Circular
No. A-123
Revised
June 21, 1995
TO THE HEADS
OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
FROM: Alice
M. Rivlin, Director
SUBJECT: Management
Accountability and Control
1. Purpose and
Authority. As Federal employees develop and implement strategies
for reengineering agency programs and operations, they should design management
structures that help ensure accountability for results, and include appropriate,
cost-effective controls. This Circular provides guidance to Federal managers
on improving the accountability and effectiveness of Federal programs
and operations by establishing, assessing, correcting, and reporting on
management controls.
The Circular is
issued under the authority of the Federal Managers' Financial Integrity
Act of 1982 as codified in 31 U.S.C. 3512.
The Circular replaces
Circular No. A-123, "Internal Control Systems," revised, dated August
4, 1986, and OMB's 1982 "Internal Controls Guidelines" and associated
"Questions and Answers" document, which are hereby rescinded.
2. Policy.
Management accountability is the expectation that managers are responsible
for the quality and timeliness of program performance, increasing productivity,
controlling costs and mitigating adverse aspects of agency operations,
and assuring that programs are managed with integrity and in compliance
with applicable law.
Management controls
are the organization, policies, and procedures used to reasonably ensure
that (i) programs achieve their intended results; (ii) resources are used
consistent with agency mission; (iii) programs and resources are protected
from waste, fraud, and mismanagement; (iv) laws and regulations are followed;
and (v) reliable and timely information is obtained, maintained, reported
and used for decision making.
3. Actions Required.
Agencies and individual Federal managers must take systematic and proactive
measures to (i) develop and implement appropriate, cost-effective management
controls for results-oriented management; (ii) assess the adequacy of
management controls in Federal programs and operations; (iii) identify
needed improvements; (iv) take corresponding corrective action; and (v)
report annually on management controls.
4. Effective
Date. This Circular is effective upon issuance.
5. Inquiries.
Further information concerning this Circular may be obtained from the
Management Integrity Branch, Office of Federal Financial Management, Office
of Management and Budget, Washington, DC 20503, 202/395-6911.
6. Copies.
Copies of this Circular may be obtained by telephoning the Executive Office
of the President, Publication Services, at 202/395-7332.
7. Electronic
Access. This document is also accessible on the U.S. Department of
Commerce's FedWorld Network under the OMB Library of Files.
- The Telnet address
for FedWorld via Internet is "fedworld.gov".
- The World Wide
Web address is "http://www.fedworld.gov/ftp.htm#omb".
- For file transfer
protocol (FTP) access, the address is "ftp://fwux.fedworld.gov/pub/omb/omb.htm".
The telephone number
for the FedWorld help desk is 703/487-4608.
Attachment
Note to Internet
Users: This document, with associated explanatory material, was published
in the Federal Register on June 29, 1995, Volume 60, Number 125, pages 33876-33872.
This can be accessed from the Federal Register Online via GPO Access [wais.access.gpo.gov].
Attachment
I. Introduction
II. Establishing
Management Controls
III. Assessing and
Improving Management Controls
IV. Correcting Management
Control Deficiencies
V. Reporting on
Management Controls
I. INTRODUCTION
The proper stewardship
of Federal resources is a fundamental responsibility of agency managers
and staff. Federal employees must ensure that government resources are used
efficiently and effectively to achieve intended program results. Resources
must be used consistent with agency mission, in compliance with law and
regulation, and with minimal potential for waste, fraud, and mismanagement.
To support results-oriented
management, the Government Performance and Results Act (GPRA, P.L.
103-62) requires agencies to develop strategic plans, set performance
goals, and report annually on actual performance compared to goals. As
the Federal government implements this legislation, these plans and goals
should be integrated into (i) the budget process, (ii) the operational
management of agencies and programs, and (iii) accountability reporting
to the public on performance results, and on the integrity, efficiency,
and effectiveness with which they are achieved.
Management accountability
is the expectation that managers are responsible for the quality and timeliness
of program performance, increasing productivity, controlling costs and
mitigating adverse aspects of agency operations, and assuring that programs
are managed with integrity and in compliance with applicable law.
Management controls
-- organization, policies, and procedures -- are tools to help program
and financial managers achieve results and safeguard the integrity of
their programs. This Circular provides guidance on using the range of
tools at the disposal of agency managers to achieve desired program results
and meet the requirements of the Federal Managers' Financial Integrity
Act (FMFIA, referred to as the Integrity Act throughout this document).
Framework.
