Circular No. A-123
June 21, 1995
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
FROM: Alice M. Rivlin, Director
SUBJECT: Management Accountability and Control
1. Purpose and Authority. As Federal employees develop and implement strategies for reengineering agency programs and operations, they should design management structures that help ensure accountability for results, and include appropriate, cost-effective controls. This Circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls.
The Circular is issued under the authority of the Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512.
The Circular replaces Circular No. A-123, "Internal Control Systems," revised, dated August 4, 1986, and OMB's 1982 "Internal Controls Guidelines" and associated "Questions and Answers" document, which are hereby rescinded.
2. Policy. Management accountability is the expectation that managers are responsible for the quality and timeliness of program performance, increasing productivity, controlling costs and mitigating adverse aspects of agency operations, and assuring that programs are managed with integrity and in compliance with applicable law.
Management controls are the organization, policies, and procedures used to reasonably ensure that (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making.
3. Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective management controls for results-oriented management; (ii) assess the adequacy of management controls in Federal programs and operations; (iii) identify needed improvements; (iv) take corresponding corrective action; and (v) report annually on management controls.
4. Effective Date. This Circular is effective upon issuance.
5. Inquiries. Further information concerning this Circular may be obtained from the Management Integrity Branch, Office of Federal Financial Management, Office of Management and Budget, Washington, DC 20503, 202/395-6911.
6. Copies. Copies of this Circular may be obtained by telephoning the Executive Office of the President, Publication Services, at 202/395-7332.
7. Electronic Access. This document is also accessible on the U.S. Department of Commerce's FedWorld Network under the OMB Library of Files.
- The Telnet address for FedWorld via Internet is "fedworld.gov".
- The World Wide Web address is "http://www.fedworld.gov/ftp.htm#omb".
- For file transfer protocol (FTP) access, the address is "ftp://fwux.fedworld.gov/pub/omb/omb.htm".
The telephone number for the FedWorld help desk is 703/487-4608.
Note to Internet Users: This document, with associated explanatory material, was published in the Federal Register on June 29, 1995, Volume 60, Number 125, pages 33876-33872. This can be accessed from the Federal Register Online via GPO Access [wais.access.gpo.gov].
The proper stewardship of Federal resources is a fundamental responsibility of agency managers and staff. Federal employees must ensure that government resources are used efficiently and effectively to achieve intended program results. Resources must be used consistent with agency mission, in compliance with law and regulation, and with minimal potential for waste, fraud, and mismanagement.
To support results-oriented management, the Government Performance and Results Act (GPRA, P.L. 103-62) requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals. As the Federal government implements this legislation, these plans and goals should be integrated into (i) the budget process, (ii) the operational management of agencies and programs, and (iii) accountability reporting to the public on performance results, and on the integrity, efficiency, and effectiveness with which they are achieved.
Management accountability is the expectation that managers are responsible for the quality and timeliness of program performance, increasing productivity, controlling costs and mitigating adverse aspects of agency operations, and assuring that programs are managed with integrity and in compliance with applicable law.
Management controls -- organization, policies, and procedures -- are tools to help program and financial managers achieve results and safeguard the integrity of their programs. This Circular provides guidance on using the range of tools at the disposal of agency managers to achieve desired program results and meet the requirements of the Federal Managers' Financial Integrity Act (FMFIA, referred to as the Integrity Act throughout this document).
Framework. The importance of management controls is addressed, both explicitly and implicitly, in many statutes and executive documents. The Federal Managers' Financial Integrity Act (P.L. 97-255) establishes specific requirements with regard to management controls. The agency head must establish controls that reasonably ensure that: (i) obligations and costs comply with applicable law; (ii) assets are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and expenditures are properly recorded and accounted for. 31 U.S.C. 3512(c)(1). In addition, the agency head annually must evaluate and report on the control and financial systems that protect the integrity of Federal programs. 31 U.S.C. 3512(d)(2). The Act encompasses program, operational, and administrative areas as well as accounting and financial management.
