[Federal Register Volume 60, Number 125 (Thursday, June 29, 1995)]
[Notices]
[Pages 33876-33882]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-15828]
=======================================================================
-----------------------------------------------------------------------
OFFICE OF MANAGEMENT AND BUDGET
Management Accountability and Control
AGENCY: Office of Management and Budget.
ACTION: Final Revision of OMB Circular No. A-123.
-----------------------------------------------------------------------
SUMMARY: This Notice revises Office of Management and Budget (OMB)
Circular No. A-123, ``Management Accountability and Control.'' The
Circular, which was previously titled ``Internal Control Systems,''
implements the Federal Managers' Financial Integrity Act of 1982
(FMFIA).
FOR FURTHER INFORMATION CONTACT: Office of Management and Budget,
Office of Federal Financial Management, Management Integrity Branch,
Room 6025, New Executive Office Building, Washington, DC 20503,
telephone (202) 395-6911 and fax (202) 395-3952. For a copy of the
revised Circular, contact Office of Administration, Publications
Office, room 2200, New Executive Office Building, Washington, DC 20503,
or telephone (202) 395-7332.
ELECTRONIC ACCESS: This Circular is also accessible on the U.S.
Department of Commerce's FedWorld Network under the OMB Library of
Files.
The Telnet address for FedWorld via Internet is
``fedworld.gov''.
The World Wide Web address is ``http://www.fedworld.gov/ftp.htm#omb''.
For file transfer protocol (FTP) access, the address is
``ftp://fwux.fedworld.gov/pub/omb/omb.htm''.
The telephone number for the FedWorld help desk is (703) 487-4608.
SUPPLEMENTARY INFORMATION:
A. Background
Circular No. A-123 was last issued on August 4, 1986. On March 13,
1995 the Office of Management and Budget requested public comments on a
revised version of the Circular (60 FR 13484).
The revision announced here alters requirements for executive
agencies on evaluating management controls, consistent with
recommendations made by the National Performance Review. The Circular
now integrates many policy issuances on management control into a
single document, and provides a framework for integrating management
control assessments with other work now being performed by agency
managers, auditors and evaluators.
The Circular emphasizes that management controls should benefit
rather than encumber management, and should make sense for each
agency's operating structure and environment. By giving agencies the
discretion to determine which tools to use in arriving at the annual
assurance statement to the President and the Congress, the Circular
represents an important step toward a streamlined management control
program that incorporates the reinvention principles of this
Administration.
B. Analysis of Comments
Thirty-three responses were received from 23 Federal agencies and
the
American Institute of Certified Public Accountants (AICPA). Of the 33
responses, 14 simply agreed with the proposed revision and made no
comments on the document, although some had minor comments on a
proposal by the Chief Financial Officers' Council to streamline
reporting. Almost all of the remaining 19 responses were also in favor
of the revision, but made some specific suggestions.
A summary of the transmittal memorandum and the five sections of
the Circular follows. Each section indicates which comments were
accepted and which were not accepted.
Transmittal Memorandum. This memorandum, signed by the OMB
Director, summarizes the purpose, authority, and policy reflected in
the Circular, the actions required, and related administrative
information. Four agencies made comments relating to the memorandum.
Comments Accepted: The statement describing management
accountability is now repeated in Section I of the Circular. The
definition of management controls (which appears in both the memorandum
and Section II) has been amended to state that controls should ensure
reliable ``and timely'' information. The requirement that agencies
report annually on management controls is now explicitly stated in the
memorandum. In addition, OMB has added instructions on accessing the
Circular electronically.
Comment Not Accepted: One agency suggested that performance
appraisals be used to hold managers accountable for management control
responsibilities. OMB supports this concept but prefers that the
specific content of appraisals be left to each agency.
Section I. Introduction. This section describes a framework for
agency management control programs that integrates management control
activities with other management requirements and policies, such as the
Government Performance and Results Act (GPRA), the Chief Financial
Officers (CFOs) Act, the Inspector General (IG) Act, and other
congressional and Executive Branch requirements. The foundation of this
policy is that management control activities are not stand-alone
management practices, but rather are woven into the day-to-day
operational responsibilities of agency managers.
Agencies are encouraged to plan for how the requirements of the
Circular will be implemented. Agencies are also encouraged to establish
senior level management councils to address management accountability
and related issues within the broad context of agency operations.
