December 21, 2004
MEMORANDUM TO THE CHIEF FINANCIAL OFFICERS, CHIEF OPERATION OFFICERS, CHIEF INFORMATION OFFICERS, AND PROGRAM MANAGERS
FROM: Linda M. Springer, Controller
SUBJECT: Revisions to OMB Circular A-123, Management’s Responsibility for Internal Control
OMB Circular No. A-123 defines
management's responsibility for internal control in Federal agencies.
A re-examination of the existing internal control requirements for Federal
agencies was initiated in light of the new internal control requirements
for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002.
Circular A-123 and the statute it implements, the Federal Managers’
Financial Integrity Act of 1982, are at the center of the existing Federal
requirements to improve internal control.
This circular reflects policy
recommendations developed by a joint committee of representatives from
the Chief Financial Officer Council (CFOC) and the President’s Council
on Integrity and Efficiency (PCIE). The policy changes in this circular
are intended to strengthen the requirements for conducting management’s
assessment of internal control over financial reporting. The circular
also emphasizes the need for agencies to integrate and coordinate internal
control assessments with other internal control-related activities.
The revised circular
is effective for FY 2006. Agencies should take steps in FY 2005 to prepare
for its implementation. OMB plans to continue to work closely with the
CFOC and the PCIE to provide further implementation guidance.
December 21, 2004
CIRCULAR NO. A-123
Revised
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Management’s Responsibility for Internal Control
1. Purpose.
This Circular provides guidance to Federal managers on improving
the accountability and effectiveness of Federal programs and operations
by establishing, assessing, correcting, and reporting on internal control.
The attachment to this Circular defines management’s responsibilities
related to internal control and the process for assessing internal control
effectiveness along with a summary of the significant changes. The Circular
provides updated internal control standards and new specific requirements
for conducting management’s assessment of the effectiveness of internal
control over financial reporting (Appendix A). This Circular emphasizes
the need for integrated and coordinated internal control assessments that
synchronize all internal control-related activities.
This revision to
the Circular will become effective in Fiscal Year 2006 and supersede all
previous versions. In the interim, OMB Circular No. A-123, "Management
Accountability and Control," revised, June 21, 1995 should continue
to be followed.
2. Authority.
The Circular is issued under the authority of the Federal Managers' Financial
Integrity Act of 1982 as codified in 31 U.S.C. 3512.
3. Policy.
Management is responsible for establishing and maintaining internal control
to achieve the objectives of effective and efficient operations, reliable
financial reporting, and compliance with applicable laws and regulations.
Management shall consistently apply the internal control standards to
meet each of the internal control objectives and to assess internal control
effectiveness. When assessing the effectiveness of internal control over
financial reporting and compliance with financial-related laws and regulations,
management must follow the assessment process contained in Appendix A.
Annually, management must provide assurances on internal control in its
Performance and Accountability Report, including a separate assurance
on internal control over financial reporting, along with a report on identified
material weaknesses and corrective actions.
4. Actions Required. Agencies and individual Federal managers must take
systematic and proactive measures to (i) develop and implement appropriate,
cost-effective internal control for results-oriented management; (ii)
assess the adequacy of internal control in Federal programs and operations;
(iii) separately assess and document internal control over financial reporting
consistent with the process defined in Appendix A; (iv) identify needed
improvements; (v) take corresponding corrective action; and (vi) report
annually on internal control through management assurance statements.
5. Effective Date. This Circular is effective beginning with Fiscal Year 2006.
6. Applicability.
This Circular is applicable to each executive agency, with the exception
of the requirements in the appendix. The requirements of Appendix A are
applicable to the 24 CFO Act agencies.
7. Inquiries.
Further information concerning this Circular may be obtained from the
Financial Standards and Grants Branch, Office of Federal Financial Management,
Office of Management and Budget, Washington, DC 20503, 202/395-3993.
8. Copies.
Copies of this Circular may be obtained from www.omb.gov.
Joshua B. Bolten
Director
Attachment
Significant Revisions to OMB Circular A-123
| Section | Revision to A-123 | Purpose of Revision |
|---|---|---|
| Transmittal of Circular | Changed title from OMB Circular A-123, Management Accountability and Control to OMB Circular A-123, Management’s Responsibility for Internal Control | Title changed to align better with the focus of the circular and current terminology. |
| Throughout Circular | Changed terminology from “management controls” to “internal control” | To better align with currently accepted standards for internal control and current terminology. The terms are intended to be synonymous. |
| Section II. Standards | Realigned section on the standards for internal control using the following categories: control environment, risk assessment, control activities, information and communication, and monitoring. | To better align with currently accepted standards for internal control. |
| Section III. Integrated Internal Control Framework | Provided a separate section on an integrated internal control framework. Provided a listing of statutes to consider when assessing internal control. | To highlight current legislative and regulatory requirements that should be coordinated and considered when assessing the effectiveness of internal control. |
| Section IV.B. Identification of Deficiencies | Introduced reportable condition as a category of deficiency. | To better align with current governmental terminology. |
| Section VI.A. Annual Assurance Statements | Require agencies subject to the CFO Act to include the FMFIA annual report in the PAR, under the heading “Management Assurances” and submit to OMB 45 days from the end of the fiscal year. | To consolidate assurance statements in one place within the PAR (Section 2, Section 4, and internal control over financial reporting). To accelerate the due date of the FMFIA reports to be consistent with the due date for the PAR. |
| Section VI.B. Reporting Pursuant to Section 2 | Introduced a new assurance statement on the effectiveness of internal control over financial reporting. This statement will be a subset of the overall FMFIA assurance statement. | To emphasize management’s responsibility for assessing and documenting internal control over financial reporting. To ensure Congress and the public that the Federal Government is committed to safeguarding its assets and providing reliable financial information. |
| Section VI. Reporting on Internal Control | Included a summary chart of definitions and reporting requirements for deficiency, reportable condition, material weakness, and nonconformance. | To provide a concise summary of reporting definitions. |
| Appendix A | To specifically address assessing, documenting, and reporting on the effectiveness of internal control over financial reporting. | To ensure Congress and the public that the Federal Government is committed to safeguarding its assets and providing reliable financial information. |
New Requirements in Appendix A – Internal Control over Financial Reporting

| New Section | New Requirement |
|---|---|
| Transmittal of Circular | Requires the 24 CFO Act agencies to comply with Appendix A. |
| Section II. Scope | Defines the scope of assessing and documenting internal control over financial reporting to include the annual financial statements and other significant internal or external financial reports and compliance with laws and regulations that pertain to those financial reports. |
| Section II.C. Planning Materiality | Defines materiality for the purposes of assessing and documenting internal control over financial reporting. |
| Section III.A. Establish a Senior Assessment Team | Recommends the establishment of a senior assessment team, which at a minimum should oversee the assessment process. |
| Section III.B-E. Assessing Internal Control over Financial Reporting | Defines a process for assessing internal control over financial reporting at the entity level as well as at the process, transaction, or application level. |
| Section IV. Documentation | A. Requires that the controls over financial reporting be documented. B. Requires that the assessment process of the controls over financial reporting be documented. |
| Section V. Management’s Assessment of Internal Control over Financial Reporting | Requires the assurance statement assert to the effectiveness of internal control “as of June 30.” The assurance statement and corrective actions, if applicable, will be submitted in the PAR no later than 45 days after the end of each fiscal year. |
| Section V. Management’s Assessment of Internal Control over Financial Reporting | Provides a sample assurance statement on the effectiveness of internal control over financial reporting. |
| Section V.A. Agencies Obtaining Audit Opinions on Internal Control | Agencies electing to receive a separate audit opinion on internal control over financial reporting may adjust the “as of” reporting date of June 30 to align better with the “as of” date of the audit opinion. This circular does not require a separate audit. |
| Section VI. Correcting Material Weaknesses in Internal Control over Financial Reporting | Provides a non-compliance clause that permits OMB to require an agency to obtain an audit opinion over the internal controls over financial reporting if the agreed upon deadlines for corrective actions are continuously not met. |
TABLE OF CONTENTS
I. Introduction
II. Standards
III. Integrated Internal Control Framework
IV. Assessing Internal Control
V. Correcting Internal Control Deficiencies
VI. Reporting on Internal Control
I. INTRODUCTION
Management has a
fundamental responsibility to develop and maintain effective internal
control. The proper stewardship of Federal resources is an essential responsibility
of agency managers and staff. Federal employees must ensure that Federal
programs operate and Federal resources are used efficiently and effectively
to achieve desired objectives. Programs must operate and resources must
be used consistent with agency missions, in compliance with laws and regulations,
and with minimal potential for waste, fraud, and mismanagement.
