UNITED STATES
ENVIRONMENTAL PROTECTION AGENCY
INTERNAL CONTROL GUIDANCE
for
MANAGERS AND COORDINATORS
"A GUIDE TO SUCCESSFUL
IMPLEMENTATION OF FMFIA"
OFFICE OF THE COMPTROLLER
RESOURCE MANAGEMENT DIVISION
AGENCY INTERNAL CONTROL STAFF
HEADQUARTERS LIBRARY
ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
AUG
TO: EPA Program Managers and Internal Control Coordinators
I am pleased to provide you with this new document entitled
EPA Internal Control Guidance for Managers and Coordinators.
This document consolidates Agency, OMB and GAO guidance regarding
the Federal Managers' Financial Integrity Act (FMFIA).
The Federal Managers' Financial Integrity Act was passed in
1982 to provide a means for strengthening the Federal
Government's procedures for maintaining accounting systems and
internal controls for its resources. Various policies and
procedures are now in place at EPA for accomplishing the
objectives of the Integrity Act, and we have provided training to
educate managers in their internal control responsibilities.
There is, however, always room for streamlining the
Integrity Act process and to accomplish the same good results
with less paperwork and effort. Thus, your continuing
commitment to improving EPA's internal control process remains a
vital key to our successful implementation of FMFIA. It is with
this in mind that we developed this manual. We hope you will find
it useful as a reference guide and source document in satisfying
the Integrity Act requirements.
J. Sandy, Director
Resource Management Division
Office of the Comptroller
-------
-------
FOREWORD
The Federal Managers' Financial Integrity Act (FMFIA) provides
discipline by which Federal managers are to strengthen controls
over the Government's limited resources. So that EPA's managers
may better understand their FMFIA requirements regarding on-going
evaluations and annual reporting on the adequacy of their
internal control systems, we developed this manual.
USE OF THIS GUIDE:
This guide may be used in several ways:
• to develop, maintain and evaluate your programs
• to assure your programs are being run efficiently and
effectively
• to clarify, consolidate, streamline and update your various
internal control guidelines for these programs
• to keep managers and coordinators informed, updated
and involved in the internal control program
AUDIENCE:
This guide is for:
• Every EPA Manager - Administrator, Deputy Administrator,
Regional Administrators, Deputy Regional
Administrators, Associate Administrators,
Assistant Administrators, Division Directors,
Office Directors, Lab Directors, Other
Managerial/Supervisory Staff
• Internal Control Coordinators
Congress promoted this call for agency accountability by passing
the Federal Managers' Financial Integrity Act of 1982 (P.L. 97-
255), which requires establishing internal accounting and
administrative controls which (1) comply with Comptroller General
standards and (2) provide reasonable assurance that:
o Obligations and costs are in compliance with
legislation, Agency directives and regulations;
o Funds, property and other assets are safeguarded; and
o Revenues and expenditures applicable to Agency
operations are properly documented and recorded.
-------
Questions or requests for further information on the topics
discussed in this manual should be directed to: Director of the
Internal Control Staff within the Resource Management Division,
PM-225, Washington, D.C. 20460.
ii
-------
INTERNAL CONTROL GUIDANCE
FOR MANAGERS AND COORDINATORS
TABLE OF CONTENTS
Chapter Page
A. Planning and Organizing the EPA Process A-1
B. Segmenting the Agency into Assessable Units B-1
C. Documenting Existing Internal Controls C-1
D. Conducting Risk Assessments D-1
E. Developing a Management Control Plan E-1
F. Conducting Internal Control Evaluations: F-1
Internal Control Reviews or Alternative Internal
Control Reviews
G. Maintaining the Internal Control Corrective Action G-1
Tracking System
H. Developing Annual Assurance Letters H-1
I. Evaluating EPA's Internal Controls Process I-1
(Quality Assurance)
ADDENDUM - USEFUL INFORMATION Tab
1. Historical Background 1
2. Overview of Federal Requirements and Guidelines 2
3. Assessable Units 3
4. Subject Index 4
APPENDIX - REFERENCE DOCUMENTS (issued under separate cover)
1. Federal Managers' Financial Integrity Act (1)
of 1982
2. GAO Standards for Internal Control in the (2)
Federal Government
3. OMB Guidelines for the Evaluation and (3)
Improvement of and Reporting On Internal
Control Systems in the Federal Government
4. OMB Circular A-123, Revised August 1986 on (4)
Internal Control Systems
5. EPA Resource Management Directive, Section (5)
2560 - Internal Control
6. Office of the Comptroller Quality Assurance (6)
Guide to "A Simple Approach to Performing
Internal Control Evaluations"
iii
-------
-------
MANAGER'S OVERVIEW
OF EPA'S FMFIA PROCESS
[Flowchart; box labels as they appear in the original:]
ORGANIZE THE PROCESS
• Update Records
• Ensure Full Coverage
• Address Yearly Guidance Issues
ASSESS RISK
• "HOT" Program?
• Public or Financial Embarrassment?
• Secure Procedures?
• Summarize Results
DEVELOP ACTION PLANS
PERFORM INTERNAL CONTROL EVALUATIONS
ALTERNATIVE INTERNAL CONTROL REVIEW
• OIG Audit
• GAO Audit
• Management Reviews
• Other Internal/External Studies
FORMAL INTERNAL CONTROL REVIEW
IMPLEMENT CORRECTIVE ACTION
ESTABLISH FORMAL FOLLOW-UP SYSTEM (QUALITY ASSURANCE)
PREPARE ANNUAL ASSURANCE LETTER
DEVELOP MANAGEMENT CONTROL PLAN
-------
CALENDAR OF KEY EVENTS
OFFICIAL/ORG.                             ITEM                                                                        MILESTONES
OARM                                      issues Annual Guidance                                                      Jan 31
AU Managers                               submit 1st Quarter CATS Report to Internal Control Staff (ICS) via Internal Control Coordinator (ICC)   Feb 20
EPA Managers                              address issues in Annual Guidance                                           March
AU Managers                               submit 2nd Quarter CATS Report to ICS via ICC                               Apr 15
AU Managers                               ensure programs have proper internal control documentation                  May
EPA Managers                              ensure their performance standards include internal control responsibilities   June
AU Managers                               submit 3rd Quarter CATS Report to ICS via ICC                               July 15
OARM                                      issues Guidance for Assurance Letter and Management Control Plan            July 30
AU Managers                               develop Assurance Letter and Update 5-Year Management Control Plan          August
Primary Organization Heads (AAs and RAs)  prepare individual Assurance Letters                                        September
Primary Organization Heads                submit Assurance Letter to Senior Internal Control Official                 Oct 31
AU Managers                               submit 4th Quarter CATS Report to ICS via ICC                               Oct 31
AU Managers                               submit updated 5-Year MCP to ICS via ICC                                    Oct 31
OARM                                      prepares EPA Assurance Letter and Briefing Material                         November
AA for OARM                               briefs Deputy Administrator on Assurance Letters                            Dec 15
AA for OARM                               submits Agency 5-Year MCP to OMB                                            Dec 20
Administrator                             signs Assurance Letter                                                      Dec 20
Administrator                             submits Letter to President and Congress                                    Dec 31
-------
EPA'S FMFIA GUIDANCE
CHAPTER A. PLANNING AND ORGANIZING THE EPA PROCESS
I. PURPOSE
This chapter discusses the factors involved in planning and
organizing the internal control process at EPA.
Every federal agency must carefully plan and organize the
internal control process. EPA managers should evaluate, improve,
and report on internal controls efficiently and effectively.
This includes providing for quality control over the entire
process. The following represent key elements in organizing the
internal control process:
- Assigning responsibilities;
- Modifying performance agreements;
- Developing a work plan;
- Training;
- Documentation;
- Evaluating and reporting; and
- Internal tracking.
II. RESPONSIBILITIES
OMB Circular A-123 assigns basic responsibilities for internal
control to a senior Agency official, heads of organizational
units, and managers in general. EPA Resource Management
Directive 2560 elaborates on these assignments and designates
staff responsible for planning, organizing, and implementing
EPA's FMFIA process. (See Addendum 1 for a detailed listing of
responsibilities.)
A. Assistant Administrator, OARM - The Assistant
Administrator for Administration and Resources Management
(AA/OARM), the Agency's senior internal control official, is
responsible for directing the Agency-wide effort to
implement FMFIA. This includes evaluating, improving, and
reporting on internal controls. The AA/OARM assures the EPA
Administrator that staff conducted the internal control
process thoroughly, conscientiously, and in accordance with
OMB Guidelines.
A-1
-------
B. Primary Organization Heads (POHs) - The 22 primary
organization heads (POHs) are responsible for implementing
the internal control process in their areas of
responsibility. This includes assuring the Agency head that
he/she knows the importance of internal controls, believes
that his/her organizational area meets internal control
objectives, and that EPA personnel conscientiously performed
the evaluation process in line with appropriate guidelines.
The POHs must also ensure that all managers within the
organization are fulfilling their internal control
responsibilities.
C. Internal Control Staff - The Internal Control Staff
(ICS) of the Resource Management Division (RMD) in the
Office of the Comptroller has staff responsibility for
coordinating the Agency's efforts to implement the FMFIA.