Comments Accepted: At the suggestion of three agencies, the
language illustrating how controls can be integrated into the overall
management process has been clarified. The text now indicates more
clearly that the examples used to make this point are in fact examples,
not new Circular requirements. Because the Act encompasses agency
operations, as well as program and administrative areas, appropriate
language has been included in the Circular. In addition, the Circular
states that 24 agencies are covered by the CFOs Act, which reflects the
legislation last year that made the Social Security Administration an
independent agency from the Department of Health and Human Services.
Comments Not Accepted: Two agencies questioned elimination of the
Management Control Plan. The importance of planning has not been
diminished in the new Circular, but OMB will no longer dictate the
scope and content of an agency's planning document. An agency may
choose, for example, to meet the Circular's planning requirement by
addressing management controls in a broader strategic plan for agency
management.
Section II. Establishing Management Controls. This section defines
management controls, and requires agency managers to develop and
implement appropriate management controls. Included in this section are
general and specific management control standards, drawn in large part
from the standards issued by the General Accounting Office (GAO). By
including these standards in the Circular, OMB is continuing its
efforts to integrate various management control policies into a single
document to make it easier for Federal managers to implement good
management controls.
Comments Accepted: Four agencies questioned whether the definition
of internal controls as a subset of management controls should be
limited to conditions ``that could have a material effect on [the
entity's] financial statements.'' One agency pointed out that
deficiencies in internal controls related to events that have less than
a major impact on financial statements, like security weaknesses or
conflict of interest problems, could be reportable under the Integrity
Act. OMB agrees and has deleted the restrictive phrase.
In response to one agency's comment, language on developing
management controls has been expanded to emphasize that controls must
be developed as programs are initially implemented, as well as
reengineered. At another agency's suggestion, a statement has been
included on the value of drawing on the expertise of the CFO and IG as
controls are developed.
Responding to two agencies' comments on the standards for
management controls, the standard on compliance with law has been
expanded to include compliance with regulations, and the standard on
delegation of authority now clearly states that managers should ensure
that authority, responsibility and accountability are defined and
delegated.
Comments Not Accepted: The AICPA recommended that the Circular
adopt the framework and definitions of internal controls developed by
the Committee of Sponsoring Organizations of the Treadway Commission
(the COSO framework). OMB has carefully reviewed the COSO approach and
feels confident that the Circular incorporates virtually all of the
concepts underlying the COSO framework. It is critical, however, for
the Circular to present these concepts in language that is meaningful
to Federal program managers as well as financial managers. Therefore,
OMB has decided to retain the Circular's broader terminology.
One agency questioned OMB's authority to (i) include management
control standards in the Circular and (ii) modify the language of GAO's
Standards for Internal Control. OMB has included GAO in discussions
about the Circular's revision since the beginning of the effort, and
has provided GAO with the opportunity to comment on numerous drafts of
the document. GAO has not objected to inclusion of the standards in the
Circular, nor has GAO questioned the document's specific language. OMB
believes that the Circular accurately incorporates the GAO standards,
and appropriately updates the language to reflect developments in this
area since GAO issued its standards in 1983.
Two agencies recommended more flexibility in the standard relating
to separation of duties, arguing that the principle may be overly rigid
in an era of downsizing. One agency described the difficulty of
applying this standard in small field offices, and suggested that
alternative controls based on advanced technology, such as systems
access controls and automated audit trails, may be appropriate. While
OMB believes that separation of duties is a key management control
standard, it recognizes the validity of these examples. The standard
has not been modified because appropriate flexibility is already
provided; the language states that key duties ``should'' be separated
among individuals.
One agency questioned whether the Circular adequately emphasizes
the
concept of reasonable assurance. OMB recognizes the importance of this
concept, and believes that its inclusion as one of the general
management control standards is sufficient.
Section III. Assessing and Improving Management Controls. This
section states that agency managers should continuously monitor and
improve the effectiveness of management controls. This continuous
monitoring, and other periodic evaluations, should provide the basis
for the agency head's annual assessment of and report on management
controls. Agencies are encouraged to use a variety of information
sources to arrive at the annual assurance statement to the President
and the Congress. Several examples of sources of information are
included in this section. The role of the agency's senior management
council in making recommendations on the annual assurance statement and
on which deficiencies in management controls should be considered
material is also addressed.
Comments Accepted: OMB recognizes the need to clarify how the term
``material weakness'' as used in the Circular differs from the same
term as used by Federal auditors. This issue was raised by one agency
in its written comments, and by other parties in discussions of earlier
drafts. The Circular now recognizes that Federal auditors are required
to identify and report weaknesses that, in their opinion, pose a risk
or threat to the internal control systems of an entity (such as a
program or operation) even if the management of that entity would not
report the weakness outside the agency.
