December 21, 2004
MEMORANDUM TO THE CHIEF FINANCIAL OFFICERS, CHIEF OPERATION OFFICERS, CHIEF INFORMATION OFFICERS, AND PROGRAM MANAGERS
OMB Circular No. A-123 defines management's responsibility for internal control in Federal agencies. A re-examination of the existing internal control requirements for Federal agencies was initiated in light of the new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 and the statute it implements, the Federal Managers’ Financial Integrity Act of 1982, are at the center of the existing Federal requirements to improve internal control. This circular reflects policy recommendations developed by a joint committee of representatives from the Chief Financial Officer Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE). The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities. The revised circular is effective for FY 2006. Agencies should take steps in FY 2005 to prepare for its implementation. OMB plans to continue to work closely with the CFOC and the PCIE to provide further implementation guidance.
December 21, 2004
CIRCULAR NO. A-123
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Management’s Responsibility for Internal Control
1. Purpose. This Circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control. The attachment to this Circular defines management’s responsibilities related to internal control and the process for assessing internal control effectiveness along with a summary of the significant changes. The Circular provides updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting (Appendix A). This Circular emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities. This revision to the Circular will become effective in Fiscal Year 2006 and supersede all previous versions. In the interim, OMB Circular No. A-123, "Management Accountability and Control," revised, June 21, 1995 should continue to be followed.
2. Authority. The Circular is issued under the authority of the Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512.
3. Policy. Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the assessment process contained in Appendix A. Annually, management must provide assurances on internal control in its Performance and Accountability Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.
4. Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective internal control for results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations; (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A; (iv) identify needed improvements; (v) take corresponding corrective action; and (vi) report annually on internal control through management assurance statements.
5. Effective Date. This Circular is effective beginning with Fiscal Year 2006.
6. Applicability. This Circular is applicable to each executive agency, with the exception of the requirements in the appendix. The requirements of Appendix A are applicable to the 24 CFO Act agencies.
7. Inquiries. Further information concerning this Circular may be obtained from the Financial Standards and Grants Branch, Office of Federal Financial Management, Office of Management and Budget, Washington, DC 20503, 202/395-3993.
8. Copies. Copies of this Circular may be obtained from www.omb.gov.
Attachment
Significant Revisions to OMB Circular A-123
New Requirements in Appendix A –
I. INTRODUCTION
Management has a fundamental responsibility to develop and maintain effective internal control. The proper stewardship of Federal resources is an essential responsibility of agency managers and staff. Federal employees must ensure that Federal programs operate and Federal resources are used efficiently and effectively to achieve desired objectives. Programs must operate and resources must be used consistent with agency missions, in compliance with laws and regulations, and with minimal potential for waste, fraud, and mismanagement.
Management is responsible for developing and maintaining effective internal control. Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner. Internal Control -- organization, policies, and procedures -- are tools to help program and financial managers achieve results and safeguard the integrity of their programs. This Circular provides guidance on using the range of tools at the disposal of agency managers to achieve desired program results and meet the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA encompasses accounting and administrative controls. Such controls include program, operational, and administrative areas as well as accounting and financial management.
The importance of internal control is addressed in many statutes and executive documents. The FMFIA establishes overall requirements with regard to internal control. The agency head must establish controls that reasonably ensure that: “(i) obligations and costs are in compliance with applicable law; (ii) funds, property, and other assets are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.”1 In addition, the agency head annually must evaluate and report on the control and financial systems that protect the integrity of Federal programs (Section 2 and Section 4 of FMFIA respectively). The three objectives of internal control are to ensure the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The safeguarding of assets is a subset of all of these objectives.
Instead of considering internal control as an isolated management tool, agencies should integrate their efforts to meet the requirements of the FMFIA with other efforts to improve effectiveness and accountability. Thus, internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.
Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. Too many controls can result in inefficient and ineffective government; agency managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular programs and operations. The benefits of controls should outweigh the cost. Agencies should consider both qualitative and quantitative factors when analyzing costs against benefits.
