirements Document (FRD)
  • Level-of-effort and cost estimates for implementation
  • Review the costs with the customer
  • System development
  • Develop/test/edit conversion and load scripts for data conversion
  • Load customer data into the Quality Assurance (QA) environment
  • Testing in QA

  26. Bringing a New Customer On-board (cont’d)
  • Load customer data into the Customer User Acceptance Test (CUAT) environment
  • Conduct training on the product for the customer
  • CUAT testing
  • Resolve any defects from testing
  • Customer approval to go live
  • Move the customer into the production environment for go-live

  27. NFC’s Management Controls Program
  • Management controls
    • Essential for enhancing business integrity, minimizing business risks, and operating in an “effective, efficient, secure, auditable, and well-controlled” (EESAC) environment in support of National Finance Center (NFC) goals and objectives
  • Objectives of internal controls
    • Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations
  • “Management control activities are not stand-alone management practices, but rather are woven into the day-to-day operational responsibilities of agency management.” (OMB)

  28. Management Responsibilities
  • Conduct risk assessments of operational activities
  • Ensure key management controls are developed, documented, maintained, implemented, evaluated, improved, and reported on
  • Ensure adherence to NFC-wide management controls
  • Assess the effectiveness of management controls on an ongoing basis and document the assessment process annually
  • Report possible material weaknesses, significant deficiencies, and/or non-conformances with the general control standards and the financial management system requirements

  29. Assessing Controls
  • OMB Circular A-123 (Appendix A), assessment of internal control over financial reporting
  • Annual FISMA self-assessment
  • Assessment and Authorization (formerly Certification and Accreditation, C&A)
  • Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization

  30. Summary • Shared services allow customers to focus on their main mission areas

  31. Internal Control Considerations in a Shared Services Environment: User Agency and Shared Services Provider Perspective

  32. Internal Control Considerations: Overview
  • FISMA requires that user agencies maintain and periodically assess the protections over information collected or maintained by, or on behalf of, the user agency
  • The American Institute of Certified Public Accountants (AICPA) provides guidance, through its attestation standards, on performing an objective and independent assessment of the effectiveness of the protections maintained by shared services providers
  • Outsourcing tasks or functions to a shared services provider does not eliminate the risks associated with those activities, nor the agency’s obligation to comply with applicable requirements

  33. Internal Control Considerations: User Agency Perspective
  • Assessing the effectiveness of the applicable internal controls maintained at a shared services provider requires an assessment of the provider’s environment, not only of the agency’s own
  • Conducting an on-site assessment requires the consent and cooperation of the shared services provider
  • The ability to conduct on-site assessments (a “right to audit” clause), if any, at a shared services provider is usually defined within the contractual agreement (MOU, RA, SLA, etc.)
  • Shared services providers may be reluctant to provide the necessary access to their operations

  34. Internal Control Considerations: Shared Services Provider Perspective
  • User agencies continue to increase their due diligence and governance over the services they receive from their shared services providers
  • Allowing each user agency its own on-site assessment will most likely prove disruptive and impractical
  • Measuring the effectiveness of the shared services provider’s environment once and providing that result to many agencies avoids the disruption on-site assessments would cause
  • Demonstrating an effective and well-controlled environment helps satisfy the user agencies’ due diligence requirements for the services being provided

  35. Internal Control Considerations: Service Organization Control (SOC) Reports
  • The assessment can address either the effectiveness of controls relevant to user entities’ financial reporting (SOC 1) or controls over security, availability, processing integrity, confidentiality and privacy (SOC 2, a restricted-use report with detailed test results; SOC 3, a general-use summary without them)
  • A SOC report lets the shared services provider meet the assurance needs of all of its clients with one engagement

  36. Service Organization Reports

  37. Service Organization Reports(Continued)

  38. Service Organization Reports(Continued)

  39. Service Organization Reports: Trust Services Principles
  • The Trust Services Principles include the following:
    • Security: the system is protected against unauthorized access (both physical and logical)
    • Availability: the system is available for operation and use as committed or agreed (including business continuity)
    • Processing Integrity: system processing is complete, accurate, timely, and authorized
    • Confidentiality: information designated as confidential is protected as committed or agreed
    • Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and the Canadian Institute of Chartered Accountants

  40. Service Organization Control (SOC) Reports: Which SOC Report?

  41. SSAE 16

  42. SSAE 16 Responsibilities: Shared Services Provider
  • Under the standard a shared services provider has five primary responsibilities:
    • Prepare and present a complete and accurate description of the system(s) being used (not just the controls/control environment)
    • Specify the control objectives of the system(s) and include those control objectives in the description of the system
    • Identify the risks that threaten the achievement of the control objective(s)
    • Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved
    • Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided, as well as the criteria used as a basis for making the assertion

  43. SSAE 16 Responsibilities: User Agencies
  • Under the standard a user agency has the following responsibilities:
    • Verify that the report, and the period it covers, apply to the services the agency actually receives from the service organization
    • Read and understand the description of the service organization’s system and confirm that it provides enough information to understand the flow of transactions through the service organization and where errors could occur
    • Review the results of the report and apply the information accordingly
    • Retain the report and the agency’s assessment of it as test evidence
    • Determine the impact of reported control weaknesses on the agency’s own assertions/control objectives
    • Make sure that the applicable Complementary User Entity Controls (CUECs) are in place and operating
    • Assess any services provided to the shared services provider and passed through to the user agency that the SSAE 16 report does not cover (“carve-outs” / subservice organizations)

  44. SSAE 16: Assessing Test Failures
  • The potential impact of each test failure noted within the SSAE 16 report should be evaluated
  • Compensating controls may already exist within the report and may reduce the overall impact
  • In addition, user agencies should be able to leverage CUECs, where appropriate
  • A test failure does not automatically translate to a control objective failure

  45. SSAE 16 Responsibilities: User Agencies (cont’d)
  • Complementary User Entity Controls (CUECs)
    • Formerly known as User Control Considerations (UCCs)
    • Describe controls that are the responsibility of the user agency and are deemed out of scope of the SOC 1 report
    • If CUECs are not designed and operating effectively at the user organization, the control objectives in the SOC 1 report may not be met
    • Conversely, CUECs may compensate for/mitigate control weaknesses at the service provider
    • It is the responsibility of the user agency to document these controls and provide evidence of their operating effectiveness to its auditor
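The mechanical parts of the user-agency review in slides 43 to 45 (period coverage, carve-outs, and whether a test exception is absorbed by a compensating control or a CUEC) can be written down as a short script. The following is an added example, not code from the presentation, NFC, or the AICPA: the report contents, the control identifiers (AC-1, AC-2, CM-1, PR-1, CO-1 to CO-3, CUEC-1, CUEC-2), the carve-out, the dates, and the mitigation rules in `objective_status` are constructed assumptions for illustration, and a real review remains an auditor’s judgement.

```python
"""Worked review of a SOC 1 (SSAE 16) report from the user-agency side.

Added example, not part of the original presentation. The report, the
control identifiers and the carve-out below are CONSTRUCTED sample data,
not any actual provider's report. The mitigation rules are an assumed
simplification of slides 44 and 45 and are stated inline.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlTest:
    control_id: str
    objective_id: str           # control objective this control supports
    exception: bool             # True if the service auditor reported a test failure
    compensating: tuple = ()    # other provider controls the report names as mitigating


@dataclass(frozen=True)
class Soc1Report:
    service: str
    period_start: date
    period_end: date
    tests: tuple                # ControlTest instances
    cuecs: dict                 # CUEC id -> control objective it supports (agency side)
    carve_outs: tuple = ()      # subservice organizations excluded from the report


def uncovered_days(report, assess_start, assess_end):
    """Days of the agency's assessment period that the report period does not
    cover (slide 43: verify that the period covered is applicable)."""
    total = (assess_end - assess_start).days + 1
    overlap_start = max(assess_start, report.period_start)
    overlap_end = min(assess_end, report.period_end)
    overlap = max(0, (overlap_end - overlap_start).days + 1)
    return total - overlap


def objective_status(report, objective_id, operating_cuecs):
    """Classify one control objective after weighing test exceptions,
    compensating controls in the report, and the agency's own CUECs.

    Returns (status, detail); detail lists the controls still open.
    Assumed rules (a simplification of slides 44 and 45):
      - a CUEC the agency cannot evidence puts the objective at risk outright;
      - an exception is absorbed if a named compensating control passed;
      - an operating CUEC for the objective mitigates remaining exceptions.
    """
    tests = [t for t in report.tests if t.objective_id == objective_id]
    passed = {t.control_id for t in tests if not t.exception}
    failures = [t for t in tests if t.exception]
    required_cuecs = {c for c, o in report.cuecs.items() if o == objective_id}
    missing_cuecs = required_cuecs - set(operating_cuecs)
    if missing_cuecs:
        return "not_met", sorted(missing_cuecs)
    if not failures:
        return "met", []
    uncompensated = [t.control_id for t in failures
                     if not any(c in passed for c in t.compensating)]
    if not uncompensated:
        return "compensated", []
    if required_cuecs:
        return "mitigated_by_cuec", uncompensated
    return "not_met", uncompensated


def evaluate(report, assess_start, assess_end, operating_cuecs):
    """Full user-agency review: period coverage, carve-outs that need their
    own assessment, and a status per control objective."""
    objectives = sorted({t.objective_id for t in report.tests})
    return {
        "uncovered_days": uncovered_days(report, assess_start, assess_end),
        "carve_outs": list(report.carve_outs),
        "objectives": {o: objective_status(report, o, operating_cuecs)
                       for o in objectives},
    }


# Constructed sample: a nine-month report period, one carve-out, one
# exception covered by a compensating control, one left to a CUEC.
SAMPLE_REPORT = Soc1Report(
    service="payroll processing (constructed sample)",
    period_start=date(2012, 10, 1),
    period_end=date(2013, 6, 30),
    tests=(
        ControlTest("AC-1", "CO-1", exception=False),                         # quarterly access review
        ControlTest("AC-2", "CO-1", exception=True, compensating=("AC-1",)),  # terminated user removed late
        ControlTest("CM-1", "CO-2", exception=True),                          # change moved without approval
        ControlTest("PR-1", "CO-3", exception=False),                         # payroll totals reconciled
    ),
    cuecs={"CUEC-1": "CO-2", "CUEC-2": "CO-3"},
    carve_outs=("off-site tape storage vendor",),
)


def review_sample(operating_cuecs=("CUEC-1",)):
    """Review the sample report against an agency fiscal year (Oct 1 to Sep 30),
    given the CUECs the agency can evidence as operating."""
    return evaluate(SAMPLE_REPORT, date(2012, 10, 1), date(2013, 9, 30), operating_cuecs)


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

Run directly, the script reports 92 uncovered days (the report ends on June 30 while the agency’s year runs to September 30, the gap slide 43’s first bullet is about), the carve-out that needs its own evidence, CO-1 as compensated, CO-2 as mitigated only because CUEC-1 is operating, and CO-3 as not met because CUEC-2 has no evidence even though the provider’s own test passed. `review_sample` takes the set of evidenced CUECs, so the same report can be re-evaluated as the agency gathers its own evidence.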

  46. References • AICPA. (2010). Service Organization Controls: Managing Risks by Obtaining a Service Auditor’s Report [White Paper]. Retrieved from http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocuments/10957-378%20soc%20whitepaper.pdf

  47. Questions & Answers

  48. Thank You
