[Federal Register Volume 60, Number 125 (Thursday, June 29, 1995)] [Notices] [Pages 33876-33882] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 95-15828] ======================================================================= ----------------------------------------------------------------------- OFFICE OF MANAGEMENT AND BUDGET Management Accountability and Control AGENCY: Office of Management and Budget. ACTION: Final Revision of OMB Circular No. A-123. ----------------------------------------------------------------------- SUMMARY: This Notice revises Office of Management and Budget (OMB) Circular No. A-123, ``Management Accountability and Control.'' The Circular, which was previously titled ``Internal Control Systems,'' implements the Federal Managers' Financial Integrity Act of 1982 (FMFIA). FOR FURTHER INFORMATION CONTACT: Office of Management and Budget, Office of Federal Financial Management, Management Integrity Branch, Room 6025, New Executive Office Building, Washington, DC 20503, telephone (202) 395-6911 and fax (202) 395-3952. For a copy of the revised Circular, contact Office of Administration, Publications Office, room 2200, New Executive Office Building, Washington, DC 20503, or telephone (202) 395-7332. ELECTRONIC ACCESS: This Circular is also accessible on the U.S. Department of Commerce's FedWorld Network under the OMB Library of Files.The Telnet address for FedWorld via Internet is ``fedworld.gov''. The World Wide Web address is ``http://www.fedworld.gov/ ftp.htm#omb''. For file transfer protocol (FTP) access, the address is ``ftp://fwux.fedworld.gov/pub/omb/omb.htm''. The telephone number for the FedWorld help desk is (703) 487-4608. SUPPLEMENTARY INFORMATION: A. Background Circular No. A-123 was last issued on August 4, 1986. On March 13, 1995 the Office of Management and Budget requested public comments on a revised version of the Circular (60 FR 13484). The revision announced here alters requirements for executive agencies on evaluating management controls, consistent with recommendations made by the National Performance Review. The Circular now integrates many policy issuances on management control into a single document, and provides a framework for integrating management control assessments with other work now being performed by agency managers, auditors and evaluators. The Circular emphasizes that management controls should benefit rather than encumber management, and should make sense for each agency's operating structure and environment. By giving agencies the discretion to determine which tools to use in arriving at the annual assurance statement to the President and the Congress, the Circular represents an important step toward a streamlined management control program that incorporates the reinvention principles of this Administration. B. Analysis of Comments Thirty-three responses were received from 23 Federal agencies and the [[Page 33877]] American Institute of Certified Public Accountants (AICPA). Of the 33 responses, 14 simply agreed with the proposed revision and made no comments on the document, although some had minor comments on a proposal by the Chief Financial Officers' Council to streamline reporting. Almost all of the remaining 19 responses were also in favor of the revision, but made some specific suggestions. A summary of the transmittal memorandum and the five sections of the Circular follows. Each section indicates which comments were accepted and which were not accepted. Transmittal Memorandum. This memorandum, signed by the OMB Director, summarizes the purpose, authority, and policy reflected in the Circular, the actions required, and related administrative information. Four agencies made comments relating to the memorandum. Comments Accepted: The statement describing management accountability is now repeated in Section I of the Circular. The definition of management controls (which appears in both the memorandum and Section II) has been amended to state that controls should ensure reliable ``and timely'' information. The requirement that agencies report annually on management controls is now explicitly stated in the memorandum. In addition, OMB has added instructions on accessing the Circular electronically. Comment Not Accepted: One agency suggested that performance appraisals be used to hold managers accountable for management control responsibilities. OMB supports this concept but prefers that the specific content of appraisals be left to each agency. Section I. Introduction. This section describes a framework for agency management control programs that integrates management control activities with other management requirements and policies, such as the Government Performance and Results Act (GPRA), the Chief Financial Officers (CFOs) Act, the Inspector General (IG) Act, and other congressional and Executive Branch requirements. The foundation of this policy is that management control activities are not stand-alone management practices, but rather are woven into the day-to-day operational responsibilities of agency managers. Agencies are encouraged to plan for how the requirements of the Circular will be implemented. Agencies are also encouraged to establish senior level management councils to address management accountability and related issues within the broad context of agency operations. Comments Accepted: At the suggestion of three agencies, the language illustrating how controls can be integrated into the overall management process has been clarified. The text now indicates more clearly that the examples used to make this point are in fact examples, not new Circular requirements. Because the Act encompasses agency operations, as well as program and administrative areas, appropriate language has been included in the Circular. In