This includes planning, organizing, and directing the
evaluation, improvement, and reporting of internal controls.
The ICS also provides centralized support to Agency
components as appropriate.
D. Internal Control Coordinators - Primary Organization
Heads (POHs) designate Internal Control Coordinators (ICCs),
representing the POHs, in each primary organization to work
with the ICS in organizing and directing the internal
control process. The ICCs are responsible for coordinating,
monitoring, and implementing the Agency guidance in their
organizations. The ICCs are also responsible for ensuring
that progress is made in implementing FMFIA so that the POHs
can provide the requisite "reasonable assurance."
E. Program Managers - All EPA managers are responsible for
operating effective and efficient systems of internal
control. Periodically, they must evaluate the internal
control systems and take actions to correct identified
weaknesses. To stress the importance of this program, OMB
Circular A-123 requires managers to have internal controls
included in their performance standards.
Exhibit I presents a mosaic of manager's responsibilities.
III. MODIFYING PERFORMANCE AGREEMENTS
OMB Circular A-123 requires that each Senior Executive Service,
Merit Pay and any other employee with significant internal
control responsibilities maintain written performance agreements
against which a manager's internal control performance can be
recognized. The agreement outlines internal control
responsibilities and establishes performance standards which are
specific to the employee under evaluation. The agreement also
A-2
-------
sets forth the criteria for measuring outstanding, satisfactory
or unsatisfactory performance.
Exhibit II presents suggested language for performance standards.
You can modify it to meet your specific circumstances and include
it as part of a general management standard or as a separate
performance standard.
IV. DEVELOPING A WORK PLAN
A yearly work plan is critical to the careful organization and
efficient implementation of the internal control process. Each
ICC must develop an annual work plan and send a copy to the
Director of the Internal Control Staff at the beginning of each
calendar year. The ICS provides guidance, including a benchmark
work plan, which the ICC may use as a guide in developing his/her
own work plan.
A. Purpose - The work plan helps the ICC:
1. Structure an internal control program with the
organization;
2. Implement the FMFIA process thoroughly and
conscientiously;
3. Involve management; and
4. Meet deadlines.
B. Contents - The annual work plan should include:
1. Planned training of personnel;
2. Updating the quarterly CATS reports;
3. Milestones for completing the risk assessments,
Management Control Plan, annual assurance letter,
documentation, etc. (The Office of Inspector General
notes in their 1987 reviews that many offices have weak
or old documentation and require that it be kept
updated at all times);
4. Conducting and documenting any Internal Control
Reviews (ICRs) or Alternative Internal Control Reviews
(AICRs) as reported in the prior year Assurance Letter
or scheduled subsequently;
5. Establishing the necessary procedures to assist
managers in identifying or assessing program weaknesses
and to enable the POH to provide reasonable assurance;
A-3
-------
6. Coordinating with the Audit Follow-Up Coordinator
and appropriate managers to consider findings from
significant internal audits and other studies. (The
Office of Inspector General reported this area as a
weakness in our internal control program in both its
1986 and 1987 Final Reports);
7. Requiring that managers (SES, Merit Pay, and
equivalent employees) outline their internal control
responsibilities in their performance standards. The
Office of Inspector General has repeatedly reported to
the Administrator that the Agency is "weak" in this
area.
Exhibit III illustrates two alternatives for ICCs to develop
their Primary Organization's sample work plan.
V. TRAINING
Adequate training of personnel is critical to planning and
organizing the internal control process. Options available to
ICCs to ensure that managers and supervisors receive appropriate
training include:
A. A three-day Agency course for new supervisors which
includes an overview of the FMFIA process;
B. FMFIA courses sponsored by the Office of Personnel
Management and the Association of Government Accountants;
C. Internal Control Staff-sponsored training and question-
and-answer sessions upon request;
D. Video-tapes available from the Internal Control Staff;
and
E. Training offered by the ICCs.
Since the Office of the Inspector General (OIG) reviews the
annual assurance letter which requires statistics on dates and
attendees at training sessions, the ICC must maintain a list of
all employees attending FMFIA courses.
VI. DOCUMENTATION
The OMB Guidelines require EPA to document all program activities
and administrative functions at the event cycle level. Event
cycles are the related processes or actions to carry out a
recurring responsibility. The ICC works closely with the program
A-4
-------
managers to create the necessary documentation. For instance, in
the Budget Division of the Comptroller's Office, event cycles
include:
A. Developing OMB Budget Submission;
B. Developing President's budget justification;
C. Responding to Congressional inquiries; and
D. Developing the Agency's Operating Budget Plan.
Primary organization heads (POHs) are responsible for developing
internal control documentation for all recurring
responsibilities. Internal Control Documentation should not be
confused with program documentation which includes written
policies, manuals, memoranda, organization charts, decision
tables, completed questionnaires, software, and related written
materials. Chapter C, Documenting Existing Internal Controls,
elaborates on EPA's procedures for documenting the internal
control process.
VII. EVALUATING AND REPORTING
The next step in planning and organizing the internal control
process is evaluating and reporting. This step includes
scheduling risk assessments and internal control evaluations and
preparing the annual assurance letter.
A. Factors - In scheduling the evaluating process with the
managers, the ICCs should consider these factors:
1. Resources;
2. The cyclical nature of certain operations; and
3. The need for risk analyses and similar evaluations
to comply with other statutory or regulatory
requirements and to provide reasonable assurance of
compliance.
Management must schedule and complete all evaluation
procedures early enough to provide data for the annual
assurance letter to the President and Congress.
B. Risk Assessments - Management must complete risk
assessments (RAs) for all Agency activities once every three
years to identify potential vulnerabilities in Agency
operations. EPA tentatively scheduled the next risk
assessment for 1989. (See Chapter D for more details.)
A-5
-------
C. Management Control Plan - All Assessable Unit Managers
must develop a five-year Management Control Plan (MCP). The
MCP includes all of the vital information related to the
assessable unit and details the planned ICRs and AICRs for
each sub-unit (division). (See Chapter E for explicit
details and instructions.)
D. Internal Control Reviews/Alternative Internal Control
Reviews - Management must conduct Internal Control Reviews
(ICRs) and/or Alternative Internal Control Reviews (AICRs)
continually throughout the year. Management should base the
schedule of reviews on the results of risk assessments and
considerations such as management priorities and resource
limitations. In this way, managers and ICCs may evaluate
and improve both highly vulnerable and less vulnerable
Agency activities. (Chapter F provides further detail.)
E. Classified Activities - Management must include in FMFIA
evaluations and reporting those activities requiring special
handling or security precautions. An example is activities
related to Confidential Business Information. Managers must
ensure that the staff participating in the evaluations of
these activities have the appropriate clearances and that
the staff properly handle the internal control
documentation.
F. Annual Assurance Letter - FMFIA requires EPA to submit
an assurance letter to the President and Congress by
December 31 of each year. This letter reports on whether
EPA's internal control systems comply with FMFIA
requirements. To the extent that the systems do not comply,
the Administrator must identify and report material
weaknesses and offer plans for corrective actions.
To gather the necessary information, the ICS requests an
assurance letter from the POHs. The ICS recommends that all
divisions of that Primary Organization develop assurance
letters for the purpose of:
1. Including all managers in the process;
2. Providing reasonable assurance to the POH; and
3. Having signed letters to back up the POH assurance
letter.
Also, each Assessable Unit Manager provides a completed
Quality Control Evaluation Report (QCER) to his/her ICC in
order for the ICC to prepare the overall QCER for his/her
organization. The ICS then prepares an Agency QCER to
determine whether the POHs have conducted the process
thoroughly and conscientiously.
A-6
-------
No later than October 31 of each year, each POH must report
on the status of his or her internal control systems to the
AA/OARM. (Chapter H explains this process further.)
VIII. INTERNAL TRACKING
The ICS is responsible for developing and maintaining a system
designed to capture the corrective actions revealed in the POHs'
annual assurance letter.
EPA's Internal Control Corrective Action Tracking System (CATS)
tracks and follows up identified weaknesses and corrective
actions that occur in a one-year reporting period. The report
will also track corrective actions that are carried forward from
previous years' reporting. CATS is automated to allow ease in
tracking, monitoring, and updating for the ICC and the ICS.
Management must update Internal Control CATS reports quarterly
and submit them to the ICS. (Chapter G provides further detail
and examples.)
-------
-------
Exhibit I
MANAGER'S CALENDAR
OF RESPONSIBILITIES
JANUARY FEBRUARY MARCH APRIL MAY JUNE
• Read yearly guidance
• Develop quarterly reports on Corrective Action
• Review preceding year's agency and PO's Annual Summary Letters
• Perform on-going responsibilities
• Address issues raised in Yearly Guidance
• Develop quarterly reports on Corrective Action
• Perform on-going responsibilities
• Ensure managers' performance standards include internal control responsibilities
• Perform on-going responsibilities
On-going Responsibilities
• Notify ICC of restructuring leading to reorganization
• Assess risk of new programs resulting from reorganization
• Develop documentation of internal management controls
• Ask ICC for internal control training as appropriate
• Conduct internal control evaluations as planned or as needed
• Perform quality assurance tests, such as:
- "Are the corrective actions effectively correcting the problem?"