Management is responsible
for developing and maintaining effective internal control. Effective internal
control provides assurance that significant weaknesses in the design or
operation of internal control, that could adversely affect the agency’s
ability to meet its objectives, would be prevented or detected in a timely
manner.
Internal Control -- organization, policies, and procedures -- are tools to help program
and financial managers achieve results and safeguard the integrity of
their programs. This Circular provides guidance on using the range of
tools at the disposal of agency managers to achieve desired program results
and meet the requirements of the Federal Managers' Financial Integrity
Act (FMFIA) of 1982. The FMFIA encompasses accounting and administrative
controls. Such controls include program, operational, and administrative
areas as well as accounting and financial management.
The importance of
internal control is addressed in many statutes and executive documents.
The FMFIA establishes overall requirements with regard to internal control.
The agency head must establish controls that reasonably ensure that: “(i)
obligations and costs are in compliance with applicable law; (ii) funds,
property, and other assets are safeguarded against waste, loss, unauthorized
use or misappropriation; and (iii) revenues and expenditures applicable
to agency operations are properly recorded and accounted for to permit
the preparation of accounts and reliable financial and statistical reports
and to maintain accountability over the assets.”1 In addition, the agency
head annually must evaluate and report on the control and financial systems
that protect the integrity of Federal programs (Section 2 and Section
4 of FMFIA respectively). The three objectives of internal control are
to ensure the effectiveness and efficiency of operations, reliability
of financial reporting, and compliance with applicable laws and regulations.
The safeguarding of assets is a subset of all of these objectives.
Instead of considering
internal control as an isolated management tool, agencies should integrate
their efforts to meet the requirements of the FMFIA with other efforts
to improve effectiveness and accountability. Thus, internal control should
be an integral part of the entire cycle of planning, budgeting, management,
accounting, and auditing. It should support the effectiveness and the
integrity of every step of the process and provide continual feedback
to management.
Federal managers
must carefully consider the appropriate balance between controls and risk
in their programs and operations. Too many controls can result in inefficient
and ineffective government; agency managers must ensure an appropriate
balance between the strength of controls and the relative risk associated
with particular programs and operations. The benefits of controls should
outweigh the cost. Agencies should consider both qualitative and quantitative
factors when analyzing costs against benefits.
A. Agency Implementation. Internal control guarantees neither the success
of agency programs, nor the absence of waste, fraud, and mismanagement,
but is a means of managing the risk associated with Federal programs and
operations. Managers should define the control environment (e.g., programs,
operations, or financial reporting) and then perform risk assessments
to identify the most significant areas within that environment in which
to place or enhance internal control. The risk assessment is a critical
step in the process to determine the extent of controls. Once significant
areas have been identified, control activities should be implemented.
Continuous monitoring and testing should help to identify poorly designed
or ineffective controls and should be reported upon periodically. Management
is then responsible for redesigning or improving upon those controls.
Management is also responsible for communicating the objectives of internal
control and ensuring the organization is committed to sustaining an effective
internal control environment.
Appropriate internal
control should be integrated into each system established by agency management
to direct and guide its operations. As stated earlier in this document,
internal control applies to program, operational, and administrative areas
as well as accounting and financial management.
Generally, identifying
and implementing the specific procedures necessary to ensure effective
internal control, and determining how to assess the effectiveness of those
controls, is left to the discretion of the agency head. While the procedures
may vary from agency to agency, management should have a clear, organized
strategy with well-defined documentation processes that contain an audit
trail, verifiable results, and specify document retention periods so that
someone not connected with the procedures can understand the assessment
process.
To ensure senior
management involvement, many agencies have established their own senior
management council, often chaired by the agency's lead management official,
to address management accountability and related issues within the broader
context of agency operations. Relevant issues for such a council include
ensuring the agency's commitment to an appropriate system of internal
control; actively overseeing the process of assessing internal controls,
including non-financial as well as financial reporting objectives; recommending
to the agency head which control deficiencies are material to disclose
in the annual FMFIA report; and providing input for the level and priority
of resource needs to correct these deficiencies. (See also Section IV.C.
Role of a Senior Management Council.)
II. STANDARDS
Internal control is an integral component of an organization’s
management that provides reasonable assurance that the following
objectives are being achieved: effectiveness and efficiency of operations,
reliability of financial reporting, and compliance with applicable
laws and regulations.2
Internal control,
in the broadest sense, includes the plan of organization, methods and
procedures adopted by management to meet its goals. Internal control includes
processes for planning, organizing, directing, controlling, and reporting
on agency operations.
The three objectives
of internal control are:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.
The safeguarding
of assets is a subset of all of these objectives. Internal control should
be designed to provide reasonable assurance regarding prevention of or
prompt detection of unauthorized acquisition, use or disposition of assets.
Management is responsible
for developing and maintaining internal control activities that comply
with the following standards to meet the above objectives:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communications, and
- Monitoring.
A. Control Environment
The control environment
is the organizational structure and culture created by management and
employees to sustain organizational support for effective internal control.
When designing, evaluating or modifying the organizational structure,
management must clearly demonstrate its commitment to competence in the
workplace. Within the organizational structure, management must clearly:
define areas of authority and responsibility; appropriately delegate the
authority and responsibility throughout the agency; establish a suitable
hierarchy for reporting; support appropriate human capital policies for
hiring, training, evaluating, counseling, advancing, compensating and
disciplining personnel; and uphold the need for personnel to possess and
maintain the proper knowledge and skills to perform their assigned duties
as well as understand the importance of maintaining effective internal
control within the organization.
The organizational
culture is also crucial within this standard. The culture should be defined
by management’s leadership in setting values of integrity and ethical
behavior but is also affected by the relationship between the organization
and central oversight agencies and Congress. Management’s philosophy
and operational style will set the tone within the organization. Management’s
commitment to establishing and maintaining effective internal control
should cascade down and permeate the organization’s control environment
which will aid in the successful implementation of internal control systems.