addition, the Circular states that 24 agencies are covered by the CFOs Act, which reflects the legislation last year that made the Social Security Administration an independent agency from the Department of Health and Human Services. Comments Not Accepted: Two agencies questioned elimination of the Management Control Plan. The importance of planning has not been diminished in the new Circular, but OMB will no longer dictate the scope and content of an agency's planning document. An agency may choose, for example, to meet the Circular's planning requirement by addressing management controls in a broader strategic plan for agency management. Section II. Establishing Management Controls. This section defines management controls, and requires agency managers to develop and implement appropriate management controls. Included in this section are general and specific management control standards, drawn in large part from the standards issued by the General Accounting Office (GAO). By including these standards in the Circular, OMB is continuing its efforts to integrate various management control policies into a single document to make it easier for Federal managers to implement good management controls. Comments Accepted: Four agencies questioned whether the definition of internal controls as a subset of management controls should be limited to conditions ``that could have a material effect on [the entity's] financial statements.'' One agency pointed out that deficiencies in internal controls related to events that have less than a major impact on financial statements, like security weaknesses or conflict of interest problems, could be reportable under the Integrity Act. OMB agrees and has deleted the restrictive phrase. In response to one agency's comment, language on developing management controls has been expanded to emphasize that controls must be developed as programs are initially implemented, as well as reengineered. At another agency's suggestion, a statement has been included on the value of drawing on the expertise of the CFO and IG as controls are developed. Responding to two agencies' comments on the standards for management controls, the standard on compliance with law has been expanded to included compliance with regulations, and the standard on delegation of authority now clearly states that managers should ensure that authority, responsibility and accountability are defined and delegated. Comments Not Accepted: The AICPA recommended that the Circular adopt the framework and definitions of internal controls developed by the Committee of Sponsoring Organizations of the Treadway Commission (the COSO framework). OMB has carefully reviewed the COSO approach and feels confident that the Circular incorporates virtually all of the concepts underlying the COSO framework. It is critical, however, for the Circular to present these concepts in language that is meaningful to Federal program managers as well as financial managers. Therefore, OMB has decided to retain the Circular's broader terminology. One agency questioned OMB's authority to (i) include management control standards in the Circular and (ii) modify the language of GAO's Standards for Internal Control. OMB has included GAO in discussions about the Circular's revision since the beginning of the effort, and has provided GAO with the opportunity to comment on numerous drafts of the document. GAO has not objected to inclusion of the standards in the Circular, nor has GAO questioned the document's specific language. OMB believes that the Circular accurately incorporates the GAO standards, and appropriately updates the language to reflect developments in this area since GAO issued its standards in 1983. Two agencies recommended more flexibility in the standard relating to separation of duties, arguing that the principle may be overly rigid in an era of downsizing. One agency described the difficulty of applying this standard in small field offices, and suggested that alternative controls based on advanced technology, such as systems access controls and automated audit trails, may be appropriate. While OMB believes that separation of duties is a key management control standard, it recognizes the validity of these examples. The standard has not been modified because appropriate flexibility is already provided; the language states that key duties ``should'' be separated among individuals. One agency questioned whether the Circular adequately emphasizes the [[Page 33878]] concept of reasonable assurance. OMB recognizes the importance of this concept, and believes that its inclusion as one of the general management control standards is sufficient. Section III. Assessing and Improving Management Controls. This section states that agency managers should continuously monitor and improve the effectiveness of management controls. This continuous monitoring, and other periodic evaluations, should provide the basis for the agency head's annual assessment of and report on management controls. Agencies are encouraged to use a variety of information sources to arrive at the annual assurance statement to the President and the Congress. Several examples of sources of information are included in this section. The role of the agency's senior management council in making recommendations on the annual assurance statement and on which deficiencies in management controls should be considered material is also addressed. Comments Accepted: OMB recognizes the need to clarify how the term ``material weakness'' as used in the Circular differs from the same term as used by Federal auditors. This issue was raised by one agency in its written comments, and by other parties in discussions of earlier drafts. The Circular now recognizes that Federal auditors are required to identify and