1 / 33

OMB Circular A-123, Management s Responsibility for Internal Control and Internal Control Review Processes for Acquisiti

OMB Circular A-123, Management's Responsibility for Internal Control. Revision Issued: December 2004Effective: Beginning in Fiscal Year 2006Purpose: Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by:- establishing,- assessing,- correcting, and- reportingon internal control.Authority: Includes but is not limited to Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512 .

Download Presentation

OMB Circular A-123, Management s Responsibility for Internal Control and Internal Control Review Processes for Acquisiti

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. OMB Circular A-123, Management’s Responsibility for Internal Control and Internal Control Review Processes for Acquisition and Financial Assistance Kate B. Oliver and Patricia E. Corrigan DOI Office of Acquisition and Property Management U.S. Department of the Interior Business Conference Hunt Valley, Maryland May 24, 2006

    2. OMB Circular A-123, Management’s Responsibility for Internal Control Revision Issued: December 2004 Effective: Beginning in Fiscal Year 2006 Purpose: Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by: - establishing, - assessing, - correcting, and - reporting on internal control. Authority: Includes but is not limited to Federal Managers’ Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512 Statutory requirements that should also be considered as part of an agency’s internal control framework include: FMFIA Government Performance and Results Act (GPRA) Chief Financial Officers Act, as amended (CFO Act) Inspector General Act of 1978, as amended (IG Act) Federal Financial Management Improvement Act of 1996 (FFMIA) Federal Information Security Management Act of 2002 (FISMA) Improper Payments Information Act of 2002 (IPIA) Single Audit Act, as amended Clinger-Cohen Act of 1996 Statutory requirements that should also be considered as part of an agency’s internal control framework include: FMFIA Government Performance and Results Act (GPRA) Chief Financial Officers Act, as amended (CFO Act) Inspector General Act of 1978, as amended (IG Act) Federal Financial Management Improvement Act of 1996 (FFMIA) Federal Information Security Management Act of 2002 (FISMA) Improper Payments Information Act of 2002 (IPIA) Single Audit Act, as amended Clinger-Cohen Act of 1996

    3. Internal Controls Defined Internal controls are the organization, policies, procedures, actions, and activities that management implements to ensure that goals and objectives are met. Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner. Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. Internal control – organization, policies, and procedures – are tools to help managers achieve results and safeguard the integrity of their programs and it applies to program, operational, and administrative areas not just accounting and financial management.

    4. Internal Control Objectives Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved: - Effectiveness and efficiency of program activities and operations - Reliable, complete, and timely data are maintained - Compliance with applicable laws and regulations - Programs and resources are protected from waste, fraud, and mismanagement

    5. RISK Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, BUT is a means of managing the risk associated with Federal programs and operations. Managers should define the control environment (e.g., programs, operations, reporting) and perform risk assessments to identify the most significant areas within that environment in which to place or enhance internal control. The risk assessment is a critical step in the process to determine the extent of controls. Once significant areas have been identified, control activities should be implemented. Continuous monitoring and testing should help identify poorly designed or ineffective controls and should be reported. Management is then responsible for redesigning or improving upon those controls. Financial Reporting, Revenue Management, Funds Management, Financial Assistance (grants and cooperative agreements), Inventory Management Environmental Management, Custodial Collections, Custodial Distributions, Budget Execution, Human Capital Management, Procurement, Contracting, Franchise Activities, Credit Program Management, Real Property Management, and Information Technology are control environments. Agency managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular programs and operations. We cannot rely on auditors instead of doing our own internal control reviews BUT we must consider results of OIG, GAO, and other reviews in performing risk assessments and preparing assurance statements.Financial Reporting, Revenue Management, Funds Management, Financial Assistance (grants and cooperative agreements), Inventory Management Environmental Management, Custodial Collections, Custodial Distributions, Budget Execution, Human Capital Management, Procurement, Contracting, Franchise Activities, Credit Program Management, Real Property Management, and Information Technology are control environments. Agency managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular programs and operations. We cannot rely on auditors instead of doing our own internal control reviews BUT we must consider results of OIG, GAO, and other reviews in performing risk assessments and preparing assurance statements.

    6. Who is Responsible for Internal Control in Federal Agencies? Management has a fundamental responsibility to develop and maintain effective internal control. The proper stewardship of Federal resources is an essential responsibility of agency managers and staff. Federal employees must ensure that Federal programs operate and Federal resources are used efficiently and effectively to achieve desired objectives. Programs must operate and resources must be used consistent with agency missions, in compliance with laws and regulations, and with minimal potential for waste, fraud, and mismanagement.

