Circular
No. A-123
Revised
June 21, 1995
TO THE
HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
FROM: Alice
M. Rivlin, Director
SUBJECT: Management
Accountability and Control
1. Purpose
and Authority. As Federal employees develop and implement strategies
for reengineering agency programs and operations, they should design
management structures that help ensure accountability for results,
and include appropriate, cost-effective controls. This Circular
provides guidance to Federal managers on improving the accountability
and effectiveness of Federal programs and operations by establishing,
assessing, correcting, and reporting on management controls.
The Circular
is issued under the authority of the Federal Managers' Financial
Integrity Act of 1982 as codified in 31 U.S.C. 3512.
The Circular
replaces Circular No. A-123, "Internal Control Systems," revised,
dated August 4, 1986, and OMB's 1982 "Internal Controls Guidelines"
and associated "Questions and Answers" document, which are hereby
rescinded.
2. Policy.
Management accountability is the expectation that managers are responsible
for the quality and timeliness of program performance, increasing
productivity, controlling costs and mitigating adverse aspects of
agency operations, and assuring that programs are managed with integrity
and in compliance with applicable law.
Management
controls are the organization, policies, and procedures used to
reasonably ensure that (i) programs achieve their intended results;
(ii) resources are used consistent with agency mission; (iii) programs
and resources are protected from waste, fraud, and mismanagement;
(iv) laws and regulations are followed; and (v) reliable and timely
information is obtained, maintained, reported and used for decision
making.
3. Actions
Required. Agencies and individual Federal managers must take
systematic and proactive measures to (i) develop and implement appropriate,
cost-effective management controls for results-oriented management;
(ii) assess the adequacy of management controls in Federal programs
and operations; (iii) identify needed improvements; (iv) take corresponding
corrective action; and (v) report annually on management controls.
4. Effective
Date. This Circular is effective upon issuance.
5. Inquiries.
Further information concerning this Circular may be obtained from
the Management Integrity Branch, Office of Federal Financial Management,
Office of Management and Budget, Washington, DC 20503, 202/395-6911.
6. Copies.
Copies of this Circular may be obtained by telephoning the Executive
Office of the President, Publication Services, at 202/395-7332.
7. Electronic
Access. This document is also accessible on the U.S. Department
of Commerce's FedWorld Network under the OMB Library of Files.
- The Telnet
address for FedWorld via Internet is "fedworld.gov".
- The World
Wide Web address is "http://www.fedworld.gov/ftp.htm#omb".
- For file
transfer protocol (FTP) access, the address is "ftp://fwux.fedworld.gov/pub/omb/omb.htm".
The telephone
number for the FedWorld help desk is 703/487-4608.
Attachment
Note to Internet
Users: This document, with associated explanatory material, was
published in the Federal Register on June 29, 1995, Volume 60, Number
125, pages 33876-33872. This can be accessed from the Federal Register
Online via GPO Access [wais.access.gpo.gov].
Attachment
I. Introduction
II. Establishing
Management Controls
III. Assessing
and Improving Management Controls
IV. Correcting
Management Control Deficiencies
V. Reporting
on Management Controls
I. INTRODUCTION
The proper stewardship
of Federal resources is a fundamental responsibility of agency managers
and staff. Federal employees must ensure that government resources
are used efficiently and effectively to achieve intended program results.
Resources must be used consistent with agency mission, in compliance
with law and regulation, and with minimal potential for waste, fraud,
and mismanagement.
To support
results-oriented management, the Government Performance and Results
Act (GPRA, P.L. 103-62) requires agencies to develop strategic
plans, set performance goals, and report annually on actual performance
compared to goals. As the Federal government implements this legislation,
these plans and goals should be integrated into (i) the budget process,
(ii) the operational management of agencies and programs, and (iii)
accountability reporting to the public on performance results, and
on the integrity, efficiency, and effectiveness with which they
are achieved.
Management
accountability is the expectation that managers are responsible
for the quality and timeliness of program performance, increasing
productivity, controlling costs and mitigating adverse aspects of
agency operations, and assuring that programs are managed with integrity
and in compliance with applicable law.
Management
controls -- organization, policies, and procedures -- are tools
to help program and financial managers achieve results and safeguard
the integrity of their programs. This Circular provides guidance
on using the range of tools at the disposal of agency managers to
achieve desired program results and meet the requirements of the
Federal Managers' Financial Integrity Act (FMFIA, referred to as
the Integrity Act throughout this document).
Framework.