A. Agency Implementation.
Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but is a means of managing the risk associated with Federal programs and operations. Managers should define the control environment (e.g., programs, operations, or financial reporting) and then perform risk assessments to identify the most significant areas within that environment in which to place or enhance internal control. The risk assessment is a critical step in the process to determine the extent of controls. Once significant areas have been identified, control activities should be implemented. Continuous monitoring and testing should help to identify poorly designed or ineffective controls and should be reported upon periodically. Management is then responsible for redesigning or improving upon those controls. Management is also responsible for communicating the objectives of internal control and ensuring the organization is committed to sustaining an effective internal control environment. Appropriate internal control should be integrated into each system established by agency management to direct and guide its operations. As stated earlier in this document, internal control applies to program, operational, and administrative areas as well as accounting and financial management. Generally, identifying and implementing the specific procedures necessary to ensure effective internal control, and determining how to assess the effectiveness of those controls, is left to the discretion of the agency head. While the procedures may vary from agency to agency, management should have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify document retention periods so that someone not connected with the procedures can understand the assessment process. 
To ensure senior management involvement, many agencies have established their own senior management council, often chaired by the agency's lead management official, to address management accountability and related issues within the broader context of agency operations. Relevant issues for such a council include ensuring the agency's commitment to an appropriate system of internal control; actively overseeing the process of assessing internal controls, including non-financial as well as financial reporting objectives; recommending to the agency head which control deficiencies are material to disclose in the annual FMFIA report; and providing input for the level and priority of resource needs to correct these deficiencies. (See also Section IV.C. Role of a Senior Management Council.)
Internal control, in the broadest sense, includes the plan of organization, methods and procedures adopted by management to meet its goals. Internal control includes processes for planning, organizing, directing, controlling, and reporting on agency operations. The three objectives of internal control are:
The safeguarding of assets is a subset of all of these objectives. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use or disposition of assets. Management is responsible for developing and maintaining internal control activities that comply with the following standards to meet the above objectives:
A. Control Environment
The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal control. When designing, evaluating or modifying the organizational structure, management must clearly demonstrate its commitment to competence in the workplace. Within the organizational structure, management must clearly: define areas of authority and responsibility; appropriately delegate the authority and responsibility throughout the agency; establish a suitable hierarchy for reporting; support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating and disciplining personnel; and uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties as well as understand the importance of maintaining effective internal control within the organization.
The organizational culture is also crucial within this standard. The culture should be defined by management’s leadership in setting values of integrity and ethical behavior but is also affected by the relationship between the organization and central oversight agencies and Congress. Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal control should cascade down and permeate the organization’s control environment which will aid in the successful implementation of internal control systems.
B. Risk Assessment
Management should identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as with outside organizations. Management should also consider previous findings; e.g., auditor identified, internal management reviews, or noncompliance with laws and regulations when identifying risks. Identified risks should then be analyzed for their potential effect or impact on the agency.
C. Control Activities
Control activities include policies, procedures and mechanisms in place to help ensure that agency objectives are met. Several examples include: proper segregation of duties (separate personnel with authority to authorize a transaction, process the transaction, and review the transaction); physical controls over assets (limited access to inventories or equipment); proper authorization; and appropriate documentation and access to that documentation.
Internal control also needs to be in place over information systems – general and application control. General control applies to all information systems such as the mainframe, network and end-user environments, and includes agency-wide security program planning, management, control over data center operations, system software acquisition and maintenance. Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at an application’s interfaces to verify inputs and outputs, such as edit checks. General and application control over information systems are interrelated; both are needed to ensure complete and accurate information processing. Due to the rapid changes in information technology, controls must also adjust to remain effective.