report weaknesses that, in their opinion, pose a risk or threat to the internal control systems of an entity (such as a program or operation) even if the management of that entity would not report the weakness outside the agency. Comments Not Accepted: Two agencies found the Circular's requirements on assessing and documenting the sufficiency of management controls to be inadequate, and suggested that the Circular provide more specific guidance in these areas. In keeping with the philosophy behind the Circular, OMB prefers to give agencies the latitude to expand upon the Circular's requirements in these areas, if they believe it is necessary, rather than to impose uniform criteria for determining, for example, what should be reported as a material weakness. Along those lines, OMB has chosen not to adopt the definitions used by Federal auditors of a reportable condition and material weakness, as advocated by one agency and the AICPA. Those definitions are weighted heavily toward technical, financially-oriented terms that are probably not meaningful to Federal program managers. They also focus on financial statements as the primary end-product of an internal control structure. While financial statements are important tools for the agency head in arriving at an assurance statement on management controls, they are not the only source of information for making this determination. Therefore, it is important that the Circular use language that accurately reflects the broad nature of agency management controls. Two agencies felt that the Circular should require that agencies test their management controls. OMB agrees that testing is an important method for determining whether controls actually work, and encourages agencies to use some form of testing. Because testing is already implicit in several of the information sources to be used to assess controls, and is less feasible for other information sources, it is not included as a blanket requirement. Three agencies commented on the composition of an agency's senior management council; two felt that the Circular should be more specific in discussing membership, while one found this section too prescriptive. OMB believes that the current language adequately addresses the importance of including both line and staff management and involving the IG, without infringing on the agency's ability to determine the council's membership. Section IV. Correcting Management Control Deficiencies. This section states that agency management is responsible for taking timely and effective action to correct management control deficiencies. Correcting these deficiencies is an integral part of management's responsibilities and must be considered a priority by the agency. The only comment received on this section reflected a misunderstanding of the Circular's requirements on corrective action plans. Plans must be developed, tracked, and reported for all material weaknesses (weaknesses included in the Integrity Act report). For weaknesses that are not included in the report, plans should be developed and tracked at a level deemed appropriate by the agency. Section V. Reporting on Management Controls. This section describes the required components of the agency's annual Integrity Act report and its distribution to the President and the Congress. This section also describes a initiative to streamline reporting by consolidating Integrity Act information with other performance-related reporting into a broader ``Accountability Report'' to be issued annually by the agency head. Lastly, this section presents Integrity Act requirements as they pertain to government corporations pursuant to the CFOs Act. Comments Accepted: At the suggestion of two commenters, agencies are now encouraged to make their Integrity Act reports available electronically. The reference to a House committee has been changed to reflect the nomenclature of the 104th Congress. This section also describes an new approach towards financial management reporting that could help integrate management initiatives. This approach is being pilot-tested by several agencies for FY 1995. Further information on the implications of this initiative for other agencies will be issued by OMB after the pilot reports have been evaluated. Comments Not Accepted: One agency questioned the wisdom of permitting agencies to provide a qualified statement of assurance. OMB expects agencies to provide the most direct possible statement of assurance. The option of a qualified statement recognizes that in some cases, the most accurate statement of assurance is one that is qualified by exceptions that are explicitly noted. The same agency suggested new language in the reporting section to recognize that the Circular broadens the scope of internal control accountability beyond the requirements of the Integrity Act. OMB disagrees with the premise that the link between management controls and program performance is a new one. While the Integrity Act uses financially oriented terminology, the Act ``clearly encompasses program and administrative areas, as well as the more traditional accounting and financial management areas'' (House Report 98-937, ``First-Year Implementation of the Federal Managers' Financial Integrity Act,'' Committee on Government Operations, August 2, 1984, p. 1). General Issues. Some comments were not limited to specific sections of the Circular. Comments Accepted: In response to one agency's suggestion, the acronym ``FMFIA'' has been replaced throughout the Circular by the term ``Integrity Act'' to better emphasize the purpose and scope of the law. OMB has also modified the term ``should'' in several instances where specific agency action is required. Comments Not Accepted: Two agencies proposed that the Circular broaden the linkage