The importance of management controls is addressed, both explicitly
and implicitly, in many statutes and executive documents. The
Federal Managers' Financial Integrity Act (P.L. 97-255) establishes
specific requirements with regard to management controls. The agency
head must establish controls that reasonably ensure that: (i) obligations
and costs comply with applicable law; (ii) assets are safeguarded
against waste, loss, unauthorized use or misappropriation; and (iii)
revenues and expenditures are properly recorded and accounted for.
31 U.S.C. 3512(c)(1). In addition, the agency head annually must
evaluate and report on the control and financial systems that protect
the integrity of Federal programs. 31 U.S.C. 3512(d)(2). The Act
encompasses program, operational, and administrative areas as well
as accounting and financial management.
Instead of
considering controls as an isolated management tool, agencies should
integrate their efforts to meet the requirements of the Integrity
Act with other efforts to improve effectiveness and accountability.
Thus, management controls should be an integral part of the entire
cycle of planning, budgeting, management, accounting, and auditing.
They should support the effectiveness and the integrity of every
step of the process and provide continual feedback to management.
For instance,
good management controls can assure that performance measures are
complete and accurate. As another example, the management control
standard of organization would align staff and authority with the
program responsibilities to be carried out, improving both effectiveness
and accountability. Similarly, accountability for resources could
be improved by more closely aligning budget accounts with programs
and charging them with all significant resources used to produce
the program's outputs and outcomes.
Meeting the
requirements of the Chief Financial Officers Act (P.L. 101-576,
as amended) should help agencies both establish and evaluate management
controls. The Act requires the preparation and audit of financial
statements for 24 Federal agencies. 31 U.S.C. 901(b), 3515. In this
process, auditors report on internal controls and compliance with
laws and regulations. Therefore, the agencies covered by the Act
have a clear opportunity both to improve controls over their financial
activities, and to evaluate the controls that are in place.
The Inspector
General Act (P.L. 95-452, as amended) provides for independent
reviews of agency programs and operations. Offices of Inspectors
General (OIGs) and other external audit organizations frequently
cite specific deficiencies in management controls and recommend
opportunities for improvements. Agency managers, who are required
by the Act to follow up on audit recommendations, should use these
reviews to identify and correct problems resulting from inadequate,
excessive, or poorly designed controls, and to build appropriate
controls into new programs.
Federal managers
must carefully consider the appropriate balance of controls in their
programs and operations. Fulfilling requirements to eliminate regulations
("Elimination of One-Half of Executive Branch Internal Regulations,"
Executive Order 12861) should reinforce to agency managers that
too many controls can result in inefficient and ineffective government,
and therefore that they must ensure an appropriate balance between
too many controls and too few controls. Managers should benefit
from controls, not be encumbered by them.
Agency
Implementation. Appropriate management controls should be integrated
into each system established by agency management to direct and
guide its operations. A separate management control process need
not be instituted, particularly if its sole purpose is to satisfy
the Integrity Act's reporting requirements.
Agencies need
to plan for how the requirements of this Circular will be implemented.
Developing a written strategy for internal agency use may help ensure
that appropriate action is taken throughout the year to meet the
objectives of the Integrity Act. The absence of such a strategy
may itself be a serious management control deficiency.
Identifying
and implementing the specific procedures necessary to ensure good
management controls, and determining how to evaluate the effectiveness
of those controls, is left to the discretion of the agency head.
However, agencies should implement and evaluate controls without
creating unnecessary processes, consistent with recommendations
made by the National Performance Review.
The President's
Management Council, composed of the major agencies' chief operating
officers, has been established to foster governmentwide management
changes ("Implementing Management Reform in the Executive Branch,"
October 1, 1993). Many agencies are establishing their own senior
management council, often chaired by the agency's chief operating
officer, to address management accountability and related issues
within the broader context of agency operations. Relevant issues
for such a council include ensuring the agency's commitment to an
appropriate system of management controls; recommending to the agency
head which control deficiencies are sufficiently serious to report
in the annual Integrity Act report; and providing input for the
level and priority of resource needs to correct these deficiencies.
(See also Section III of this Circular.)
II. ESTABLISHING
MANAGEMENT CONTROLS
Definition
of Management Controls. Management controls are the organization,
policies, and procedures used by agencies to reasonably ensure that
(i) programs achieve their intended results; (ii) resources are used
consistent with agency mission; (iii) programs and resources are protected
from waste, fraud, and mismanagement; (iv) laws and regulations are
followed; and (v) reliable and timely information is obtained, maintained,
reported and used for decision making.