Comments Not Accepted: Two agencies found the Circular's
requirements on assessing and documenting the sufficiency of management
controls to be inadequate, and suggested that the Circular provide more
specific guidance in these areas. In keeping with the philosophy behind
the Circular, OMB prefers to give agencies the latitude to expand upon
the Circular's requirements in these areas, if they believe it is
necessary, rather than to impose uniform criteria for determining, for
example, what should be reported as a material weakness.
Along those lines, OMB has chosen not to adopt the definitions used
by Federal auditors of a reportable condition and material weakness, as
advocated by one agency and the AICPA. Those definitions are weighted
heavily toward technical, financially-oriented terms that are probably
not meaningful to Federal program managers. They also focus on
financial statements as the primary end-product of an internal control
structure. While financial statements are important tools for the
agency head in arriving at an assurance statement on management
controls, they are not the only source of information for making this
determination. Therefore, it is important that the Circular use
language that accurately reflects the broad nature of agency management
controls.
Two agencies felt that the Circular should require that agencies
test their management controls. OMB agrees that testing is an important
method for determining whether controls actually work, and encourages
agencies to use some form of testing. Because testing is already
implicit in several of the information sources to be used to assess
controls, and is less feasible for other information sources, it is not
included as a blanket requirement.
Three agencies commented on the composition of an agency's senior
management council; two felt that the Circular should be more specific
in discussing membership, while one found this section too
prescriptive. OMB believes that the current language adequately
addresses the importance of including both line and staff management
and involving the IG, without infringing on the agency's ability to
determine the council's membership.
Section IV. Correcting Management Control Deficiencies. This
section states that agency management is responsible for taking timely
and effective action to correct management control deficiencies.
Correcting these deficiencies is an integral part of management's
responsibilities and must be considered a priority by the agency.
The only comment received on this section reflected a
misunderstanding of the Circular's requirements on corrective action
plans. Plans must be developed, tracked, and reported for all material
weaknesses (weaknesses included in the Integrity Act report). For
weaknesses that are not included in the report, plans should be
developed and tracked at a level deemed appropriate by the agency.
Section V. Reporting on Management Controls. This section describes
the required components of the agency's annual Integrity Act report and
its distribution to the President and the Congress. This section also
describes an initiative to streamline reporting by consolidating
Integrity Act information with other performance-related reporting into
a broader ``Accountability Report'' to be issued annually by the agency
head. Lastly, this section presents Integrity Act requirements as they
pertain to government corporations pursuant to the CFOs Act.
Comments Accepted: At the suggestion of two commenters, agencies
are now encouraged to make their Integrity Act reports available
electronically. The reference to a House committee has been changed to
reflect the nomenclature of the 104th Congress.
This section also describes a new approach towards financial
management reporting that could help integrate management initiatives.
This approach is being pilot-tested by several agencies for FY 1995.
Further information on the implications of this initiative for other
agencies will be issued by OMB after the pilot reports have been
evaluated.
Comments Not Accepted: One agency questioned the wisdom of
permitting agencies to provide a qualified statement of assurance. OMB
expects agencies to provide the most direct possible statement of
assurance. The option of a qualified statement recognizes that in some
cases, the most accurate statement of assurance is one that is
qualified by exceptions that are explicitly noted.
The same agency suggested new language in the reporting section to
recognize that the Circular broadens the scope of internal control
accountability beyond the requirements of the Integrity Act. OMB
disagrees with the premise that the link between management controls
and program performance is a new one. While the Integrity Act uses
financially oriented terminology, the Act ``clearly encompasses program
and administrative areas, as well as the more traditional accounting
and financial management areas'' (House Report 98-937, ``First-Year
Implementation of the Federal Managers' Financial Integrity Act,''
Committee on Government Operations, August 2, 1984, p. 1).
General Issues. Some comments were not limited to specific sections
of the Circular.
Comments Accepted: In response to one agency's suggestion, the
acronym ``FMFIA'' has been replaced throughout the Circular by the term
``Integrity Act'' to better emphasize the purpose and scope of the law.
OMB has also modified the term ``should'' in several instances where
specific agency action is required.
Comments Not Accepted: Two agencies proposed that the Circular
broaden the linkage between management controls and other management
initiatives, particularly performance measurement and implementation of
GPRA. OMB encourages agencies to integrate their efforts to evaluate
management controls and program performance, but is not
prepared at this time to include policy guidance on performance
measurement in this Circular.
One agency proposed inclusion of language describing the
applicability of the Circular to discretionary policy matters, as had
been done in the 1986 version. OMB does not believe that this language
is necessary because it is clear that the President and agency head
have full discretion over policymaking functions, including determining
and interpreting policy, determining program need, making resource
allocation decisions, and pursuing rulemaking.