Instead of considering controls as an isolated management tool, agencies should integrate their efforts to meet the requirements of the Integrity Act with other efforts to improve effectiveness and accountability. Thus, management controls should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. They should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.
For instance, good management controls can assure that performance measures are complete and accurate. As another example, the management control standard of organization would align staff and authority with the program responsibilities to be carried out, improving both effectiveness and accountability. Similarly, accountability for resources could be improved by more closely aligning budget accounts with programs and charging them with all significant resources used to produce the program's outputs and outcomes.
Meeting the requirements of the Chief Financial Officers Act (P.L. 101-576, as amended) should help agencies both establish and evaluate management controls. The Act requires the preparation and audit of financial statements for 24 Federal agencies. 31 U.S.C. 901(b), 3515. In this process, auditors report on internal controls and compliance with laws and regulations. Therefore, the agencies covered by the Act have a clear opportunity both to improve controls over their financial activities, and to evaluate the controls that are in place.
The Inspector General Act (P.L. 95-452, as amended) provides for independent reviews of agency programs and operations. Offices of Inspectors General (OIGs) and other external audit organizations frequently cite specific deficiencies in management controls and recommend opportunities for improvements. Agency managers, who are required by the Act to follow up on audit recommendations, should use these reviews to identify and correct problems resulting from inadequate, excessive, or poorly designed controls, and to build appropriate controls into new programs.
Federal managers must carefully consider the appropriate balance of controls in their programs and operations. Fulfilling requirements to eliminate regulations ("Elimination of One-Half of Executive Branch Internal Regulations," Executive Order 12861) should reinforce to agency managers that too many controls can result in inefficient and ineffective government, and therefore that they must ensure an appropriate balance between too many controls and too few controls. Managers should benefit from controls, not be encumbered by them.
Agency Implementation. Appropriate management controls should be integrated into each system established by agency management to direct and guide its operations. A separate management control process need not be instituted, particularly if its sole purpose is to satisfy the Integrity Act's reporting requirements.
Agencies need to plan for how the requirements of this Circular will be implemented. Developing a written strategy for internal agency use may help ensure that appropriate action is taken throughout the year to meet the objectives of the Integrity Act. The absence of such a strategy may itself be a serious management control deficiency.
Identifying and implementing the specific procedures necessary to ensure good management controls, and determining how to evaluate the effectiveness of those controls, is left to the discretion of the agency head. However, agencies should implement and evaluate controls without creating unnecessary processes, consistent with recommendations made by the National Performance Review.
The President's Management Council, composed of the major agencies' chief operating officers, has been established to foster governmentwide management changes ("Implementing Management Reform in the Executive Branch," October 1, 1993). Many agencies are establishing their own senior management council, often chaired by the agency's chief operating officer, to address management accountability and related issues within the broader context of agency operations. Relevant issues for such a council include ensuring the agency's commitment to an appropriate system of management controls; recommending to the agency head which control deficiencies are sufficiently serious to report in the annual Integrity Act report; and providing input for the level and priority of resource needs to correct these deficiencies. (See also Section III of this Circular.)
Definition of Management Controls. Management controls are the organization, policies, and procedures used by agencies to reasonably ensure that (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making.
Management controls, in the broadest sense, include the plan of organization, methods and procedures adopted by management to ensure that its goals are met. Management controls include processes for planning, organizing, directing, and controlling program operations. A subset of management controls are the internal controls used to assure that there is prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets.
Developing Management Controls. As Federal employees develop and execute strategies for implementing or reengineering agency programs and operations, they should design management structures that help ensure accountability for results. As part of this process, agencies and individual Federal managers must take systematic and proactive measures to develop and implement appropriate, cost-effective management controls. The expertise of the agency CFO and IG can be valuable in developing appropriate controls.