- "Am I performing reviews as prescribed and do they meet the required criteria?"
- "Do my performance standards include internal control language?"
• Perform on-going responsibilities
• Review Assurance Letter guidance
• Review MCP instructions
• Develop division-level Assurance Letters
• Include OIG and GAO audits in Assurance Letter
• Perform on-going responsibilities
• Develop division-level Assurance Letters
• Update and submit to ICC the 5-year MCP
• Prepare year-end report on Corrective Actions
• Submit PO's annual Assurance Letter
• Submit Quality Control Evaluation report
• Perform on-going responsibilities
JULY AUGUST SEPTEMBER OCTOBER NOVEMBER DECEMBER
-------
-------
Exhibit II
Page 1 of 2
SUGGESTED LANGUAGE FOR PERFORMANCE STANDARDS
Assistant Administrator/Regional Administrator
Implements the FMFIA by carrying out the responsibilities of the
Primary Organization Head outlined in EPA Resource Management
Directive 2560, including establishing, maintaining, evaluating,
improving, and reporting on internal controls.
Outstanding: Carries out all duties/responsibilities under EPA
Resource Management Directive 2560 in a "thorough and
conscientious" manner. Aggressively seeks to improve management
controls in the organization, communicates FMFIA responsibilities
to all managers and supervisors, and ensures internal control
reviews or management reviews are performed on 30 percent or more
of the organization.
Satisfactory: Performs all duties as required under EPA Resource
Management Directive 2560.
Unsatisfactory: Does not support the FMFIA and does not carry
out responsibilities under EPA Resource Management Directive
2560.
Senior Executive Support
Carries out responsibilities for internal control by effectively
implementing EPA Resource Management Directive 2560.
Outstanding: Takes action to aggressively improve internal
controls in the organization. Communicates responsibilities and
support of FMFIA to all managers/supervisors. Supports the
Primary Organization Head in all steps of the internal control
process. Performs internal control reviews or management reviews
for 30 percent or more of the program or functional area. Work
is timely and of high quality.
Satisfactory: Takes appropriate action to ensure that all
guidance required by the Internal Control Staff is implemented
and completed in a timely manner.
Unsatisfactory: Does not follow the guidance of the Internal
Control Staff on implementing EPA Resource Management Directive
2560. Does not examine internal controls.
-------
[Chart residue: a work plan schedule that is not legible in this copy. Legible task entries, truncated as scanned: "Identify and address FMFIA traini"; "Attend Second ICC meeting"; "Submit 2nd Quarter CATS report to"; "Review revised documentation with".]
-------
EPA'S SEGMENTATION
EACH IS AN
ASSESSABLE UNIT
ASSISTANT &
REGIONAL
ADMINISTRATORS
STAFF
AND
SUPPORT
OFFICES
DIVISIONS
LABORATORIES
BRANCHES
(optional)
SEGMENTATION =
EPA's level of responsibility
to manage the internal control
program.
-------
-------
CHAPTER B. SEGMENTING THE AGENCY INTO ASSESSABLE UNITS
I. PURPOSE
This chapter discusses EPA's procedures for segmenting the Agency
into assessable units (AUs). Segmentation of an agency is
essential to performing a systematic evaluation of the internal
control systems in a large, complex organization such as EPA.
OMB Guidelines - The OMB Guidelines outline a phased approach for
agencies to evaluate, improve, and report on their internal
controls. One phase of the OMB approach calls for agencies to
segment themselves into organizational units, programs, and
functions. Collectively, these segments are called "assessable
units (AUs)." An assessable unit is a "program operation or
administrative function that is the subject of a risk assessment.
An assessable unit is comprised of related event cycles."
A basic goal of segmentation is to develop an agency-wide
inventory of assessable units which can be the subject of a risk
assessment. The inventory should provide complete coverage of
all program and administrative functions. Addendum 3 includes an
inventory of EPA's assessable units.
II. PROCEDURES
There is no single method for segmenting an agency into
components, programs, and functions in order to evaluate its
internal control system. Agencies vary widely in organizational
structure and the nature of activities conducted. As a result,
agencies are given considerable flexibility in identifying their
assessable units.
In developing the inventory of AUs, Internal Control Coordinators
should tap information sources such as budget materials,
organization charts, agency manuals, and program and financial
management information systems. In developing an inventory,
consider the following factors:
A. Existing organizational structure;
B. Nature and size of agency programs and administrative
functions;
C. Numbers of sub-programs or sub-functions within a
program or function;
D. Numbers of separate organizational units operating the
program;
-------
E. Degree of independence of the program or function;
F. Differences in operating systems;
G. Degree of centralization or decentralization;
H. Budget levels; and
I. Numbers of personnel.
The degrees of independence, centralization, and decentralization
are particularly significant. A program or administrative
function could operate in several locations. Since the program
or administrative function and internal control system may vary
by location, it may be necessary to perform separate risk
assessments or internal control reviews for each location.
Therefore, when classifying programs and functions operating at
several locations, two procedures are possible. One, identify
the locations first and then list the programs and functions
operating within each location. Or identify the programs and
functions first and then, for each multi-location program and
function, identify and list the locations at which it operates.
Either approach is acceptable as long as coverage is complete.
EPA is segmented mostly by division within a primary
organization. In some instances, however, the size of a branch
sparked the need for further segmentation. Refer to Addendum 3
for EPA's segmentation.
Once the ICC develops the program's inventory, the ICC should
document the information. The inventories provide the means for
organizing and managing the evaluation process.
A. Objectives of the Segmentation Process - Segmentation is
a prerequisite to preparing complete internal control
documentation and to conducting risk assessments and
internal control reviews. Therefore, it is important to
achieve all segmentation objectives.
The first objective is to divide EPA into discrete units
suitable for specific analysis. The second objective is to
ensure complete coverage of all EPA programs and functions.
B. Responsibilities - In general, it is the responsibility
of the Internal Control Staff
-------
2. Considering the nine general factors discussed on
page B-1;
3. Determining the level at which the Agency will be
segmented; and
4. Communicating its determination to the Internal
Control Coordinators, along with any recommendations
concerning optional actions.
The Internal Control Coordinators (ICCs) are responsible for
identifying the inventories of assessable units (AUs) and AU
managers for their organizations and communicating this
information to the ICS. The ICCs ensure that assessable
units cover all programs and functions.
Once the ICCs identify the inventories of assessable units,
the ICS then:
1. Reviews the ICC submissions;
2. Makes any necessary changes and determinations;
3. Prepares a final Agency-wide inventory of AUs; and
4. Distributes official copies of the AU inventory to
each organization's ICC.
C. Updating the AU Inventory - Occasionally, changes may
occur which result in the creation of new AUs or the
elimination of old ones. Therefore, the ICC must coordinate
with the ICS to keep the Agency-wide AU inventory current.
A change in organizational structure may warrant a risk
assessment of the affected function. To ensure appropriate
consideration of vulnerability, management must report any
reorganization or new divisions to the ICS as soon as
possible. If the reorganization creates a new budget
program activity/function, or abolishes or absorbs an old
one, the ICC must submit to the ICS a new certification of
the AUs pertinent to that primary organization.
The AU Manager should work with their ICC to perform a risk
assessment as a result of a change in the primary
organization's segmentation.
At present, the majority of Agency assessable units are
divisions, or smaller. While the Agency was initially
segmented by budgeting program elements (PEs), it switched
to division-based segmentation as a better program evolved.
B-3
-------
-------
INTERNAL CONTROL
DOCUMENTATION
For each assessable unit:
Identify each series of related steps that make up
a distinct and separate process or activity (event cycle).
EXAMPLE: Annual grant reviews; The Productivity Program;
review of permits; inspections.
For each event cycle:
List all desired goals or standards that ensure that the
component's mission and objectives are accomplished
efficiently and effectively (control objectives).
EXAMPLE: Plans are communicated throughout all management levels;
Lines of responsibility are clearly defined and documented;
Reports are accurate and timely.
For each desired goal:
Identify specific management processes or documents designed
to achieve the desired goals or to reduce risks to acceptable
levels (control techniques).
EXAMPLE: Planning calendars; Separation of duties; internal
procedures for delegating programs to states.
-------
INTERNAL CONTROL
DOCUMENTATION
Every Assessable Unit Manager (Division, Office or Lab)
needs to prepare documentation of internal controls for
their "repetitive" activities.
AU #9999
AUMGR: J. Jones
Event Cycle:
- Annual Grant Review
Control Objectives:
- Report accurate & timely
- Lines of responsibility clearly defined
Control Techniques:
- Planning calendars
- Separation of duties
AU #9998
AUMGR: Jane Doe
Event Cycle:
- Site Inspection
Control Objectives:
- Plans are communicated throughout all management levels
- Proper attire is worn during inspection
- All contaminated items are disposed of properly
Control Techniques:
- Planning calendars
- Issue to team prior to inspection
- Proper disposal unit available upon completion of inspection
AU #9997
AUMGR: J. Smith
Event Cycle:
- Productivity Candidates
Control Objectives:
- Selection process is equitable and justified
Control Techniques:
- Planning calendars
- Quarterly rankings
-------
CHAPTER C. DOCUMENTING EXISTING INTERNAL CONTROLS
I. PURPOSE
This chapter discusses EPA's procedures for documenting the
internal control process.
