OMB Circular A-123, Management

1
OMB Circular A-123, Managements Responsibility
for Internal Controland Internal Control Review
Processes for Acquisition and Financial Assistance

• Kate B. Oliver and Patricia E. Corrigan
• DOI Office of Acquisition and Property Management
• U.S. Department of the Interior Business
  Conference
• Hunt Valley, Maryland
• May 24, 2006

2
OMB Circular A-123, Managements Responsibility
for Internal Control

• Revision Issued December 2004
• Effective Beginning in Fiscal Year 2006
• Purpose Provides guidance to Federal managers
  on improving the accountability and effectiveness
  of Federal programs and operations by
• - establishing,
• - assessing,
• - correcting, and
• - reporting
• on internal control.
• Authority Includes but is not limited to
  Federal Managers Financial Integrity Act of 1982
  as codified in 31 U.S.C. 3512

3
Internal Controls Defined

• Internal controls are the organization, policies,
  procedures, actions, and activities that
  management implements to ensure that goals and
  objectives are met.
• Effective internal control provides assurance
  that significant weaknesses in the design or
  operation of internal control, that could
  adversely affect the agencys ability to meet its
  objectives, would be prevented or detected in a
  timely manner.
• Internal control should be an integral part of
  the entire cycle of planning, budgeting,
  management, accounting, and auditing. It should
  support the effectiveness and the integrity of
  every step of the process and provide continual
  feedback to management.
• Internal control organization, policies, and
  procedures are tools to help managers achieve
  results and safeguard the integrity of their
  programs and it applies to program, operational,
  and administrative areas not just accounting and
  financial management.

4
Internal Control Objectives

• Internal control is an integral component of an
  organizations management that provides
  reasonable assurance that the following
  objectives are being achieved
• - Effectiveness and efficiency of program
  activities and operations
• - Reliable, complete, and timely data are
  maintained
• - Compliance with applicable laws and
  regulations
• - Programs and resources are protected from
  waste, fraud, and
• mismanagement

5
RISK

• Internal control guarantees neither the success
  of agency programs, nor the absence of waste,
  fraud, and mismanagement, BUT is a means of
  managing the risk associated with Federal
  programs and operations.
• Managers should define the control environment
  (e.g., programs, operations, reporting) and
  perform risk assessments to identify the most
  significant areas within that environment in
  which to place or enhance internal control.
• The risk assessment is a critical step in the
  process to determine the extent of controls.
• Once significant areas have been identified,
  control activities should be implemented.
• Continuous monitoring and testing should help
  identify poorly designed or ineffective controls
  and should be reported.
• Management is then responsible for redesigning or
  improving upon those controls.

6
Who is Responsible for Internal Control in
Federal Agencies?

• Management has a fundamental responsibility to
  develop and maintain effective internal control.
  The proper stewardship of Federal resources is an
  essential responsibility of agency managers and
  staff.
• Federal employees must ensure that Federal
  programs operate and Federal resources are used
  efficiently and effectively to achieve desired
  objectives.
• Programs must operate and resources must be used
  consistent with agency missions, in compliance
  with laws and regulations, and with minimal
  potential for waste, fraud, and mismanagement.

7
Actions Required by Management

• Agencies and individual Federal managers must
  take systematic and proactive measures to
• Develop and implement appropriate, cost-effective
  internal control for results-oriented management
• Assess the adequacy of internal control in
  Federal programs and operations
• Identify needed improvements
• Take corresponding corrective action and
• Report annually on internal control through
  management assurance statements.

8
QUIZ

• Internal control only applies to accounting and
  financial management. (True/False)
• Internal control is basically a post-award
  inspection-type process. (True/False)
• Internal control guarantees the success of agency
  programs and the absence of waste, fraud, and
  mismanagement. (True/False)
• OMB Circular A-123 (Revised) states that only
  Federal managers are responsible for ensuring
  that Federal programs operate and Federal
  resources are used efficiently and effectively to
  achieve desired objectives. (True/False)
• Internal control is a means of identifying and
  managing risk associated with Federal programs
  and operations. (True/False)
• Internal controls are the organization, policies,
  procedures, actions, and activities that
  management implements to ensure that goals and
  objectives are met. (True/False)
• Federal managers must report annually on internal
  control through management assurance statements.
  (True/False)

9
Internal Control Standards Two Approaches

• OLD CIRCULAR A-123
• General Control Standards
• Compliance with Laws and Regulations
• Reasonable Assurance and Safeguards
• Integrity, Competence, and Attitude
• Specific Standards
• Delegation of Authority and Organization
• Separation of Duties and Supervision
• Access to and Accountability for Resources
• Recording and Documentation
• Resolution of Audit Findings and Other
  Deficiencies

• CIRCULAR A-123 (Revised)
• Emphasizes managements responsibility for
  developing and maintaining internal control
  activities that comply with standards related
  to
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communications
• Monitoring

10
Control Environment

• Emphasizes importance of establishing
  organizational structure and culture by
  management and employees to sustain support for
  effective internal control. This includes
• Well defined areas of authority and
  responsibility
• Appropriate delegation of authority and
  responsibility throughout the agency
• Establishment of a suitable hierarchy for
  reporting
• Supporting appropriate human capital policies for
  hiring, training, evaluating, counseling,
  advancing, compensating and disciplining
  personnel and
• Upholding the need for personnel to possess and
  maintain the proper knowledge and skills to
  perform their assigned duties as well as
  understand the importance of maintaining
  effective internal control within the
  organization.