    7. Actions Required by Management Agencies and individual Federal managers must take systematic and proactive measures to: Develop and implement appropriate, cost-effective internal control for results-oriented management; Assess the adequacy of internal control in Federal programs and operations; Identify needed improvements; Take corresponding corrective action; and Report annually on internal control through management assurance statements.

    8. QUIZ Internal control only applies to accounting and financial management. (True/False) Internal control is basically a post-award “inspection”-type process. (True/False) Internal control guarantees the success of agency programs and the absence of waste, fraud, and mismanagement. (True/False) OMB Circular A-123 (Revised) states that only Federal managers are responsible for ensuring that Federal programs operate and Federal resources are used efficiently and effectively to achieve desired objectives. (True/False) Internal control is a means of identifying and managing risk associated with Federal programs and operations. (True/False) Internal controls are the organization, policies, procedures, actions, and activities that management implements to ensure that goals and objectives are met. (True/False) Federal managers must report annually on internal control through management assurance statements. (True/False) False False False False True True True False False False False True True True

    9. Internal Control Standards – Two Approaches OLD CIRCULAR A-123 General Control Standards Compliance with Laws and Regulations Reasonable Assurance and Safeguards Integrity, Competence, and Attitude Specific Standards Delegation of Authority and Organization Separation of Duties and Supervision Access to and Accountability for Resources Recording and Documentation Resolution of Audit Findings and Other Deficiencies CIRCULAR A-123 (Revised) Emphasizes management’s responsibility for developing and maintaining internal control activities that comply with standards related to: Control Environment Risk Assessment Control Activities Information and Communications Monitoring

    10. Control Environment Emphasizes importance of establishing organizational structure and culture by management and employees to sustain support for effective internal control. This includes: Well defined areas of authority and responsibility; Appropriate delegation of authority and responsibility throughout the agency; Establishment of a suitable hierarchy for reporting; Supporting appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating and disciplining personnel; and Upholding the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties as well as understand the importance of maintaining effective internal control within the organization.

    11. Control Environment (Continued) The organizational culture is also crucial within the control environment standard. The culture should be defined by management’s leadership in setting values of integrity and ethical behavior. Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal control should cascade down and permeate the organization’s control environment which will aid in the successful implementation of internal control systems.

    12. Risk Assessment Management should identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as with outside organizations. Management should also consider previous findings, e.g., auditor identified, internal management reviews, or non-compliance with laws and regulations when identifying risks. Identified risks should then be analyzed for their potential effect or impact on the agency.

    13. Control Activities Control activities include policies, procedures and mechanisms in place to address or mitigate risk and help ensure internal control objectives are met. Examples include: Proper segregation of duties and supervision; Access to and accountability for resources, e.g., physical control over assets; Appropriate recording and documentation and access to that documentation; and General and application controls over information systems

    14. Information and Communications Information should be communicated to all relevant personnel at all levels within an organization. Information should be relevant, reliable, and timely. It is also crucial that an agency communicate with outside organizations as well, whether providing information or receiving it. Examples include: Receiving updated guidance from central oversight offices; Management communicating requirements to the operational staff; Operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.

    15. Monitoring I Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in the agency’s operations. NEWS FLASH: If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year.

    16. Monitoring II Deficiencies found in internal control should be reported to the appropriate personnel and management responsible for that area. Please note, you cannot prepare an annual internal control assurance statement for your function if: Deficiencies identified, whether through internal review or by an external audit, are not evaluated and corrected. A systematic process is not in place for addressing deficiencies.

    17. The Old A-123 Standards are Still in the Revised A-123 but Instead of Standing Alone as in the Old Process, the Standards are Now Grouped and Assessments Can be Made Through a More Comprehensive Framework That Better Identifies the Sources of Systemic and Compliance Weaknesses This is called a “Cause-and-effect”, an Ishikawa, or a Fishbone diagram. It is a wonderful tool for illustrating how various factors might be linked to potential problems or effects.This is called a “Cause-and-effect”, an Ishikawa, or a Fishbone diagram. It is a wonderful tool for illustrating how various factors might be linked to potential problems or effects.