B. Risk Assessment
Management should
identify internal and external risks that may prevent the organization
from meeting its objectives. When identifying risks, management should
take into account relevant interactions within the organization as well
as with outside organizations. Management should also consider previous
findings; e.g., auditor identified, internal management reviews, or noncompliance
with laws and regulations when identifying risks. Identified risks should
then be analyzed for their potential effect or impact on the agency.
C. Control Activities
Control activities
include policies, procedures and mechanisms in place to help ensure that
agency objectives are met. Several examples include: proper segregation
of duties (separate personnel with authority to authorize a transaction,
process the transaction, and review the transaction); physical controls
over assets (limited access to inventories or equipment); proper authorization;
and appropriate documentation and access to that documentation.
Internal control
also needs to be in place over information systems – general and
application control. General control applies to all information systems
such as the mainframe, network and end-user environments, and includes
agency-wide security program planning, management, control over data center
operations, system software acquisition and maintenance. Application control
should be designed to ensure that transactions are properly authorized
and processed accurately and that the data is valid and complete. Controls
should be established at an application’s interfaces to verify inputs
and outputs, such as edit checks. General and application control over
information systems are interrelated; both are needed to ensure complete
and accurate information processing. Due to the rapid changes in information
technology, controls must also adjust to remain effective.
D. Information and Communications
Information should
be communicated to relevant personnel at all levels within an organization.
The information should be relevant, reliable, and timely. It is also crucial
that an agency communicate with outside organizations as well, whether
providing information or receiving it. Examples include: receiving updated
guidance from central oversight agencies; management communicating requirements
to the operational staff; operational staff communicating with the information
systems staff to modify application software to extract data requested
in the guidance.
E. Monitoring
Monitoring the effectiveness
of internal control should occur in the normal course of business. In
addition, periodic reviews, reconciliations or comparisons of data should
be included as part of the regular assigned duties of personnel. Periodic
assessments should be integrated as part of management’s continuous
monitoring of internal control, which should be ingrained in the agency’s
operations. If an effective continuous monitoring program is in place,
it can level the resources needed to maintain effective internal controls
throughout the year.
Deficiencies found
in internal control should be reported to the appropriate personnel and
management responsible for that area. Deficiencies identified, whether
through internal review or by an external audit, should be evaluated and
corrected. A systematic process should be in place for addressing deficiencies.
III. INTEGRATED INTERNAL CONTROL FRAMEWORK
Federal agencies
are subject to numerous legislative and regulatory requirements that promote
and support effective internal control. Effective internal control is
a key factor in achieving agency missions and program results through
improved accountability. Identifying internal control weaknesses and taking
related corrective actions are critically important to creating and maintaining
a strong internal control infrastructure that supports the achievement
of agency objectives. Recent government-wide initiatives have been implemented
to improve program management, as well as financial management, including
tracking corrective actions for material weaknesses in internal control
related to financial reporting, imposing accelerated reporting due dates
for more timely financial information, and assessing the effectiveness
and efficiency of program operations using the Program Assessment Rating
Tool (PART). Activities conducted as part of these initiatives support
an agency’s overall internal control framework. Statutory requirements
that should also be considered as part of an agency’s internal control
framework include:
Federal Managers' Financial Integrity Act of 1982 (FMFIA)
The FMFIA requires
agencies to establish and maintain internal control. The agency head must
annually evaluate and report on the control and financial systems that
protect the integrity of Federal programs; Section 2 and Section 4 respectively.
The requirements of FMFIA serve as an umbrella under which other reviews,
evaluations and audits should be coordinated and considered to support
management’s assertion about the effectiveness of internal control
over operations, financial reporting, and compliance with laws and regulations.
Government Performance and Results Act (GPRA)
To support results-oriented
management, GPRA requires agencies to develop strategic plans, set performance
goals, and report annually on actual performance compared to goals. With
the implementation of this legislation, these plans and goals are integrated
into (i) the budget process, (ii) the operational management of agencies
and programs, and (iii) accountability reporting to the public on performance
results, and on the integrity, efficiency, and effectiveness with which
they are achieved. Similarly, the PART’s primary purpose is to assess
program effectiveness and improve program performance. The PART has also
become an integral part of the budget process when making funding resource
allocations or decisions.
Chief Financial Officers Act, as amended (CFO Act)
The CFO Act requires
agencies to both establish and assess internal control related to financial
reporting. The Act requires the preparation and audit of financial statements.
In this process, auditors report on internal control and compliance with
laws and regulations related to financial reporting. Therefore, the agencies
covered by the Act have a clear opportunity to improve internal control
over their financial activities, and to evaluate the controls that are
in place. The Accountability of Tax Dollars Act of 2002 amended the CFO
Act to expand the types of Federal agencies that are required to prepare
audited financial statements.
Meeting the accelerated
financial statement reporting due date also provides incentive for agencies
to have added discipline and effective internal control to routinely produce
reliable financial information. Deficiencies in internal control need
to be mitigated to ensure timely and accurate financial information.
Inspector General Act of 1978, as amended (IG Act)
The IG Act provides
for independent reviews of agency programs and operations. IGs are required
to submit semiannual reports to Congress on significant abuses and deficiencies
identified during the reviews and the recommended actions to correct those
deficiencies. IGs and/or external auditors are required by the Government
Auditing Standards3 and OMB Bulletin No.
01-02, Audit Requirements of Federal Financial Statements, as amended4 to report material weaknesses
in internal control related to financial reporting and noncompliance with
laws and regulations as part of the financial statement audit. Auditors
also provide recommendations for correcting the material weaknesses. Agency
managers, who are required by the IG Act to follow up on audit recommendations,
should use these reviews to identify and correct problems resulting from
inadequate or poorly designed controls, and to build appropriate controls
into new programs. Audit work planned by the IG should be coordinated
with management’s assessment requirements to ensure cost effectiveness
and avoid duplication.
Federal Financial Management Improvement Act of 1996 (FFMIA)
The FFMIA requires
agencies to have financial management systems that substantially comply
with the Federal financial management systems requirements, standards
promulgated by the Federal Accounting Standards Advisory Board (FASAB),
and the U.S. Standard General Ledger (USSGL) at the transaction level.
Financial management systems shall have general and application controls
in place in order to support management decisions by providing timely
and reliable data. The agency head shall make a determination annually
about whether the agency’s financial management systems substantially
comply with the FFMIA. If the systems are found not to be compliant, management
shall develop a remediation plan to bring those systems into substantial
compliance. Management shall determine whether non-compliances with FFMIA
should also be reported as non-conformances with Section 4 of FMFIA.
Federal Information Security Management Act of 2002 (FISMA)
The FISMA provides,
“…a comprehensive framework for ensuring the effectiveness
of information security controls over information resources that support
Federal operations and assets…” Agencies are required to provide
information security controls proportionate with the risk and potential
harm of not having those controls in place. Agency heads are required
to annually report on the effectiveness of the agencies’ security
programs. “Significant deficiencies” found under FISMA must
also be reported as material weaknesses under FMFIA.
Improper Payments Information Act of 2002 (IPIA)
The IPIA requires
agencies to review and, “…identify programs and activities
that may be susceptible to significant improper payments.” Agencies
must annually submit estimates of improper payments, corrective actions
to reduce the improper payments, and statements as to whether its current
information systems and infrastructure can support the effort to reduce
improper payments. The nature and incidence of improper payments shall
be considered when assessing the effectiveness of internal control.