11
Control Environment (Continued)

• The organizational culture is also crucial within
  the control environment standard. The culture
  should be defined by managements leadership in
  setting values of integrity and ethical behavior.
• Managements philosophy and operational style
  will set the tone within the organization.
• Managements commitment to establishing and
  maintaining effective internal control should
  cascade down and permeate the organizations
  control environment which will aid in the
  successful implementation of internal control
  systems.

12
Risk Assessment

• Management should identify internal and external
  risks that may prevent the organization from
  meeting its objectives.
• When identifying risks, management should take
  into account relevant interactions within the
  organization as well as with outside
  organizations.
• Management should also consider previous
  findings, e.g., auditor identified, internal
  management reviews, or non-compliance with laws
  and regulations when identifying risks.
• Identified risks should then be analyzed for
  their potential effect or impact on the agency.

13
Control Activities

• Control activities include policies, procedures
  and mechanisms in place to address or mitigate
  risk and help ensure internal control objectives
  are met. Examples include
• Proper segregation of duties and supervision
• Access to and accountability for resources, e.g.,
  physical control over assets
• Appropriate recording and documentation and
  access to that documentation and
• General and application controls over information
  systems

14
Information and Communications

• Information should be communicated to all
  relevant personnel at all levels within an
  organization.
• Information should be relevant, reliable, and
  timely.
• It is also crucial that an agency communicate
  with outside organizations as well, whether
  providing information or receiving it.
• Examples include
• Receiving updated guidance from central oversight
  offices
• Management communicating requirements to the
  operational staff
• Operational staff communicating with the
  information systems staff to modify application
  software to extract data requested in the
  guidance.

15
Monitoring I

• Monitoring the effectiveness of internal control
  should occur in the normal course of business.
• In addition, periodic reviews, reconciliations or
  comparisons of data should be included as part of
  the regular assigned duties of personnel.
• Periodic assessments should be integrated as part
  of managements continuous monitoring of internal
  control, which should be ingrained in the
  agencys operations.
• NEWS FLASH If an effective continuous monitoring
  program is in place, it can level the resources
  needed to maintain effective internal controls
  throughout the year.

16
Monitoring II

• Deficiencies found in internal control should be
  reported to the appropriate personnel and
  management responsible for that area.
• Please note, you cannot prepare an annual
  internal control assurance statement for your
  function if
• Deficiencies identified, whether through internal
  review or by an external audit, are not evaluated
  and corrected.
• A systematic process is not in place for
  addressing deficiencies.

17
The Old A-123 Standards are Still in the Revised
A-123 but Instead of Standing Alone as in the Old
Process, the Standards are Now Grouped and
Assessments Can be Made Through a More
Comprehensive Framework That Better Identifies
the Sources of Systemic and Compliance Weaknesses
Control Environment
Risk Assessment
Defects/Weaknesses
Information and Communications
Monitoring
Control Activities
Potential Causes
Effect
18
GAO Framework for Assessing the Acquisition
Function at Federal Agencies

• Issued September 2005
• Developed to assess the strengths and weaknesses
  of agencies acquisition functions.
• Framework comprises four interrelated
  cornerstones that promote an efficient,
  effective, and accountable acquisition function
• - Organizational Alignment and Leadership
• - Policies and Processes
• - Human Capital
• - Knowledge and Information Management

19
Organizational Alignment and Leadership

• Appropriate placement of the acquisition function
  in the agency, with stakeholders having clearly
  defined roles and responsibilities.
• While there is no single, optimal way to organize
  an agencys acquisition function, each agency
  must assess whether the current placement of its
  acquisition function is meeting organizational
  needs and that any associated risk is identified
  and mitigated.
• Committed leadership enables officials to make
  strategic decisions that achieve agency-wide
  acquisitions more effectively and efficiently.
• Critical success factors to be evaluated/assessed
  in this area include
• - Assuring appropriate placement of the
  acquisition function
• - Organizing the acquisition function to
  operate strategically
• - Clearly defining and integrating roles and
  responsibilities
• - Clear, strong, and ethical executive
  leadership
• - Effective communications and continuous
  improvement