Two agencies suggested that the Circular specifically address OMB's
High Risk Program. OMB has chosen not to do so because implementation
of the management control program outlined in the Circular will likely
eliminate the need for separate tracking of high risk areas. If
agencies report their most serious management deficiencies to the
President and the Congress as envisioned by the Circular, the Integrity
Act reports will essentially reflect the highest risk areas in
government, and a separate High Risk Program may no longer be
necessary.
John B. Arthur,
Associate Director for Administration.
EXECUTIVE OFFICE OF THE PRESIDENT
Office of Management and Budget
[Circular No. A-123, Revised]
June 21, 1995.
To the Heads of Executive Departments and Establishments
From: Alice M. Rivlin, Director
Subject: Management Accountability and Control
1. Purpose and Authority. As Federal employees develop and
implement strategies for reengineering agency programs and
operations, they should design management structures that help
ensure accountability for results, and include appropriate,
cost-effective controls. This Circular provides guidance to Federal
managers on improving the accountability and effectiveness of
Federal programs and operations by establishing, assessing,
correcting, and reporting on management controls.
The Circular is issued under the authority of the Federal
Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C.
3512.
The Circular replaces Circular No. A-123, ``Internal Control
Systems,'' revised, dated August 4, 1986, and OMB's 1982 ``Internal
Controls Guidelines'' and associated ``Questions and Answers''
document, which are hereby rescinded.
2. Policy. Management accountability is the expectation that
managers are responsible for the quality and timeliness of program
performance, increasing productivity, controlling costs and
mitigating adverse aspects of agency operations, and assuring that
programs are managed with integrity and in compliance with
applicable law.
Management controls are the organization, policies, and
procedures used to reasonably ensure that (i) programs achieve their
intended results; (ii) resources are used consistent with agency
mission; (iii) programs and resources are protected from waste,
fraud, and mismanagement; (iv) laws and regulations are followed;
and (v) reliable and timely information is obtained, maintained,
reported and used for decision making.
3. Actions Required. Agencies and individual Federal managers
must take systematic and proactive measures to (i) develop and
implement appropriate, cost-effective management controls for
results-oriented management; (ii) assess the adequacy of management
controls in Federal programs and operations; (iii) identify needed
improvements; (iv) take corresponding corrective action; and (v)
report annually on management controls.
4. Effective Date. This Circular is effective upon issuance.
5. Inquiries. Further information concerning this Circular may
be obtained from the Management Integrity Branch, Office of Federal
Financial Management, Office of Management and Budget, Washington,
DC 20503, 202/395-6911.
6. Copies. Copies of this Circular may be obtained by
telephoning the Executive Office of the President, Publication
Services, at 202/395-7332.
7. Electronic Access. This document is also accessible on the
U.S. Department of Commerce's FedWorld Network under the OMB Library
of Files.
The Telnet address for FedWorld via Internet is
``fedworld.gov''.
The World Wide Web address is ``http://www.fedworld.gov/ftp.htm#omb''.
For file transfer protocol (FTP) access, the address is
``ftp://fwux.fedworld.gov/pub/omb/omb.htm''.
The telephone number for the FedWorld help desk is 703/487-4608.
Attachment.
Attachment
I. Introduction
The proper stewardship of Federal resources is a fundamental
responsibility of agency managers and staff. Federal employees must
ensure that government resources are used efficiently and
effectively to achieve intended program results. Resources must be
used consistent with agency mission, in compliance with law and
regulation, and with minimal potential for waste, fraud, and
mismanagement.
To support results-oriented management, the Government
Performance and Results Act (GPRA, P.L. 103-62) requires agencies to
develop strategic plans, set performance goals, and report annually
on actual performance compared to goals. As the Federal government
implements this legislation, these plans and goals should be
integrated into (i) the budget process, (ii) the operational
management of agencies and programs, and (iii) accountability
reporting to the public on performance results, and on the
integrity, efficiency, and effectiveness with which they are
achieved.
Management accountability is the expectation that managers are
responsible for the quality and timeliness of program performance,
increasing productivity, controlling costs and mitigating adverse
aspects of agency operations, and assuring that programs are managed
with integrity and in compliance with applicable law.
Management controls--organization, policies, and procedures--are
tools to help program and financial managers achieve results and
safeguard the integrity of their programs. This Circular provides
guidance on using the range of tools at the disposal of agency
managers to achieve desired program results and meet the
requirements of the Federal Managers' Financial Integrity Act
(FMFIA, referred to as the Integrity Act throughout this document).