Single Audit Act, as amended
The Single Audit
Act, as amended, requires financial statement audits of non-Federal entities
that receive or administer grant awards of Federal monies. The financial
statement audits include testing the effectiveness of internal control
and determining whether the award monies have been spent in compliance
with laws and regulations. Each Federal agency which provides Federal
awards shall review the audits of the recipients to determine whether
corrective actions are implemented with respect to audit findings.
Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act)
The Clinger-Cohen
Act requires agencies to use a disciplined capital planning and investment
control (CPIC) process to maximize the value of and assess and manage
the risks of the information technology acquisitions. The Act requires
that agencies “(1) establish goals for improving the efficiency
and effectiveness of agency operations and, as appropriate, the delivery
of services to the public through the effective use of information technology;
(2) prepare an annual report…on the progress in achieving the goals;
(3) ensure that performance measurements are prescribed for information
technology used by, or to be acquired for, the executive agency and that
the performance measurements measure how well the information technology
supports programs of the executive agency; (4) where comparable processes
and organizations in the public or private sectors exist, quantitatively
benchmark agency process performance against such processes in terms of
cost, speed, productivity, and quality of outputs and outcomes; (5) analyze
the missions of the executive agency and, based on the analysis, revise
the executive agency’s mission-related processes and administrative
processes as appropriate before making significant investments in information
technology that is to be used in support of the performance of those missions;
and (6) ensure that the information security policies, procedures, and
practices of the executive agency are adequate.”
A. Developing Internal Control. It is management’s responsibility to
develop and maintain effective internal control. As agencies develop and
execute strategies for implementing or reengineering agency programs and
operations, they should design management structures that help ensure
accountability for results. As part of this process, agencies and individual
Federal managers must take systematic and proactive measures to develop
and implement appropriate, cost-effective internal control. The degree
to which studies and analysis are performed will vary depending on the
complexity and risk associated with a given program or operation. The
expertise of the agency CFO can be valuable in developing appropriate
control and the IG can be valuable in providing advice or consultation.
Decisions made during this process should be documented and readily available
for review.
IV. ASSESSING INTERNAL CONTROL
Agency managers
should continuously monitor and improve the effectiveness of internal
control associated with their programs. This continuous monitoring, and
other periodic assessments, should provide the basis for the agency head's
annual assessment of and report on internal control, as required by FMFIA.
Agency management
should determine the appropriate level of documentation needed to support
this assessment. Documentation should be appropriately detailed and organized
and contain sufficient information to support management’s assertion.
Documentation should also include appropriate representations from officials
and personnel responsible for monitoring, improving and assessing internal
controls. Specific assessment and documentation requirements to support
management’s assurance statement on internal control over financial
reporting are defined in Appendix A.
A. Sources of Information. The agency head's assessment of internal control
can be performed using a variety of information sources. Management has
primary responsibility for assessing and monitoring controls, and should
use other sources as a supplement to -- not a replacement for -- its own
judgment. Sources of information include:
- Management knowledge
gained from the daily operation of agency programs and systems.
- Management reviews
conducted (i) expressly for the purpose of assessing internal control,
or (ii) for other purposes with an assessment of internal control as
a by-product of the review.
- IG and GAO reports,
including audits, inspections, reviews, investigations, outcome of hotline
complaints, or other products.
- Program evaluations.
- Audits of financial
statements conducted pursuant to the CFO Act, as amended, including:
information revealed in preparing the financial statements; the auditor's
reports on the financial statements, internal control, and compliance
with laws and regulations; and any other materials prepared relating
to the statements.
- Reviews of financial systems which consider whether the requirements
of FFMIA and OMB Circular No. A-127, Financial Management Systems [5]
are being met.
- Annual evaluations and reports pursuant to FISMA and OMB Circular
No. A-130, Management of Federal Information Resources [6].
- Annual performance
plans and reports pursuant to GPRA.
- PART assessments.
- Annual reviews
and reports pursuant to IPIA.
- Single Audit
reports for grant-making agencies.
- Reports and other
information provided by the Congressional committees of jurisdiction.
- Other reviews
or reports relating to agency operations, e.g. for the Department of
Health and Human Services, quality control reviews of the Medicaid and
Temporary Assistance for Needy Families programs.
- Results from
tests of key controls performed as part of the assessment of internal
control over financial reporting conducted in accordance with the requirements
in Appendix A.
Use of a source of
information should take into consideration whether the process included
an evaluation of internal control. Agency management should avoid duplicating
reviews which assess internal control, and should coordinate their efforts
with other evaluations to the extent practicable.
If a Federal manager
determines that there is insufficient information available upon which
to base an assessment of internal control, then appropriate reviews should
be conducted which will provide such a basis.
B. Identification of Deficiencies. Agency managers and employees should identify
deficiencies in internal control from the sources of information described
above and the results of their assessment process. Agency employees and
managers shall report control deficiencies to the next supervisory level,
which will allow the chain of command structure to determine the relative
importance of each deficiency.
A control deficiency
or combination of control deficiencies that in management’s judgment
represent significant deficiencies in the design or operation of internal
control that could adversely affect the organization's ability to meet
its internal control objectives is a reportable condition (internally
tracked and monitored within the agency). A reportable condition that
the agency head determines to be significant enough to be reported outside
the agency shall be considered a material weakness [7] and included in the
annual FMFIA assurance statement and reported in the agency’s annual
PAR. As it relates to financial reporting, agencies should also consider
qualitative as well as quantitative measures to determine material items.
This designation requires a judgment by agency managers as to the relative
risk and significance of reportable conditions. In identifying and assessing
the relative importance of reportable conditions, consideration should
be given to the views of the agency's IG. Definitions of reportable conditions
and material weaknesses for management’s assessment of internal
control over financial reporting are provided in Appendix A Section II.
Scope. Additionally, definitions and reporting requirements are
summarized in Exhibit 1. The “significant deficiencies” identified
under FISMA must be reported as material weaknesses in the annual FMFIA
report.
Agency managers
and staff should be encouraged to identify control deficiencies, as this
reflects positively on the agency's commitment to recognizing and addressing
management problems. Failing to report a known reportable condition would
reflect adversely on the agency and continue to place the agency’s
operations at risk. Agencies should carefully consider whether systemic
weaknesses exist that adversely affect internal control across organizational
or program lines.
C. Role of a Senior Management Council. Many agencies use a Senior Management
Council to assess and monitor deficiencies in internal control. A Senior
Management Council, which may include the Chief Financial Officer, the
Senior Procurement Executive, the Chief Information Officer, and the managers
of other functional offices, should be involved in identifying and ensuring
correction of systemic weaknesses relating to their respective functions.
Consideration should be given to involving the IG in a consulting capacity
but not to conduct management’s assessment of internal controls.
Such councils generally recommend to the agency head which reportable
conditions are deemed to be material weaknesses to the agency as a whole,
and should therefore be included in the annual FMFIA assurance statement
and reported in the agency’s PAR. This council should be responsible
for overseeing the timely implementation of corrective actions related
to material weaknesses. Such a council may also be useful in determining
when sufficient action has been taken to declare that a reportable condition
or material weakness has been corrected. While the establishment of such
a council is not a requirement of this document, a Senior Management Council
or similar construct is encouraged.
V. CORRECTING INTERNAL CONTROL DEFICIENCIES
Agency managers
are responsible for taking timely and effective action to correct deficiencies
identified by the variety of sources discussed in Section IV, Assessing
Internal Control. Correcting deficiencies is an integral part of management
accountability and must be considered a priority by the agency.