Management controls guarantee neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but they are a means of managing the risk associated with Federal programs and operations. To help ensure that controls are appropriate and cost-effective, agencies should consider the extent and cost of controls relative to the importance and risk associated with a given program.
Standards. Agency managers shall incorporate basic management controls in the strategies, plans, guidance and procedures that govern their programs and operations. Controls shall be consistent with the following standards, which are drawn in large part from the "Standards for Internal Control in the Federal Government," issued by the General Accounting Office (GAO).
General management control standards are:
Compliance With Law. All program operations, obligations and costs must comply with applicable law and regulation. Resources should be efficiently and effectively allocated for duly authorized purposes.
Reasonable Assurance and Safeguards. Management controls must provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Management controls developed for agency programs should be logical, applicable, reasonably complete, and effective and efficient in accomplishing management objectives.
- Integrity, Competence, and Attitude. Managers and employees must have personal integrity and are obligated to support the ethics programs in their agencies. The spirit of the Standards of Ethical Conduct requires that they develop and implement effective management controls and maintain a level of competence that allows them to accomplish their assigned duties. Effective communication within and between offices should be encouraged.
Specific management control standards are:
Delegation of Authority and Organization. Managers should ensure that appropriate authority, responsibility and accountability are defined and delegated to accomplish the mission of the organization, and that an appropriate organizational structure is established to effectively carry out program responsibilities. To the extent possible, controls and related decision-making authority should be in the hands of line managers and staff.
Separation of Duties and Supervision. Key duties and responsibilities in authorizing, processing, recording, and reviewing official agency transactions should be separated among individuals. Managers should exercise appropriate oversight to ensure individuals do not exceed or abuse their assigned authorities.
Access to and Accountability for Resources. Access to resources and records should be limited to authorized individuals, and accountability for the custody and use of resources should be assigned and maintained.
Recording and Documentation. Transactions should be promptly recorded, properly classified and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for ex amination.
- Resolution of Audit Findings and Other Deficiencies. Managers should promptly evaluate and determine proper actions in response to known deficiencies, reported audit and other findings, and related recommendations. Managers should complete, within established timeframes, all actions that correct or otherwise resolve the appropriate matters brought to management's attention.
Other policy documents may describe additional specific standards for particular functional or program activities. For example, OMB Circular No. A-127, "Financial Management Systems," describes government-wide requirements for financial systems. The Federal Acquisition Regulations define requirements for agency procurement activities.
III. ASSESSING AND IMPROVING MANAGEMENT CONTROLS
Agency managers should continuously monitor and improve the effectiveness of management controls associated with their programs. This continuous monitoring, and other periodic evaluations, should provide the basis for the agency head's annual assessment of and report on management controls, as required by the Integrity Act. Agency management should determine the appropriate level of documentation needed to support this assessment.
Sources of Information. The agency head's assessment of management controls can be performed using a variety of information sources. Management has primary responsibility for monitoring and assessing controls, and should use other sources as a supplement to -- not a replacement for -- its own judgment. Sources of information include:
Management knowledge gained from the daily operation of agency programs and systems.
Management reviews conducted (i) expressly for the purpose of assessing management controls, or (ii) for other purposes with an assessment of management controls as a by-product of the review.
IG and GAO reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products.
Audits of financial statements conducted pursuant to the Chief Financial Officers Act, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal controls, and compliance with laws and regulations; and any other materials prepared relating to the statements.
Reviews of financial systems which consider whether the requirements of OMB Circular No. A-127 are being met.
Reviews of systems and applications conducted pursuant to the Computer Security Act of 1987 (40 U.S.C. 759 note) and OMB Circular No. A-130, "Management of Federal Information Resources."
Annual performance plans and reports pursuant to the Government Performance and Results Act.
Reports and other information provided by the Congressional committees of jurisdiction.
- Other reviews or reports relating to agency operations, e.g. for the Department of Health and Human Services, quality control reviews of the Medicaid and Aid to Families with Dependent Children programs.