Management
controls, in the broadest sense, include the plan of organization,
methods and procedures adopted by management to ensure that its
goals are met. Management controls include processes for planning,
organizing, directing, and controlling program operations. A subset
of management controls are the internal controls used to assure
that there is prevention or timely detection of unauthorized acquisition,
use, or disposition of the entity's assets.
Developing
Management Controls. As Federal employees develop and execute
strategies for implementing or reengineering agency programs and
operations, they should design management structures that help ensure
accountability for results. As part of this process, agencies and
individual Federal managers must take systematic and proactive measures
to develop and implement appropriate, cost-effective management
controls. The expertise of the agency CFO and IG can be valuable
in developing appropriate controls.
Management
controls guarantee neither the success of agency programs, nor the
absence of waste, fraud, and mismanagement, but they are a means
of managing the risk associated with Federal programs and operations.
To help ensure that controls are appropriate and cost-effective,
agencies should consider the extent and cost of controls relative
to the importance and risk associated with a given program.
Standards.
Agency managers shall incorporate basic management controls in the
strategies, plans, guidance and procedures that govern their programs
and operations. Controls shall be consistent with the following
standards, which are drawn in large part from the "Standards for
Internal Control in the Federal Government," issued by the General
Accounting Office (GAO).
General management
control standards are:
- Compliance
With Law. All program operations, obligations and costs must
comply with applicable law and regulation. Resources should be
efficiently and effectively allocated for duly authorized purposes.
- Reasonable
Assurance and Safeguards. Management controls must provide
reasonable assurance that assets are safeguarded against waste,
loss, unauthorized use, and misappropriation. Management controls
developed for agency programs should be logical, applicable, reasonably
complete, and effective and efficient in accomplishing management
objectives.
- Integrity,
Competence, and Attitude. Managers and employees must have
personal integrity and are obligated to support the ethics programs
in their agencies. The spirit of the Standards of Ethical Conduct
requires that they develop and implement effective management
controls and maintain a level of competence that allows them to
accomplish their assigned duties. Effective communication within
and between offices should be encouraged.
Specific management
control standards are:
- Delegation
of Authority and Organization. Managers should ensure that
appropriate authority, responsibility and accountability are defined
and delegated to accomplish the mission of the organization, and
that an appropriate organizational structure is established to
effectively carry out program responsibilities. To the extent
possible, controls and related decision-making authority should
be in the hands of line managers and staff.
- Separation
of Duties and Supervision. Key duties and responsibilities
in authorizing, processing, recording, and reviewing official
agency transactions should be separated among individuals. Managers
should exercise appropriate oversight to ensure individuals do
not exceed or abuse their assigned authorities.
- Access
to and Accountability for Resources. Access to resources and
records should be limited to authorized individuals, and accountability
for the custody and use of resources should be assigned and maintained.
- Recording
and Documentation. Transactions should be promptly recorded,
properly classified and accounted for in order to prepare timely
accounts and reliable financial and other reports. The documentation
for transactions, management controls, and other significant events
must be clear and readily available for ex amination.
- Resolution
of Audit Findings and Other Deficiencies. Managers should
promptly evaluate and determine proper actions in response to
known deficiencies, reported audit and other findings, and related
recommendations. Managers should complete, within established
timeframes, all actions that correct or otherwise resolve the
appropriate matters brought to management's attention.
Other policy
documents may describe additional specific standards for particular
functional or program activities. For example, OMB Circular No.
A-127, "Financial Management Systems," describes government-wide
requirements for financial systems. The Federal Acquisition Regulations
define requirements for agency procurement activities.
III. ASSESSING
AND IMPROVING MANAGEMENT CONTROLS
Agency managers
should continuously monitor and improve the effectiveness of management
controls associated with their programs. This continuous monitoring,
and other periodic evaluations, should provide the basis for the agency
head's annual assessment of and report on management controls, as
required by the Integrity Act. Agency management should determine
the appropriate level of documentation needed to support this assessment.
Sources
of Information. The agency head's assessment of management controls
can be performed using a variety of information sources. Management
has primary responsibility for monitoring and assessing controls,
and should use other sources as a supplement to -- not a replacement
for -- its own judgment. Sources of information include:
- Management
knowledge gained from the daily operation of agency programs and
systems.
- Management
reviews conducted (i) expressly for the purpose of assessing management
controls, or (ii) for other purposes with an assessment of management
controls as a by-product of the review.
- IG and GAO
reports, including audits, inspections, reviews, investigations,
outcome of hotline complaints, or other products.
- Program
evaluations.
- Audits of
financial statements conducted pursuant to the Chief Financial
Officers Act, as amended, including: information revealed in preparing
the financial statements; the auditor's reports on the financial
statements, internal controls, and compliance with laws and regulations;
and any other materials prepared relating to the statements.