between management controls and other management initiatives, particularly performance measurement and implementation of GPRA. OMB encourages agencies to integrate their efforts to evaluate management controls and program performance, but is not [[Page 33879]] prepared at this time to include policy guidance on performance measurement in this Circular. One agency proposed inclusion of language describing the applicability of the Circular to discretionary policy matters, as had been done in the 1986 version. OMB does not believe that this language is necessary because it is clear that the President and agency head have full discretion over policymaking functions, including determining and interpreting policy, determining program need, making resource allocation decisions, and pursuing rulemaking. Two agencies suggested that the Circular specifically address OMB's High Risk Program. OMB has chosen not to do so because implementation of the management control program outlined in the Circular will likely eliminate the need for separate tracking of high risk areas. If agencies report their most serious management deficiencies to the President and the Congress as envisioned by the Circular, the Integrity Act reports will essentially reflect the highest risk areas in government, and a separate High Risk Program may no longer be necessary. John B. Arthur, Associate Director for Administration. EXECUTIVE OFFICE OF THE PRESIDENT Office of Management and Budget [Circular No. A-123, Revised] June 21, 1995. To the Heads of Executive Departments and Establishments From: Alice M. Rivlin, Director Subject: Management Accountability and Control 1. Purpose and Authority. As Federal employees develop and implement strategies for reengineering agency programs and operations, they should design management structures that help ensure accountability for results, and include appropriate, cost- effective controls. This Circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. The Circular is issued under the authority of the Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512. The Circular replaces Circular No. A-123, ``Internal Control Systems,'' revised, dated August 4, 1986, and OMB's 1982 ``Internal Controls Guidelines'' and associated ``Questions and Answers'' document, which are hereby rescinded. 2. Policy. Management accountability is the expectation that managers are responsible for the quality and timeliness of program performance, increasing productivity, controlling costs and mitigating adverse aspects of agency operations, and assuring that programs are managed with integrity and in compliance with applicable law. Management controls are the organization, policies, and procedures used to reasonably ensure that (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making. 3. Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective management controls for results-oriented management; (ii) assess the adequacy of management controls in Federal programs and operations; (iii) identify needed improvements; (iv) take corresponding corrective action; and (v) report annually on management controls. 4. Effective Date. This Circular is effective upon issuance. 5. Inquiries. Further information concerning this Circular may be obtained from the Management Integrity Branch, Office of Federal Financial Management, Office of Management and Budget, Washington, DC 20503, 202/395-6911. 6. Copies. Copies of this Circular may be obtained by telephoning the Executive Office of the President, Publication Services, at 202/395-7332. 7. Electronic Access. This document is also accessible on the U.S. Department of Commerce's FedWorld Network under the OMB Library of Files. The Telnet address for FedWorld via Internet is ``fedworld.gov''. The World Wide Web address is ``http:// www.fedworld.gov/ftp.htm#omb''. For file transfer protocol (FTP) access, the address is ``ftp://fwux.fedworld.gov/pub/omb/omb.htm''. The telephone number for the FedWorld help desk is 703/487-4608. Attachment. Attachment I. Introduction The proper stewardship of Federal resources is a fundamental responsibility of agency managers and staff. Federal employees must ensure that government resources are used efficiently and effectively to achieve intended program results. Resources must be used consistent with agency mission, in compliance with law and regulation, and with minimal potential for waste, fraud, and mismanagement. To support results-oriented management, the Government Performance and Results Act (GPRA, P.L. 103-62) requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals. As the Federal government implements this legislation, these plans and goals should be integrated into (i) the budget process, (ii) the operational management of agencies and programs, and (iii) accountability reporting to the public on performance results, and on the integrity, efficiency, and effectiveness with which they are achieved. Management accountability is the expectation that managers are responsible for the quality and timeliness of program performance, increasing productivity, controlling costs and mitigating adverse aspects of agency operations, and assuring that programs are managed with integrity and in compliance with applicable law. Management controls--organization, policies, and procedures--are tools to help program and financial managers achieve results and safeguard the integrity of their programs. This Circular provides guidance on using the range of tools at the disposal of agency managers to achieve desired program results and meet the requirements of the Federal Managers' Financial Integrity Act (FMFIA, referred to as the Integrity Act throughout this document). Framework. The importance of management controls is addressed, both explicitly and implicitly, in many statutes and executive documents. The Federal Managers' Financial Integrity Act (P.L. 97- 255) establishes specific requirements with regard to management controls. The agency head must establish controls that reasonably ensure that: (i) obligations and costs comply with applicable law; (ii) assets are safeguarded against waste, loss, unauthorized use or misappropriation; and (iii) revenues and expenditures are properly recorded and accounted for. 31 U.S.C. 3512(c)(1). In addition, the agency head annually must evaluate and report on the control and financial systems that protect the integrity of Federal programs. 