Documentation is one of the specific GAO standards for
implementing FMFIA:
"Internal control systems and all transactions and
other significant events are to be clearly documented,
and the documentation is to be readily available for
examination."
Program documentation includes written policies, manuals,
memoranda, organization charts, decision tables, completed
questionnaires, software, and related written materials.
Internal control documentation is written in a specific format;
it relates the "what", "why", and "how" of a specific program's
task.
A. Functions - Internal control documentation:
1. Describes the internal control methods and
measures;
2. Communicates responsibilities and authorities for
operating these methods and measures; and
3. Serves as a reference for persons reviewing the
internal controls and their functioning.
To comply with the GAO specific standard, the documentation of
internal control systems, transactions, and other significant
events must help managers in controlling their operations.
Documentation should also help auditors or others in analyzing
operations. The OIG has consistently found this to be a weakness
in EPA's Internal Control Program.
Documentation includes identification of each assessable unit's
event cycles ("what") and related objectives ("why") and control
techniques ("how"). Refer to Addendum 1 for definitions of event
cycle, control objective, and control technique.
B. Minimum Requirements - To fulfill the purposes listed
above, internal control documentation should:
1. Appear in management directives and administrative,
policy, and accounting manuals;
C-1
-------
2. Be complete and accurate; and
3. Help trace the event and related information
through the entire event cycle.
In other words, the documentation identifies the cycle of
activities that an AU performs, the objectives in each event
cycle, and the techniques used to achieve each objective.
Exhibits IV and V illustrate internal control documentation for
Regional units and Program units.
II. ROLES AND RESPONSIBILITIES
The Internal Control Staff (ICS) provides guidance and sets
deadlines in developing internal control documentation throughout
EPA.
The ICS delegated the responsibility for organizing the
documentation process to the ICCs. The ICCs provide guidance and
specific instruction on documentation to senior managers and
their staffs.
Managers are responsible for developing and maintaining complete
and accurate documentation for all program and administrative
functions.
III. PROCEDURES
After the ICCs identify all assessable units, the following steps
occur:
A. Identify all event cycles for each assessable unit - The
AU Manager can group all operations within a program or
function into one or more categories of related activities.
These activities make up the events that fulfill the mission
of the program or function. These are the event cycles.
They are the processes followed to perform related
activities, create the necessary documentation, and gather
and report data.
Typical examples of event cycles commonly found in EPA
operations are:
1. Policy and planning (for example, the OIG reviews
the Agency's implementation of the Internal Control
Program);
2. Program cycles (for example, various Superfund
functions);
C-2
-------
3. Administrative cycles (personnel, procurement,
budget, etc.); and
4. Assets management.
B. List all internal control objectives for each event
cycle - Control objectives are the goals for a specific
event cycle. Control objectives are necessary to minimize
the risk of waste, inefficiency, loss, unauthorized use, or
misappropriation. Furthermore, control objectives:
1. Ensure adherence to laws, regulations, and
policies;
2. Ensure that reliable data are obtained, maintained,
and recorded;
3. Safeguard resources against loss due to errors and
irregularities; and
4. Promote effective and efficient operations.
The control objectives for an event cycle should be
complete, logical, and give full consideration to the
related risks. For example, some common control objectives
associated with payroll event cycles are:
1. Payroll personnel must make payments only in return
for services rendered; and
2. Payroll personnel must record and distribute
payroll charges promptly.
Some common control objectives associated with management
event cycles are:
1. Developing and maintaining planning calendars for
specific events (for example, audit follow-up, contract
management, and individual personnel training); and
2. Policies and procedures to ensure that the program
achieves the objectives in accordance with laws and
regulations.
C. Identify specific internal control techniques - Internal
control techniques are the processes or documents necessary
to achieve the control objectives. Written procedures,
policy memoranda, and guidance documents usually outline
control techniques. Control techniques prevent specific
risks from occurring. Each control objective should have a
control technique explicitly linked to it.
C-3
-------
Some common control techniques are:
1. Separation of duties;
2. Execution of transactions;
3. Appropriate documentation;
4. Control over access to resources;
5. Adequate supervision; and
6. Reviews and evaluations.
C-4
-------
Exhibit IV
Page 1 of 4
REGIONAL
SAMPLES
FY 1987 FMFIA
INTERNAL CONTROL DOCUMENTATION
Region: 6
Assessable Unit: Air, Pesticides and Toxics Division
Prepared by: Hank May
Date: May 19, 1987
Dollars:
FTEs:
EVENT CYCLE
Radiation Program
Implementation
CONTROL OBJECTIVES
Assist States in emergency
response planning.
Characterize and identify
hazardous radioactive sites.
Assist in implementation of
standards.
CONTROL TECHNIQUES
Efforts are coordinated with the
Special Assistant for Emergency
Preparedness in HQ.
Monthly Activity Reports are
prepared for review by both HQ
and Region Officials.
Semi-annual meeting of national
program involving all Regions,
providing an opportunity for
direct interaction in emergency
planning.
Initial catalog distributed for
review and update.
All work coordinated through
Environmental Studies Branch.
Semi-annual meetings provide a
forum for generic problem
resolution.
Work Groups normally include
one or more Regional Reps from
areas where problem is most
severe to ensure that regulation
development properly considers
implementation of enforcement
consideration.
Enforcement requirements for
radionuclide NESHAPs will
incorporate input from Regions,
which will be involved in their
enforcement.
-------
Exhibit IV
Page 2 of 4
REGIONAL
SAMPLES
FY 1987 FMFIA
INTERNAL CONTROL DOCUMENTATION
Region: 6
Assessable Unit: Air, Pesticides and Toxics Division
Prepared by: Hank May
Date: May 19, 1987
Dollars:
FTEs:
EVENT CYCLE
CONTROL OBJECTIVES
Review Environmental Impact
Statements for radiation
facilities.
CONTROL TECHNIQUES
Monthly reports by Regions
identify EIS reviews under way
or completed.
Office of Federal Activities
serves as principal contact for
this activity.
-------
REGIONAL
SAMPLES
Exhibit IV
Page 3 of 4
FY 1987 FMFIA
INTERNAL CONTROL DOCUMENTATION
Region: 6
Assessable Unit: Water Management Division
Prepared by: Norm E. Thomas
Date: May 5, 1987
Dollars:
FTEs:
EVENT CYCLE
Permit Issuance
Determination on Requests for Variances from Permit Effluent Limitations
Evidentiary Hearings
Pretreatment Program
CONTROL OBJECTIVES
Issue permits in nonapproved
States to industries and
municipalities to reduce
permit backlog.
Resolve requests for waivers
and variances from effluent
limitation requirements.
Conduct and settle evidentiary
hearings requested by
dischargers and public interest
groups.
Control toxic pollutants from
indirect dischargers through
implementation of the
pretreatment program.
CONTROL TECHNIQUES
Regions submit priority list of
permits to be issued during
fiscal year.
Issue industrial permits based
on the second round industrial
permit strategy.
Issue municipal permits consistent
with National Municipal Policy
and WOS.
Issue general permits where
possible to reduce minor permit
backlog.
Conduct permit quality review of
EPA issued permits.
Quarterly tracking of EPA and
NPDES States through SPMS and
OWOGAS.
Conduct evaluation, review and
subsequent permit (See above for
Permit Controls).
Assist in the development of resolution
of hearing requests.
Track hearings through evidentiary
hearing system.
Issue AOs or referrals where
necessary requiring POTWs with
non-approved pretreatment programs.
-------
REGIONAL
SAMPLES
FY 1987 FMFIA
INTERNAL CONTROL DOCUMENTATION
Exhibit IV
Page 4 of 4
Region: 6
Assessable Unit: Water Management Division
Prepared by: Norm E. Thomas
Date: May 5, 1987
Dollars:
FTEs:
EVENT CYCLE
State Programs
CONTROL OBJECTIVES
Work with States to foster
State NPDES program approval
and where necessary State
Program modifications
regulations.
To ensure adequate program
implementation of delegated
NPDES programs.
CONTROL TECHNIQUES
Implement programs where
necessary in POTWs with
non-approved pre-treatment
programs.
Assess adequacy of State
regulations.
EPA HQ official approval
of program and program
modification.
Conduct permit quality reviews.
Quarterly assessment through
SPMS and OWOGAS of NPDES
State progress in permits
issuance.
On-going evaluation by Regions
via Memorandum of Agreement
establishing permit overview
role.
Review State programs through
QNCRs and assess adequacy of
State regulations.
-------
PROGRAM SAMPLES
Exhibit V
Page 1 of 3
INTERNAL CONTROL REVIEW
EVALUATING CONTROL TECHNIQUES: Air Quality & Stationary Source Planning & Standards
Assessable Unit
FUNCTION: EVENT CYCLE:
Pollutant Strategies
& Air Standards Development
TYPE OF CONTROL
Documentation; Records; Authorization; Structure; Supervision; Security; Other
CONTROL OBJECTIVE
1. Review & revision of the NAAQS
[Table of X marks assigning each specific technique to a type of control; the column positions are not recoverable.]