D. Information and Communications
Information should be communicated to relevant personnel at all levels within an organization. The information should be relevant, reliable, and timely. It is also crucial that an agency communicate with outside organizations as well, whether providing information or receiving it. Examples include: receiving updated guidance from central oversight agencies; management communicating requirements to the operational staff; operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.
E. Monitoring
Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in the agency’s operations. If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year. Deficiencies found in internal control should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.
III. INTEGRATED INTERNAL CONTROL FRAMEWORK
Federal agencies are subject to numerous legislative and regulatory requirements that promote and support effective internal control. Effective internal control is a key factor in achieving agency missions and program results through improved accountability. Identifying internal control weaknesses and taking related corrective actions are critically important to creating and maintaining a strong internal control infrastructure that supports the achievement of agency objectives.
Recent government-wide initiatives have been implemented to improve program management, as well as financial management, including tracking corrective actions for material weaknesses in internal control related to financial reporting, imposing accelerated reporting due dates for more timely financial information, and assessing the effectiveness and efficiency of program operations using the Program Assessment Rating Tool (PART). Activities conducted as part of these initiatives support an agency’s overall internal control framework. Statutory requirements that should also be considered as part of an agency’s internal control framework include:
Federal Managers’ Financial Integrity Act of 1982 (FMFIA)
The FMFIA requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of Federal programs; Section 2 and Section 4 respectively. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations and audits should be coordinated and considered to support management’s assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.
Government Performance and Results Act (GPRA)
To support results-oriented management, GPRA requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals. With the implementation of this legislation, these plans and goals are integrated into (i) the budget process, (ii) the operational management of agencies and programs, and (iii) accountability reporting to the public on performance results, and on the integrity, efficiency, and effectiveness with which they are achieved. Similarly, the PART’s primary purpose is to assess program effectiveness and improve program performance. The PART has also become an integral part of the budget process when making funding resource allocations or decisions.
Chief Financial Officers Act, as amended (CFO Act)
The CFO Act requires agencies to both establish and assess internal control related to financial reporting. The Act requires the preparation and audit of financial statements. In this process, auditors report on internal control and compliance with laws and regulations related to financial reporting. Therefore, the agencies covered by the Act have a clear opportunity to improve internal control over their financial activities, and to evaluate the controls that are in place. The Accountability of Tax Dollars Act of 2002 amended the CFO Act to expand the types of Federal agencies that are required to prepare audited financial statements. Meeting the accelerated financial statement reporting due date also provides incentive for agencies to have added discipline and effective internal control to routinely produce reliable financial information. Deficiencies in internal control need to be mitigated to ensure timely and accurate financial information.
Inspector General Act of 1978, as amended (IG Act)
The IG Act provides for independent reviews of agency programs and operations. IGs are required to submit semiannual reports to Congress on significant abuses and deficiencies identified during the reviews and the recommended actions to correct those deficiencies. IGs and/or external auditors are required by the Government Auditing Standards3 and OMB Bulletin No. 01-02, Audit Requirements of Federal Financial Statements, as amended4 to report material weaknesses in internal control related to financial reporting and noncompliance with laws and regulations as part of the financial statement audit. Auditors also provide recommendations for correcting the material weaknesses. Agency managers, who are required by the IG Act to follow up on audit recommendations, should use these reviews to identify and correct problems resulting from inadequate or poorly designed controls, and to build appropriate controls into new programs. Audit work planned by the IG should be coordinated with management’s assessment requirements to ensure cost effectiveness and avoid duplication.
Federal Financial Management Improvement Act of 1996 (FFMIA)