    18. GAO Framework for Assessing the Acquisition Function at Federal Agencies Issued September 2005 Developed to assess the strengths and weaknesses of agencies’ acquisition functions. Framework comprises four interrelated cornerstones that promote an efficient, effective, and accountable acquisition function: - Organizational Alignment and Leadership - Policies and Processes - Human Capital - Knowledge and Information Management

    19. Organizational Alignment and Leadership Appropriate placement of the acquisition function in the agency, with stakeholders having clearly defined roles and responsibilities. While there is no single, optimal way to organize an agency’s acquisition function, each agency must assess whether the current placement of its acquisition function is meeting organizational needs and that any associated risk is identified and mitigated. Committed leadership enables officials to make strategic decisions that achieve agency-wide acquisitions more effectively and efficiently. Critical success factors to be evaluated/assessed in this area include: - Assuring appropriate placement of the acquisition function - Organizing the acquisition function to operate strategically - Clearly defining and integrating roles and responsibilities - Clear, strong, and ethical executive leadership - Effective communications and continuous improvement

    20. Policies and Processes Implementing strategic decisions to achieve desired agency-wide outcomes requires clear and transparent policies and processes that are implemented consistently. Policies: establish expectations about management of a function Processes: means by which management functions will be performed and implemented in support of agency missions. Effective policies and processes govern the planning, award, administration, and oversight of acquisition efforts, with a focus on assuring that these efforts achieve intended results. Critical success factors to be evaluated/assessed in this area include: - Partnering with internal organizations - Assessing internal requirements and the impact of external events - Managing and engaging suppliers - Monitoring and providing oversight to achieve desired outcomes - Enabling financial accountability - Using sound Capital Investment strategies

    21. Human Capital Successfully acquiring goods and services and executing and monitoring contracts to help the agency meet its missions requires valuing and investing in the acquisition workforce. Agencies must think strategically about attracting, developing, and retaining talent, and creating a results-oriented culture within the acquisition workforce. Critical success factors to be evaluated/assessed in this area include: - Commitment to human capital management - Integration and alignment - Data-driven human capital decisions - Targeted investments in people - Human capital approaches tailored to meet organizational needs - Empowerment and inclusiveness - Unit and individual performance linked to organizational goals

    22. Knowledge and Information Management Effective knowledge and information management provides credible, reliable, and timely data to make acquisition decisions. Each stakeholder in the acquisition process-program and acquisition personnel who decide which goods and services to buy; project managers who receive goods and services from contractors; contract administrators who oversee compliance with the contracts; finance which pays for the goods and services; policy and management-need meaningful data to perform their respective roles and responsibilities. Critical success factors to be evaluated/assessed in this area include: - tracking acquisition data - tracking financial data into meaningful formats - analyzing goods and services spending - safeguarding the integrity of operations and data stewardship

    23. The GAO Framework is Built on a Foundation of Strong Internal Control Which Serves as the First Line of Defense in Safeguarding Assets and Preventing and Detecting Errors and Weaknesses

    24. DOI OIG Framework to Promote Accountability in Interior’s Grants Management Issued: Fall 2005 Identified internal controls necessary to effectively manage grants and create a culture of accountability and stewardship: - Produce Reliable Data - Solicit Competition - Monitor Grants Effectively - Write Effective Grant Agreements - Provide Adequate Training - Streamline Policies and Procedures - Establish Measurable Goals (performance metrics)

    25. Each One of the Controls Identified in the OIG Framework Fits Into at Least One of the Four Major Standard Categories Identified Below

    26. Assessing Internal Control In conducting your reviews of internal control in the acquisition and financial assistance functions, use the standards in the GAO and OIG frameworks as the “lens” or the evaluation factors with which to assess the functions, identify areas of risk and weakness, and develop and implement corrective action plans. Additional sources of information in preparing for and conducting reviews include: Knowledge gained from the daily operation of programs and systems OIG and GAO reports, including audits, inspections, reviews, investigations Management reviews conducted (i) expressly for the purpose of assessing internal control, or (ii) for other purposes with an assessment of internal control as a by-product of the review Program evaluations, past reviews, corrective action plans Annual performance plans and reports pursuant to GPRA Single Audit reports (for financial assistance) The agency’s Performance and Accountability Report Agency Budget and Strategic Plan Performance plans