31 U.S.C. 3512(d)(2). The Act encompasses program, operational, and administrative areas as well as accounting and financial management. Instead of considering controls as an isolated management tool, agencies should integrate their efforts to meet the requirements of the Integrity Act with other efforts to improve effectiveness and accountability. Thus, management controls should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. They should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. For instance, good management controls can assure that performance measures are complete and accurate. As another example, the management control standard of organization would align staff and authority with the program responsibilities to be carried out, improving both effectiveness and accountability. Similarly, accountability for resources could be improved by more closely aligning budget accounts with programs and charging them with all significant resources used to produce the program's outputs and outcomes. Meeting the requirements of the Chief Financial Officers Act (P.L. 101-576, as amended) should help agencies both establish and evaluate management controls. The Act requires the preparation and audit of financial statements for 24 Federal agencies. 31 U.S.C. 901(b), 3515. In this process, auditors report on internal controls and [[Page 33880]] compliance with laws and regulations. Therefore, the agencies covered by the Act have a clear opportunity both to improve controls over their financial activities, and to evaluate the controls that are in place. The Inspector General Act (P.L. 95-452, as amended) provides for independent reviews of agency programs and operations. Offices of Inspectors General (OIGs) and other external audit organizations frequently cite specific deficiencies in management controls and recommend opportunities for improvements. Agency managers, who are required by the Act to follow up on audit recommendations, should use these reviews to identify and correct problems resulting from inadequate, excessive, or poorly designed controls, and to build appropriate controls into new programs. Federal managers must carefully consider the appropriate balance of controls in their programs and operations. Fulfilling requirements to eliminate regulations (``Elimination of One-Half of Executive Branch Internal Regulations,'' Executive Order 12861) should reinforce to agency managers that too many controls can result in inefficient and ineffective government, and therefore that they must ensure an appropriate balance between too many controls and too few controls. Managers should benefit from controls, not be encumbered by them. Agency Implementation. Appropriate management controls should be integrated into each system established by agency management to direct and guide its operations. A separate management control process need not be instituted, particularly if its sole purpose is to satisfy the Integrity Act's reporting requirements. Agencies need to plan for how the requirements of this Circular will be implemented. Developing a written strategy for internal agency use may help ensure that appropriate action is taken throughout the year to meet the objectives of the Integrity Act. The absence of such a strategy may itself be a serious management control deficiency. Identifying and implementing the specific procedures necessary to ensure good management controls, and determining how to evaluate the effectiveness of those controls, is left to the discretion of the agency head. However, agencies should implement and evaluate controls without creating unnecessary processes, consistent with recommendations made by the National Performance Review. The President's Management Council, composed of the major agencies' chief operating officers, has been established to foster governmentwide management changes (``Implementing Management Reform in the Executive Branch,'' October 1, 1993). Many agencies are establishing their own senior management council, often chaired by the agency's chief operating officer, to address management accountability and related issues within the broader context of agency operations. Relevant issues for such a council include ensuring the agency's commitment to an appropriate system of management controls; recommending to the agency head which control deficiencies are sufficiently serious to report in the annual Integrity Act report; and providing input for the level and priority of resource needs to correct these deficiencies. (See also Section III of this Circular.) II. Establishing Management Controls Definition of Management Controls. Management controls are the organization, policies, and procedures used by agencies to reasonably ensure that (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making. Management controls, in the broadest sense, include the plan of organization, methods and procedures adopted by management to ensure that its goals are met. Management controls include processes for planning, organizing, directing, and controlling program operations. A subset of management controls are the internal controls used to assure that there is prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets. Developing Management Controls. As Federal employees develop and execute strategies for implementing or reengineering agency programs and operations, they should design management structures that help ensure accountability for results. As part of this process, agencies and individual Federal managers must take systematic and proactive measures to develop and implement appropriate, cost-effective management controls. The expertise of the agency CFO and IG can be valuable in developing appropriate controls. Management controls guarantee neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but they are a means of managing the risk associated with Federal programs and operations. To help ensure that controls are appropriate and cost-effective, agencies should consider the extent and cost of controls relative to the importance and risk associated with a given program. Standards. Agency managers shall incorporate basic management controls in the strategies, plans, guidance and procedures that govern their programs and operations. Controls shall be consistent with the following standards, which are drawn in large part from the ``Standards for Internal Control in the Federal Government,'' issued by the General Accounting Office (GAO). General management control standards are: Compliance With Law. All program operations, obligations and costs must comply with applicable law and regulation. Resources should be efficiently and effectively allocated for duly authorized purposes. Reasonable Assurance and Safeguards. Management controls must provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Management controls developed for agency programs should be logical, applicable, reasonably complete, and effective and efficient in accomplishing management objectives. Integrity, Competence, and Attitude. Managers and employees must have personal integrity and are obligated to support the ethics programs in their agencies. The spirit of the Standards of Ethical Conduct requires that they develop and implement effective management controls and maintain a level of competence that allows them to accomplish their assigned duties. Effective communication within and between offices should be encouraged. Specific management control standards are: Delegation of Authority and Organization. Managers should ensure that appropriate authority, responsibility and accountability are defined and delegated to accomplish the mission of the organization, and that an appropriate organizational structure is established to effectively carry out program responsibilities. To the extent possible, controls and related decision-making authority should be in the hands of line managers and staff. Separation of Duties and Supervision. Key duties and responsibilities in authorizing, processing, recording, and reviewing official agency transactions should be separated among individuals. Managers should exercise appropriate oversight to ensure individuals do not exceed or abuse their assigned authorities. Access to and Accountability for Resources. Access to resources and records should be limited to authorized individuals, and accountability for the custody and use of resources should be assigned and maintained. Recording and Documentation. Transactions should be promptly recorded, properly classified and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination. Resolution of Audit Findings and Other Deficiencies. Managers should promptly evaluate and determine proper actions in response to known deficiencies, reported audit and other findings, and related recommendations. Managers should complete, within established timeframes, all actions that correct or otherwise resolve the appropriate matters brought to management's attention. Other policy documents may describe additional specific standards for particular functional or program activities. For example, OMB Circular No. A-127, ``Financial Management Systems,'' describes government-wide requirements for financial systems. The Federal Acquisition Regulations define requirements for agency procurement activities. III. Assessing and Improving Management Controls Agency managers should continuously monitor and improve the effectiveness of management controls associated with their programs. This continuous monitoring, and other periodic evaluations, should provide the basis for the agency head's annual [[Page 33881]] assessment of and report on management controls, as required by the Integrity Act. Agency management should determine the appropriate level of documentation needed to support this assessment. Sources of Information. The agency head's assessment of management controls can be performed using a variety of information sources. Management has primary responsibility for monitoring and assessing controls, and should use other sources as a supplement to--not a replacement for--its own judgment. Sources of information include: Management knowledge gained from the daily operation of agency programs and systems. Management reviews conducted (i) expressly for the purpose of assessing management controls, or (ii) for other purposes with an assessment of management controls as a by-product of the review. IG and GAO reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products. Program evaluations. Audits of financial statements conducted pursuant to the Chief Financial Officers Act, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal controls, and compliance with laws and regulations; and any other materials prepared relating to the statements. Reviews of financial systems which consider whether the requirements of OMB Circular No. A-127 are being met. Reviews of systems and applications conducted pursuant to the Computer Security