SPECIFIC TECHNIQUES
CASAC review of criteria
documents & staff papers
RIA
Working Group
Steering Committee
Options Selection
Red Border
OMB review
Public hearings & comment
CASAC review of proposal
Public docket
ATS & GEMS
-------
EPA'S RISK ASSESSMENT SCORING*
HEADQUARTERS PROGRAM OFFICES (OAR, OPTS, OSWER and OW)
HEADQUARTERS SUPPORT OFFICES (OA, OARM, OEA, OECM, OIG, OGC, OPPE and ORD)
REGIONAL OFFICES (REGIONS I - X)
HIGH: 63 or greater
MEDIUM: 41 to 62
LOW: 0 to 40
* Based on 1986 Risk Assessments. This scale may change for the 1989 Risk Assessment.
-------
CHAPTER D. RISK ASSESSMENT PROCESS
I. PURPOSE
This chapter discusses EPA's procedures for conducting risk
assessments (RAs) of Agency assessable units. OMB requires
agencies to conduct risk assessments once every five years.
However, EPA has established a three year risk assessment cycle,
due to changes in EPA's authorizing statutes and major
fluctuations in EPA's budgets. The next EPA risk assessment will
be in 1989 and every three years thereafter.
A. Requirement -- The OMB Guidelines require agencies to
assess the risk of funds, property, and other assets of
assessable units (AUs) to waste, loss, unauthorized use, and
misappropriation. Managers conduct risk assessments after
the ICC segments the Agency into assessable units.
B. Objectives - Assessable Unit managers conduct risk
assessments on AUs to determine whether:
1. Obligations and costs comply with the law;
2. Funds, property, and other assets are adequately
safeguarded against waste, loss, unauthorized use, or
misappropriation; and
3. Revenues and expenditures of Agency operations are
properly recorded and accounted for to:
a. Permit preparation of accounts and reliable
financial and statistical reports; and
b. Maintain accountability over assets.
II. ROLES AND RESPONSIBILITIES
The Internal Control Staff (ICS) of the Office of the Comptroller
(OC) coordinates the overall EPA risk assessment process. At the
primary organization level, the Internal Control Coordinator
(ICC) coordinates the risk assessment process for that
organization. In turn, the ICC designates an AU manager to
conduct the risk assessment at the assessable unit level.
Well in advance of the risk assessment process, ICS provides each
ICC, to distribute to the AU managers, the appropriate guidance
and schedule for conducting the risk assessment in their
respective primary organizations. The schedule indicates the
deadlines and organizational responsibilities for performing each
step of the EPA risk assessment process.
D-1
-------
III. PROCEDURES
OMB Circular A-123 requires agencies to maintain an ongoing risk
assessment process covering all agency components and AUs.
A. Cycle - EPA will conduct risk assessments once every
three years. In addition, EPA Resource Management Directive
2560 requires EPA primary organization heads (POHs) to
conduct risk assessments for each assessable unit as
required by schedules established with the Office of
Administration and Resources Management (OARM).
B. Risk Assessments Outside the Regular Cycle -
Occasionally, reorganization within the Agency may occur
which results in the creation of a new assessable unit
between risk assessment cycles. To ensure appropriate
consideration of risk, the manager of the newly created
assessable unit must complete a risk assessment form and
forward it to the Internal Control Staff. Exhibit VI,
located at the end of this chapter, illustrates a sample
risk assessment form. Furthermore, OMB Circular A-123
requires that risk assessments be conducted on new or
substantially revised programs and the results reflected in
the Management Control Plan (MCP).
C. Four-Step Process - The OMB Guidelines provide the basis
for EPA's risk assessment process. It consists of the four
steps illustrated in the graphic at the beginning of this
chapter.
control environment" refers to several factors which
have a major impact on the effectiveness of EPA
internal controls. The OMB Guidelines list the
following factors and accompanying questions to
consider in evaluating the general control environment
of an assessable unit:
a. Management Attitude - Does management
communicate to employees the importance of
establishing and maintaining a strong internal
control system?
b. Organization Structure - Have the
organizational units needed to perform necessary
functions been identified? Have appropriate
reporting relationships among these units been
established?
c. Personnel - Are organization personnel
competent? What about their integrity?
D-2
-------
d. Delegation and Communication of Authority and
Responsibility - Has authority been delegated
appropriately or limited to ensure that
responsibilities are effectively discharged?
e. Policies and Procedures - Are the policies and
procedures of the organization defined and
documented? Have all employees been informed of
how the organization is to perform in various
situations?
f. Budgeting and Reporting Practices - Have
organizational budgeting and reporting practices,
goals, and accomplishments been specified and
communicated to employees?
g. Organizational Checks and Balances - Have
appropriate financial and management controls,
internal auditing, and other checks and balances
been established?
h. ADP Consideration - What are the strengths and
weaknesses of the ADP system? Do appropriate ADP
controls exist?
Managers determine these factors by reviewing
documented policies and procedures, talking with
management and other personnel, observing
organizational practices, and drawing upon
familiarity with the operation of the assessable
unit.
Management evaluates the general control
environment by completing Questions 1-8 of the EPA
Risk Assessment Form, illustrated in Exhibit VI.
2. Analyze Risk - The second step is to analyze the
potential of each assessable unit for waste, loss,
unauthorized use, or misappropriation of funds,
property, and other assets.
The AU manager must consider the following factors in
evaluating risk:
a. Purpose and characteristics of the program or
administrative function;
b. Budget level of the program or administrative
function;
D-3
-------
c. Financial and nonfinancial impact on personnel
and organizations outside of EPA;
d. Age and life expectancy of the program or
administrative function;
e. Degree to which the program or administrative
function is centralized or decentralized;
f. Special concerns for a program or
administrative function;
g. Prior reviews of the program or administrative
function; and
h. Management responsiveness to recommendations
from the Inspector General, the General Accounting
Office, and other evaluators.
The OMB Guidelines, attached as Appendix 3, discuss
these factors in greater detail.
Questions 9-22 of the EPA Risk Assessment Form,
illustrated in Exhibit VI, help the manager to evaluate
the risk factors.
The analyst (or any other "program expert") should also
provide any additional information which would affect
the overall rating of any individual risk factor.
3. Perform Preliminary Evaluation of Safeguards - The third
step involves determining the existence and adequacy of
assessable unit internal controls. The primary
consideration is whether appropriate internal controls exist
to prevent — or at least minimize — the risk of waste,
loss, unauthorized use, or misappropriation.
This evaluation can only be performed if the assessable unit
has internal control documentation in place. (For
documentation requirements, see Chapter C.)
At this stage, an in-depth evaluation of existing internal
controls would be inappropriate. The evaluator's judgment
should be thorough and based on a working knowledge of the
assessable unit.
One way of evaluating safeguards is the "worst case
scenario" approach. With this method, the evaluator tries
to determine what loss(es) might realistically occur if
there were no safeguards or if existing safeguards were
inadequate. Then, the evaluator determines the safeguards
necessary to prevent the anticipated losses.
D-4
-------
Questions 23-24 of the EPA Risk Assessment Form, shown in
Exhibit VI, help the evaluator to conduct a preliminary
assessment of safeguard factors.
4. Summarize the Risk Assessments - The ICS collects all of
the completed EPA Risk Assessment Forms and categorizes them
into three groups - Headquarters Program Offices,
Headquarters Support Offices, and Regional Offices - to
provide office-specific information for each of these groups
and to allow comparisons to be made between similar
assessable units. For each of these three groups, the ICS
separately determines the normal distribution, determines
cutoff points for moderately and highly vulnerable rankings,
and ranks the assessable units according to risk.
The ICS then distributes a scoring sheet to each office
which lists the current risk assessment score for each
assessable unit within that particular office. The scoring
sheet lists each assessable unit within the office by its
proper title, and also includes an analysis sheet which
explains how the ICS determined the scoring categories for
that office. It is important that each AU manager list the
office being reviewed by its proper title when completing
the form.
After each rating is conducted and risk assessments
assigned, the assessable units scoring high must address
their potential vulnerability by conducting an internal
control review or alternative internal control review by the
end of the following fiscal year. Managers of highly
vulnerable assessable units must report on their actions in
that year's annual assurance letter. (See Chapter K)
These ratings are significant because they are also
reflected on other EPA documents, such as the Management
Control Plan and the annual assurance letter. As stated in
the OMB Circular A-123 Revised, "Risk assessments are to be
considered as part of developing the MCP." Thus it is
important for the AU managers to make a conscientious effort
to plan and conduct a thorough and timely risk assessment
within their assessable unit.
Addendum 3 lists the assessable units for all of EPA. For
each of these three office groups, the list contains each
assessable unit number and the proper title of the
assessable unit. Although not listed on Addendum 3, the
complete EPA Assessable Unit listing also contains the
numerical risk assessment score, and an alphabetical risk
assessment score indicating a high (H), medium (M), or low
(L) score, resulting from the FY 1986 Risk Assessments.
D-5
-------
Questions or requests for further information regarding the
risk assessment scores or process may be directed to the
Internal Control Staff, Resource Management Division,
PM-225.