The extent to which
corrective actions are tracked by the agency should be commensurate with
the severity of the deficiency. Corrective action plans should be developed
for all material weaknesses, and progress against plans should be periodically
assessed and reported to agency management. Management should track progress
to ensure timely and effective results. For reportable conditions that
are not included in the FMFIA report, corrective action plans should be
developed and tracked internally at the appropriate level.
A summary of the
corrective action plans for material weaknesses shall be included in the
agency’s PAR. The summary discussion shall include a description
of the material weakness, status of corrective actions, and timeline for
resolution.
Management shall
maintain more detailed corrective action plans internally which shall
be available for OMB review. Management’s process for resolution
and corrective action of identified material weaknesses in internal control
must:
- Provide for appointment
of an overall corrective action accountability official from senior
agency management. The corrective action accountability official should
report to the agency’s Senior Management Council, if applicable.
- Require prompt
resolution and corrective actions.
- Maintain accurate
records of the status of the identified material weaknesses through
the entire process of resolution and corrective action.
- Assure that the
corrective action plans are consistent with laws, regulations, and Administration
policy.
- Assure that performance appraisals of appropriate officials reflect
effectiveness in resolving or implementing corrective action for
identified material weaknesses [8].
A determination
that a reportable condition has been corrected should be made only when
sufficient corrective actions have been taken and the desired results
achieved. This determination should be in writing, and along with other
appropriate documentation supporting the determination, should be available
for review by appropriate officials. (See also Section IV.C. Role
of a Senior Management Council.)
As managers consider
IG and GAO audit reports in identifying and correcting internal control
deficiencies, they must be mindful of the statutory requirements for audit
follow-up included in the IG Act, as amended, and OMB Circular A-50, Audit
Followup. Management has a responsibility to complete action, in
a timely manner, on audit recommendations on which agreement with the
IG has been reached. Management must make a decision regarding IG audit
recommendations within a six-month period after issuance of the audit
report and implement management's decision within one year to the extent
practicable.
VI. REPORTING ON INTERNAL CONTROL
A. Annual Assurance Statements. The assurance statements and information
related to Section 2, Section 4, and internal control over financial reporting
should be provided in a single FMFIA report section of the annual PAR
labeled “Management Assurances.” The section should include
the annual assurance statements, summary of material weaknesses and non-conformances,
and summary of corrective action plans. Management’s assurance statement
relating to internal control over financial reporting and any related
material weaknesses and corrective actions shall be separately identified.
B. Reporting Pursuant to Section 2. 31 U.S.C. 3512(d) (2) (commonly referred
to as Section 2 of the FMFIA) requires that annually the head of each
executive agency submit to the President and the Congress (i) a statement
on whether there is reasonable assurance that the agency's controls are
achieving their intended objectives; and (ii) a report on material weaknesses
in the agency's controls.
- Statement of Assurance. The statement of assurance represents the agency
  head's informed judgment as to the overall adequacy and effectiveness
  of internal control within the agency. The statement must take one of
  the following forms:
  - Unqualified statement of assurance (no material weaknesses reported);
  - Qualified statement of assurance, considering the exceptions explicitly
    noted (one or more material weaknesses reported); or
  - Statement of no assurance (no processes in place or pervasive material
    weaknesses).
  In deciding on the type of assurance to provide, the agency head should
  consider information from the sources described in Section III of this
  Circular, with input from senior program and administrative officials
  and the IG. The agency head must describe the analytical basis for the
  type of assurance being provided, and the extent to which agency activities
  were assessed. Management is precluded from concluding that the agency’s
  internal control is effective (unqualified statement of assurance) if
  there are one or more material weaknesses. The statement of assurance
  must be signed by the agency head.
- Statement of Assurance for Internal Control over Financial Reporting.
  Management is required to provide a separate assurance over the effectiveness
  of the internal controls over financial reporting. This assurance is
  a subset of the overall Statement of Assurance and is based on the results
  of management’s assessment conducted in accordance with the requirements
  in Appendix A. Refer to Appendix A Section V. Management’s
  Assurance Statement on Internal Control over Financial Reporting
  for a further discussion.
C. Reporting Pursuant to Section 4. 31 U.S.C. 3512(d) (2) (B) (commonly referred to as Section 4 of the FMFIA)
requires an annual statement on whether the agency's financial management
systems conform to government-wide requirements. These financial systems
requirements are mandated by the FFMIA and OMB Circular No. A-127, Financial
Management Systems, section 7. If the agency’s systems do not
substantially conform to financial systems requirements, the statement
must list the nonconformances and discuss the agency's plans for bringing
its systems into substantial compliance. Financial management systems
include both financial and financially-related (or mixed) systems.
D. Government Corporations. For government corporations, Section 306 of the Chief Financial Officers
Act established a reporting requirement related to the internal controls
for corporations covered by the Government Corporation and Control Act.
These corporations must submit an annual management report to the Congress.
This report must include, among other items, a statement on control systems
by the head of the management of the corporation consistent with the requirements
of the FMFIA. The corporation is required to provide the President, the
Director of OMB, and the Comptroller General a copy of the management
report when it is submitted to Congress.
Exhibit 1: Summary of A-123 reporting requirements
| | Definition [9] | Reporting |
|---|---|---|
| Control Deficiency (FMFIA Section 2 and internal control over financial reporting) | Control deficiencies exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met. An operation deficiency exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively. | Internal to the organization and not reported externally. Progress against corrective action plans should be periodically assessed and reported to agency management. |
| Reportable Condition (FMFIA Section 2 and internal control over financial reporting) | FMFIA overall – A control deficiency, or combination of control deficiencies, that in management’s judgment, should be communicated because they represent significant weaknesses in the design or operation of internal control that could adversely affect the organization’s ability to meet its internal control objectives. Financial reporting – A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote [10] likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected. | Internal to the organization and not reported externally. Progress against corrective action plans should be periodically assessed and reported to agency management. |
| Material Weakness (FMFIA Section 2 and internal control over financial reporting) | FMFIA overall – Reportable conditions in which the agency head determines to be significant enough to report outside of the agency. Financial reporting – Reportable condition, or combination of reportable conditions, that results in more than a remote [11] likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected. | Material weaknesses and a summary of corrective actions shall be reported to OMB and Congress through the PAR (Management Report for Government Corporations). Progress against corrective action plans should be periodically assessed and reported to agency management. |
| Non-conformance (FMFIA Section 4) | Instances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems. | Non-conformances and a summary of corrective actions to bring systems into conformance shall be reported to OMB and Congress through the PAR (Management Report for Government Corporations). Progress against corrective action plans should be periodically assessed and reported to agency management. |
APPENDIX A: INTERNAL CONTROL OVER FINANCIAL REPORTING
TABLE OF CONTENTS
I. Introduction
II. Scope
III. Assessing Internal Control over Financial Reporting
IV. Documentation
V. Management’s Assurance Statement on Internal Control over Financial Reporting
VI. Correcting Material Weaknesses in Internal Control over Financial Reporting
I. INTRODUCTION
This Appendix provides
a methodology for agency management to assess, document, and report on
the internal controls over financial reporting. This document also encourages
an integrated approach to assessing the internal controls over financial
reporting considering the current legislative and regulatory environment
in which Federal entities operate.