- Reviews
of financial systems which consider whether the requirements of
OMB Circular No. A-127 are being met.
- Reviews
of systems and applications conducted pursuant to the Computer
Security Act of 1987 (40 U.S.C. 759 note) and OMB Circular No.
A-130, "Management of Federal Information Resources."
- Annual performance
plans and reports pursuant to the Government Performance and Results
Act.
- Reports
and other information provided by the Congressional committees
of jurisdiction.
- Other reviews
or reports relating to agency operations, e.g. for the Department
of Health and Human Services, quality control reviews of the Medicaid
and Aid to Families with Dependent Children programs.
Use of a source
of information should take into consideration whether the process
included an evaluation of management controls. Agency management
should avoid duplicating reviews which assess management controls,
and should coordinate their efforts with other evaluations to the
extent practicable.
If a Federal
manager determines that there is insufficient information available
upon which to base an assessment of management controls, then appropriate
reviews should be conducted which will provide such a basis.
Identification
of Deficiencies. Agency managers and employees should identify
deficiencies in management controls from the sources of information
described above. A deficiency should be reported if it is or should
be of interest to the next level of management. Agency employees
and managers generally report deficiencies to the next supervisory
level, which allows the chain of command structure to determine
the relative importance of each deficiency.
A deficiency
that the agency head determines to be significant enough to be reported
outside the agency (i.e. included in the annual Integrity Act report
to the President and the Congress) shall be considered a "material
weakness." [1] This designation requires a judgment
by agency managers as to the relative risk and significance of deficiencies.
Agencies may wish to use a different term to describe less significant
deficiencies, which are reported only internally in an agency. In
identifying and assessing the relative importance of deficiencies,
particular attention should be paid to the views of the agency's
IG.
Agencies should
carefully consider whether systemic problems exist that adversely
affect management controls across organizational or program lines.
The Chief Financial Officer, the Senior Procurement Executive, the
Senior IRM Official, and the managers of other functional offices
should be involved in identifying and ensuring correction of systemic
deficiencies relating to their respective functions.
Agency managers
and staff should be encouraged to identify and report deficiencies,
as this reflects positively on the agency's commitment to recognizing
and addressing management problems. Failing to report a known deficiency
would reflect adversely on the agency.
Role of
A Senior Management Council. Many agencies have found that a
senior management council is a useful forum for assessing and monitoring
deficiencies in management controls. The membership of such councils
generally includes both line and staff management; consideration
should be given to involving the IG. Such councils generally recommend
to the agency head which deficiencies are deemed to be material
to the agency as a whole, and should therefore be included in the
annual Integrity Act report to the President and the Congress. (Such
a council need not be exclusively devoted to management control
issues.) This process will help identify deficiencies that although
minor individually, may constitute a material weakness in the aggregate.
Such a council may also be useful in determining when sufficient
action has been taken to declare that a deficiency has been corrected.
IV. CORRECTING
MANAGEMENT CONTROL DEFICIENCIES
Agency managers
are responsible for taking timely and effective action to correct
deficiencies identified by the variety of sources discussed in Section
III. Correcting deficiencies is an integral part of management accountability
and must be considered a priority by the agency.
The extent
to which corrective actions are tracked by the agency should be
commensurate with the severity of the deficiency. Corrective action
plans should be developed for all material weaknesses, and progress
against plans should be periodically assessed and reported to agency
management. Management should track progress to ensure timely and
effective results. For deficiencies that are not included in the
Integrity Act report, corrective action plans should be developed
and tracked internally at the appropriate level.
A determination
that a deficiency has been corrected should be made only when sufficient
corrective actions have been taken and the desired results achieved.
This determination should be in writing, and along with other appropriate
documentation, should be available for review by appropriate officials.
(See also role of senior management council in Section III.)
As managers
consider IG and GAO audit reports in identifying and correcting
management control deficiencies, they must be mindful of the statutory
requirements for audit followup included in the IG Act, as amended.
Under this law, management has a responsibility to complete action,
in a timely manner, on audit recommendations on which agreement
with the IG has been reached. 5 U.S.C. Appendix 3. (Management must
make a decision regarding IG audit recommendations within a six
month period and implementation of management's decision should
be completed within one year to the extent practicable.) Agency
managers and the IG share responsibility f or ensuring that IG Act
requirements are met.