Act of 1987 (40 U.S.C. 759 note) and OMB Circular No. A-130, ``Management of Federal Information Resources.'' Annual performance plans and reports pursuant to the Government Performance and Results Act. Reports and other information provided by the Congressional committees of jurisdiction. Other reviews or reports relating to agency operations, e.g. for the Department of Health and Human Services, quality control reviews of the Medicaid and Aid to Families with Dependent Children programs. Use of a source of information should take into consideration whether the process included an evaluation of management controls. Agency management should avoid duplicating reviews which assess management controls, and should coordinate their efforts with other evaluations to the extent practicable. If a Federal manager determines that there is insufficient information available upon which to base an assessment of management controls, then appropriate reviews should be conducted which will provide such a basis. Identification of Deficiencies. Agency managers and employees should identify deficiencies in management controls from the sources of information described above. A deficiency should be reported if it is or should be of interest to the next level of management. Agency employees and managers generally report deficiencies to the next supervisory level, which allows the chain of command structure to determine the relative importance of each deficiency. A deficiency that the agency head determines to be significant enough to be reported outside the agency (i.e. included in the annual Integrity Act report to the President and the Congress) shall be considered a ``material weakness.'' \1\ This designation requires a judgment by agency managers as to the relative risk and significance of deficiencies. Agencies may wish to use a different term to describe less significant deficiencies, which are reported only internally in an agency. In identifying and assessing the relative importance of deficiencies, particular attention should be paid to the views of the agency's IG. \1\ This Circular's use of the term ``material weakness'' should not be confused with use of the same term by government auditors to identify management control weaknesses which, in their opinion, pose a risk or a threat to the internal control systems of an audited entity, such as a program or operation. Auditors are required to identify and report those types of weaknesses at any level of operation or organization, even if the management of the audited entity would not report the weaknesses outside the agency. --------------------------------------------------------------------------- Agencies should carefully consider whether systemic problems exist that adversely affect management controls across organizational or program lines. The Chief Financial Officer, the Senior Procurement Executive, the Senior IRM Official, and the managers of other functional offices should be involved in identifying and ensuring correction of systemic deficiencies relating to their respective functions. Agency managers and staff should be encouraged to identify and report deficiencies, as this reflects positively on the agency's commitment to recognizing and addressing management problems. Failing to report a known deficiency would reflect adversely on the agency. Role of A Senior Management Council. Many agencies have found that a senior management council is a useful forum for assessing and monitoring deficiencies in management controls. The membership of such councils generally includes both line and staff management; consideration should be given to involving the IG. Such councils generally recommend to the agency head which deficiencies are deemed to be material to the agency as a whole, and should therefore be included in the annual Integrity Act report to the President and the Congress. (Such a council need not be exclusively devoted to management control issues.) This process will help identify deficiencies that although minor individually, may constitute a material weakness in the aggregate. Such a council may also be useful in determining when sufficient action has been taken to declare that a deficiency has been corrected. IV. Correcting Management Control Deficiencies Agency managers are responsible for taking timely and effective action to correct deficiencies identified by the variety of sources discussed in Section III. Correcting deficiencies is an integral part of management accountability and must be considered a priority by the agency. The extent to which corrective actions are tracked by the agency should be commensurate with the severity of the deficiency. Corrective action plans should be developed for all material weaknesses, and progress against plans should be periodically assessed and reported to agency management. Management should track progress to ensure timely and effective results. For deficiencies that are not included in the Integrity Act report, corrective action plans should be developed and tracked internally at the appropriate level. A determination that a deficiency has been corrected should be made only when sufficient corrective actions have been taken and the desired results achieved. This determination should be in writing, and along with other appropriate documentation, should be available for review by appropriate officials. (See also role of senior management council in Section III.) As managers consider IG and GAO audit reports in identifying and correcting management control deficiencies, they must be mindful of the statutory requirements for audit followup included in the IG Act, as amended. Under this law, management has a responsibility to complete action, in a timely manner, on audit recommendations on which agreement with the IG has been reached. 