Framework. The importance of management controls is addressed,
both explicitly and implicitly, in many statutes and executive
documents. The Federal Managers' Financial Integrity Act
(P.L. 97-255) establishes specific requirements with regard to management
controls. The agency head must establish controls that reasonably
ensure that: (i) obligations and costs comply with applicable law;
(ii) assets are safeguarded against waste, loss, unauthorized use or
misappropriation; and (iii) revenues and expenditures are properly
recorded and accounted for. 31 U.S.C. 3512(c)(1). In addition, the
agency head annually must evaluate and report on the control and
financial systems that protect the integrity of Federal programs. 31
U.S.C. 3512(d)(2).
The Act encompasses program, operational, and administrative
areas as well as accounting and financial management.
Instead of considering controls as an isolated management tool,
agencies should integrate their efforts to meet the requirements of
the Integrity Act with other efforts to improve effectiveness and
accountability. Thus, management controls should be an integral part
of the entire cycle of planning, budgeting, management, accounting,
and auditing. They should support the effectiveness and the
integrity of every step of the process and provide continual
feedback to management.
For instance, good management controls can assure that
performance measures are complete and accurate. As another example,
the management control standard of organization would align staff
and authority with the program responsibilities to be carried out,
improving both effectiveness and accountability. Similarly,
accountability for resources could be improved by more closely
aligning budget accounts with programs and charging them with all
significant resources used to produce the program's outputs and
outcomes.
Meeting the requirements of the Chief Financial Officers Act
(P.L. 101-576, as amended) should help agencies both establish and
evaluate management controls. The Act requires the preparation and
audit of financial statements for 24 Federal agencies. 31 U.S.C.
901(b), 3515. In this process, auditors report on internal controls
and
compliance with laws and regulations. Therefore, the agencies covered
by the Act have a clear opportunity both to improve controls over
their financial activities, and to evaluate the controls that are in
place.
The Inspector General Act (P.L. 95-452, as amended) provides for
independent reviews of agency programs and operations. Offices of
Inspectors General (OIGs) and other external audit organizations
frequently cite specific deficiencies in management controls and
recommend opportunities for improvements. Agency managers, who are
required by the Act to follow up on audit recommendations, should
use these reviews to identify and correct problems resulting from
inadequate, excessive, or poorly designed controls, and to build
appropriate controls into new programs.
Federal managers must carefully consider the appropriate balance
of controls in their programs and operations. Fulfilling
requirements to eliminate regulations (``Elimination of One-Half of
Executive Branch Internal Regulations,'' Executive Order 12861)
should reinforce to agency managers that too many controls can
result in inefficient and ineffective government, and therefore that
they must ensure an appropriate balance between too many controls
and too few controls. Managers should benefit from controls, not be
encumbered by them.
Agency Implementation. Appropriate management controls should be
integrated into each system established by agency management to
direct and guide its operations. A separate management control
process need not be instituted, particularly if its sole purpose is
to satisfy the Integrity Act's reporting requirements.
Agencies need to plan for how the requirements of this Circular
will be implemented. Developing a written strategy for internal
agency use may help ensure that appropriate action is taken
throughout the year to meet the objectives of the Integrity Act. The
absence of such a strategy may itself be a serious management
control deficiency.
Identifying and implementing the specific procedures necessary
to ensure good management controls, and determining how to evaluate
the effectiveness of those controls, is left to the discretion of
the agency head. However, agencies should implement and evaluate
controls without creating unnecessary processes, consistent with
recommendations made by the National Performance Review.
The President's Management Council, composed of the major
agencies' chief operating officers, has been established to foster
governmentwide management changes (``Implementing Management Reform
in the Executive Branch,'' October 1, 1993). Many agencies are
establishing their own senior management council, often chaired by
the agency's chief operating officer, to address management
accountability and related issues within the broader context of
agency operations. Relevant issues for such a council include
ensuring the agency's commitment to an appropriate system of
management controls; recommending to the agency head which control
deficiencies are sufficiently serious to report in the annual
Integrity Act report; and providing input for the level and priority
of resource needs to correct these deficiencies. (See also Section
III of this Circular.)
II. Establishing Management Controls
Definition of Management Controls. Management controls are the
organization, policies, and procedures used by agencies to
reasonably ensure that (i) programs achieve their intended results;
(ii) resources are used consistent with agency mission; (iii)
programs and resources are protected from waste, fraud, and
mismanagement; (iv) laws and regulations are followed; and (v)
reliable and timely information is obtained, maintained, reported
and used for decision making.