Effective internal control over financial reporting provides reasonable
assurance that misstatements, losses, or noncompliance with applicable laws
and regulations, material in relation to financial reports, would
be prevented or detected. [12]
The Sarbanes-Oxley
Act of 2002 required that management of publicly-traded companies strengthen
their processes for assessing and reporting on the internal controls over
financial reporting. The passage of the Sarbanes-Oxley Act served as an
impetus for the Federal government to reevaluate its current policies
relating to internal control over financial reporting and management’s
related responsibilities. While the Sarbanes-Oxley Act created a new requirement
for managers of publicly-traded companies to report on the internal controls
over financial reporting, Federal managers have been subject to similar
internal control reporting requirements for many years.
Federal agencies
are subject to numerous legislative and regulatory requirements that promote
and support effective internal control. The Federal Managers’ Financial
Integrity Act (FMFIA) of 1982 provides the statutory basis for management’s
responsibility for and assessment of internal control. In addition, the
Chief Financial Officers Act (CFO Act) of 1990 requires agency CFOs to
“develop and maintain an integrated agency accounting and financial
management system, including financial reporting and internal controls,
which … complies with applicable … internal control standards…”
The Federal Financial Management Improvement Act (FFMIA) of 1996 and OMB
Circular No. A-127, Financial Management Systems also instruct
agencies to maintain an integrated financial management system that complies
with Federal system requirements, FASAB Standards, and the USSGL at the
transaction level. The Inspector General Act (IG Act) of 1978, as amended,
requires that IGs submit semiannual reports to the Congress on significant
abuses and deficiencies identified during these reviews and the recommended
actions to correct those deficiencies. The GAO Government Auditing
Standards (Yellow Book) and OMB Bulletin No. 01-02, Audit Requirements
for Federal Financial Statements, as amended, require auditors to
test and report on internal control as part of a Federal agency financial
statement audit, including a description of reportable conditions and
material weaknesses in internal control over financial reporting.
Recent government-wide
initiatives have also contributed to improvements in financial management
and placed greater emphasis on implementing and maintaining effective
internal control over financial reporting. These initiatives include aggressive
OMB quarterly tracking of corrective actions for material weaknesses in
internal control related to financial reporting, accelerated financial
reporting due dates, and the emphasis on demonstrating the availability
of timely and accurate financial management information for management
decisions.
The FMFIA and OMB
Circular A-123 apply to each of the three objectives of internal control:
effective and efficient operations, reliable financial reporting, and
compliance with applicable laws and regulations. While the standards of
internal control shall be applied consistently toward each of the objectives,
this Appendix requires agencies to specifically document the
process and methodology for applying the standards when assessing internal
control over financial reporting. This Appendix also requires management
to use a separate materiality level when assessing internal control over
financial reporting (See Appendix A Section II. Scope). The agency
head’s annual assurance statement on the effectiveness of internal
control over financial reporting required by this Appendix is a subset
of the assurance statement required under FMFIA on the overall internal
control of the agency.
II. SCOPE
A. Objectives of Internal Control over Financial Reporting
Internal control
over financial reporting is a process designed to provide reasonable assurance
regarding the reliability of financial reporting. Reliability of financial
reporting means that management can reasonably make the following assertions:
- All reported transactions
actually occurred during the reporting period and all assets and liabilities
exist as of the reporting date (existence and occurrence);
- All assets, liabilities,
and transactions that should be reported have been included and no unauthorized
transactions or balances are included (completeness);
- All assets are
legally owned by the agency and all liabilities are legal obligations
of the agency (rights and obligations);
- All assets and
liabilities have been properly valued, and where applicable, all costs
have been properly allocated (valuation);
- The financial
report is presented in the proper form and any required disclosures
are present (presentation and disclosure);
- The transactions
are in compliance with applicable laws and regulations (compliance);
- All assets have
been safeguarded against fraud and abuse; and
- Documentation
for internal control, all transactions, and other significant events
is readily available for examination.
B. Definition of Financial Reporting
Internal control
over financial reporting should assure the safeguarding of assets from
waste, loss, unauthorized use, or misappropriation as well as assure compliance
with laws and regulations pertaining to financial reporting. Financial
reporting includes annual financial statements of an agency as well as
other significant internal or external financial reports. Other significant
financial reports are defined as any financial reports that could have
a material effect on a significant spending, budgetary or other financial
decision of the agency or that is used to determine compliance with laws
and regulations on the part of the agency. An agency needs to determine
the scope of financial reports that are significant, i.e., which reports
are included in the assessment of internal control over financial reporting.
In addition to the annual financial statements, significant reports might
include: quarterly financial statements; financial statements at the operating
division or program level; budget execution reports; reports used to monitor
specific activities such as specific revenues, receivables, or liabilities;
reports used to monitor compliance with laws and regulations such as the
Anti-Deficiency Act, etc.
C. Planning Materiality
Materiality for
financial reporting is the risk of error or misstatement that could occur
in a financial report that would impact management’s or users’
decisions or conclusions based on such report. The planning materiality
for the assessment should be designed so as to ensure that items required
to be reported will be detected. Therefore, the planning materiality should
be at a lower threshold than the reporting materiality as defined below.
Materiality should be determined for each financial report included in
the scope of the assessment. Materiality may differ from report to report.
Materiality shall be considered when determining the extent of testing
or work required to assess internal control over financial reporting as
well as what deficiencies should be reported. Management must determine
whether the internal controls over a financial report are sufficient to
prevent or detect errors or misstatements that would be considered material
for a specific financial report. Therefore, the extent of work performed
and reporting threshold for control deficiencies must be determined on
a report by report basis. Additionally, agencies should consider qualitative
as well as quantitative measures to determine material items.
D. Definition of Deficiencies [13]
A control deficiency
exists when the design or operation of a control does not allow management
or employees, in the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis. A design deficiency
exists when a control necessary to meet the control objective is missing
or an existing control is not properly designed, so that even if the control
operates as designed the control objective is not always met. An operation
deficiency exists when a properly designed control does not operate as
designed or when the person performing the control is not qualified or
properly skilled to perform the control effectively.
A reportable condition
is a control deficiency, or combination of control deficiencies, that
adversely affects the entity’s ability to initiate, authorize, record,
process, or report external financial data reliably in accordance with
generally accepted accounting principles such that there is more than
a remote [14] likelihood that a misstatement of the entity’s financial statements,
or other significant financial reports, that is more than inconsequential
will not be prevented or detected.
A material weakness
in internal control is a reportable condition, or combination of reportable
conditions, that results in more than a remote [15]
likelihood that a material misstatement of the financial statements, or
other significant financial reports, will not be prevented or detected.
Material weaknesses in internal control over financial reporting shall
be included in the annual FMFIA report, but separately identified.
The above definitions and corresponding reporting requirements are summarized
in Exhibit 1.
III. ASSESSING INTERNAL CONTROL OVER FINANCIAL REPORTING
A. Establish a Senior Assessment Team
The success of an
agency's assessment will depend in large part on who will be responsible
for carrying out or directing the assessment. Given the significance and breadth
of the assessment, a senior assessment team should be established that
includes senior executives and derives its authority and support from
the head of the agency or the Chief Financial Officer. The senior assessment
team could be a subset of the Senior Management Council. The senior assessment
team could take many forms, such as a financial management improvement
committee. The senior assessment team, at a minimum, should provide oversight
of the assessment process and is responsible for:
- Ensuring that
assessment objectives are clearly communicated throughout the agency;
- Ensuring that
the assessment is carried out in a thorough, effective, and timely manner;
- Identifying and
ensuring adequate funding and resources are made available;
- Identifying staff
and/or securing contractors to perform the assessment;
- Determining the
scope of the assessment, i.e., those financial reports covered by the
assessment; and
- Determining the
assessment design and methodology.
