« US-GAO: The Air Force can improve accountability for mission-critical assets through enhanced enterprise risk management and internal control assessments | Main | The Federal Trade Commission (FTC) is blogging about privacy during the pandemic... »

2020.06.23

GAO Greenbook and OMB Circular No. A-123

Hello, this is Mitsuhiko Maruyama.

I am simply posting some reference information on the US federal government's ERM and internal control regime and on GAO audits.

Office of Management and Budget : OMB [wikipedia]

OMB is an organization reporting directly to the President; under the President's policy direction it coordinates and prepares the budget for the entire federal government. Because its duties also include making sure that each government agency executes that budget properly, I understand it to have jurisdiction over internal control as well (including security and privacy).

The Mission and Structure of the Office of Management and Budget

-----

  1. Budget development and execution, a significant government-wide process managed from the Executive Office of the President and a mechanism by which a President implements decisions, policies, priorities, and actions in all areas (from economic recovery to health care to energy policy to national security);
     
  2. Management — oversight of agency performance, Federal procurement, financial management, and information/IT (including paperwork reduction, privacy, and security);
     
  3. Coordination and review of all significant Federal regulations by executive agencies, to reflect Presidential priorities and to ensure that economic and other impacts are assessed as part of regulatory decision-making, along with review and assessment of information collection requests;
     
  4. Legislative clearance and coordination (review and clearance of all agency communications with Congress, including testimony and draft bills) to ensure consistency of agency legislative views and proposals with Presidential policy; and
     
  5. Executive Orders and Presidential Memoranda to agency heads and officials, the mechanisms by which the President directs specific government-wide actions by Executive Branch officials.

-----

For internal control, there is OMB Circular No. A-123. The latest version was published on 2016.07.15.

・2016.07.15 A Conversation with OMB Controller David Mader on the Release of the Updated OMB Circular A-123

 ・[PDF] OMB Circular No. A-123

----

Purpose: This Circular defines management’s responsibilities for enterprise risk management (ERM) and internal control. The Circular provides updated implementation guidance to Federal managers to improve accountability and effectiveness of Federal programs as well as mission support operations through implementation of ERM practices and by establishing, maintaining, and assessing internal control effectiveness. The Circular emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency.

 ....

Requirements: Office of Management and Budget (OMB) Circular No. A-123 requires agencies to integrate risk management and internal control functions. The Circular also establishes an assessment process based on the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (known as the Green Book) that management must implement in order to properly assess and improve internal controls over operations, reporting, and compliance. The primary compliance indicators that management must consider when implementing OMB Circular No. A-123, include:  

  • Management is responsible for the establishment of a governance structure to effectively implement, direct and oversee implementation of the Circular and all the provisions of a robust process of risk management and internal control.

  • Implementation of the Circular should leverage existing offices or functions within the organization that currently monitor risks and the effectiveness of the organization’s internal control.

  • Agencies should develop a maturity model approach to the adoption of an ERM framework. For FY 2016, Agencies are encouraged to develop an approach to implement ERM. For FY 2017 and thereafter Agencies must continuously build risk identification capabilities into the framework to identify new or emerging risks, and/or changes in existing risks (See Section II.C. for additional details).

  • Management must evaluate the effectiveness of internal controls annually using GAO’s Standards for Internal Control in the Federal Government. (The Green Book) Throughout the Circular, the terms “Must” and “Will” denote a requirement that management will comply with in all cases. “Should,” indicates a presumptively mandatory requirement except in circumstances where the requirement is not relevant for the Agency. “May” or “Could,” indicate best practices that may be adopted at the discretion of management.

...