The FFMIA requires agencies to have financial management systems that substantially comply with the Federal financial management systems requirements, standards promulgated by the Federal Accounting Standards Advisory Board (FASAB), and the U.S. Standard General Ledger (USSGL) at the transaction level. Financial management systems shall have general and application controls in place in order to support management decisions by providing timely and reliable data. The agency head shall make a determination annually about whether the agency’s financial management systems substantially comply with the FFMIA. If the systems are found not to be compliant, management shall develop a remediation plan to bring those systems into substantial compliance. Management shall determine whether non-compliances with FFMIA should also be reported as non-conformances with Section 4 of FMFIA.
Federal Information Security Management Act of 2002 (FISMA)
The FISMA provides, “…a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets…” Agencies are required to provide information security controls proportionate with the risk and potential harm of not having those controls in place. Agency heads are required to annually report on the effectiveness of the agencies’ security programs. “Significant deficiencies” found under FISMA must also be reported as material weaknesses under FMFIA.
Improper Payments Information Act of 2002 (IPIA)
The IPIA requires agencies to review and, “…identify programs and activities that may be susceptible to significant improper payments.” Agencies must annually submit estimates of improper payments, corrective actions to reduce the improper payments, and statements as to whether its current information systems and infrastructure can support the effort to reduce improper payments. The nature and incidence of improper payments shall be considered when assessing the effectiveness of internal control.
Single Audit Act, as amended
The Single Audit Act, as amended, requires financial statement audits of non-Federal entities that receive or administer grant awards of Federal monies. The financial statement audits include testing the effectiveness of internal control and determining whether the award monies have been spent in compliance with laws and regulations. Each Federal agency which provides Federal awards shall review the audits of the recipients to determine whether corrective actions are implemented with respect to audit findings.
Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act)
The Clinger-Cohen Act requires agencies to use a disciplined capital planning and investment control (CPIC) process to maximize the value of and assess and manage the risks of the information technology acquisitions. The Act requires that agencies “(1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology; (2) prepare an annual report…on the progress in achieving the goals; (3) ensure that performance measurements are prescribed for information technology used by, or to be acquired for, the executive agency and that the performance measurements measure how well the information technology supports programs of the executive agency; (4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against such processes in terms of cost, speed, productivity, and quality of outputs and outcomes; (5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency’s mission-related processes and administrative processes as appropriate before making significant investments in information technology that is to be used in support of the performance of those missions; and (6) ensure that the information security policies, procedures, and practices of the executive agency are adequate.”
A. Developing Internal Control.
It is management’s responsibility to develop and maintain effective internal control. As agencies develop and execute strategies for implementing or reengineering agency programs and operations, they should design management structures that help ensure accountability for results. As part of this process, agencies and individual Federal managers must take systematic and proactive measures to develop and implement appropriate, cost-effective internal control. The degree to which studies and analysis are performed will vary depending on the complexity and risk associated with a given program or operation.
The expertise of the agency CFO can be valuable in developing appropriate control and the IG can be valuable in providing advice or consultation. Decisions made during this process should be documented and readily available for review.
IV. ASSESSING INTERNAL CONTROL
Agency managers should continuously monitor and improve the effectiveness of internal control associated with their programs. This continuous monitoring, and other periodic assessments, should provide the basis for the agency head's annual assessment of and report on internal control, as required by FMFIA. Agency management should determine the appropriate level of documentation needed to support this assessment. Documentation should be appropriately detailed and organized and contain sufficient information to support management’s assertion. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls. Specific assessment and documentation requirements to support management’s assurance statement on internal control over financial reporting are defined in Appendix A.
A. Sources of Information.
The agency head's assessment of internal control can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls, and should use other sources as a supplement to -- not a replacement for -- its own judgment. Sources of information include:
Use of a source of information should take into consideration whether the process included an evaluation of internal control. Agency management should avoid duplicating reviews which assess internal control, and should coordinate their efforts with other evaluations to the extent practicable. If a Federal manager determines that there is insufficient information available upon which to base an assessment of internal control, then appropriate reviews should be conducted which will provide such a basis.
B. Identification of Deficiencies.