The importance of management controls is addressed, both explicitly and
implicitly, in many statutes and executive documents. The Federal Managers'
Financial Integrity Act (P.L. 97-255) establishes specific requirements
with regard to management controls. The agency head must establish controls
that reasonably ensure that: (i) obligations and costs comply with applicable
law; (ii) assets are safeguarded against waste, loss, unauthorized use
or misappropriation; and (iii) revenues and expenditures are properly
recorded and accounted for. 31 U.S.C. 3512(c)(1). In addition, the agency
head annually must evaluate and report on the control and financial systems
that protect the integrity of Federal programs. 31 U.S.C. 3512(d)(2).
The Act encompasses program, operational, and administrative areas as
well as accounting and financial management.
Instead of considering
controls as an isolated management tool, agencies should integrate their
efforts to meet the requirements of the Integrity Act with other efforts
to improve effectiveness and accountability. Thus, management controls
should be an integral part of the entire cycle of planning, budgeting,
management, accounting, and auditing. They should support the effectiveness
and the integrity of every step of the process and provide continual feedback
to management.
For instance, good
management controls can assure that performance measures are complete
and accurate. As another example, the management control standard of organization
would align staff and authority with the program responsibilities to be
carried out, improving both effectiveness and accountability. Similarly,
accountability for resources could be improved by more closely aligning
budget accounts with programs and charging them with all significant resources
used to produce the program's outputs and outcomes.
Meeting the requirements
of the Chief Financial Officers Act (P.L. 101-576, as amended)
should help agencies both establish and evaluate management controls.
The Act requires the preparation and audit of financial statements for
24 Federal agencies. 31 U.S.C. 901(b), 3515. In this process, auditors
report on internal controls and compliance with laws and regulations.
Therefore, the agencies covered by the Act have a clear opportunity both
to improve controls over their financial activities, and to evaluate the
controls that are in place.
The Inspector
General Act (P.L. 95-452, as amended) provides for independent reviews
of agency programs and operations. Offices of Inspectors General (OIGs)
and other external audit organizations frequently cite specific deficiencies
in management controls and recommend opportunities for improvements. Agency
managers, who are required by the Act to follow up on audit recommendations,
should use these reviews to identify and correct problems resulting from
inadequate, excessive, or poorly designed controls, and to build appropriate
controls into new programs.
Federal managers
must carefully consider the appropriate balance of controls in their programs
and operations. Fulfilling requirements to eliminate regulations ("Elimination
of One-Half of Executive Branch Internal Regulations," Executive Order
12861) should reinforce to agency managers that too many controls can
result in inefficient and ineffective government, and therefore that they
must ensure an appropriate balance between too many controls and too few
controls. Managers should benefit from controls, not be encumbered by
them.
Agency Implementation.
Appropriate management controls should be integrated into each system
established by agency management to direct and guide its operations. A
separate management control process need not be instituted, particularly
if its sole purpose is to satisfy the Integrity Act's reporting requirements.
Agencies need to
plan for how the requirements of this Circular will be implemented. Developing
a written strategy for internal agency use may help ensure that appropriate
action is taken throughout the year to meet the objectives of the Integrity
Act. The absence of such a strategy may itself be a serious management
control deficiency.
Identifying and
implementing the specific procedures necessary to ensure good management
controls, and determining how to evaluate the effectiveness of those controls,
is left to the discretion of the agency head. However, agencies should
implement and evaluate controls without creating unnecessary processes,
consistent with recommendations made by the National Performance Review.
The President's
Management Council, composed of the major agencies' chief operating officers,
has been established to foster governmentwide management changes ("Implementing
Management Reform in the Executive Branch," October 1, 1993). Many agencies
are establishing their own senior management council, often chaired by
the agency's chief operating officer, to address management accountability
and related issues within the broader context of agency operations. Relevant
issues for such a council include ensuring the agency's commitment to
an appropriate system of management controls; recommending to the agency
head which control deficiencies are sufficiently serious to report in
the annual Integrity Act report; and providing input for the level and
priority of resource needs to correct these deficiencies. (See also Section
III of this Circular.)
II. ESTABLISHING
MANAGEMENT CONTROLS
Definition of Management
Controls. Management controls are the organization, policies, and procedures
used by agencies to reasonably ensure that (i) programs achieve their intended
results; (ii) resources are used consistent with agency mission; (iii) programs
and resources are protected from waste, fraud, and mismanagement; (iv) laws
and regulations are followed; and (v) reliable and timely information is
obtained, maintained, reported and used for decision making.