B. Evaluate Internal Control at the Entity Level
Internal control
at the entity level refers to those elements of the five components of
internal control that have an overarching or pervasive effect on the agency.
Specific elements of internal control that should be evaluated at this
level are discussed below.
- Control Environment
The assessment should include obtaining a sufficient knowledge of the
control environment to understand management's attitude, awareness, and
actions concerning the control environment. The assessment should consider
the collective effect on the control environment, since management's
strengths and weaknesses can have a pervasive effect on internal control.
Specific elements of the control environment that should be considered include:
  - Integrity and ethical standards
  - Commitment to competence
  - Management philosophy and operating style
  - Organizational structure
  - Assignment of authority and responsibility
  - Human resource policies and practices
- Risk Assessment
The assessment should include obtaining sufficient knowledge of the agency's
process on how management considers risks relevant to financial reporting
objectives and decides about actions to address those risks. The assessment
should determine how management identifies risks, estimates the significance
of risks, assesses the existence of risks in the current environment,
and relates them to financial reporting. The results of this assessment
at the agency-wide level will drive the extent of testing and review
performed at the process, transaction, or application level. Some significant
circumstances or events that can affect risk include:
  - Complexity or magnitude of programs, operations, transactions, etc.;
  - Accounting estimates;
  - Related party transactions;
  - Extent of manual processes or applications;
  - Decentralized versus centralized accounting and reporting functions;
  - Changes in operating environment;
  - New personnel or significant personnel changes;
  - New or revamped information systems;
  - Significant new or changed programs or operations;
  - New technology; and
  - New or amended laws, regulations, or accounting standards.
- Control Activities
Control activities are the policies and procedures that help ensure that
management directives are carried out and that management's assertions in
its financial reporting are valid. The assessment should include obtaining
an understanding of the control activities applicable at the entity level,
such as:
  - Policies and procedures;
  - Management objectives (clearly written and communicated throughout the agency);
  - Planning and reporting systems;
  - Analytical review and analysis;
  - Segregation of duties;
  - Safeguarding of records; and
  - Physical and access controls.
- Information
and Communication
The assessment should
include obtaining an understanding of the information system(s) relevant
to financial reporting. Such an understanding should include:
- The type and sufficiency of reports produced;
- The manner in which information systems development is managed;
- Disaster recovery;
- Communication of employees' control-related duties and responsibilities; and
- How incoming external communication is handled.
- Monitoring
The assessment should
include obtaining an understanding of the major types of activities
the agency uses to monitor internal control over financial reporting,
including the source of the information related to those activities,
and how those activities are used to initiate corrective actions. Several
examples include:
- Self assessments by management;
- Evaluations by the IG or external auditor; and
- Direct testing.
C. Evaluate Internal Control at the Process, Transaction, or Application Level
- Determine Significant Accounts or Groups of Accounts
For each financial report identified in the scope of the assessment,
identify those accounts or groups of accounts that individually or collectively
could have a material effect on the financial report. Agencies should
consider qualitative as well as quantitative measures to determine material
items.
- Identify and Evaluate the Major Classes of Transactions
For each significant account or group of accounts, identify the major
classes of transactions that materially affect those accounts. In identifying
transactions, specifically consider whether a class of transactions
is routine, non-routine, or represents an accounting estimate. This
type of classification can help the senior assessment team identify
the inherent risk and the controls necessary to adequately mitigate
such risks. The assessment should include obtaining an understanding
of the specific processes and document flow involved in each class of
transactions. Thoroughly understanding the processes and document flow
will help in understanding where errors could occur and what control
objectives and techniques may prevent or detect those errors.
- Understand the Financial Reporting Process
Obtain an understanding of the process and workflow that links the
accounting system to the financial report(s). Oftentimes, financial
information is not directly transferable from the accounting system
to the financial report, but requires intervening calculations, summarizations,
etc. This represents another point where errors can be introduced into
the financial report, and it is important to understand where such errors
could occur and what control objectives and control techniques can prevent
or detect these errors.
- Gain an Understanding of Control Design to Achieve Management's Assertions
Prepare a control evaluation(s) for each significant account or group
of accounts that aligns specific controls with management's assertions
for each account or group of accounts. An individual assessment of the
potential effectiveness of the design of the controls for each account
or group of accounts should be made considering the risk of error and
the controls that are designed and in place to prevent or detect such
errors. Assessing the effectiveness of the design of a control is concerned
with whether the control is suitably designed to prevent or detect a
material error related to an account or group of accounts. Procedures
to obtain such evidential matter ordinarily include inquiries of appropriate
agency personnel; inspection of documents, reports, or electronic files;
and observation of the application of specific controls. This is sometimes
referred to as a "walk-through" and helps the senior assessment
team ensure its understanding of the controls. An assessment of the
control design should identify controls as effective, moderately effective,
or not effective.
- Controls Not Adequately Designed
If a control
over a significant account or group of accounts is missing or its design
is determined to be not effective considering the associated risk of
error, the senior assessment team does not need to test this control
for the purpose of concluding on control effectiveness. This instance
should be noted in the report of deficiencies and suggestions for improvement.
However, management may nevertheless seek to further test affected transactions
to determine if there was any actual loss, fraud, error, improper payment,
or noncompliance resulting from those ineffective controls.
- Test Controls and Assess Compliance to Support Management's Assertions
For those controls whose design is deemed effective or moderately effective,
the senior assessment team should test those controls to determine the
extent to which the controls were applied, the consistency of their
application, and who applied them. Tests of controls ordinarily include
procedures such as inquiries of appropriate agency personnel; inspection
of documents, reports, or electronic files, indicating performance of
the control; observation of the application of specific controls; and
reperformance of the application of the control by the senior assessment
team. If testing indicates that a significant control is not operating
as designed, it should be reported as a deficiency.
D. Overall Assessment of the Design and Operation of Internal Control over Financial Reporting
The final step in
the assessment is an overall conclusion as to the design and operation
of the internal controls over financial reporting based on the assessments
at the entity level and the process, transaction, or application level.
The overall assessment should conclude whether the internal controls over
financial reporting are operating effectively or whether material weaknesses
exist in the design or operation. A template for the Statement of Assurance
can be found in Exhibit 2.
E. Reliance on Other Work to Accomplish Assessment
The assessment of
internal control over financial reporting should be coordinated with other
activities to avoid duplication of efforts with similar activities. For
example, agencies are required to perform reviews of financial systems
under FFMIA or information security under FISMA. Reviews performed by
management, or at management’s direction, may be used to help accomplish
this assessment. Management may consult with the agency IG to plan and
coordinate related work. The IG may be involved in a consulting capacity
but shall not conduct management’s assessment of internal controls
over financial reporting.
Control weaknesses
at a service organization could have a material impact on the controls
of the customer organization. Therefore, management of cross-servicing
agencies will need to provide an annual assurance statement to its customer
agencies in advance to allow its customer agencies to rely upon that assurance
statement. Management of cross-servicing agencies shall test the controls
over the activities it performs for others on a yearly basis.