Agency managers and employees should identify deficiencies in internal control from the sources of information described above and the results of their assessment process. Agency employees and managers shall report control deficiencies to the next supervisory level, which will allow the chain of command structure to determine the relative importance of each deficiency. A control deficiency or combination of control deficiencies that in management’s judgment represent significant deficiencies in the design or operation of internal control that could adversely affect the organization's ability to meet its internal control objectives is a reportable condition (internally tracked and monitored within the agency). A reportable condition that the agency head determines to be significant enough to be reported outside the agency shall be considered a material weakness7 and included in the annual FMFIA assurance statement and reported in the agency’s annual PAR. As it relates to financial reporting, agencies should also consider qualitative as well as quantitative measures to determine material items. This designation requires a judgment by agency managers as to the relative risk and significance of reportable conditions. In identifying and assessing the relative importance of reportable conditions, consideration should be given to the views of the agency's IG.
Definitions of reportable conditions and material weaknesses for management’s assessment of internal control over financial reporting are provided in Appendix A Section II. Scope. Additionally, definitions and reporting requirements are summarized in Exhibit 1. The “significant deficiencies” identified under FISMA must be reported as material weaknesses in the annual FMFIA report. Agency managers and staff should be encouraged to identify control deficiencies, as this reflects positively on the agency's commitment to recognizing and addressing management problems. Failing to report a known reportable condition would reflect adversely on the agency and continue to place the agency’s operations at risk. Agencies should carefully consider whether systemic weaknesses exist that adversely affect internal control across organizational or program lines.
C. Role of a Senior Management Council.
Many agencies use a Senior Management Council to assess and monitor deficiencies in internal control. A Senior Management Council, which may include the Chief Financial Officer, the Senior Procurement Executive, the Chief Information Officer, and the managers of other functional offices, should be involved in identifying and ensuring correction of systemic weaknesses relating to their respective functions. Consideration should be given to involving the IG in a consulting capacity but not to conduct management’s assessment of internal controls. Such councils generally recommend to the agency head which reportable conditions are deemed to be material weaknesses to the agency as a whole, and should therefore be included in the annual FMFIA assurance statement and reported in the agency’s PAR. This council should be responsible for overseeing the timely implementation of corrective actions related to material weaknesses. Such a council may also be useful in determining when sufficient action has been taken to declare that a reportable condition or material weakness has been corrected.
While the establishment of such a council is not a requirement of this document, a Senior Management Council or similar construct is encouraged.
V. CORRECTING INTERNAL CONTROL DEFICIENCIES
Agency managers are responsible for taking timely and effective action to correct deficiencies identified by the variety of sources discussed in Section IV, Assessing Internal Control. Correcting deficiencies is an integral part of management accountability and must be considered a priority by the agency. The extent to which corrective actions are tracked by the agency should be commensurate with the severity of the deficiency. Corrective action plans should be developed for all material weaknesses, and progress against plans should be periodically assessed and reported to agency management. Management should track progress to ensure timely and effective results. For reportable conditions that are not included in the FMFIA report, corrective action plans should be developed and tracked internally at the appropriate level.
A summary of the corrective action plans for material weaknesses shall be included in the agency’s PAR. The summary discussion shall include a description of the material weakness, status of corrective actions, and timeline for resolution. Management shall maintain more detailed corrective action plans internally which shall be available for OMB review. Management’s process for resolution and corrective action of identified material weaknesses in internal control must:
A determination that a reportable condition has been corrected should be made only when sufficient corrective actions have been taken and the desired results achieved. This determination should be in writing, and along with other appropriate documentation supporting the determination, should be available for review by appropriate officials. (See also Section IV.C. Role of a Senior Management Council.) As managers consider IG and GAO audit reports in identifying and correcting internal control deficiencies, they must be mindful of the statutory requirements for audit follow-up included in the IG Act, as amended and OMB Circular A-50, Audit Followup. Management has a responsibility to complete action, in a timely manner, on audit recommendations on which agreement with the IG has been reached. Management must make a decision regarding IG audit recommendations within a six month period after issuance of the audit report and implement management's decision within one year to the extent practicable.