V. REPORTING
ON MANAGEMENT CONTROLS
Reporting Pursuant
to Section 2. 31 U.S.C. 3512(d)(2) (commonly referred to as Section
2 of the Integrity Act) requires that annually by December 31, the
head of each executive agency submit to the President and the Congress
(i) a statement on whether there is reasonable assurance that the
agency's controls are achieving their intended objectives; and (ii)
a report on material weaknesses in the agency's controls. OMB may
provide guidance on the composition of the annual report.
- Statement
of Assurance. The statement on reasonable assurance represents
the agency head's informed judgment as to the overall adequacy
and effectiveness of management controls within the agency. The
statement must take one of the following forms: statement of assurance;
qualified statement of assurance, considering the exceptions explicitly
noted; or statement of no assurance.
In deciding
on the type of assurance to provide, the agency head should
consider information from the sources described in Section III
of this Circular, with input from senior program and administrative
officials and the IG. The agency head must describe the analytical
basis for the type of assurance being provided, and the extent
to which agency activities were assessed. The statement of assurance
must be signed by the agency head.
- Report
on Material Weaknesses. The Integrity Act report must include
agency plans to correct the material weaknesses and progress against
those plans.
Reporting
Pursuant to Section 4. 31 U.S.C. 3512(d)(2)(B) (commonly referred
to as Section 4 of the Integrity Act) requires an annual statement
on whether the agency's financial management systems conform with
government-wide requirements. These financial systems requirements
are presented in OMB Circular No. A-127, "Financial Management Systems,"
section 7. If the agency does not conform with financial systems
requirements, the statement must discuss the agency's plans for
bringing its systems into compliance.
If the agency
head judges a deficiency in financial management systems and/or
operations to be material when weighed against other agency deficiencies,
the issue must be included in the annual Integrity Act report in
the same manner as other material weaknesses.
Distribution
of Integrity Act Report. The assurance statements and information
related to both Sections 2 and 4 should be provided in a single
Integrity Act report. Copies of the report are to be transmitted
to the President; the President of the Senate; the Speaker of the
House of Representatives; the Director of OMB; and the Chairpersons
and Ranking Members of the Senate Committee on Governmental Affairs,
the House Committee on Government Reform and Oversight, and the
relevant authorizing and appropriations committees and subcommittees.
In addition, 10 copies of the report are to be provided to OMB's
Office of Federal Financial Management, Management Integrity Branch.
Agencies are also encouraged to make their reports available electronically.
Streamlined
Reporting. The Government Management Reform Act (GMRA) of 1994
(P.L. 103-356) permits OMB for fiscal years 1995 through 1997 to
consolidate or adjust the frequency and due dates of certain statutory
financial management reports after consultation with the Congress.
GMRA prompted the CFO Council to recommend to OMB a new approach
towards financial management reporting which could help integrate
management initiatives. This proposal is being pilot-tested by several
agencies for FY 1995. Further information on the implications of
this initiative for other agencies will be issued by OMB after the
pilot reports have been evaluated. In the meantime, the reporting
requirements outlined in this Circular remain valid except for those
agencies identified as pilots by OMB.
Under the
CFO Council approach, agencies would consolidate Integrity Act information
with other performance-related reporting into a broader "Accountability
Report" to be issued annually by the agency head. This report would
be issued as soon as possible after the end of the fiscal year,
but no later than March 31 for agencies producing audited financial
statements and December 31 for all other agencies. The proposed
"Accountability Report" would integrate the following information:
the Integrity Act report, management's Report on Final Action as
required by the IG Act, the CFOs Act Annual Report (including audited
financial statements), Civil Monetary Penalty and Prompt Payment
Act reports, and available information on agency performance compared
to its stated goals and objectives, in preparation for implementation
of the GPRA.
Government
Corporations. Section 306 of the Chief Financial Officers Act
established a reporting requirement related to management controls
for corporations covered by the Government Corporation and Control
Act. 31 U.S.C. 9106. These corporations must submit an annual management
report to the Congress not later than 180 days after the end of
the corporation's fiscal year. This report must include, among other
items, a statement on control systems by the head of the management
of the corporation consistent with the requirements of the Integrity
Act.
The corporation
is required to provide the President, the Director of OMB, and the
Comptroller General a copy of the management report when it is submitted
to Congress.
[1]
This Circular's use of the term "material weakness" should not be
confused with use of the same term by government auditors to identify
management control weaknesses which, in their opinion, pose a risk
or a threat to the internal control systems of an audited entity,
such as a program or operation. Auditors are required to identify
and report those types of weaknesses at any level of operation or
organization, even if the management of the audited entity would
not report the weaknesses outside the agency.
Top
of Page
|