These controls shall be highlighted in management’s assurance statement
that is provided to its customers. Cross-servicing and customer agencies
will need to coordinate the timing of the assurance statements.
IV. DOCUMENTATION
A. Documenting Internal Control over Financial Reporting
The senior assessment
team should document its understanding of the agency's internal control
over financial reporting. The form and extent of documentation depend
in part on the nature and complexity of the agency's controls; the more
extensive and complex the controls, the more extensive the documentation.
Documentation may be electronic, hard copy format, or both and be readily
available for examination. Documentation could include organizational
charts, flow charts, questionnaires, decision tables, or memoranda. Documentation
may already exist as part of normal agency policy or procedure; however,
the senior assessment team should separately identify, verify, and maintain
the documentation it uses in making its assessment. The documentation
prepared by internal or external auditors may also be used, but again,
the senior assessment team must take responsibility and verify and maintain
that documentation. Documentation should also include appropriate representations
from officials and personnel responsible for monitoring, improving and
assessing internal controls. After an initial assessment, subsequent assessments
may focus on updating existing documentation. All documentation and records
shall be properly managed and maintained; therefore, agencies will need
to establish, or review existing retention policies for documentation
(paper and electronic media).
B. Documenting the Assessment of Effectiveness
The senior assessment
team must also document the assessment process of internal control over
financial reporting, including:
- The establishment of the senior assessment team, its authority and members;
- Contracting actions if contractors are used to perform or assist in the assessment;
- Communications with agency management and employees regarding the assessment;
- Key decisions of the senior assessment team;
- The assessment methodology and guide;
- The assessment of internal control at the entity level;
- The assessment of internal control at the process, transaction, or application level;
- The testing of controls and related results; and
- Identified deficiencies and suggestions for improvement.
The documentation
may be electronic, hard copy format, or both, and should be available
for review. Documentation should also include appropriate representations
from officials and personnel responsible for monitoring, improving and
assessing internal controls.
V. MANAGEMENT’S ASSURANCE STATEMENT ON INTERNAL CONTROL OVER FINANCIAL REPORTING
An agency’s
management is required to include an assurance statement on the internal
controls over financial reporting in its annual Performance and Accountability
Report as described in Section VI. Reporting on Internal Control.
This statement is management’s assessment of the effectiveness of
the agency’s internal control over financial reporting as of June
30 of that fiscal year (see Exhibit 2). This assurance statement is required
to include the following:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the agency.
- A statement identifying the OMB Circular A-123, Management’s Responsibility for Internal Control as the framework used by management to conduct the assessment of the effectiveness of the agency’s internal control over financial reporting.
- An assessment of the effectiveness of the agency’s internal control over financial reporting as of June 30, including an explicit conclusion as to whether the internal controls over financial reporting are effective.
- If a material weakness is discovered by June 30, but corrected by September 30, a statement identifying the material weakness, the corrective action taken, and that it has been resolved by September 30.
- If a material weakness is discovered after June 30, but prior to September 30, the statement identifying the material weaknesses should be updated to include the subsequently identified material weakness.
In its assurance
statement on the internal controls over financial reporting, management
is required to state a direct conclusion about whether the agency’s
internal controls over financial reporting are effective. The statement
must take one of the following forms:
- Unqualified statement of assurance (no material weaknesses reported);
- Qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported); or
- Statement of no assurance (no processes in place or pervasive material weaknesses).
Management is precluded
from concluding that the agency’s internal control over financial
reporting is effective if there are one or more material weaknesses. Management
must make the final determination with regard to what constitutes a material
weakness. Management is required to disclose all material weaknesses that
exist as of June 30 of the current fiscal year.
Management may be
able to accurately represent that internal control over financial reporting,
as of June 30 of the agency’s current fiscal year, is effective
even if one or more material weaknesses existed during the period. To
make this representation, management must have implemented improvements
in internal control over financial reporting to mitigate the material
weaknesses and have satisfactorily tested the effectiveness over a period
of time that is adequate for it to determine whether, as of June 30 of
the current fiscal year, the design and operation of the internal controls
over financial reporting are effective.
A. Agencies Obtaining Audit Opinions on Internal Control
This Circular does
not require a separate audit opinion on internal control over financial
reporting. Agencies may at their discretion elect to receive an audit
opinion on internal control over financial reporting. Agencies electing
to receive an audit opinion on internal control over financial reporting
may adjust the “as of” reporting date of June 30 to coincide
with the “as of” date of the audit opinion on internal control.
Refer to Appendix A Section VI. Correcting Material Weakness in Internal
Control over Financial Reporting for special circumstances requiring
an opinion level of assurance.
VI. CORRECTING MATERIAL WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING
Each agency shall
establish systems to assure the prompt and proper resolution and implementation
of corrective action on identified material weaknesses. These systems
shall provide for a complete record of action taken on the material weaknesses
identified. Management’s process for resolution and corrective action
of the identified material weaknesses in the internal controls over financial
reporting must also meet the standards listed in Section V. Correcting
Internal Control Deficiencies.
If the agency cannot
meet the deadlines outlined in the approved corrective action plan, OMB
may, at its discretion, require the agency to obtain an independent audit
opinion of their internal control over financial reporting as part of
their financial statement audit.
Exhibit 2: Sample Annual Assurance Statement on Internal Control over Financial Reporting
Fiscal Year 2xxx
Annual Assurance Statement on Internal Control over Financial Reporting
The [Agency’s]
management is responsible for establishing and maintaining effective
internal control over financial reporting, which includes safeguarding
of assets and compliance with applicable laws and regulations. The
[Agency] conducted its assessment of the effectiveness of the [Agency’s]
internal control over financial reporting in accordance with OMB
Circular A-123, Management’s Responsibility for Internal Control.
Based on the results of this evaluation, the [Agency] can provide
reasonable assurance that internal control over financial reporting
as of June 30, 2xxx was operating effectively and no material weaknesses
were found in the design or operation of the internal controls over
financial reporting.
____________________________________
Head of the Agency
1 The quoted text is from the Federal Managers’ Financial Integrity Act (FMFIA) of 1982.
2 Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, “Green Book”.
3 The Government Auditing Standards, June 2003 (GAO-03-673G) can be found on the GAO website at www.gao.gov. The Government Auditing Standards are commonly known as the “Yellow Book.”
4 The OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended can be found on the OMB website at www.omb.gov.
5 The OMB Circular No. A-127, Financial Management Systems can be found on the OMB website at www.omb.gov.
6 The OMB Circular No. A-130, Management of Federal Information Resources can be found on the OMB website at www.omb.gov.
7 This Circular's use of the term "material weakness" is similar to the same term used by auditors to identify internal control weaknesses found during a financial statement audit (see OMB Bulletin 01-02 or GAO “Yellow Book”). This Circular’s use of the same term encompasses not only financial reporting, but also encompasses weaknesses found in program operations and compliance with applicable laws and regulations. Material weaknesses for the purposes of this Circular are determined by management, whereas material weaknesses reported as part of a financial statement audit are determined by independent auditors.
8 Standards based upon OMB Circular A-50, Audit Followup.
9 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).
10 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
11 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
12 The definition of effective internal control is based on the GAO/PCIE, Financial Audit Manual.
13 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).
14 The term “remote” is defined in SFFAS No. 5, Accounting for Liabilities of the Federal Government, as the chance of the future event, or events, occurring is slight.
15 Ibid.