Management controls,
in the broadest sense, include the plan of organization, methods and procedures
adopted by management to ensure that its goals are met. Management controls
include processes for planning, organizing, directing, and controlling
program operations. A subset of management controls are the internal controls
used to assure that there is prevention or timely detection of unauthorized
acquisition, use, or disposition of the entity's assets.
Developing Management
Controls. As Federal employees develop and execute strategies for
implementing or reengineering agency programs and operations, they should
design management structures that help ensure accountability for results.
As part of this process, agencies and individual Federal managers must
take systematic and proactive measures to develop and implement appropriate,
cost-effective management controls. The expertise of the agency CFO and
IG can be valuable in developing appropriate controls.
Management controls
guarantee neither the success of agency programs, nor the absence of waste,
fraud, and mismanagement, but they are a means of managing the risk associated
with Federal programs and operations. To help ensure that controls are
appropriate and cost-effective, agencies should consider the extent and
cost of controls relative to the importance and risk associated with a
given program.
Standards.
Agency managers shall incorporate basic management controls in the strategies,
plans, guidance and procedures that govern their programs and operations.
Controls shall be consistent with the following standards, which are drawn
in large part from the "Standards for Internal Control in the Federal
Government," issued by the General Accounting Office (GAO).
General management
control standards are:
- Compliance
With Law. All program operations, obligations and costs must comply
with applicable law and regulation. Resources should be efficiently
and effectively allocated for duly authorized purposes.
- Reasonable
Assurance and Safeguards. Management controls must provide reasonable
assurance that assets are safeguarded against waste, loss, unauthorized
use, and misappropriation. Management controls developed for agency
programs should be logical, applicable, reasonably complete, and effective
and efficient in accomplishing management objectives.
- Integrity,
Competence, and Attitude. Managers and employees must have personal
integrity and are obligated to support the ethics programs in their
agencies. The spirit of the Standards of Ethical Conduct requires that
they develop and implement effective management controls and maintain
a level of competence that allows them to accomplish their assigned
duties. Effective communication within and between offices should be
encouraged.
Specific management
control standards are:
- Delegation
of Authority and Organization. Managers should ensure that appropriate
authority, responsibility and accountability are defined and delegated
to accomplish the mission of the organization, and that an appropriate
organizational structure is established to effectively carry out program
responsibilities. To the extent possible, controls and related decision-making
authority should be in the hands of line managers and staff.
- Separation
of Duties and Supervision. Key duties and responsibilities in authorizing,
processing, recording, and reviewing official agency transactions should
be separated among individuals. Managers should exercise appropriate
oversight to ensure individuals do not exceed or abuse their assigned
authorities.
- Access to and
Accountability for Resources. Access to resources and records should
be limited to authorized individuals, and accountability for the custody
and use of resources should be assigned and maintained.
- Recording and
Documentation. Transactions should be promptly recorded, properly
classified and accounted for in order to prepare timely accounts and
reliable financial and other reports. The documentation for transactions,
management controls, and other significant events must be clear and
readily available for ex amination.
- Resolution
of Audit Findings and Other Deficiencies. Managers should promptly
evaluate and determine proper actions in response to known deficiencies,
reported audit and other findings, and related recommendations. Managers
should complete, within established timeframes, all actions that correct
or otherwise resolve the appropriate matters brought to management's
attention.
Other policy documents
may describe additional specific standards for particular functional or
program activities. For example, OMB Circular No. A-127, "Financial Management
Systems," describes government-wide requirements for financial systems.
The Federal Acquisition Regulations define requirements for agency procurement
activities.
III. ASSESSING
AND IMPROVING MANAGEMENT CONTROLS
Agency managers should
continuously monitor and improve the effectiveness of management controls
associated with their programs. This continuous monitoring, and other periodic
evaluations, should provide the basis for the agency head's annual assessment
of and report on management controls, as required by the Integrity Act.
Agency management should determine the appropriate level of documentation
needed to support this assessment.
Sources of Information.
The agency head's assessment of management controls can be performed using
a variety of information sources. Management has primary responsibility
for monitoring and assessing controls, and should use other sources as
a supplement to -- not a replacement for -- its own judgment. Sources
of information include:
- Management knowledge
gained from the daily operation of agency programs and systems.
- Management reviews
conducted (i) expressly for the purpose of assessing management controls,
or (ii) for other purposes with an assessment of management controls
as a by-product of the review.
- IG and GAO reports,
including audits, inspections, reviews, investigations, outcome of hotline
complaints, or other products.
- Program evaluations.