Use of a source of information should take into consideration whether the process included an evaluation of management controls. Agency management should avoid duplicating reviews which assess management controls, and should coordinate their efforts with other evaluations to the extent practicable.
If a Federal manager determines that there is insufficient information available upon which to base an assessment of management controls, then appropriate reviews should be conducted which will provide such a basis.
Identification of Deficiencies. Agency managers and employees should identify deficiencies in management controls from the sources of information described above. A deficiency should be reported if it is or should be of interest to the next level of management. Agency employees and managers generally report deficiencies to the next supervisory level, which allows the chain of command structure to determine the relative importance of each deficiency.
A deficiency that the agency head determines to be significant enough to be reported outside the agency (i.e. included in the annual Integrity Act report to the President and the Congress) shall be considered a "material weakness."  This designation requires a judgment by agency managers as to the relative risk and significance of deficiencies. Agencies may wish to use a different term to describe less significant deficiencies, which are reported only internally in an agency. In identifying and assessing the relative importance of deficiencies, particular attention should be paid to the views of the agency's IG.
Agencies should carefully consider whether systemic problems exist that adversely affect management controls across organizational or program lines. The Chief Financial Officer, the Senior Procurement Executive, the Senior IRM Official, and the managers of other functional offices should be involved in identifying and ensuring correction of systemic deficiencies relating to their respective functions.
Agency managers and staff should be encouraged to identify and report deficiencies, as this reflects positively on the agency's commitment to recognizing and addressing management problems. Failing to report a known deficiency would reflect adversely on the agency.
Role of A Senior Management Council. Many agencies have found that a senior management council is a useful forum for assessing and monitoring deficiencies in management controls. The membership of such councils generally includes both line and staff management; consideration should be given to involving the IG. Such councils generally recommend to the agency head which deficiencies are deemed to be material to the agency as a whole, and should therefore be included in the annual Integrity Act report to the President and the Congress. (Such a council need not be exclusively devoted to management control issues.) This process will help identify deficiencies that although minor individually, may constitute a material weakness in the aggregate. Such a council may also be useful in determining when sufficient action has been taken to declare that a deficiency has been corrected.
Agency managers are responsible for taking timely and effective action to correct deficiencies identified by the variety of sources discussed in Section III. Correcting deficiencies is an integral part of management accountability and must be considered a priority by the agency.
The extent to which corrective actions are tracked by the agency should be commensurate with the severity of the deficiency. Corrective action plans should be developed for all material weaknesses, and progress against plans should be periodically assessed and reported to agency management. Management should track progress to ensure timely and effective results. For deficiencies that are not included in the Integrity Act report, corrective action plans should be developed and tracked internally at the appropriate level.
A determination that a deficiency has been corrected should be made only when sufficient corrective actions have been taken and the desired results achieved. This determination should be in writing, and along with other appropriate documentation, should be available for review by appropriate officials. (See also role of senior management council in Section III.)
As managers consider IG and GAO audit reports in identifying and correcting management control deficiencies, they must be mindful of the statutory requirements for audit followup included in the IG Act, as amended. Under this law, management has a responsibility to complete action, in a timely manner, on audit recommendations on which agreement with the IG has been reached. 5 U.S.C. Appendix 3. (Management must make a decision regarding IG audit recommendations within a six month period and implementation of management's decision should be completed within one year to the extent practicable.) Agency managers and the IG share responsibility f or ensuring that IG Act requirements are met.
Reporting Pursuant to Section 2. 31 U.S.C. 3512(d)(2) (commonly referred to as Section 2 of the Integrity Act) requires that annually by December 31, the head of each executive agency submit to the President and the Congress (i) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives; and (ii) a report on material weaknesses in the agency's controls. OMB may provide guidance on the composition of the annual report.