TABLE OF CONTENTS

I. Introduction

II. Establishing Enterprise Risk Management in Management Practices
A. Governance
B. Risk Profiles
 B1. Identification of Objectives
 B2. Identification of Risk
 B3. Inherent Risk Assessment
 B4. Current Risk Response
 B5. Residual Risk Assessment
 B6. Proposed Action
 B7. Proposed Risk Response Category
C. Implementation
D. Role of Auditors in Enterprise Risk Management

III. Establishing And Operating An Effective System Of Internal Control
A. Governance
B. Establish Entity Level Control
 B1. Service Organizations
 B2. Managing Fraud Risks in Federal Programs

IV. Assessing Internal Control
A. Documentation Requirements
B. Sources of Information
C. Identification of Deficiencies
D. Internal Control Evaluation Approach

V. Correcting Internal Control Deficiencies
A. Importance of Correcting Internal Control Deficiencies
B. Corrective Action Plan Requirements
C. Audit Follow Up and Cooperative Audit Resolution and Oversight Initiatives

VI. Reporting on Internal Controls
A. Annual Assurance Statement
B. Reporting Pursuant to Integration of Enterprise Risk Management and Internal Control
C. Reporting Pursuant to OMB Circular No. A-123, Appendix A
D. Reporting Pursuant to OMB Circular No. A-130, Appendix I
E. Reporting Pursuant to Section 2 - 31 U.S.C. 3512(d)(2)
F. Reporting Pursuant to Section 4 - 31 U.S.C. 3512(d)(2)(B)
G. Government Corporations
H. Classified Matters
I. Agencies Obtaining Audit Opinions on Internal Control

VII. Additional Considerations
A. Managing Privacy Risks in Federal Programs
B. Conducting Acquisition Assessments under OMB Circular No. A-123
C. Managing Grants Risks in Federal Programs
D. Managing Antideficiency Act Risks

------

That is how the Circular is organized.

As for the GAO Green Book, its formal title is "Standards for Internal Control in the Federal Government".

● U.S. Government Accountability Office (GAO) [wikipedia]

You can think of the Green Book as the COSO internal control framework adapted for government. The latest version was issued on 2014.09.10.

・2014.09.10 GAO-14-704G:Greenbook

 ・[PDF] Standards for Internal Control in the Federal Government

For reference, compare its 17 principles with those of the COSO framework "Internal Control - Integrated Framework (Executive Summary)". The two are laid out side by side below (Green Book on the left, COSO on the right).

| # | Green Book | COSO |
|---|---|---|
| | CONTROL ENVIRONMENT | CONTROL ENVIRONMENT |
| 1 | The oversight body and management should demonstrate a commitment to integrity and ethical values. | The organization demonstrates a commitment to integrity and ethical values. |
| 2 | The oversight body should oversee the entity's internal control system. | The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. |
| 3 | Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives. | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
| 4 | Management should demonstrate a commitment to recruit, develop, and retain competent individuals. | The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
| 5 | Management should evaluate performance and hold individuals accountable for their internal control responsibilities. | The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
| | RISK ASSESSMENT | RISK ASSESSMENT |
| 6 | Management should define objectives clearly to enable the identification of risks and define risk tolerances. | The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. |
| 7 | Management should identify, analyze, and respond to risks related to achieving the defined objectives. | The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. |
| 8 | Management should consider the potential for fraud when identifying, analyzing, and responding to risks. | The organization considers the potential for fraud in assessing risks to the achievement of objectives. |
| 9 | Management should identify, analyze, and respond to significant changes that could impact the internal control system. | The organization identifies and assesses changes that could significantly impact the system of internal control. |
| | CONTROL ACTIVITIES | CONTROL ACTIVITIES |
| 10 | Management should design control activities to achieve objectives and respond to risks. | The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
| 11 | Management should design the entity's information system and related control activities to achieve objectives and respond to risks. | The organization selects and develops general control activities over technology to support the achievement of objectives. |
| 12 | Management should implement control activities through policies. | The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. |
| | INFORMATION & COMMUNICATION | INFORMATION & COMMUNICATION |
| 13 | Management should use quality information to achieve the entity's objectives. | The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. |
| 14 | Management should internally communicate the necessary quality information to achieve the entity's objectives. | The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
| 15 | Management should externally communicate the necessary quality information to achieve the entity's objectives. | The organization communicates with external parties regarding matters affecting the functioning of internal control. |
| | MONITORING | MONITORING |
| 16 | Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. | The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. |
| 17 | Management should remediate identified internal control deficiencies on a timely basis. | The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |

