OMB Circular A-123 - Management's Responsibility for Internal Control
December 21, 2004
MEMORANDUM TO THE CHIEF FINANCIAL OFFICERS, CHIEF OPERATION OFFICERS, CHIEF INFORMATION OFFICERS, AND PROGRAM MANAGERS
FROM: Linda M. Springer
SUBJECT: Revisions to OMB Circular A-123, Management’s Responsibility for Internal Control
OMB Circular No. A-123 defines management's responsibility for internal control in Federal agencies. A re-examination of the existing internal control requirements for Federal agencies was initiated in light of the new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002. Circular A-123 and the statute it implements, the Federal Managers’ Financial Integrity Act of 1982, are at the center of the existing Federal requirements to improve internal control.
This circular reflects policy recommendations developed by a joint committee of representatives from the Chief Financial Officer Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE). The policy changes in this circular are intended to strengthen the requirements for conducting management’s assessment of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities.
The revised circular is effective for FY 2006. Agencies should take steps in FY 2005 to prepare for its implementation. OMB plans to continue to work closely with the CFOC and the PCIE to provide further implementation guidance.
December 21, 2004
CIRCULAR NO. A-123
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Management’s Responsibility for Internal Control
1. Purpose. This Circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control. The attachment to this Circular defines management’s responsibilities related to internal control and the process for assessing internal control effectiveness along with a summary of the significant changes. The Circular provides updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting (Appendix A). This Circular emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities.
This revision to the Circular will become effective in Fiscal Year 2006 and supersede all previous versions. In the interim, OMB Circular No. A-123, "Management Accountability and Control," revised, June 21, 1995 should continue to be followed.
2. Authority. The Circular is issued under the authority of the Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512.
3. Policy. Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the assessment process contained in Appendix A. Annually, management must provide assurances on internal control in its Performance and Accountability Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.
4. Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective internal control for results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations; (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A; (iv) identify needed improvements; (v) take corresponding corrective action; and (vi) report annually on internal control through management assurance statements.
5. Effective Date. This Circular is effective beginning with Fiscal Year 2006.
6. Applicability. This Circular is applicable to each executive agency, with the exception of the requirements in the appendix. The requirements of Appendix A are applicable to the 24 CFO Act agencies.
7. Inquiries. Further information concerning this Circular may be obtained from the Financial Standards and Grants Branch, Office of Federal Financial Management, Office of Management and Budget, Washington, DC 20503, 202/395-3993.
8. Copies. Copies of this Circular may be obtained from www.omb.gov.
Joshua B. Bolten
Significant Revisions to OMB Circular A-123
New Requirements in Appendix A – Internal Control over Financial Reporting
Management has a fundamental responsibility to develop and maintain effective internal control. The proper stewardship of Federal resources is an essential responsibility of agency managers and staff. Federal employees must ensure that Federal programs operate and Federal resources are used efficiently and effectively to achieve desired objectives. Programs must operate and resources must be used consistent with agency missions, in compliance with laws and regulations, and with minimal potential for waste, fraud, and mismanagement.
Management is responsible for developing and maintaining effective internal control. Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner.
Internal Control -- organization, policies, and procedures -- are tools to help program and financial managers achieve results and safeguard the integrity of their programs. This Circular provides guidance on using the range of tools at the disposal of agency managers to achieve desired program results and meet the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA encompasses accounting and administrative controls. Such controls include program, operational, and administrative areas as well as accounting and financial management.
The importance of internal control is addressed in many statutes and executive documents. The FMFIA establishes overall requirements with regard to internal control. The agency head must establish controls that reasonably ensure that: "(i) obligations and costs are in compliance with applicable law; (ii) funds, property, and other assets are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets."1 In addition, the agency head annually must evaluate and report on the control and financial systems that protect the integrity of Federal programs (Section 2 and Section 4 of FMFIA respectively). The three objectives of internal control are to ensure the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. The safeguarding of assets is a subset of all of these objectives.
Instead of considering internal control as an isolated management tool, agencies should integrate their efforts to meet the requirements of the FMFIA with other efforts to improve effectiveness and accountability. Thus, internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.
Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. Too many controls can result in inefficient and ineffective government; agency managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular programs and operations. The benefits of controls should outweigh the cost. Agencies should consider both qualitative and quantitative factors when analyzing costs against benefits.
A. Agency Implementation. Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but is a means of managing the risk associated with Federal programs and operations. Managers should define the control environment (e.g., programs, operations, or financial reporting) and then perform risk assessments to identify the most significant areas within that environment in which to place or enhance internal control. The risk assessment is a critical step in the process to determine the extent of controls. Once significant areas have been identified, control activities should be implemented. Continuous monitoring and testing should help to identify poorly designed or ineffective controls and should be reported upon periodically. Management is then responsible for redesigning or improving upon those controls. Management is also responsible for communicating the objectives of internal control and ensuring the organization is committed to sustaining an effective internal control environment.
Appropriate internal control should be integrated into each system established by agency management to direct and guide its operations. As stated earlier in this document, internal control applies to program, operational, and administrative areas as well as accounting and financial management.
Generally, identifying and implementing the specific procedures necessary to ensure effective internal control, and determining how to assess the effectiveness of those controls, is left to the discretion of the agency head. While the procedures may vary from agency to agency, management should have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify document retention periods so that someone not connected with the procedures can understand the assessment process.
To ensure senior management involvement, many agencies have established their own senior management council, often chaired by the agency's lead management official, to address management accountability and related issues within the broader context of agency operations. Relevant issues for such a council include ensuring the agency's commitment to an appropriate system of internal control; actively overseeing the process of assessing internal controls, including non-financial as well as financial reporting objectives; recommending to the agency head which control deficiencies are material to disclose in the annual FMFIA report; and providing input for the level and priority of resource needs to correct these deficiencies. (See also Section IV.C. Role of a Senior Management Council.)
Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.2
Internal control, in the broadest sense, includes the plan of organization, methods and procedures adopted by management to meet its goals. Internal control includes processes for planning, organizing, directing, controlling, and reporting on agency operations.
The three objectives of internal control are:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.
The safeguarding of assets is a subset of all of these objectives. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use or disposition of assets.
Management is responsible for developing and maintaining internal control activities that comply with the following standards to meet the above objectives:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communications, and
- Monitoring.
A. Control Environment
The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal control. When designing, evaluating or modifying the organizational structure, management must clearly demonstrate its commitment to competence in the workplace. Within the organizational structure, management must clearly: define areas of authority and responsibility; appropriately delegate the authority and responsibility throughout the agency; establish a suitable hierarchy for reporting; support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating and disciplining personnel; and uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties as well as understand the importance of maintaining effective internal control within the organization.
The organizational culture is also crucial within this standard. The culture should be defined by management’s leadership in setting values of integrity and ethical behavior but is also affected by the relationship between the organization and central oversight agencies and Congress. Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal control should cascade down and permeate the organization’s control environment which will aid in the successful implementation of internal control systems.
B. Risk Assessment
Management should identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as with outside organizations. Management should also consider previous findings; e.g., auditor identified, internal management reviews, or noncompliance with laws and regulations when identifying risks. Identified risks should then be analyzed for their potential effect or impact on the agency.
C. Control Activities
Control activities include policies, procedures and mechanisms in place to help ensure that agency objectives are met. Several examples include: proper segregation of duties (separate personnel with authority to authorize a transaction, process the transaction, and review the transaction); physical controls over assets (limited access to inventories or equipment); proper authorization; and appropriate documentation and access to that documentation.
Internal control also needs to be in place over information systems – general and application control. General control applies to all information systems such as the mainframe, network and end-user environments, and includes agency-wide security program planning, management, control over data center operations, system software acquisition and maintenance. Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at an application’s interfaces to verify inputs and outputs, such as edit checks. General and application control over information systems are interrelated; both are needed to ensure complete and accurate information processing. Due to the rapid changes in information technology, controls must also adjust to remain effective.
D. Information and Communications
Information should be communicated to relevant personnel at all levels within an organization. The information should be relevant, reliable, and timely. It is also crucial that an agency communicate with outside organizations as well, whether providing information or receiving it. Examples include: receiving updated guidance from central oversight agencies; management communicating requirements to the operational staff; operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.
E. Monitoring
Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in the agency’s operations. If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year.
Deficiencies found in internal control should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.
Federal agencies are subject to numerous legislative and regulatory requirements that promote and support effective internal control. Effective internal control is a key factor in achieving agency missions and program results through improved accountability. Identifying internal control weaknesses and taking related corrective actions are critically important to creating and maintaining a strong internal control infrastructure that supports the achievement of agency objectives. Recent government-wide initiatives have been implemented to improve program management, as well as financial management, including tracking corrective actions for material weaknesses in internal control related to financial reporting, imposing accelerated reporting due dates for more timely financial information, and assessing the effectiveness and efficiency of program operations using the Program Assessment Rating Tool (PART). Activities conducted as part of these initiatives support an agency’s overall internal control framework. Statutory requirements that should also be considered as part of an agency’s internal control framework include:
Federal Managers' Financial Integrity Act of 1982 (FMFIA)
The FMFIA requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of Federal programs; Section 2 and Section 4 respectively. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations and audits should be coordinated and considered to support management’s assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.
Government Performance and Results Act (GPRA)
To support results-oriented management, GPRA requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals. With the implementation of this legislation, these plans and goals are integrated into (i) the budget process, (ii) the operational management of agencies and programs, and (iii) accountability reporting to the public on performance results, and on the integrity, efficiency, and effectiveness with which they are achieved. Similarly, the PART’s primary purpose is to assess program effectiveness and improve program performance. The PART has also become an integral part of the budget process when making funding resource allocations or decisions.
Chief Financial Officers Act, as amended (CFO Act)
The CFO Act requires agencies to both establish and assess internal control related to financial reporting. The Act requires the preparation and audit of financial statements. In this process, auditors report on internal control and compliance with laws and regulations related to financial reporting. Therefore, the agencies covered by the Act have a clear opportunity to improve internal control over their financial activities, and to evaluate the controls that are in place. The Accountability of Tax Dollars Act of 2002 amended the CFO Act to expand the types of Federal agencies that are required to prepare audited financial statements.
Meeting the accelerated financial statement reporting due date also provides incentive for agencies to have added discipline and effective internal control to routinely produce reliable financial information. Deficiencies in internal control need to be mitigated to ensure timely and accurate financial information.
Inspector General Act of 1978, as amended (IG Act)
The IG Act provides for independent reviews of agency programs and operations. IGs are required to submit semiannual reports to Congress on significant abuses and deficiencies identified during the reviews and the recommended actions to correct those deficiencies. IGs and/or external auditors are required by the Government Auditing Standards3 and OMB Bulletin No. 01-02, Audit Requirements of Federal Financial Statements, as amended4 to report material weaknesses in internal control related to financial reporting and noncompliance with laws and regulations as part of the financial statement audit. Auditors also provide recommendations for correcting the material weaknesses. Agency managers, who are required by the IG Act to follow up on audit recommendations, should use these reviews to identify and correct problems resulting from inadequate or poorly designed controls, and to build appropriate controls into new programs. Audit work planned by the IG should be coordinated with management’s assessment requirements to ensure cost effectiveness and avoid duplication.
Federal Financial Management Improvement Act of 1996 (FFMIA)
The FFMIA requires agencies to have financial management systems that substantially comply with the Federal financial management systems requirements, standards promulgated by the Federal Accounting Standards Advisory Board (FASAB), and the U.S. Standard General Ledger (USSGL) at the transaction level. Financial management systems shall have general and application controls in place in order to support management decisions by providing timely and reliable data. The agency head shall make a determination annually about whether the agency’s financial management systems substantially comply with the FFMIA. If the systems are found not to be compliant, management shall develop a remediation plan to bring those systems into substantial compliance. Management shall determine whether non-compliances with FFMIA should also be reported as non-conformances with Section 4 of FMFIA.
Federal Information Security Management Act of 2002 (FISMA)
The FISMA provides, "…a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets…" Agencies are required to provide information security controls proportionate with the risk and potential harm of not having those controls in place. Agency heads are required to annually report on the effectiveness of the agencies’ security programs. "Significant deficiencies" found under FISMA must also be reported as material weaknesses under FMFIA.
Improper Payments Information Act of 2002 (IPIA)
The IPIA requires agencies to review and, "…identify programs and activities that may be susceptible to significant improper payments." Agencies must annually submit estimates of improper payments, corrective actions to reduce the improper payments, and statements as to whether its current information systems and infrastructure can support the effort to reduce improper payments. The nature and incidence of improper payments shall be considered when assessing the effectiveness of internal control.
Single Audit Act, as amended
The Single Audit Act, as amended requires financial statement audits of non-Federal entities that receive or administer grant awards of Federal monies. The financial statement audits include testing the effectiveness of internal control and determining whether the award monies have been spent in compliance with laws and regulations. Each Federal agency which provides Federal awards shall review the audits of the recipients to determine whether corrective actions are implemented with respect to audit findings.
Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act)
The Clinger-Cohen Act requires agencies to use a disciplined capital planning and investment control (CPIC) process to maximize the value of and assess and manage the risks of the information technology acquisitions. The Act requires that agencies "(1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology; (2) prepare an annual report…on the progress in achieving the goals; (3) ensure that performance measurements are prescribed for information technology used by, or to be acquired for, the executive agency and that the performance measurements measure how well the information technology supports programs of the executive agency; (4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against such processes in terms of cost, speed, productivity, and quality of outputs and outcomes; (5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency’s mission-related processes and administrative processes as appropriate before making significant investments in information technology that is to be used in support of the performance of those missions; and (6) ensure that the information security policies, procedures, and practices of the executive agency are adequate."
A. Developing Internal Control. It is management’s responsibility to develop and maintain effective internal control. As agencies develop and execute strategies for implementing or reengineering agency programs and operations, they should design management structures that help ensure accountability for results. As part of this process, agencies and individual Federal managers must take systematic and proactive measures to develop and implement appropriate, cost-effective internal control. The degree to which studies and analysis are performed will vary depending on the complexity and risk associated with a given program or operation. The expertise of the agency CFO can be valuable in developing appropriate control and the IG can be valuable in providing advice or consultation. Decisions made during this process should be documented and readily available for review.
Agency managers should continuously monitor and improve the effectiveness of internal control associated with their programs. This continuous monitoring, and other periodic assessments, should provide the basis for the agency head's annual assessment of and report on internal control, as required by FMFIA.
Agency management should determine the appropriate level of documentation needed to support this assessment. Documentation should be appropriately detailed and organized and contain sufficient information to support management’s assertion. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls. Specific assessment and documentation requirements to support management’s assurance statement on internal control over financial reporting are defined in Appendix A.
A. Sources of Information. The agency head's assessment of internal control can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls, and should use other sources as a supplement to -- not a replacement for -- its own judgment. Sources of information include:
- Management knowledge gained from the daily operation of agency programs and systems.
- Management reviews conducted (i) expressly for the purpose of assessing internal control, or (ii) for other purposes with an assessment of internal control as a by-product of the review.
- IG and GAO reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products.
- Program evaluations.
- Audits of financial statements conducted pursuant to the CFO Act, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal control, and compliance with laws and regulations; and any other materials prepared relating to the statements.
- Reviews of financial systems which consider whether the requirements of FFMIA and OMB Circular No. A-127, Financial Management Systems 5 are being met.
- Annual evaluations and reports pursuant to FISMA and OMB Circular No. A-130, Management of Federal Information Resources 6.
- Annual performance plans and reports pursuant to GPRA.
- PART assessments.
- Annual reviews and reports pursuant to IPIA.
- Single Audit reports for grant-making agencies.
- Reports and other information provided by the Congressional committees of jurisdiction.
- Other reviews or reports relating to agency operations, e.g. for the Department of Health and Human Services, quality control reviews of the Medicaid and Temporary Assistance for Needy Families programs.
- Results from tests of key controls performed as part of the assessment of internal control over financial reporting conducted in accordance with the requirements in Appendix A.
Use of a source of information should take into consideration whether the process included an evaluation of internal control. Agency management should avoid duplicating reviews which assess internal control, and should coordinate their efforts with other evaluations to the extent practicable.
If a Federal manager determines that there is insufficient information available upon which to base an assessment of internal control, then appropriate reviews should be conducted which will provide such a basis.
B. Identification of Deficiencies. Agency managers and employees should identify deficiencies in internal control from the sources of information described above and the results of their assessment process. Agency employees and managers shall report control deficiencies to the next supervisory level, which will allow the chain of command structure to determine the relative importance of each deficiency.
A control deficiency or combination of control deficiencies that in management’s judgment represent significant deficiencies in the design or operation of internal control that could adversely affect the organization's ability to meet its internal control objectives is a reportable condition (internally tracked and monitored within the agency). A reportable condition that the agency head determines to be significant enough to be reported outside the agency shall be considered a material weakness7 and included in the annual FMFIA assurance statement and reported in the agency’s annual PAR. As it relates to financial reporting, agencies should also consider qualitative as well as quantitative measures to determine material items. This designation requires a judgment by agency managers as to the relative risk and significance of reportable conditions. In identifying and assessing the relative importance of reportable conditions, consideration should be given to the views of the agency's IG. Definitions of reportable conditions and material weaknesses for management’s assessment of internal control over financial reporting are provided in Appendix A Section II. Scope. Additionally, definitions and reporting requirements are summarized in Exhibit 1. The "significant deficiencies" identified under FISMA must be reported as material weaknesses in the annual FMFIA report.
Agency managers and staff should be encouraged to identify control deficiencies, as this reflects positively on the agency's commitment to recognizing and addressing management problems. Failing to report a known reportable condition would reflect adversely on the agency and continue to place the agency’s operations at risk. Agencies should carefully consider whether systemic weaknesses exist that adversely affect internal control across organizational or program lines.
C. Role of a Senior Management Council. Many agencies use a Senior Management Council to assess and monitor deficiencies in internal control. A Senior Management Council, which may include the Chief Financial Officer, the Senior Procurement Executive, the Chief Information Officer, and the managers of other functional offices, should be involved in identifying and ensuring correction of systemic weaknesses relating to their respective functions. Consideration should be given to involving the IG in a consulting capacity but not to conduct management’s assessment of internal controls. Such councils generally recommend to the agency head which reportable conditions are deemed to be material weaknesses to the agency as a whole, and should therefore be included in the annual FMFIA assurance statement and reported in the agency’s PAR. This council should be responsible for overseeing the timely implementation of corrective actions related to material weaknesses. Such a council may also be useful in determining when sufficient action has been taken to declare that a reportable condition or material weakness has been corrected. While the establishment of such a council is not a requirement of this document, a Senior Management Council or similar construct is encouraged.
Agency managers are responsible for taking timely and effective action to correct deficiencies identified by the variety of sources discussed in Section IV, Assessing Internal Control. Correcting deficiencies is an integral part of management accountability and must be considered a priority by the agency.
The extent to which corrective actions are tracked by the agency should be commensurate with the severity of the deficiency. Corrective action plans should be developed for all material weaknesses, and progress against plans should be periodically assessed and reported to agency management. Management should track progress to ensure timely and effective results. For reportable conditions that are not included in the FMFIA report, corrective action plans should be developed and tracked internally at the appropriate level.
A summary of the corrective action plans for material weaknesses shall be included in the agency’s PAR. The summary discussion shall include a description of the material weakness, status of corrective actions, and timeline for resolution.
Management shall maintain more detailed corrective action plans internally which shall be available for OMB review. Management’s process for resolution and corrective action of identified material weaknesses in internal control must:
- Provide for appointment of an overall corrective action accountability official from senior agency management. The corrective action accountability official should report to the agency’s Senior Management Council, if applicable.
- Require prompt resolution and corrective actions.
- Maintain accurate records of the status of the identified material weaknesses through the entire process of resolution and corrective action.
- Assure that the corrective action plans are consistent with laws, regulations, and Administration policy.
- Assure that performance appraisals of appropriate officials reflect effectiveness in resolving or implementing corrective action for identified material weaknesses [8].
A determination that a reportable condition has been corrected should be made only when sufficient corrective actions have been taken and the desired results achieved. This determination should be in writing, and along with other appropriate documentation supporting the determination, should be available for review by appropriate officials. (See also Section IV.C. Role of a Senior Management Council.)
As managers consider IG and GAO audit reports in identifying and correcting internal control deficiencies, they must be mindful of the statutory requirements for audit follow-up included in the IG Act, as amended, and OMB Circular A-50, Audit Followup. Management has a responsibility to complete action, in a timely manner, on audit recommendations on which agreement with the IG has been reached. Management must make a decision regarding IG audit recommendations within a six-month period after issuance of the audit report and implement management's decision within one year to the extent practicable.
A. Annual Assurance Statements. The assurance statements and information related to Section 2, Section 4, and internal control over financial reporting should be provided in a single FMFIA report section of the annual PAR labeled "Management Assurances." The section should include the annual assurance statements, summary of material weaknesses and non-conformances, and summary of corrective action plans. Management’s assurance statement relating to internal control over financial reporting and any related material weaknesses and corrective actions shall be separately identified.
B. Reporting Pursuant to Section 2. 31 U.S.C. 3512(d) (2) (commonly referred to as Section 2 of the FMFIA) requires that annually the head of each executive agency submit to the President and the Congress (i) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives; and (ii) a report on material weaknesses in the agency's controls.
Statement of Assurance. The statement of assurance represents the agency head's informed judgment as to the overall adequacy and effectiveness of internal control within the agency. The statement must take one of the following forms:
- Unqualified statement of assurance (no material weaknesses reported);
- Qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported); or
- Statement of no assurance (no processes in place or pervasive material weaknesses).
In deciding on the type of assurance to provide, the agency head should consider information from the sources described in Section III of this Circular, with input from senior program and administrative officials and the IG. The agency head must describe the analytical basis for the type of assurance being provided, and the extent to which agency activities were assessed. Management is precluded from concluding that the agency’s internal control is effective (unqualified statement of assurance) if there are one or more material weaknesses. The statement of assurance must be signed by the agency head.
- Statement of Assurance for Internal Control over Financial Reporting. Management is required to provide a separate assurance over the effectiveness of the internal controls over financial reporting. This assurance is a subset of the overall Statement of Assurance and is based on the results of management’s assessment conducted in accordance with the requirements in Appendix A. Refer to Appendix A Section V. Management’s Assurance Statement on Internal Control over Financial Reporting for a further discussion.
C. Reporting Pursuant to Section 4. 31 U.S.C. 3512(d) (2) (B) (commonly referred to as Section 4 of the FMFIA) requires an annual statement on whether the agency's financial management systems conform to government-wide requirements. These financial systems requirements are mandated by the FFMIA and OMB Circular No. A-127, Financial Management Systems, section 7. If the agency’s systems do not substantially conform to financial systems requirements, the statement must list the nonconformances and discuss the agency's plans for bringing its systems into substantial compliance. Financial management systems include both financial and financially-related (or mixed) systems.
D. Government Corporations. For government corporations, Section 306 of the Chief Financial Officers Act established a reporting requirement related to the internal controls for corporations covered by the Government Corporation and Control Act. These corporations must submit an annual management report to the Congress. This report must include, among other items, a statement on control systems by the head of the management of the corporation consistent with the requirements of the FMFIA. The corporation is required to provide the President, the Director of OMB, and the Comptroller General a copy of the management report when it is submitted to Congress.
Exhibit 1: Summary of A-123 reporting requirements
APPENDIX A: INTERNAL CONTROL OVER FINANCIAL REPORTING
This Appendix provides a methodology for agency management to assess, document, and report on the internal controls over financial reporting. This document also encourages an integrated approach to assessing the internal controls over financial reporting considering the current legislative and regulatory environment in which Federal entities operate.
Effective internal control over financial reporting provides reasonable assurance that misstatements, losses, or noncompliance with applicable laws and regulations, material in relation to financial reports, would be prevented or
The Sarbanes-Oxley Act of 2002 required that management of publicly-traded companies strengthen their processes for assessing and reporting on the internal controls over financial reporting. The passage of the Sarbanes-Oxley Act served as an impetus for the Federal government to reevaluate its current policies relating to internal control over financial reporting and management’s related responsibilities. While the Sarbanes-Oxley Act created a new requirement for managers of publicly-traded companies to report on the internal controls over financial reporting, Federal managers have been subject to similar internal control reporting requirements for many years.
Federal agencies are subject to numerous legislative and regulatory requirements that promote and support effective internal control. The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 provides the statutory basis for management’s responsibility for and assessment of internal control. In addition, the Chief Financial Officers Act (CFO Act) of 1990 requires agency CFOs to, "develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls, which … complies with applicable … internal control standards…" The Federal Financial Management Improvement Act (FFMIA) of 1996 and OMB Circular No. A-127, Financial Management Systems also instruct agencies to maintain an integrated financial management system that complies with Federal system requirements, FASAB Standards, and the USSGL at the transaction level. The Inspector General Act (IG Act) of 1978, as amended requires that IGs submit semiannual reports to the Congress on significant abuses and deficiencies identified during these reviews and the recommended actions to correct those deficiencies. The GAO Government Auditing Standards (Yellow Book) and OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended require auditors to test and report on internal control as part of a Federal agency financial statement audit, including a description of reportable conditions and material weaknesses in internal control over financial reporting.
Recent government-wide initiatives have also contributed to improvements in financial management and placed greater emphasis on implementing and maintaining effective internal control over financial reporting. These initiatives include aggressive OMB quarterly tracking of corrective actions for material weaknesses in internal control related to financial reporting, accelerated financial reporting due dates, and the emphasis on demonstrating the availability of timely and accurate financial management information for management decisions.
The FMFIA and OMB Circular A-123 apply to each of the three objectives of internal control: effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. While the standards of internal control shall be applied consistently toward each of the objectives, this Appendix requires agencies to specifically document the process and methodology for applying the standards when assessing internal control over financial reporting. This Appendix also requires management to use a separate materiality level when assessing internal control over financial reporting (See Appendix A Section II. Scope). The agency head’s annual assurance statement on the effectiveness of internal control over financial reporting required by this Appendix is a subset of the assurance statement required under FMFIA on the overall internal control of the agency.
A. Objectives of Internal Control over Financial Reporting
Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting. Reliability of financial reporting means that management can reasonably make the following assertions:
- All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date (existence and occurrence);
- All assets, liabilities, and transactions that should be reported have been included and no unauthorized transactions or balances are included (completeness);
- All assets are legally owned by the agency and all liabilities are legal obligations of the agency (rights and obligations);
- All assets and liabilities have been properly valued, and where applicable, all costs have been properly allocated (valuation);
- The financial report is presented in the proper form and any required disclosures are present (presentation and disclosure);
- The transactions are in compliance with applicable laws and regulations (compliance);
- All assets have been safeguarded against fraud and abuse; and
- Documentation for internal control, all transactions, and other significant events is readily available for examination.
B. Definition of Financial Reporting
Internal control over financial reporting should assure the safeguarding of assets from waste, loss, unauthorized use, or misappropriation as well as assure compliance with laws and regulations pertaining to financial reporting. Financial reporting includes annual financial statements of an agency as well as other significant internal or external financial reports. Other significant financial reports are defined as any financial reports that could have a material effect on a significant spending, budgetary or other financial decision of the agency or that is used to determine compliance with laws and regulations on the part of the agency. An agency needs to determine the scope of financial reports that are significant, i.e., which reports are included in the assessment of internal control over financial reporting. In addition to the annual financial statements, significant reports might include: quarterly financial statements; financial statements at the operating division or program level; budget execution reports; reports used to monitor specific activities such as specific revenues, receivables, or liabilities; reports used to monitor compliance with laws and regulations such as the Anti-Deficiency Act, etc.
C. Planning Materiality
Materiality for financial reporting is the risk of error or misstatement that could occur in a financial report that would impact management’s or users’ decisions or conclusions based on such report. The planning materiality for the assessment should be designed so as to ensure that items required to be reported will be detected. Therefore, the planning materiality should be at a lower threshold than the reporting materiality as defined below. Materiality should be determined for each financial report included in the scope of the assessment. Materiality may differ from report to report. Materiality shall be considered when determining the extent of testing or work required to assess internal control over financial reporting as well as what deficiencies should be reported. Management must determine whether the internal controls over a financial report are sufficient to prevent or detect errors or misstatements that would be considered material for a specific financial report. Therefore, the extent of work performed and reporting threshold for control deficiencies must be determined on a report-by-report basis. Additionally, agencies should consider qualitative as well as quantitative measures to determine material items.
D. Definition of Deficiencies [13]
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met. An operation deficiency exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.
A reportable condition is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote [14] likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected.
A material weakness in internal control is a reportable condition, or combination of reportable conditions, that results in more than a remote [15] likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected. Material weaknesses in internal control over financial reporting shall be included in the annual FMFIA report, but separately identified.
The above definitions and corresponding reporting requirements are summarized in Exhibit 1.
A. Establish a Senior Assessment Team
The success of an agency's assessment will depend in large part on who will be responsible to carry out or direct the assessment. Given the significance and breadth of the assessment, a senior assessment team should be established that includes senior executives and derives its authority and support from the head of the agency or the Chief Financial Officer. The senior assessment team could be a subset of the Senior Management Council. The senior assessment team could take many forms, such as a financial management improvement committee. The senior assessment team, at a minimum, should provide oversight of the assessment process and is responsible for:
- Ensuring that assessment objectives are clearly communicated throughout the agency;
- Ensuring that the assessment is carried out in a thorough, effective, and timely manner;
- Identifying and ensuring adequate funding and resources are made available;
- Identifying staff and/or securing contractors to perform the assessment;
- Determining the scope of the assessment, i.e., those financial reports covered by the assessment; and
- Determining the assessment design and methodology.
B. Evaluate Internal Control at the Entity Level
Internal control at the entity level refers to those elements of the five components of internal control that have an overarching or pervasive effect on the agency. Specific elements of internal control that should be evaluated at this level are discussed below.
The assessment should include obtaining a sufficient knowledge of the control environment to understand management's attitude, awareness, and actions concerning the control environment. The assessment should consider the collective effect on the control environment, since management's strengths and weaknesses can have a pervasive effect on internal control. Specific elements of the control environment that should be considered include:
- Integrity and ethical standards
- Commitment to competence
- Management philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
The assessment should include obtaining sufficient knowledge of the agency's process on how management considers risks relevant to financial reporting objectives and decides about actions to address those risks. The assessment should determine how management identifies risks, estimates the significance of risks, assesses the existence of risks in the current environment, and relates them to financial reporting. The results of this assessment at the agency-wide level will drive the extent of testing and review performed at the process, transaction, or application level. Some significant circumstances or events that can affect risk include:
- Complexity or magnitude of programs, operations, transactions, etc;
- Accounting estimates;
- Related party transactions;
- Extent of manual processes or applications;
- Decentralized versus centralized accounting and reporting functions;
- Changes in operating environment;
- New personnel or significant personnel changes;
- New or revamped information systems;
- Significant new or changed programs or operations;
- New technology; and
- New or amended laws, regulations, or accounting standards.
Control activities are the policies and procedures that help ensure that management directives are carried out and that management's assertions in its financial reporting are valid. The assessment should include obtaining an understanding of the control activities applicable at the entity level, such as:
- Policies and procedures;
- Management objectives (clearly written and communicated throughout the agency);
- Planning and reporting systems;
- Analytical review and analysis;
- Segregation of duties;
- Safeguarding of records; and
- Physical and access controls.
Information and Communication
The assessment should include obtaining an understanding of the information system(s) relevant to financial reporting. Such an understanding should include:
- The type and sufficiency of reports produced;
- The manner in which information systems development is managed;
- Disaster recovery;
- Communication of employees' control related duties and responsibilities; and
- How incoming external communication is handled.
The assessment should include obtaining an understanding of the major types of activities the agency uses to monitor internal control over financial reporting, including the source of the information related to those activities, and how those activities are used to initiate corrective actions. Several examples include:
- Self assessments by management;
- Evaluations by the IG or external auditor; and
- Direct testing.
C. Evaluate Internal Control at the Process, Transaction, or Application Level
Determine Significant Accounts or Groups of Accounts
For each financial report identified in the scope of the assessment, identify those accounts or groups of accounts that individually or collectively could have a material effect on the financial report. Agencies should consider qualitative as well as quantitative measures to determine material items.
Identify and Evaluate the Major Classes of Transactions
For each significant account or group of accounts, identify the major classes of transactions that materially affect those accounts. In identifying transactions, specifically consider whether a class of transactions is routine, non-routine, or represents an accounting estimate. This type of classification can help the senior assessment team identify the inherent risk and the controls necessary to adequately mitigate such risks. The assessment should include obtaining an understanding of the specific processes and document flow involved in each class of transactions. Thoroughly understanding the processes and document flow will help in understanding where errors could occur and what control objectives and techniques may prevent or detect those errors.
Understand the Financial Reporting Process
Obtain an understanding of the process and workflow that links the accounting system to the financial report(s). Often, financial information is not directly transferable from the accounting system to the financial report, but requires intervening calculations, summarizations, etc. This represents another point where errors can be introduced into the financial report, and it is important to understand where such errors could occur and what control objectives and control techniques can prevent or detect these errors.
Gain an Understanding of Control Design to Achieve Management's Assertions
Prepare a control evaluation(s) for each significant account or group of accounts that aligns specific controls with management's assertions for each account or group of accounts. An individual assessment of the potential effectiveness of the design of the controls for each account or group of accounts should be made considering the risk of error and the controls that are designed and in place to prevent or detect such errors. Assessing the effectiveness of the design of a control is concerned with whether the control is suitably designed to prevent or detect a material error related to an account or group of accounts. Procedures to obtain such evidential matter ordinarily include inquiries of appropriate agency personnel; inspection of documents, reports, or electronic files; and observation of the application of specific controls. This is sometimes referred to as a "walk-through" and helps the senior assessment team ensure its understanding of the controls. An assessment of the control design should identify controls as effective, moderately effective, or not effective.
Controls Not Adequately Designed
If a control over a significant account or group of accounts is missing or its design is determined to be not effective considering the associated risk of error, the senior assessment team does not need to test this control for the purpose of concluding on control effectiveness. This instance should be noted in the report of deficiencies and suggestions for improvement. However, management may nevertheless seek to further test affected transactions to determine if there was any actual loss, fraud, error, improper payment, or noncompliance resulting from those ineffective controls.
Test Controls and Assess Compliance to Support Management's Assertions
For those controls whose design is deemed effective or moderately effective, the senior assessment team should test those controls to determine the extent to which the controls were applied, the consistency of their application, and who applied them. Tests of controls ordinarily include procedures such as inquiries of appropriate agency personnel; inspection of documents, reports, or electronic files indicating performance of the control; observation of the application of specific controls; and reperformance of the application of the control by the senior assessment team. If testing indicates that a significant control is not operating as designed, it should be reported as a deficiency.
D. Overall Assessment of the Design and Operation of Internal Control over Financial Reporting
The final step in the assessment is an overall conclusion as to the design and operation of the internal controls over financial reporting based on the assessments at the entity level and the process, transaction, or application level. The overall assessment should conclude whether the internal controls over financial reporting are operating effectively or whether material weaknesses exist in the design or operation. A template for the Statement of Assurance can be found in Exhibit 2.
E. Reliance on Other Work to Accomplish Assessment
The assessment of internal control over financial reporting should be coordinated with other activities to avoid duplication of efforts with similar activities. For example, agencies are required to perform reviews of financial systems under FFMIA or information security under FISMA. Reviews performed by management, or at management’s direction, may be used to help accomplish this assessment. Management may consult with the agency IG to plan and coordinate related work. The IG may be involved in a consulting capacity but shall not conduct management’s assessment of internal controls over financial reporting.
Control weaknesses at a service organization could have a material impact on the controls of the customer organization. Therefore, management of cross-servicing agencies will need to provide an annual assurance statement to its customer agencies in advance to allow its customer agencies to rely upon that assurance statement. Management of cross-servicing agencies shall test the controls over the activities it performs for others on a yearly basis. These controls shall be highlighted in management’s assurance statement that is provided to its customers. Cross-servicing and customer agencies will need to coordinate the timing of the assurance statements.
A. Documenting Internal Control over Financial Reporting
The senior assessment team should document its understanding of the agency's internal control over financial reporting. The form and extent of documentation depend in part on the nature and complexity of the agency's controls: the more extensive and complex the controls, the more extensive the documentation. Documentation may be electronic, hard copy format, or both and be readily available for examination. Documentation could include organizational charts, flow charts, questionnaires, decision tables, or memoranda. Documentation may already exist as part of normal agency policy or procedure; however, the senior assessment team should separately identify, verify, and maintain the documentation it uses in making its assessment. The documentation prepared by internal or external auditors may also be used, but again, the senior assessment team must take responsibility and verify and maintain that documentation. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls. After an initial assessment, subsequent assessments may focus on updating existing documentation. All documentation and records shall be properly managed and maintained; therefore, agencies will need to establish, or review existing, retention policies for documentation (paper and electronic media).
B. Documenting the Assessment of Effectiveness
The senior assessment team must also document the assessment process of internal control over financial reporting, including:
- The establishment of the senior assessment team, its authority and members;
- Contracting actions if contractors are used to perform or assist in the assessment;
- Communications with agency management and employees regarding the assessment;
- Key decisions of the senior assessment team;
- The assessment methodology and guide;
- The assessment of internal control at the entity level;
- The assessment of internal control at the process, transaction, or application level;
- The testing of controls and related results; and
- Identified deficiencies and suggestions for improvement.
The documentation may be electronic, hard copy format, or both, and should be available for review. Documentation should also include appropriate representations from officials and personnel responsible for monitoring, improving and assessing internal controls.
An agency’s management is required to include an assurance statement on the internal controls over financial reporting in its annual Performance and Accountability Report as described in Section VI. Reporting on Internal Control. This statement is management’s assessment of the effectiveness of the agency’s internal control over financial reporting as of June 30 of that fiscal year (see Exhibit 2). This assurance statement is required to include the following:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the agency.
- A statement identifying the OMB Circular A-123, Management’s Responsibility for Internal Control, as the framework used by management to conduct the assessment of the effectiveness of the agency’s internal control over financial reporting.
- An assessment of the effectiveness of the agency’s internal control over financial reporting as of June 30, including an explicit conclusion as to whether the internal controls over financial reporting are effective.
- If a material weakness is discovered by June 30, but corrected by September 30, a statement identifying the material weakness, the corrective action taken, and that it has been resolved by September 30.
- If a material weakness is discovered after June 30, but prior to September 30, the statement identifying the material weaknesses should be updated to include the subsequently identified material weakness.
In its assurance statement on the internal controls over financial reporting, management is required to state a direct conclusion about whether the agency’s internal controls over financial reporting are effective. The statement must take one of the following forms:
- Unqualified statement of assurance (no material weaknesses reported);
- Qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported); or
- Statement of no assurance (no processes in place or pervasive material weaknesses).
Management is precluded from concluding that the agency’s internal control over financial reporting is effective if there are one or more material weaknesses. Management must make the final determination with regard to what constitutes a material weakness. Management is required to disclose all material weaknesses that exist as of June 30 of the current fiscal year.
Management may be able to accurately represent that internal control over financial reporting, as of June 30 of the agency’s current fiscal year, is effective even if one or more material weaknesses existed during the period. To make this representation, management must have implemented improvements in internal control over financial reporting to mitigate the material weaknesses and have satisfactorily tested the effectiveness over a period of time that is adequate for it to determine whether, as of June 30 of the current fiscal year, the design and operation of the internal controls over financial reporting are effective.
A. Agencies Obtaining Audit Opinions on Internal Control
This Circular does not require a separate audit opinion on internal control over financial reporting. Agencies may at their discretion elect to receive an audit opinion on internal control over financial reporting. Agencies electing to receive an audit opinion on internal control over financial reporting may adjust the "as of" reporting date of June 30 to coincide with the "as of" date of the audit opinion on internal control. Refer to Appendix A Section VI. Correcting Material Weakness in Internal Control over Financial Reporting for special circumstances requiring an opinion level of assurance.
Each agency shall establish systems to assure the prompt and proper resolution and implementation of corrective action on identified material weaknesses. These systems shall provide for a complete record of action taken on the material weaknesses identified. Management’s process for resolution and corrective action of the identified material weaknesses in the internal controls over financial reporting must also meet the standards listed in Section V. Correcting Internal Control Deficiencies.
If the agency cannot meet the deadlines outlined in the approved corrective action plan, OMB may, at its discretion, require the agency to obtain an independent audit opinion of its internal control over financial reporting as part of its financial statement audit.
Exhibit 2: Sample Annual Assurance Statement on Internal Control over Financial Reporting
3 The Government Auditing Standards, June 2003 (GAO-03-673G) can be found on the GAO website at www.gao.gov. The Government Auditing Standards are commonly known as the "Yellow Book."
4 The OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, as amended can be found on the OMB website at www.omb.gov.
5 The OMB Circular No. A-127, Financial Management Systems can be found on the OMB website at www.omb.gov.
6 The OMB Circular No. A-130, Management of Federal Information Resources can be found on the OMB website at www.omb.gov.
7 This Circular's use of the term "material weakness" is similar to the same term used by auditors to identify internal control weaknesses found during a financial statement audit (see OMB Bulletin 01-02 or GAO "Yellow Book"). This Circular’s use of the same term encompasses not only financial reporting, but also encompasses weaknesses found in program operations and compliance with applicable laws and regulations. Material weaknesses for the purposes of this Circular are determined by management, whereas material weaknesses reported as part of a financial statement audit are determined by independent auditors.
9 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).
13 The definition of control deficiency and definitions of reportable condition and material weakness relative to financial reporting are based upon the definitions provided in Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements issued by the Public Company Accounting Oversight Board (PCAOB).