- Audits of financial
statements conducted pursuant to the Chief Financial Officers Act, as
amended, including: information revealed in preparing the financial
statements; the auditor's reports on the financial statements, internal
controls, and compliance with laws and regulations; and any other materials
prepared relating to the statements.
- Reviews of financial
systems which consider whether the requirements of OMB Circular No.
A-127 are being met.
- Reviews of systems
and applications conducted pursuant to the Computer Security Act of
1987 (40 U.S.C. 759 note) and OMB Circular No. A-130, "Management of
Federal Information Resources."
- Annual performance
plans and reports pursuant to the Government Performance and Results
Act.
- Reports and other
information provided by the Congressional committees of jurisdiction.
- Other reviews
or reports relating to agency operations, e.g. for the Department of
Health and Human Services, quality control reviews of the Medicaid and
Aid to Families with Dependent Children programs.
Use of a source
of information should take into consideration whether the process included
an evaluation of management controls. Agency management should avoid duplicating
reviews which assess management controls, and should coordinate their
efforts with other evaluations to the extent practicable.
If a Federal manager
determines that there is insufficient information available upon which
to base an assessment of management controls, then appropriate reviews
should be conducted which will provide such a basis.
Identification
of Deficiencies. Agency managers and employees should identify deficiencies
in management controls from the sources of information described above.
A deficiency should be reported if it is or should be of interest to the
next level of management. Agency employees and managers generally report
deficiencies to the next supervisory level, which allows the chain of
command structure to determine the relative importance of each deficiency.
A deficiency that
the agency head determines to be significant enough to be reported outside
the agency (i.e. included in the annual Integrity Act report to the President
and the Congress) shall be considered a "material weakness."
[1] This designation requires a judgment by agency managers as to
the relative risk and significance of deficiencies. Agencies may wish
to use a different term to describe less significant deficiencies, which
are reported only internally in an agency. In identifying and assessing
the relative importance of deficiencies, particular attention should be
paid to the views of the agency's IG.
Agencies should
carefully consider whether systemic problems exist that adversely affect
management controls across organizational or program lines. The Chief
Financial Officer, the Senior Procurement Executive, the Senior IRM Official,
and the managers of other functional offices should be involved in identifying
and ensuring correction of systemic deficiencies relating to their respective
functions.
Agency managers
and staff should be encouraged to identify and report deficiencies, as
this reflects positively on the agency's commitment to recognizing and
addressing management problems. Failing to report a known deficiency would
reflect adversely on the agency.
Role of A Senior
Management Council. Many agencies have found that a senior management
council is a useful forum for assessing and monitoring deficiencies in
management controls. The membership of such councils generally includes
both line and staff management; consideration should be given to involving
the IG. Such councils generally recommend to the agency head which deficiencies
are deemed to be material to the agency as a whole, and should therefore
be included in the annual Integrity Act report to the President and the
Congress. (Such a council need not be exclusively devoted to management
control issues.) This process will help identify deficiencies that although
minor individually, may constitute a material weakness in the aggregate.
Such a council may also be useful in determining when sufficient action
has been taken to declare that a deficiency has been corrected.
IV. CORRECTING
MANAGEMENT CONTROL DEFICIENCIES
Agency managers are
responsible for taking timely and effective action to correct deficiencies
identified by the variety of sources discussed in Section III. Correcting
deficiencies is an integral part of management accountability and must be
considered a priority by the agency.
The extent to which
corrective actions are tracked by the agency should be commensurate with
the severity of the deficiency. Corrective action plans should be developed
for all material weaknesses, and progress against plans should be periodically
assessed and reported to agency management. Management should track progress
to ensure timely and effective results. For deficiencies that are not
included in the Integrity Act report, corrective action plans should be
developed and tracked internally at the appropriate level.
A determination
that a deficiency has been corrected should be made only when sufficient
corrective actions have been taken and the desired results achieved. This
determination should be in writing, and along with other appropriate documentation,
should be available for review by appropriate officials. (See also role
of senior management council in Section III.)
As managers consider
IG and GAO audit reports in identifying and correcting management control
deficiencies, they must be mindful of the statutory requirements for audit
followup included in the IG Act, as amended. Under this law, management
has a responsibility to complete action, in a timely manner, on audit
recommendations on which agreement with the IG has been reached. 5 U.S.C.
Appendix 3. (Management must make a decision regarding IG audit recommendations
within a six month period and implementation of management's decision
should be completed within one year to the extent practicable.) Agency
managers and the IG share responsibility f or ensuring that IG Act requirements
are met.