VI. REPORTING ON INTERNAL CONTROL

A. Annual Assurance Statements. The assurance statements and information related to Section 2, Section 4, and internal control over financial reporting should be provided in a single FMFIA report section of the annual PAR labeled “Management Assurances.” The section should include the annual assurance statements, summary of material weaknesses and non-conformances, and summary of corrective action plans. Management’s assurance statement relating to internal control over financial reporting and any related material weaknesses and corrective actions shall be separately identified.

B. Reporting Pursuant to Section 2. 31 U.S.C. 3512(d) (2) (commonly referred to as Section 2 of the FMFIA) requires that annually the head of each executive agency submit to the President and the Congress (i) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives; and (ii) a report on material weaknesses in the agency's controls.
C. Reporting Pursuant to Section 4. 31 U.S.C. 3512(d) (2) (B) (commonly referred to as Section 4 of the FMFIA) requires an annual statement on whether the agency's financial management systems conform to government-wide requirements. These financial systems requirements are mandated by the FFMIA and OMB Circular No. A-127, Financial Management Systems, section 7. If the agency’s systems do not substantially conform to financial systems requirements, the statement must list the nonconformances and discuss the agency's plans for bringing its systems into substantial compliance. Financial management systems include both financial and financially-related (or mixed) systems.

D. Government Corporations. For government corporations, Section 306 of the Chief Financial Officers Act established a reporting requirement related to the internal controls for corporations covered by the Government Corporation and Control Act. These corporations must submit an annual management report to the Congress. This report must include, among other items, a statement on control systems by the head of the management of the corporation consistent with the requirements of the FMFIA. The corporation is required to provide the President, the Director of OMB, and the Comptroller General a copy of the management report when it is submitted to Congress.

Exhibit 1: Summary of A-123 reporting requirements
APPENDIX A: INTERNAL CONTROL OVER FINANCIAL REPORTING

I. Introduction

This Appendix provides a methodology for agency management to assess, document, and report on the internal controls over financial reporting. This document also encourages an integrated approach to assessing the internal controls over financial reporting considering the current legislative and regulatory environment in which Federal entities operate.
The Sarbanes-Oxley Act of 2002 required that management of publicly-traded companies strengthen their processes for assessing and reporting on the internal controls over financial reporting. The passage of the Sarbanes-Oxley Act served as an impetus for the Federal government to reevaluate its current policies relating to internal control over financial reporting and management’s related responsibilities. While the Sarbanes-Oxley Act created a new requirement for managers of publicly-traded companies to report on the internal controls over financial reporting, Federal managers have been subject to similar internal control reporting requirements for many years. Federal agencies are subject to numerous legislative and regulatory requirements that promote and support effective internal control. The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 provides the statutory basis for management’s responsibility for and assessment of internal control. In addition, the Chief Financial Officers Act (CFO Act) of 1990 requires agency CFOs to, “develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls, which … complies with applicable … internal control standards…” The Federal Financial Management Improvement Act (FFMIA) of 1996 and OMB Circular No. A-127, Financial Management Systems also instruct agencies to maintain an integrated financial management system that complies with Federal system requirements, FASAB Standards, and the USSGL at the transaction level. The Inspector General Act (IG Act) of 1978, as amended requires that IGs submit semiannual reports to the Congress on significant abuses and deficiencies identified during these reviews and the recommended actions to correct those deficiencies. The GAO Government Auditing Standards (Yellow Book) and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended require auditors to test and report on internal control as part of a Federal agency financial statement audit, including a description of reportable conditions and material weaknesses in internal control over financial reporting. Recent government-wide initiatives have also contributed to improvements in financial management and placed greater emphasis on implementing and maintaining effective internal control over financial reporting. These initiatives include aggressive OMB quarterly tracking of corrective actions for material weaknesses in internal control related to financial reporting, accelerated financial reporting due dates, and the emphasis on demonstrating the availability of timely and accurate financial management information for management decisions. The FMFIA and OMB Circular A-123 apply to each of the three objectives of internal control: effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. While the standards of internal control shall be applied consistently toward each of the objectives, this Appendix requires agencies to specifically document the process and methodology for applying the standards when assessing internal control over financial reporting. This Appendix also requires management to use a separate materiality level when assessing internal control over financial reporting (See Appendix A Section II. Scope). The agency head’s annual assurance statement on the effectiveness of internal control over financial reporting required by this Appendix is a subset of the assurance statement required under FMFIA on the overall internal control of the agency.

A. Objectives of Internal Control over Financial Reporting

Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting.
Reliability of financial reporting means that management can reasonably make the following assertions:
B. Definition of Financial Reporting

Internal control over financial reporting should assure the safeguarding of assets from waste, loss, unauthorized use, or misappropriation as well as assure compliance with laws and regulations pertaining to financial reporting. Financial reporting includes annual financial statements of an agency as well as other significant internal or external financial reports. Other significant financial reports are defined as any financial reports that could have a material effect on a significant spending, budgetary or other financial decision of the agency or that are used to determine compliance with laws and regulations on the part of the agency. An agency needs to determine the scope of financial reports that are significant, i.e., which reports are included in the assessment of internal control over financial reporting. In addition to the annual financial statements, significant reports might include: quarterly financial statements; financial statements at the operating division or program level; budget execution reports; reports used to monitor specific activities such as specific revenues, receivables, or liabilities; reports used to monitor compliance with laws and regulations such as the Anti-Deficiency Act, etc.