Management controls, in the broadest sense, include the plan of
organization, methods and procedures adopted by management to ensure
that its goals are met. Management controls include processes for
planning, organizing, directing, and controlling program operations.
A subset of management controls are the internal controls used to
assure that there is prevention or timely detection of unauthorized
acquisition, use, or disposition of the entity's assets.
Developing Management Controls. As Federal employees develop and
execute strategies for implementing or reengineering agency programs
and operations, they should design management structures that help
ensure accountability for results. As part of this process, agencies
and individual Federal managers must take systematic and proactive
measures to develop and implement appropriate, cost-effective
management controls. The expertise of the agency CFO and IG can be
valuable in developing appropriate controls.
Management controls guarantee neither the success of agency
programs, nor the absence of waste, fraud, and mismanagement, but
they are a means of managing the risk associated with Federal
programs and operations. To help ensure that controls are
appropriate and cost-effective, agencies should consider the extent
and cost of controls relative to the importance and risk associated
with a given program.
Standards. Agency managers shall incorporate basic management
controls in the strategies, plans, guidance and procedures that
govern their programs and operations. Controls shall be consistent
with the following standards, which are drawn in large part from the
``Standards for Internal Control in the Federal Government,'' issued
by the General Accounting Office (GAO).
General management control standards are:
Compliance With Law. All program operations,
obligations and costs must comply with applicable law and
regulation. Resources should be efficiently and effectively
allocated for duly authorized purposes.
Reasonable Assurance and Safeguards. Management
controls must provide reasonable assurance that assets are
safeguarded against waste, loss, unauthorized use, and
misappropriation. Management controls developed for agency programs
should be logical, applicable, reasonably complete, and effective
and efficient in accomplishing management objectives.
Integrity, Competence, and Attitude. Managers and
employees must have personal integrity and are obligated to support
the ethics programs in their agencies. The spirit of the Standards
of Ethical Conduct requires that they develop and implement
effective management controls and maintain a level of competence
that allows them to accomplish their assigned duties. Effective
communication within and between offices should be encouraged.
Specific management control standards are:
Delegation of Authority and Organization. Managers
should ensure that appropriate authority, responsibility and
accountability are defined and delegated to accomplish the mission
of the organization, and that an appropriate organizational
structure is established to effectively carry out program
responsibilities. To the extent possible, controls and related
decision-making authority should be in the hands of line managers
and staff.
Separation of Duties and Supervision. Key duties and
responsibilities in authorizing, processing, recording, and
reviewing official agency transactions should be separated among
individuals. Managers should exercise appropriate oversight to
ensure individuals do not exceed or abuse their assigned
authorities.
Access to and Accountability for Resources. Access to
resources and records should be limited to authorized individuals,
and accountability for the custody and use of resources should be
assigned and maintained.
Recording and Documentation. Transactions should be
promptly recorded, properly classified and accounted for in order to
prepare timely accounts and reliable financial and other reports.
The documentation for transactions, management controls, and other
significant events must be clear and readily available for
examination.
Resolution of Audit Findings and Other Deficiencies.
Managers should promptly evaluate and determine proper actions in
response to known deficiencies, reported audit and other findings,
and related recommendations. Managers should complete, within
established timeframes, all actions that correct or otherwise
resolve the appropriate matters brought to management's attention.
Other policy documents may describe additional specific
standards for particular functional or program activities. For
example, OMB Circular No. A-127, ``Financial Management Systems,''
describes government-wide requirements for financial systems. The
Federal Acquisition Regulations define requirements for agency
procurement activities.
III. Assessing and Improving Management Controls
Agency managers should continuously monitor and improve the
effectiveness of management controls associated with their programs.
This continuous monitoring, and other periodic evaluations, should
provide the basis for the agency head's annual
assessment of and report on management controls, as required by the
Integrity Act. Agency management should determine the appropriate
level of documentation needed to support this assessment.
Sources of Information. The agency head's assessment of
management controls can be performed using a variety of information
sources. Management has primary responsibility for monitoring and
assessing controls, and should use other sources as a supplement
to--not a replacement for--its own judgment. Sources of information
include:
Management knowledge gained from the daily operation of
agency programs and systems.
Management reviews conducted (i) expressly for the
purpose of assessing management controls, or (ii) for other purposes
with an assessment of management controls as a by-product of the
review.
IG and GAO reports, including audits, inspections,
reviews, investigations, outcome of hotline complaints, or other
products.
Program evaluations.