V. REPORTING ON
MANAGEMENT CONTROLS
Reporting Pursuant
to Section 2. 31 U.S.C. 3512(d)(2) (commonly referred to as Section
2 of the Integrity Act) requires that annually by December 31, the head
of each executive agency submit to the President and the Congress (i) a
statement on whether there is reasonable assurance that the agency's controls
are achieving their intended objectives; and (ii) a report on material weaknesses
in the agency's controls. OMB may provide guidance on the composition of
the annual report.
- Statement of
Assurance. The statement on reasonable assurance represents the
agency head's informed judgment as to the overall adequacy and effectiveness
of management controls within the agency. The statement must take one
of the following forms: statement of assurance; qualified statement
of assurance, considering the exceptions explicitly noted; or statement
of no assurance.
In deciding
on the type of assurance to provide, the agency head should consider
information from the sources described in Section III of this Circular,
with input from senior program and administrative officials and the
IG. The agency head must describe the analytical basis for the type
of assurance being provided, and the extent to which agency activities
were assessed. The statement of assurance must be signed by the agency
head.
- Report on Material
Weaknesses. The Integrity Act report must include agency plans to
correct the material weaknesses and progress against those plans.
Reporting Pursuant
to Section 4. 31 U.S.C. 3512(d)(2)(B) (commonly referred to as Section
4 of the Integrity Act) requires an annual statement on whether the agency's
financial management systems conform with government-wide requirements.
These financial systems requirements are presented in OMB Circular No.
A-127, "Financial Management Systems," section 7. If the agency does not
conform with financial systems requirements, the statement must discuss
the agency's plans for bringing its systems into compliance.
If the agency head
judges a deficiency in financial management systems and/or operations
to be material when weighed against other agency deficiencies, the issue
must be included in the annual Integrity Act report in the same manner
as other material weaknesses.
Distribution of
Integrity Act Report. The assurance statements and information related
to both Sections 2 and 4 should be provided in a single Integrity Act
report. Copies of the report are to be transmitted to the President; the
President of the Senate; the Speaker of the House of Representatives;
the Director of OMB; and the Chairpersons and Ranking Members of the Senate
Committee on Governmental Affairs, the House Committee on Government Reform
and Oversight, and the relevant authorizing and appropriations committees
and subcommittees. In addition, 10 copies of the report are to be provided
to OMB's Office of Federal Financial Management, Management Integrity
Branch. Agencies are also encouraged to make their reports available electronically.
Streamlined Reporting.
The Government Management Reform Act (GMRA) of 1994 (P.L. 103-356) permits
OMB for fiscal years 1995 through 1997 to consolidate or adjust the frequency
and due dates of certain statutory financial management reports after
consultation with the Congress. GMRA prompted the CFO Council to recommend
to OMB a new approach towards financial management reporting which could
help integrate management initiatives. This proposal is being pilot-tested
by several agencies for FY 1995. Further information on the implications
of this initiative for other agencies will be issued by OMB after the
pilot reports have been evaluated. In the meantime, the reporting requirements
outlined in this Circular remain valid except for those agencies identified
as pilots by OMB.
Under the CFO Council
approach, agencies would consolidate Integrity Act information with other
performance-related reporting into a broader "Accountability Report" to
be issued annually by the agency head. This report would be issued as
soon as possible after the end of the fiscal year, but no later than March
31 for agencies producing audited financial statements and December 31
for all other agencies. The proposed "Accountability Report" would integrate
the following information: the Integrity Act report, management's Report
on Final Action as required by the IG Act, the CFOs Act Annual Report
(including audited financial statements), Civil Monetary Penalty and Prompt
Payment Act reports, and available information on agency performance compared
to its stated goals and objectives, in preparation for implementation
of the GPRA.
Government Corporations.
Section 306 of the Chief Financial Officers Act established a reporting
requirement related to management controls for corporations covered by
the Government Corporation and Control Act. 31 U.S.C. 9106. These corporations
must submit an annual management report to the Congress not later than
180 days after the end of the corporation's fiscal year. This report must
include, among other items, a statement on control systems by the head
of the management of the corporation consistent with the requirements
of the Integrity Act.
The corporation
is required to provide the President, the Director of OMB, and the Comptroller
General a copy of the management report when it is submitted to Congress.
[1]
This Circular's use of the term "material weakness" should not be confused
with use of the same term by government auditors to identify management
control weaknesses which, in their opinion, pose a risk or a threat to
the internal control systems of an audited entity, such as a program or
operation. Auditors are required to identify and report those types of
weaknesses at any level of operation or organization, even if the management
of the audited entity would not report the weaknesses outside the agency.
Return
to Top