C. Planning Materiality

Materiality for financial reporting is the risk of error or misstatement that could occur in a financial report that would impact management’s or users’ decisions or conclusions based on such report. The planning materiality for the assessment should be designed so as to ensure that items required to be reported will be detected. Therefore, the planning materiality should be at a lower threshold than the reporting materiality as defined below. Materiality should be determined for each financial report included in the scope of the assessment. Materiality may differ from report to report.
Materiality shall be considered when determining the extent of testing or work required to assess internal control over financial reporting as well as what deficiencies should be reported. Management must determine whether the internal controls over a financial report are sufficient to prevent or detect errors or misstatements that would be considered material for a specific financial report. Therefore, the extent of work performed and reporting threshold for control deficiencies must be determined on a report by report basis. Additionally, agencies should consider qualitative as well as quantitative measures to determine material items.

D. Definition of Deficiencies [13]

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met. An operation deficiency exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively. A reportable condition is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote [14] likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected.
A material weakness in internal control is a reportable condition, or combination of reportable conditions, that results in more than a remote [15] likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected. Material weaknesses in internal control over financial reporting shall be included in the annual FMFIA report, but separately identified. A summary of the above definitions and corresponding reporting requirements is provided in Exhibit 1.

III. ASSESSING INTERNAL CONTROL OVER FINANCIAL REPORTING

A. Establish a Senior Assessment Team

The success of an agency's assessment will depend in large part on who is responsible for carrying out or directing the assessment. Given the significance and breadth of the assessment, a senior assessment team should be established that includes senior executives and derives its authority and support from the head of the agency or the Chief Financial Officer. The senior assessment team could be a subset of the Senior Management Council. The senior assessment team could take many forms, such as a financial management improvement committee. The senior assessment team, at a minimum, should provide oversight of the assessment process and is responsible for:
B. Evaluate Internal Control at the Entity Level

Internal control at the entity level refers to those elements of the five components of internal control that have an overarching or pervasive effect on the agency. Specific elements of internal control that should be evaluated at this level are discussed below.
C. Evaluate Internal Control at the Process, Transaction, or Application Level
D. Overall Assessment of the Design and Operation of Internal Control over Financial Reporting

The final step in the assessment is an overall conclusion as to the design and operation of the internal controls over financial reporting based on the assessments at the entity level and the process, transaction, or application level. The overall assessment should conclude whether the internal controls over financial reporting are operating effectively or whether material weaknesses exist in the design or operation. A template for the Statement of Assurance can be found in Exhibit 2.

E. Reliance on Other Work to Accomplish Assessment

The assessment of internal control over financial reporting should be coordinated with other activities to avoid duplication of efforts with similar activities. For example, agencies are required to perform reviews of financial systems under FFMIA or information security under FISMA. Reviews performed by management, or at management’s direction, may be used to help accomplish this assessment. Management may consult with the agency IG to plan and coordinate related work. The IG may be involved in a consulting capacity but shall not conduct management’s assessment of internal controls over financial reporting. Control weaknesses at a service organization could have a material impact on the controls of the customer organization. Therefore, management of cross-servicing agencies will need to provide an annual assurance statement to its customer agencies in advance to allow its customer agencies to rely upon that assurance statement. Management of cross-servicing agencies shall test the controls over the activities it performs for others on a yearly basis. These controls shall be highlighted in management’s assurance statement that is provided to its customers. Cross-servicing and customer agencies will need to coordinate the timing of the assurance statements.

A. Documenting Internal Control over Financial Reporting

The senior assessment team should document its understanding of the agency's internal control over financial reporting. The form and extent of documentation depends in part on the nature and complexity of the agency's controls; the more extensive and complex the controls, the more extensive the documentation. Documentation may be electronic, hard copy format, or both and should be readily available for examination. Documentation could include organizational charts, flow charts, questionnaires, decision tables, or memoranda. Documentation may already exist as part of normal agency policy or procedure; however, the senior assessment team should separately identify, verify, and maintain the documentation it uses in making its assessment. The documentation prepared by internal or external auditors may also be used, but again, the senior assessment team must take responsibility and verify and maintain that documentation. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls. After an initial assessment, subsequent assessments may focus on updating existing documentation. All documentation and records shall be properly managed and maintained; therefore, agencies will need to establish, or review existing, retention policies for documentation (paper and electronic media).