Audits of financial statements conducted pursuant to
the Chief Financial Officers Act, as amended, including: information
revealed in preparing the financial statements; the auditor's
reports on the financial statements, internal controls, and
compliance with laws and regulations; and any other materials
prepared relating to the statements.
Reviews of financial systems which consider whether the
requirements of OMB Circular No. A-127 are being met.
Reviews of systems and applications conducted pursuant
to the Computer Security Act of 1987 (40 U.S.C. 759 note) and OMB
Circular No. A-130, ``Management of Federal Information Resources.''
Annual performance plans and reports pursuant to the
Government Performance and Results Act.
Reports and other information provided by the
Congressional committees of jurisdiction.
Other reviews or reports relating to agency operations,
e.g. for the Department of Health and Human Services, quality
control reviews of the Medicaid and Aid to Families with Dependent
Children programs.
Use of a source of information should take into consideration
whether the process included an evaluation of management controls.
Agency management should avoid duplicating reviews which assess
management controls, and should coordinate their efforts with other
evaluations to the extent practicable.
If a Federal manager determines that there is insufficient
information available upon which to base an assessment of management
controls, then appropriate reviews should be conducted which will
provide such a basis.
Identification of Deficiencies. Agency managers and employees
should identify deficiencies in management controls from the sources
of information described above. A deficiency should be reported if
it is or should be of interest to the next level of management.
Agency employees and managers generally report deficiencies to the
next supervisory level, which allows the chain of command structure
to determine the relative importance of each deficiency.
A deficiency that the agency head determines to be significant
enough to be reported outside the agency (i.e. included in the
annual Integrity Act report to the President and the Congress) shall
be considered a ``material weakness.'' \1\ This designation requires
a judgment by agency managers as to the relative risk and
significance of deficiencies. Agencies may wish to use a different
term to describe less significant deficiencies, which are reported
only internally in an agency. In identifying and assessing the
relative importance of deficiencies, particular attention should be
paid to the views of the agency's IG.
\1\ This Circular's use of the term ``material weakness'' should
not be confused with use of the same term by government auditors to
identify management control weaknesses which, in their opinion, pose
a risk or a threat to the internal control systems of an audited
entity, such as a program or operation. Auditors are required to
identify and report those types of weaknesses at any level of
operation or organization, even if the management of the audited
entity would not report the weaknesses outside the agency.
---------------------------------------------------------------------------
Agencies should carefully consider whether systemic problems
exist that adversely affect management controls across
organizational or program lines. The Chief Financial Officer, the
Senior Procurement Executive, the Senior IRM Official, and the
managers of other functional offices should be involved in
identifying and ensuring correction of systemic deficiencies
relating to their respective functions.
Agency managers and staff should be encouraged to identify and
report deficiencies, as this reflects positively on the agency's
commitment to recognizing and addressing management problems.
Failing to report a known deficiency would reflect adversely on the
agency.
Role of A Senior Management Council. Many agencies have found
that a senior management council is a useful forum for assessing and
monitoring deficiencies in management controls. The membership of
such councils generally includes both line and staff management;
consideration should be given to involving the IG. Such councils
generally recommend to the agency head which deficiencies are deemed
to be material to the agency as a whole, and should therefore be
included in the annual Integrity Act report to the President and the
Congress. (Such a council need not be exclusively devoted to
management control issues.) This process will help identify
deficiencies that, although minor individually, may constitute a
material weakness in the aggregate. Such a council may also be
useful in determining when sufficient action has been taken to
declare that a deficiency has been corrected.
IV. Correcting Management Control Deficiencies
Agency managers are responsible for taking timely and effective
action to correct deficiencies identified by the variety of sources
discussed in Section III. Correcting deficiencies is an integral
part of management accountability and must be considered a priority
by the agency.
The extent to which corrective actions are tracked by the agency
should be commensurate with the severity of the deficiency.
Corrective action plans should be developed for all material
weaknesses, and progress against plans should be periodically
assessed and reported to agency management. Management should track
progress to ensure timely and effective results. For deficiencies
that are not included in the Integrity Act report, corrective action
plans should be developed and tracked internally at the appropriate
level.
A determination that a deficiency has been corrected should be
made only when sufficient corrective actions have been taken and the
desired results achieved. This determination should be in writing,
and along with other appropriate documentation, should be available
for review by appropriate officials. (See also role of senior
management council in Section III.)
As managers consider IG and GAO audit reports in identifying and
correcting management control deficiencies, they must be mindful of
the statutory requirements for audit followup included in the IG
Act, as amended. Under this law, management has a responsibility to
complete action, in a timely manner, on audit recommendations on
which agreement with the IG has been reached. 5 U.S.C. Appendix 3.