D-6
-------
Exhibit VI
Page 1 of 3
EPA RISK ASSESSMENT FORM
WHY TO FILE:
(1) New Program
(2) Reorganization
(3) Changing Legislation
(4) Resegmentation
(5) New Assessment in 1989
HOW TO FILE:
(1) Each Assessable Unit Manager (usually Division Director)
prepares Risk Assessment Form
(2) Based on personal knowledge, answers all questions.
(3) Multiple answers may be appropriate, Internal Control
Staff only counts highest number if more than one block
is marked.
(4) Assessable Unit Manager signs and dates form and
delivers to Program's Internal Control Coordinator
(5) Internal Control Coordinator signs and dates form and
delivers to Agency Internal Control Staff
(6) Agency Internal Control Staff assigns numerical and
alphabetic risk assessment score
(7) Program's Internal Control Coordinator notified of
rating.
(8) Program's ICC notifies AU Manager of rating
WHO WILL HELP:
(1) Contact Program's ICC
(2) Contact Agency Internal Control Staff (382-4160)
-------
EPA RISK ASSESSMENT FORM
PRIMARY ORGANIZATION
ASSESSABLE UNIT NAME
AU MANAGER'S NAME
AU NUMBER
TITLE
Exhibit VI
Page 2 of 3
GENERAL CONTROL ENVIRONMENT:
Score
1. Emphasis on Internal Controls:
Major ( ) 1
Moderate ( ) 2
Minor ( ) 3
2. Organizational Structure:
Organization chart current, job descriptions complete, reporting requirements clear ( ) 1
Factors acceptable but improvements needed ( ) 3
Major improvements needed ( ) 5
3. Personnel Considerations:
Adequate no. of qualified and trained personnel ( ) 1
No. of qualified personnel adequate but some training needed ( ) 3
Insufficient personnel/majority of staff unqualified or untrained ( ) 5
4. Delegation of Authority:
Limited and precise ( ) 1
Broad and precise ( ) 2
Limited and vague ( ) 3
Broad and vague ( ) 4
No written authority ( ) 5
5. Coverage by Written Procedures:
Extensive, detailed, and enforced ( ) 1
Essentials only, but enforced ( ) 2
Extensive, only partial enforcement ( ) 3
Partial coverage and enforcement ( ) 4
No written procedures ( ) 5
6. Budgetary/Organizational/Performance Goals:
Goals established and accomplishments monitored ( ) 1
Goals established, some monitoring ( ) 2
Goals established, but no monitoring ( ) 3
Goals used informally with little or no follow-up ( ) 4
Goals not established ( ) 5
7. Adequacy of Checks and Balances:
Not applicable ( ) 0
Adequate ( ) 1
Need improvement ( ) 3
Required but totally lacking ( ) 5
8. ADP Usage - Operation and Reporting:
Not a factor ( ) 0
Minor factor ( ) 1
Moderate factor ( ) 3
Major factor ( ) 5
ANALYSIS OF INHERENT RISK:
9. Nature of Program(s):
None of the following ( ) 0
Interagency agreements ( ) 1
Contracts ( ) 2
Contracts & grants ( ) 3
Assistance programs - grants ( ) 4
Assistance programs - cooperative agreements ( ) 5
10. Legislative Authority:
Limited and precise ( ) 0
Broad and precise ( ) 1
Limited and vague ( ) 3
Broad and vague ( ) 5
11. External Impact or Sensitivity:
Not applicable ( ) 0
Low ( ) 1
Moderate ( ) 3
High ( ) 5
-------
Exhibit VI
Page 3 of 3
Score
12. Status of Authorizing Legislation:
Relatively stable (
Covered by sunset (
Recently reauthorized (
Reauthorization within 3 years (
Expiration within 3 years (
13. Budget Level/Property Controlled:
Zero ( ) 0
Up to $5 million ( ) 1
$5 - $25 million ( ) 2
$26 - $50 million ( ) 3
$51 - $100 million ( ) 4
Over $100 million ( ) 5
14. Changes in Funding/Staff Resource Levels:
Program reassignment in last 18 months ( ) 1
0-6% increase from last year ( ) 2
Over 6% increase from last year ( ) 3
0-6% decrease from last year ( ) 4
Over 6% decrease from last year ( ) 5
15. Age of Program(s) or Activity(ies):
More than 10 years ( ) 1
7-10 years ( ) 2
4-6 years ( ) 3
1-3 years ( ) 4
Less than 1 year ( ) 5
16. Type of Administration:
EPA Headquarters only ( ) 1
EPA Headquarters-Regions ( ) 2
Joint EPA-State ( ) 3
Third Party involvement ( ) 4
Total third party ( ) 5
17. Interaction Across Organization:
Exclusive to one primary organization ( ) 1
Within two primary organizations ( ) 2
More than two primary organizations ( ) 3
Involvement with other Fed Agencies ( ) 4
Involvement with other organizations ( ) 5
18. Recent Audits/Evaluations:
Within last 9 months ( ) 1
Between 9 and 24 months ( ) 3
More than 2 years ( ) 5
19. Recent Instances of Errors/Irregularities:
None in the last 18 months ( ) 1
Minor findings, errors corrected ( ) 2
Major findings, errors corrected ( ) 3
Minor findings, errors outstanding ( ) 4
Major findings, errors outstanding ( ) 5
20. Adequacy of Reports:
Accurate and timely ( ) 1
Accurate but sometimes late ( ) 2
Accurate but usually late ( ) 3
Sometimes inaccurate and/or late ( ) 4
Usually inadequate and late ( ) 5
21. Type of Transaction Document:
Non-convertible instruments ( ) 1
Convertible to services only ( ) 3
Directly convertible to cash ( ) 5
22. Operational Time Constraints:
Not a significant factor ( ) 1
A moderate factor ( ) 3
A significant daily factor ( ) 5
PRELIMINARY ASSESSMENT OF SAFEGUARDS:
23. Assumed Effectiveness of Existing
Controls:
High ( ) 1
Moderate ( ) 3
Low ( ) 4
No existing controls ( ) 5
24. Costs/Benefits of Existing Controls:
Costs well worth the benefits ( ) 1
Question whether costs outweigh the benefits ( ) 3
Costs outweigh the benefits ( ) 5
COMMENTS:
25.
SIGNATURES:
AU MANAGER Date:
IC COORDINATOR Date:
-------
-------
THE MANAGEMENT
CONTROL PLAN (MCP)
What it can do for you:
• Identifies inventory of assessable units
• Shows rating of each assessable unit (high, medium
or low)
• Identifies areas of management concern
• Reports on past reviews and shows where future
reviews are planned (over 5 years)
• Allows managers to plan and participate in joint
reviews with other managers in Headquarters,
Regions and field locations
• Allows managers to make maximum use of travel
and personnel resources
• Allows managers to observe what other managers
are reviewing in similarly structured programs
• Allows managers to share successful approaches
to addressing problem areas
• Eases paperwork burden and streamlines process
via a computerized d-Base system.
-------
-------
CHAPTER E. DEVELOPMENT OF A MANAGEMENT CONTROL PLAN
I. PURPOSE
The primary purpose of the Management Control Plan (MCP) is to
facilitate implementation of the FMFIA. The MCP is a written
document displaying the risk assessments, planned actions and
internal control evaluations which management will undertake to
provide reasonable assurance that controls are in place and
effectively working.
The objectives of the MCP are to:
- Identify assessable unit (AU) component inventory;
- Show the risk rating of each AU (high, medium, or low);
- Provide for needed internal control evaluations over a
five-year period;
- Monitor areas of management concern; and
- Assist managers and Internal Control Coordinators in
developing their assurance letters each year.
The 1987 memo from the Deputy Director of OMB, attached at the
end of this chapter as Exhibit VII, emphasizes the significance
of the MCP:
"This 'MCP' represents your strategy for achieving the
goals of the Integrity Act and OMB Circular A-123 and
you can expect that this plan will be reviewed
carefully by Congress since it will reflect your
program to improve your Agency's delivery of services
in a more controlled and improved management fashion."
II. REQUIREMENTS
OMB Circular A-123 Revised (attached as Appendix 4) requires each
agency to develop a Management Control Plan to provide for
necessary evaluations over a five-year period. OMB requires
agencies to:
- Base the MCP upon the schedule of actions in each major
component;
- Identify the senior managers responsible;
E-1
-------
- Act upon high risk components and material weaknesses
during the first year of the MCP; and
- Update their MCP annually.
OMB required the first MCP to be issued and in effect by December
31, 1987. With the Administrator's review and approval, EPA
submitted a summary of its 1987 Management Control Plan to OMB in
December, 1987. Exhibit VIII, at the end of this chapter,
provides a copy of the transmittal letter and 3 excerpts from
this 1987 EPA Management Control Plan.
(The 1987 EPA Management Control Plan in its entirety is
available from the Internal Control Staff, Resource Management
Division.)
III. ROLES AND RESPONSIBILITIES
AU Manager - Each assessable unit manager within each
Primary organization is responsible for completing an MCP
every year. The AU manager submits the completed MCP to the
Primary Organization (PO) Internal Control Coordinator by
the specified date.