B. Documenting the Assessment of Effectiveness

The senior assessment team must also document the assessment process of internal control over financial reporting, including:
The documentation may be electronic, hard copy format, or both, and should be available for review. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls.

V. MANAGEMENT’S ASSURANCE STATEMENT ON INTERNAL CONTROL OVER FINANCIAL REPORTING

An agency’s management is required to include an assurance statement on the internal controls over financial reporting in its annual Performance and Accountability Report as described in Section VI. Reporting on Internal Control. This statement is management’s assessment of the effectiveness of the agency’s internal control over financial reporting as of June 30 of that fiscal year (see Exhibit 2). This assurance statement is required to include the following:
In its assurance statement on the internal controls over financial reporting, management is required to state a direct conclusion about whether the agency’s internal controls over financial reporting are effective. The statement must take one of the following forms:
Management is precluded from concluding that the agency’s internal control over financial reporting is effective if there are one or more material weaknesses. Management must make the final determination with regard to what constitutes a material weakness. Management is required to disclose all material weaknesses that exist as of June 30 of the current fiscal year. Management may be able to accurately represent that internal control over financial reporting, as of June 30 of the agency’s current fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have implemented improvements in internal control over financial reporting to mitigate the material weaknesses and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of June 30 of the current fiscal year, the design and operation of the internal controls over financial reporting are effective.

A. Agencies Obtaining Audit Opinions on Internal Control

This Circular does not require a separate audit opinion on internal control over financial reporting. Agencies may at their discretion elect to receive an audit opinion on internal control over financial reporting. Agencies electing to receive an audit opinion on internal control over financial reporting may adjust the “as of” reporting date of June 30 to coincide with the “as of” date of the audit opinion on internal control. Refer to Appendix A Section VI. Correcting Material Weakness in Internal Control over Financial Reporting for special circumstances requiring an opinion level of assurance.

VI. CORRECTING MATERIAL WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING

Each agency shall establish systems to assure the prompt and proper resolution and implementation of corrective action on identified material weaknesses.
These systems shall provide for a complete record of action taken on the material weaknesses identified. Management’s process for resolution and corrective action of the identified material weaknesses in the internal controls over financial reporting must also meet the standards listed in Section V. Correcting Internal Control Deficiencies. If the agency cannot meet the deadlines outlined in the approved corrective action plan, OMB may, at its discretion, require the agency to obtain an independent audit opinion of its internal control over financial reporting as part of its financial statement audit.

Exhibit 2: Sample Annual Assurance Statement on Internal Control over Financial Reporting
1 The quoted text is from the Federal Managers’ Financial Integrity Act (FMFIA) of 1982.
2 Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, “Green Book”.
3 The Government Auditing Standards, June 2003 (GAO-03-673G) can be found on the GAO website at www.gao.gov. The Government Auditing Standards are commonly known as the “Yellow Book.”
4 The OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended can be found on the OMB website at www.omb.gov.
5 The OMB Circular No. A-127, Financial Management Systems can be found on the OMB website at www.omb.gov.
6 The OMB Circular No. A-130, Management of Federal Information Resources can be found on the OMB website at www.omb.gov.
7 This Circular's use of the term "material weakness" is similar to the same term used by auditors to identify internal control weaknesses found during a financial statement audit (see OMB Bulletin 01-02 or GAO “Yellow Book”). This Circular’s use of the same term encompasses not only financial reporting, but also encompasses weaknesses found in program operations and compliance with applicable laws and regulations. Material weaknesses for the purposes of this Circular are determined by management, whereas material weaknesses reported as part of a financial statement audit are determined by independent auditors.
8 Standards based upon OMB Circular A-50, Audit Followup.
9 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).
10 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
11 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
12 The definition of effective internal control is based on the GAO/PCIE, Financial Audit Manual.
13 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).
14 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
File Type | application/msword |
Author | Joyce.McNeil |
Last Modified By | Joyce.McNeil |
File Modified | 2006-03-16 |
File Created | 2006-03-16 |