(Management must make a decision regarding IG audit recommendations
within a six month period and implementation of management's
decision should be completed within one year to the extent
practicable.) Agency managers and the IG share responsibility for
ensuring that IG Act requirements are met.
V. Reporting on Management Controls
Reporting Pursuant to Section 2. 31 U.S.C. 3512(d)(2) (commonly
referred to as Section 2 of the Integrity Act) requires that
annually by December 31, the head of each executive agency submit to
the President and the Congress (i) a statement on whether there is
reasonable assurance that the agency's controls are achieving their
intended objectives; and (ii) a report on material weaknesses in the
agency's controls. OMB may provide guidance on the composition of
the annual report.
Statement of Assurance. The statement on reasonable
assurance represents the agency head's informed judgment as to the
overall adequacy and effectiveness of management controls within the
agency. The statement must take one of the following forms:
statement of assurance; qualified statement of assurance,
considering the exceptions explicitly noted; or statement of no
assurance.
In deciding on the type of assurance to provide, the agency head
should consider information from the sources described in Section
III of this Circular, with input from senior program and
administrative officials and the IG. The agency head must describe
the analytical basis for the type of assurance being provided, and
the extent to which agency activities were assessed. The statement
of assurance must be signed by the agency head.
Report on Material Weaknesses. The Integrity Act report
must include agency plans to correct the material weaknesses and
progress against those plans.
Reporting Pursuant to Section 4. 31 U.S.C. 3512(d)(2)(B)
(commonly referred to as Section 4 of the Integrity Act) requires an
annual statement on whether the agency's financial management
systems conform with government-wide requirements. These financial
systems requirements are presented in OMB Circular No. A-127,
``Financial Management Systems,'' section 7. If the agency does not
conform with financial systems requirements, the statement must
discuss the agency's plans for bringing its systems into compliance.
If the agency head judges a deficiency in financial management
systems and/or operations to be material when weighed against other
agency deficiencies, the issue must be included in the annual
Integrity Act report in the same manner as other material
weaknesses.
Distribution of Integrity Act Report. The assurance statements
and information related to both Sections 2 and 4 should be provided
in a single Integrity Act report. Copies of the report are to be
transmitted to the President; the President of the Senate; the
Speaker of the House of Representatives; the Director of OMB; and
the Chairpersons and Ranking Members of the Senate Committee on
Governmental Affairs, the House Committee on Government Reform and
Oversight, and the relevant authorizing and appropriations
committees and subcommittees. In addition, 10 copies of the report
are to be provided to OMB's Office of Federal Financial Management,
Management Integrity Branch. Agencies are also encouraged to make
their reports available electronically.
Streamlined Reporting. The Government Management Reform Act
(GMRA) of 1994 (P.L. 103-356) permits OMB for fiscal years 1995
through 1997 to consolidate or adjust the frequency and due dates of
certain statutory financial management reports after consultation
with the Congress. GMRA prompted the CFO Council to recommend to OMB
a new approach towards financial management reporting which could
help integrate management initiatives. This proposal is being
pilot-tested by several agencies for FY 1995. Further information on the
implications of this initiative for other agencies will be issued by
OMB after the pilot reports have been evaluated. In the meantime,
the reporting requirements outlined in this Circular remain valid
except for those agencies identified as pilots by OMB.
Under the CFO Council approach, agencies would consolidate
Integrity Act information with other performance-related reporting
into a broader ``Accountability Report'' to be issued annually by
the agency head. This report would be issued as soon as possible
after the end of the fiscal year, but no later than March 31 for
agencies producing audited financial statements and December 31 for
all other agencies. The proposed ``Accountability Report'' would
integrate the following information: the Integrity Act report,
management's Report on Final Action as required by the IG Act, the
CFOs Act Annual Report (including audited financial statements),
Civil Monetary Penalty and Prompt Payment Act reports, and available
information on agency performance compared to its stated goals and
objectives, in preparation for implementation of the GPRA.
Government Corporations. Section 306 of the Chief Financial
Officers Act established a reporting requirement related to
management controls for corporations covered by the Government
Corporation and Control Act. 31 U.S.C. 9106. These corporations must
submit an annual management report to the Congress not later than
180 days after the end of the corporation's fiscal year.
This report must include, among other items, a statement on
control systems by the head of the management of the corporation
consistent with the requirements of the Integrity Act.
The corporation is required to provide the President, the
Director of OMB, and the Comptroller General a copy of the
management report when it is submitted to Congress.
[FR Doc. 95-15828 Filed 6-28-95; 8:45 am]