PO Internal Control Coordinator - Assembles the PO's
complete MCP in numerical sequence, and ensures legibility,
clarity, and accuracy. Resolves any discrepancies before
submitting the MCP to the ICS.
Internal Control Staff - The ICS gathers all of the
completed MCPs, summarizes the data, and prepares an overall
EPA Management Control Plan. Based upon the Administrator's
review and approval, EPA submits the consolidated MCP to OMB
at the end of the calendar year.
IV. PROCEDURES FOR COMPLETING THE MCP
Exhibit IX provides a Program Office, Support Office, and
Regional Office sample MCP reporting form with required and
optional information. Exhibit X provides a blank MCP reporting
form for use by AU managers. The instructions for completing the
MCP form follow:
TITLE INFORMATION - The Agency name, form name, and five-year
period covered by the MCP are preprinted.
HEADER INFORMATION BLOCK
Primary Organization (PO) - Enter the proper name of
the PO of which the Assessable Unit (AU) is a part.
E-2
-------
Regions I through X, Headquarters AA-ships (i.e., the
Office of Air and Radiation), the Office of General
Counsel, and the Office of Inspector General are
Primary Organizations. These are the ONLY titles to
appear in this line.
Assessable Unit (AU) - Enter the proper name of the
Assessable Unit. (Usually a division — see Addendum 3
if you are unsure of your proper title.)
AU Number - Enter the number assigned to the AU in the
1986 Risk Assessment. For a new AU, enter the number
provided by the PO Internal Control Coordinator.
AU Manager - Enter the name of the AU manager.
1986 Risk Assessment Rating - Enter the rating (high,
medium, or low) which the AU received in the 1986 risk
assessment. For a new AU, enter the rating received
from the ICS based on the risk assessment conducted by
the AU manager.
MAIN INFORMATION BLOCK
Sub-unit - Determine and enter the proper names of the
AU's sub-units. Examples of AU sub-units might be
branches, staffs, groups, labs, etc.
No. (optional) - Enter numbers/letters used to
identify sub-units.
Other Information (optional) - Enter the names of
the sub-unit managers.
Completed Reviews - List reviews (either ICR or AICR)
conducted in the AU in 1986 (or current reporting year)
on the lines across from the appropriate sub-unit.
Note if reviews covered multiple sub-units or the
entire AU. Types of reviews include:
Internal Control Reviews (detailed reviews
following OMB Guidelines)
Alternative Internal Control Reviews such as:
- Management Reviews (reviews of management
functions)
- Program Reviews (reviews of programmatic
functions)
- GAO or OIG Audits (audit reviews other
than investigations)
- Other Reviews (reviews not falling in the
above categories)
E-3
-------
Reviews listed must test controls and produce a written
report. In a footnote, describe any review reported as
an "Other Review". If you cannot list all reviews on
the form, use blank forms as continuation sheets and
number them "1 of .'"
Planned Reviews - List reviews (either ICR or AICR)
planned for 1987-1991. As the years pass, the
reporting periods will be 1988-1991, 1989-1991, and so
forth. Reference the instructions for Completed
Reviews when completing this section.
Significant Weaknesses - This column serves two
purposes. (1) Optional but recommended: Enter
weaknesses reported to the Administrator or identified
in reviews reported in the MCP. (2) Required: Enter
weaknesses reported to the President in the assurance
letter on the lines of the appropriate sub-units. Note
if they involved multiple sub-units or the entire AU.
In a footnote with an "*", describe the weakness, the
year identified, and the year corrected or scheduled
for correction.
AU MANAGER SIGNATURE - After completing the form, the AU
manager must sign and date it.
PLEASE DIRECT QUESTIONS ABOUT THESE PROCEDURES OR THE MCP FORM TO
YOUR PRIMARY ORGANIZATION INTERNAL CONTROL COORDINATOR.
E-4
-------
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
December 1987
M-88-08
MEMORANDUM FOR HEADS OF DEPARTMENTS AND ESTABLISHMENTS
FROM: Joseph R. Wright, Jr.
Chairman, President's Council on Integrity and Efficiency
Deputy Director of the Office of Management and Budget
SUBJECT: Achieving the Goals of the Federal Managers'
Financial Integrity Act
The Federal Managers' Financial Integrity Act requires that
you forward to the President and the Congress a report on your
Agency's activities, problems and accomplishments in the areas of
financial and operating controls by the end of this month.
This Act and the implementing guidance contained in OMB
Circular A-123 "Internal Control Systems," have resulted in a
government-wide program that identified more than 1,500 material
weaknesses in the way we operate our Executive Branch agencies—
we have already corrected over 1,100 of them.
While our progress in some areas is impressive, much
remains to be done for us to be able to certify that all agency
heads are truly "in control" of their operations. In order to
make sure this happens, your agency already has been asked to
prepare a Management Control Plan (MCP) which is to be issued and
in effect by December 31, 1987. This Plan will be reviewed by
your Inspector General and include an inventory of your agency's
operations, "risk ratings" of the various areas and a
description of the internal control reviews that will be
performed over the next five years.
This "MCP" represents your strategy for achieving the goals
of the Integrity Act and OMB Circular A-123 and you can expect
that this plan will be reviewed carefully by Congress since it
will reflect your program to improve your agency's delivery of
services in a more controlled and improved management fashion.
Since this is the first time for the plan, I request that
you and your Deputy personally review and approve your agency's
plan. During 1988, I would like you to ask your Deputy to
personally continue to oversee the program by monitoring
adherence to the time frames for conducting scheduled control
reviews and correcting identified major—or "material"
weaknesses. Slippage in either area will seriously impair the
program and reflect adversely on our ability to meet the goals of
the Act.
-------
Exhibit VII
Page 2 of 2
Our Chief Financial Officer of the Government, Gerald R.
Riso, will be working with your people to review the MCP's and
advise you of their completeness and adequacy. However, you and
your deputy's continued oversight of the program is necessary if
we are to achieve the planned results. After all, this is our
Administration's promise to the taxpayers, and the Congress, that
they are getting the government they pay for. Thank you.
cc: Deputy Heads of Departments and Establishments
President's Council on Integrity and Efficiency
President's Council on Management Improvement
Agency Chief Financial Officers
-------
Exhibit VIII
Page 1 of 8
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF ADMINISTRATION AND RESOURCES MANAGEMENT
Mr. Gerald Riso
Associate Director for Management
Office of Management and Budget
Washington, D.C. 20503
Dear
I am pleased to enclose EPA's 1987 Management Control Plan
(MCP) as required by OMB Circular A-123, revised August 1986, on
Internal Controls. The Administrator has reviewed and supports
EPA's MCP.
This plan reflects our Agency's continuing effort to implement
the requirements of the Circular and the Federal Managers'
Financial Integrity Act. Not only does this plan detail our
managers' accomplishments, it also demonstrates their continuing
commitment for reviewing the risk in their programs and improving
controls in concert with other management processes.
Consistent with OMB's guidance, our plan summarizes the
Agency's risk assessment evaluations, planned actions, and
internal control reviews and alternative reviews to be undertaken
to provide reasonable assurance that controls are in place and
working. Each primary organization at EPA has prepared a detailed
MCP showing the types of reviews conducted in 1986 as well as the
types of reviews planned for 1987 through 1991. In total, EPA
conducted 13 Internal Control Reviews and 875 Alternate Internal
Control Reviews in 1986. The reviews planned for 1987 through
1991 consist of 72 Internal Control Reviews and 2,682 Alternate
Internal Control Reviews.
If you have any questions about our plan, please give me a
call or have your staff contact John J. Sandy, Director of our
Resource Management Division, on 382-4425.
Sincerely,
C. Morgan Kinghorn
Acting Assistant Administrator
for Administration and
Resources Management
Enclosure
-------
-------
Exhibit VIII
Page 2 of 8
-------
Exhibit VIII
Page 3 of 8
-------
Exhibit VIII
Page 4 of 8
-------
Exhibit VIII
Page 5 of 8
-------
Exhibit VIII
Page 6 of 8
-------
Exhibit VIII
Page 7 of 8
-------
Exhibit VIII
Page 8 of 8
-------
-------
Exhibit IX
Page 1 of 3
-------
Exhibit IX
Page 2 of 3
-------
Exhibit IX
Page 3 of 3
-------
-------
Exhibit X
-------
-------
INTERNAL CONTROL EVALUATIONS
ALTERNATIVE INTERNAL CONTROL REVIEW (Not as difficult as an ICR)
FORMAL INTERNAL CONTROL REVIEW
EVALUATE INTERNAL CONTROLS WITHIN EVENT CYCLES
- Determine internal control objectives for each event cycle
- Determine whether appropriate internal control techniques are in place
- Evaluate adequacy of internal control techniques
TEST INTERNAL CONTROL TECHNIQUES
- Select a representative sample of transactions
- Determine whether internal control techniques are being satisfactorily
implemented
EVALUATE AND REPORT TEST RESULTS
- Evaluate test results
- Draw conclusions
- Develop recommendations for corrective action
- Prepare ICR report
* An AICR does not require as intensive a review as the formal ICR.
-------
-------
CHAPTER E. INTERNAL CONTROL EVALUATIONS:
INTERNAL CONTROL REVIEWS OR
ALTERNATIVE INTERNAL CONTROL REVIEWS
I. PURPOSE
This chapter discusses EPA's procedures for conducting internal
control reviews (ICRs) and alternative internal control reviews
(AICRs).