Statement of Assurance. The statement on reasonable assurance represents the agency head's informed judgment as to the overall adequacy and effectiveness of management controls within the agency. The statement must take one of the following forms: statement of assurance; qualified statement of assurance, considering the exceptions explicitly noted; or statement of no assurance.
In deciding on the type of assurance to provide, the agency head should consider information from the sources described in Section III of this Circular, with input from senior program and administrative officials and the IG. The agency head must describe the analytical basis for the type of assurance being provided, and the extent to which agency activities were assessed. The statement of assurance must be signed by the agency head.
- Report on Material Weaknesses. The Integrity Act report must include agency plans to correct the material weaknesses and progress against those plans.
Reporting Pursuant to Section 4. 31 U.S.C. 3512(d)(2)(B) (commonly referred to as Section 4 of the Integrity Act) requires an annual statement on whether the agency's financial management systems conform with government-wide requirements. These financial systems requirements are presented in OMB Circular No. A-127, "Financial Management Systems," section 7. If the agency does not conform with financial systems requirements, the statement must discuss the agency's plans for bringing its systems into compliance.
If the agency head judges a deficiency in financial management systems and/or operations to be material when weighed against other agency deficiencies, the issue must be included in the annual Integrity Act report in the same manner as other material weaknesses.
Distribution of Integrity Act Report. The assurance statements and information related to both Sections 2 and 4 should be provided in a single Integrity Act report. Copies of the report are to be transmitted to the President; the President of the Senate; the Speaker of the House of Representatives; the Director of OMB; and the Chairpersons and Ranking Members of the Senate Committee on Governmental Affairs, the House Committee on Government Reform and Oversight, and the relevant authorizing and appropriations committees and subcommittees. In addition, 10 copies of the report are to be provided to OMB's Office of Federal Financial Management, Management Integrity Branch. Agencies are also encouraged to make their reports available electronically.
Streamlined Reporting. The Government Management Reform Act (GMRA) of 1994 (P.L. 103-356) permits OMB for fiscal years 1995 through 1997 to consolidate or adjust the frequency and due dates of certain statutory financial management reports after consultation with the Congress. GMRA prompted the CFO Council to recommend to OMB a new approach towards financial management reporting which could help integrate management initiatives. This proposal is being pilot-tested by several agencies for FY 1995. Further information on the implications of this initiative for other agencies will be issued by OMB after the pilot reports have been evaluated. In the meantime, the reporting requirements outlined in this Circular remain valid except for those agencies identified as pilots by OMB.
Under the CFO Council approach, agencies would consolidate Integrity Act information with other performance-related reporting into a broader "Accountability Report" to be issued annually by the agency head. This report would be issued as soon as possible after the end of the fiscal year, but no later than March 31 for agencies producing audited financial statements and December 31 for all other agencies. The proposed "Accountability Report" would integrate the following information: the Integrity Act report, management's Report on Final Action as required by the IG Act, the CFOs Act Annual Report (including audited financial statements), Civil Monetary Penalty and Prompt Payment Act reports, and available information on agency performance compared to its stated goals and objectives, in preparation for implementation of the GPRA.
Government Corporations. Section 306 of the Chief Financial Officers Act established a reporting requirement related to management controls for corporations covered by the Government Corporation and Control Act. 31 U.S.C. 9106. These corporations must submit an annual management report to the Congress not later than 180 days after the end of the corporation's fiscal year. This report must include, among other items, a statement on control systems by the head of the management of the corporation consistent with the requirements of the Integrity Act.
The corporation is required to provide the President, the Director of OMB, and the Comptroller General a copy of the management report when it is submitted to Congress.
 This Circular's use of the term "material weakness" should not be confused with use of the same term by government auditors to identify management control weaknesses which, in their opinion, pose a risk or a threat to the internal control systems of an audited entity, such as a program or operation. Auditors are required to identify and report those types of weaknesses at any level of operation or organization, even if the management of the audited entity would not report the weaknesses outside the agency.