5 U.S.C. Appendix 3. (Management must make a decision regarding IG audit recommendations within a six month period and implementation of management's decision should be completed within one year to the extent practicable.) Agency managers and the IG share responsibility for ensuring that IG Act requirements are met. V. Reporting on Management Controls Reporting Pursuant to Section 2. 31 U.S.C. 3512(d)(2) (commonly referred to as Section 2 of the Integrity Act) requires that annually by December 31, the head of each executive agency submit to the President and the Congress (i) a statement on whether there is reasonable assurance that the agency's controls are achieving their intended objectives; and (ii) a report on material weaknesses in the agency's controls. OMB may provide guidance on the composition of the annual report. Statement of Assurance. The statement on reasonable assurance represents the agency head's informed judgment as to the overall adequacy and effectiveness of management controls within the agency. The statement must take one of the following forms: statement of assurance; qualified statement of assurance, considering the exceptions explicitly noted; or statement of no assurance. In deciding on the type of assurance to provide, the agency head should consider information from the sources described in Section III of this Circular, with input from senior program and administrative officials and the IG. The agency head must describe the analytical basis for the type of assurance being provided, and the extent to which agency activities were assessed. The statement of assurance must be signed by the agency head. Report on Material Weaknesses. The Integrity Act report must include agency plans to correct the material weaknesses and progress against those plans. [[Page 33882]] Reporting Pursuant to Section 4. 31 U.S.C. 3512(d)(2)(B) (commonly referred to as Section 4 of the Integrity Act) requires an annual statement on whether the agency's financial management systems conform with government-wide requirements. These financial systems requirements are presented in OMB Circular No. A-127, ``Financial Management Systems,'' section 7. If the agency does not conform with financial systems requirements, the statement must discuss the agency's plans for bringing its systems into compliance. If the agency head judges a deficiency in financial management systems and/or operations to be material when weighed against other agency deficiencies, the issue must be included in the annual Integrity Act report in the same manner as other material weaknesses. Distribution of Integrity Act Report. The assurance statements and information related to both Sections 2 and 4 should be provided in a single Integrity Act report. Copies of the report are to be transmitted to the President; the President of the Senate; the Speaker of the House of Representatives; the Director of OMB; and the Chairpersons and Ranking Members of the Senate Committee on Governmental Affairs, the House Committee on Government Reform and Oversight, and the relevant authorizing and appropriations committees and subcommittees. In addition, 10 copies of the report are to be provided to OMB's Office of Federal Financial Management, Management Integrity Branch. Agencies are also encouraged to make their reports available electronically. Streamlined Reporting. The Government Management Reform Act (GMRA) of 1994 (P.L. 103-356) permits OMB for fiscal years 1995 through 1997 to consolidate or adjust the frequency and due dates of certain statutory financial management reports after consultation with the Congress. GMRA prompted the CFO Council to recommend to OMB a new approach towards financial management reporting which could help integrate management initiatives. This proposal is being pilot- tested by several agencies for FY 1995. Further information on the implications of this initiative for other agencies will be issued by OMB after the pilot reports have been evaluated. In the meantime, the reporting requirements outlined in this Circular remain valid except for those agencies identified as pilots by OMB. Under the CFO Council approach, agencies would consolidate Integrity Act information with other performance-related reporting into a broader ``Accountability Report'' to be issued annually by the agency head. This report would be issued as soon as possible after the end of the fiscal year, but no later than March 31 for agencies producing audited financial statements and December 31 for all other agencies. The proposed ``Accountability Report'' would integrate the following information: the Integrity Act report, management's Report on Final Action as required by the IG Act, the CFOs Act Annual Report (including audited financial statements), Civil Monetary Penalty and Prompt Payment Act reports, and available information on agency performance compared to its stated goals and objectives, in preparation for implementation of the GPRA. Government Corporations. Section 306 of the Chief Financial Officers Act established a reporting requirement related to management controls for corporations covered by the Government Corporation and Control Act. 31 U.S.C. 9106. These corporations must submit an annual management report to the Congress not later than 180 days after the end of the corporation's fiscal year. This report must include, among other items, a statement on control systems by the head of the management of the corporation consistent with the requirements of the Integrity Act. The corporation is required to provide the President, the Director of OMB, and the Comptroller General a copy of the management report when it is submitted to Congress. [FR Doc. 95-15828 Filed 6-28-95; 8:45 am] BILLING CODE 3110-01-P