20
Policies and Processes

• Implementing strategic decisions to achieve
  desired agency-wide outcomes requires clear and
  transparent policies and processes that are
  implemented consistently.
• Policies establish expectations about management
  of a function
• Processes means by which management functions
  will be performed and implemented in support of
  agency missions.
• Effective policies and processes govern the
  planning, award, administration, and oversight of
  acquisition efforts, with a focus on assuring
  that these efforts achieve intended results.
• Critical success factors to be evaluated/assessed
  in this area include
• - Partnering with internal organizations
• - Assessing internal requirements and the
  impact of external events
• - Managing and engaging suppliers
• - Monitoring and providing oversight to achieve
  desired outcomes
• - Enabling financial accountability
• - Using sound Capital Investment strategies

21
Human Capital

• Successfully acquiring goods and services and
  executing and monitoring contracts to help the
  agency meet its missions requires valuing and
  investing in the acquisition workforce.
• Agencies must think strategically about
  attracting, developing, and retaining talent, and
  creating a results-oriented culture within the
  acquisition workforce.
• Critical success factors to be evaluated/assessed
  in this area include
• - Commitment to human capital management
• - Integration and alignment
• - Data-driven human capital decisions
• - Targeted investments in people
• - Human capital approaches tailored to meet
  organizational needs
• - Empowerment and inclusiveness
• - Unit and individual performance linked to
  organizational goals

22
Knowledge and Information Management

• Effective knowledge and information management
  provides credible, reliable, and timely data to
  make acquisition decisions.
• Each stakeholder in the acquisition
  process-program and acquisition personnel who
  decide which goods and services to buy project
  managers who receive goods and services from
  contractors contract administrators who oversee
  compliance with the contracts finance which pays
  for the goods and services policy and
  management-need meaningful data to perform their
  respective roles and responsibilities.
• Critical success factors to be evaluated/assessed
  in this area include
• - tracking acquisition data
• - tracking financial data into meaningful
  formats
• - analyzing goods and services spending
• - safeguarding the integrity of operations and
  data stewardship

23
The GAO Framework is Built on a Foundation of
Strong Internal Control Which Serves as the First
Line of Defense in Safeguarding Assets and
Preventing and Detecting Errors and Weaknesses
Policies and Processes (includes Monitoring
Processes)
Organizational Alignment And Leadership
Defects/ Weaknesses
Knowledge and Information Management
Human Capital
E
Effect
Potential Causes
24
DOI OIG Framework to Promote Accountability in
Interiors Grants Management

• Issued Fall 2005
• Identified internal controls necessary to
  effectively manage grants and create a culture of
  accountability and stewardship
• - Produce Reliable Data
• - Solicit Competition
• - Monitor Grants Effectively
• - Write Effective Grant Agreements
• - Provide Adequate Training
• - Streamline Policies and Procedures
• - Establish Measurable Goals (performance
  metrics)

25
Each One of the Controls Identified in the OIG
Framework Fits Into at Least One of the Four
Major Standard Categories Identified Below
Policies and Processes (Includes Monitoring
Processes)
Organizational Alignment and Leadership
Defects/Weaknesses, e.g. Lack of Accountability
and Transparency
Knowledge and Information Management
Human Capital
Potential Causes
Effect
26
Assessing Internal Control

• In conducting your reviews of internal control in
  the acquisition and financial assistance
  functions, use the standards in the GAO and OIG
  frameworks as the lens or the evaluation
  factors with which to assess the functions,
  identify areas of risk and weakness, and develop
  and implement corrective action plans.
• Additional sources of information in preparing
  for and conducting reviews include
• Knowledge gained from the daily operation of
  programs and systems
• OIG and GAO reports, including audits,
  inspections, reviews, investigations
• Management reviews conducted (i) expressly for
  the purpose of assessing internal control, or
  (ii) for other purposes with an assessment of
  internal control as a by-product of the review
• Program evaluations, past reviews, corrective
  action plans
• Annual performance plans and reports pursuant to
  GPRA
• Single Audit reports (for financial assistance)
• The agencys Performance and Accountability
  Report
• Agency Budget and Strategic Plan
• Performance plans

27
Assessing Internal Control

• Identify deficiencies from reviews and other
  sources of information described above.
• Report deficiencies in accordance with annual
  guidelines, e.g., PFMs Guidelines for FY 2006
  Internal Control and Audit Follow-up Programs, as
  supplemented by PAMs FY 2006 Internal
  Control/Departmental Functional Review Guidance
  for Acquisition, Financial Assistance, and
  Property Management.
• A control deficiency or combination of control
  deficiencies that in managements judgment
  represents significant deficiencies in the design
  or operation of internal control that could
  adversely affect the functions ability to meet
  its internal control objectives is a reportable
  condition (to be tracked and monitored within the
  bureau).
• A reportable condition that the agency head
  determines to be significant enough to be
  reported outside the agency shall be considered a
  material weakness.
• Managers and staff are encouraged to identify
  control deficiencies, as this reflects positively
  on the bureaus commitment to recognizing and
  addressing management problems. Failing to
  report a known reportable condition reflects
  adversely on the bureau and continues to place
  its operations at risk..