    27. Assessing Internal Control Identify deficiencies from reviews and other sources of information described above. Report deficiencies in accordance with annual guidelines, e.g., PFM’s Guidelines for FY 2006 Internal Control and Audit Follow-up Programs, as supplemented by PAM’s FY 2006 Internal Control/Departmental Functional Review Guidance for Acquisition, Financial Assistance, and Property Management. A control deficiency or combination of control deficiencies that in management’s judgment represents significant deficiencies in the design or operation of internal control that could adversely affect the function’s ability to meet its internal control objectives is a reportable condition (to be tracked and monitored within the bureau). A reportable condition that the agency head determines to be significant enough to be reported outside the agency shall be considered a material weakness. Managers and staff are encouraged to identify control deficiencies, as this reflects positively on the bureau’s commitment to recognizing and addressing management problems. Failing to report a known reportable condition reflects adversely on the bureau and continues to place its operations at risk..

    28. Assessing Internal Control In preparing their reports and assurance statements, bureaus must carefully compare and review the results of all the reviews conducted during the reporting cycle and consider whether systemic weaknesses exist that adversely affect internal control across organizational or program lines. They must then develop a plan of action for addressing these types of weaknesses in addition to the individual corrective action plans resulting from each review.

    29. Correcting Internal Control Deficiencies Corrective actions plans must be developed to correct deficiencies identified in reviews. Managers are responsible for taking timely and effective action to implement corrective actions. Progress must be tracked at the appropriate level to ensure timely and effective results. Completion of material weakness corrective action plans must be reviewed and validated by the DOI Office of Financial Management and/or OIG staff. Therefore, bureaus/offices are expected to maintain appropriate supporting documentation regarding corrective action plan implementation in order to support closure.

    30. Reporting on Internal Control DOI has established an integrated organizational structure to implement its internal control program. This structure uses the building block principle: It starts with the individual program manager and ascends to the Bureau and Office Director, to the program assistant secretary, and ultimately to the Secretary. Bureaus and offices should ensure that subordinate managers provide assurance statements to support the Bureau or Office Director’s assurance to the program assistant secretary. As indicated in the 2006 Internal Control/Departmental Functional Review Guidance for Acquisition, Financial Assistance, and Property Management, Bureau and office acquisition managers must coordinate issuance of their annual internal control assessment report with their respective Bureau Management Control Coordinator and ensure that their reports are signed by the Assistant Director – Administration, or bureau equivalent, prior to submission to the Office of Acquisition and Property Management.

    31. Reporting on Internal Control Bureau internal control assessment reports for both acquisition and financial assistance must include the following: findings of management reviews performed and corrective action plans implemented (including timeframes for complete implementation of corrective actions); summary findings of applicable OIG, GAO, and third party Notices of Finding and Recommendations, and corrective plans implemented (including timeframes for complete implementation of corrective actions); bureau-wide targets review and supplementary reports; and an assurance statement regarding the adequacy of bureau-wide internal controls, i.e., assurance that processes are in place for the bureaus to: (1) prevent or promptly detect unauthorized acquisition, use, or disposition of assets; and (2) implement and monitor corrective actions for identified compliance or systemic weaknesses in order to bring identified weaknesses in bureau acquisition and financial assistance processes/procedures into compliance with applicable laws, regulations, and policy.

    32. Assurance Statements Bureaus/offices have two assurance statement requirements during FY 2006: Assurance statement on the effectiveness of internal controls over financial reporting as of 06/30/2006 due to the Assistant Secretary – Policy, Management and Budget (AS/PMB) and the Office of Financial Management by July 31, 2006; and FY 2006 Final Assurance Statement covering all programs and operations is due to the AS/PMB and Office of Financial Management on or before September 15, 2006. The assurance statements that you prepare for acquisition, financial assistance, and property management must be included in your bureau’s/office’s Final Assurance Statement covering all programs and operations, i.e., Assurance Statement #2.

    33. Assurance QUIZ – Double Jeopardy Management is required to: a. Provide absolute assurance of internal control OR b. Provide reasonable assurance of internal control

    34. RESOURCES DOI Office of Acquisition and Property Management Website: http://www.doi.gov/pam (GAO Framework can be accessed under “Acquisition”) DOI Office of Financial Management Website: http://www.doi.gov/pfm DOI Office of Inspector General Website: http://www.oig.doi.gov Office of Management and Budget Website: http://www..whitehouse.gov/omb Government Accountability Office Website: http://www.gao.gov

More Related