28
Assessing Internal Control

• In preparing their reports and assurance
  statements, bureaus must carefully compare and
  review the results of all the reviews conducted
  during the reporting cycle and consider whether
  systemic weaknesses exist that adversely affect
  internal control across organizational or program
  lines. They must then develop a plan of action
  for addressing these types of weaknesses in
  addition to the individual corrective action
  plans resulting from each review.

29
Correcting Internal Control Deficiencies

• Corrective actions plans must be developed to
  correct deficiencies identified in reviews.
• Managers are responsible for taking timely and
  effective action to implement corrective actions.
• Progress must be tracked at the appropriate level
  to ensure timely and effective results.
• Completion of material weakness corrective action
  plans must be reviewed and validated by the DOI
  Office of Financial Management and/or OIG staff.
  Therefore, bureaus/offices are expected to
  maintain appropriate supporting documentation
  regarding corrective action plan implementation
  in order to support closure.

30
Reporting on Internal Control

• DOI has established an integrated organizational
  structure to implement its internal control
  program. This structure uses the building block
  principle It starts with the individual program
  manager and ascends to the Bureau and Office
  Director, to the program assistant secretary, and
  ultimately to the Secretary.
• Bureaus and offices should ensure that
  subordinate managers provide assurance statements
  to support the Bureau or Office Directors
  assurance to the program assistant secretary.
• As indicated in the 2006 Internal
  Control/Departmental Functional Review Guidance
  for Acquisition, Financial Assistance, and
  Property Management, Bureau and office
  acquisition managers must coordinate issuance of
  their annual internal control assessment report
  with their respective Bureau Management Control
  Coordinator and ensure that their reports are
  signed by the Assistant Director
  Administration, or bureau equivalent, prior to
  submission to the Office of Acquisition and
  Property Management.

31
Reporting on Internal Control

• Bureau internal control assessment reports for
  both acquisition and financial assistance must
  include the following
• findings of management reviews performed and
  corrective action plans implemented (including
  timeframes for complete implementation of
  corrective actions)
• summary findings of applicable OIG, GAO, and
  third party Notices of Finding and
  Recommendations, and corrective plans implemented
  (including timeframes for complete implementation
  of corrective actions)
• bureau-wide targets review and supplementary
  reports and
• an assurance statement regarding the adequacy of
  bureau-wide internal controls, i.e., assurance
  that processes are in place for the bureaus to
  (1) prevent or promptly detect unauthorized
  acquisition, use, or disposition of assets and
  (2) implement and monitor corrective actions for
  identified compliance or systemic weaknesses in
  order to bring identified weaknesses in bureau
  acquisition and financial assistance
  processes/procedures into compliance with
  applicable laws, regulations, and policy.

32
Assurance Statements

• Bureaus/offices have two assurance statement
  requirements during FY 2006
• Assurance statement on the effectiveness of
  internal controls over financial reporting as of
  06/30/2006 due to the Assistant Secretary
  Policy, Management and Budget (AS/PMB) and the
  Office of Financial Management by July 31, 2006
  and
• FY 2006 Final Assurance Statement covering all
  programs and operations is due to the AS/PMB and
  Office of Financial Management on or before
  September 15, 2006.
• The assurance statements that you prepare for
  acquisition, financial assistance, and property
  management must be included in your
  bureaus/offices Final Assurance Statement
  covering all programs and operations, i.e.,
  Assurance Statement 2.

33
Assurance QUIZ Double Jeopardy

• Management is required to
• a. Provide absolute assurance of internal
  control
• OR
• b. Provide reasonable assurance of internal
  control

ANSWER b - Provide reasonable assurance of
internal control. Reasonable assurance that
internal control processes are in place for the
bureaus to (1) prevent or promptly detect
unauthorized acquisition, use, or disposition of
assets and (2) implement and monitor corrective
actions for identified compliance or systemic
weaknesses in order to bring identified
weaknesses in bureau acquisition and financial
assistance processes/procedures into compliance
with applicable laws, regulations, and policy.
34
RESOURCES

• DOI Office of Acquisition and Property Management
  Website
• http//www.doi.gov/pam (GAO Framework can be
  accessed under Acquisition)
• DOI Office of Financial Management Website
  http//www.doi.gov/pfm
• DOI Office of Inspector General Website
  http//www.oig.doi.gov
• Office of Management and Budget Website
  http//www..whitehouse.gov/omb
• Government Accountability Office Website
  http//www.gao.gov