An Internal Control Review (ICR) is a detailed examination of a
system of internal control in accordance with EPA internal
control review guidance dated October 1983. The purpose is to
determine whether adequate control measures exist and are
implemented to prevent or detect potential risks
cost-effectively.
An Alternative Internal Control Review (AICR) is any review of
internal controls which does not use the full event cycle
methodology required by OMB and EPA guidelines.
Inspector General audits, computer security reviews, management
studies, and reviews conducted in accordance with other OMB
Circulars (financial - A-127 and ADP - A-130) are examples of
alternative internal control reviews. Such reviews usually focus
on high risk areas/activities and determine whether the control
techniques in an agency component are operating in compliance
with OMB Circular A-123. They may focus on medium or low risk
areas as deemed appropriate by the AU manager. AICRs must
determine overall compliance and include testing of controls.
If you are conducting an AICR, it must:
- Test internal controls (located in the internal control
documentation);
- Result in a written report identifying the area reviewed,
and its risk rating, the reviewer, the findings, and the
recommendations; and
- Specify corrective action, if needed.
Exhibit XI, located at the end of this chapter, illustrates a
sample AICR report.
The decision to conduct an ICR or an AICR is a management
decision that depends on the degree of risk in the activity, the
length of time since the function was last reviewed, the amount
of resources flowing through the function, and the amount of
resources available to conduct the review. EPA does not provide
resources in its budget allowances to carry out the internal
control program.
F-l
-------
While the procedures for conducting an ICR are somewhat different
than those for an AICR, the requirements, purpose, roles and
responsibilities discussed below are the same for both the ICR
and the AICR processes.
A. Requirement - FMFIA, OMB Circular A-123 (revised), and
the OMB Guidelines require agencies to conduct ICRs/AICRs on
an ongoing basis. In addition, EPA Resource Management
Directive 2560 requires EPA officials to schedule and
perform SOME ICRs/AICRs annually as a basis for providing
"reasonable assurance" to the EPA Administrator.
B. Objectives - ICRs/AICRs are conducted to:
1. Determine whether adequate internal control
objectives and techniques exist and are implemented
cost-effectively to prevent or detect potential risks;
2. Identify weaknesses in either the design or
functioning of the internal control system which should
be corrected and develop recommendations to correct
them; and
3. Provide information for the annual report on the
status of internal controls in the organization.
The results of the risk assessment process, discussed in
Chapter D, often provide a basis for planning the ICR/AICR.
Exhibit XII compares ICRs/AICRs with risk assessments.
II. ROLES AND RESPONSIBILITIES
The Internal Control Coordinators (ICCs) are responsible for
coordinating ICRs/AICRs within the Agency's primary
organizations. The ICCs should periodically review AICR reports
to ensure the organization understands the criteria of the AICR.
A line manager usually conducts the actual ICR/AICR. This
section refers to the person who performs the ICR/AICR as the
"ICR analyst."
The ICS is available to review your ICR report for completeness
and accuracy. The ICS will also serve as a "sounding board" for
possible AICR methods and techniques.
F-2
-------
III. SCHEDULING ICRs/AICRs
Based on the Management Control Plan, the ICR analyst should
conduct ICRs/AICRs. Timely completion of an ICR/AICR is
important. The primary focus, however, should be on thoroughness
and quality rather than on a specific completion date. Exhibit
XIII illustrates a sample action plan for completing internal
control reviews.
In scheduling and conducting an ICR/AICR, the ICC and ICR analyst
should consider factors such as the results of risk assessments,
management priorities, available resources, and other planned or
ongoing management initiatives. This planning will help to avoid
duplication of effort and excessive demands on Agency staff. The
timing of the review should also consider the size, scope and
objective of the review in order that sufficient time be allowed
for completion and resolution of report findings prior to the
annual certification reporting.
IN ANY CASE, SOME ICRS/AICRS MUST BE CONDUCTED EVERY YEAR IN
ORDER TO PROVIDE THE ADMINISTRATOR, THE PRESIDENT, AND THE
CONGRESS WITH THE "REASONABLE ASSURANCE" WHICH FMFIA REQUIRES.
Ordinarily, an ICC or an ICR analyst would schedule an ICR/AICR
if:
A. The risk assessment of the previous fiscal year rated a
program or function as highly vulnerable;
B. A risk assessment or other review identified weaknesses
which EPA management judges to be material;
C. A risk assessment or other review identified material
weaknesses that:
1. Impair fulfillment of the Agency's mission;
2. Deprive the public of needed Government services;
3. Violate statutory or regulatory requirements; or
4. Result in a conflict of interest; or
D. A program or function involves a high level of resources
(money, people, equipment, etc.), is complex, or is heavily
delegated and may always be considered potentially
vulnerable.
F-3
-------
IV. PROCEDURES FOR CONDUCTING INTERNAL CONTROL EVALUATIONS
Some of the requirements for conducting Internal Control Reviews
(ICR) also apply to Alternative Internal Control Reviews (AICR),
with differences occurring only in the steps and depth of the
review. This section presents general guidance for conducting
the more extensive ICR. This section notes where the ICR
guidance also applies to AICRs.
EPA's ICR process is based on OMB's Guidelines and is specified
in two documents:
OARM's Guide to the Preliminary Review Process, September 1983;
and
OARM's Guide for Performing Internal Control Reviews, October
1983.
These guides should be available from the Internal Control
Coordinators. The ICS can also make these available.
An ICR begins after event cycle documentation is complete. As
discussed in Chapter C, documentation is the process which
identifies the event cycles, specifies the internal control
objectives relating to each cycle, and details the control
techniques that apply to the cycles. (Chapters C and D discuss
the steps required for documentation.)
Most of the AUs characterized as "highly vulnerable" and most of
the issues on which ICRs are scheduled are too large and
complicated for a single, detailed analytic project. The ICR
analyst should begin the ICR by identifying the relatively risky
event cycles and objectives. That way, the ICR analyst can
invest scarce analytic resources on the most productive areas.
The steps the ICR analyst should consider include:
- Reviewing all relevant GAO documentation;
- Reviewing the risk assessment, any preliminary reviews,
GAO reports, management studies, and the like to understand
the risks associated with the program or function;
- Identifying the relatively risky event cycles in the
assessable unit;
- Identifying the most important internal control
objectives; and
- Selecting the appropriate focus or subject for the review
and writing an explanation of the rationale for the
selection.
F-4
-------
EPA's Internal Control Review process consists of:
- Evaluating internal controls within event cycles;
- Testing internal control techniques; and
- Reporting the results.
The following pages discuss these steps in greater detail.
A. Evaluating Internal Controls Within Event Cycles - This
step consists of evaluating existing internal control
objectives for an event cycle, determining whether
appropriate internal control techniques are in place, and
identifying necessary, inadequate, and unnecessary internal
control techniques. The following paragraphs describe each
of these substeps.
1. Identifying Internal Control Objectives - The ICR
analyst first reviews the internal control objectives
for the event cycle. The internal control objective
should already be listed in the event cycle
documentation.
The ICR analyst should review the event cycle
documentation to determine whether the list of internal
control objectives for each event cycle is complete,
logical, and relevant to the event cycle. If internal
control objectives are not adequately documented, the
ICC should assist the ICR analyst in developing and
documenting appropriate internal control objectives for
the event cycles. (For examples of documentation, see
Chapter C.)
2. Determining Whether Appropriate Internal Control
Techniques Are In Place - Next, the ICR analyst should
continue to examine the event cycle documentation and
determine whether appropriate internal control
techniques are in place to enable the internal control
objectives to be met effectively and efficiently.
(Internal control objectives are established because a
risk exists. Internal control techniques are
implemented to prevent the risk from occurring.)
If internal control techniques are not adequately
documented, the ICC should assist the ICR analyst in
developing and documenting the appropriate internal
control techniques. (For examples of documentation,
see Chapter C.)
F-5
-------
3. Evaluating the Adequacy of Internal Control
Techniques - Finally, the ICR analyst should identify
the internal control techniques which are necessary,
inadequate, and unnecessary.
The ICR analyst must determine whether the application
of the internal control techniques accomplishes the
internal control objectives. To make this
determination, the ICR analyst must analyze the
narrative explanation or flowchart of the event cycle
to determine whether waste, loss, unauthorized use, or
misappropriation could occur even if the techniques
were followed.
The analysis should establish that the stated internal
control techniques are:
a. Necessary and adequate;
b. Unnecessary or excessive, in part, and should
either be eliminated or modified; or
c. Insufficient and additional techniques are
needed.
B. Testing the Internal Control Techniques - The ICR
analyst tests the internal control techniques to determine
whether they are functioning as intended. This step
consists of selecting a representative sample of
transactions and examining those transactions to determine
whether the internal control techniques are being
satisfactorily implemented.
A transaction is any distinct action, process, or business
which consumes significant Agency resources (time, money, or
manpower). Examples of transactions include contracts,
applications, and procurements.
1. Selecting a Test Sample - In selecting the test
sample, the ICR analyst should consider the:
a. Total number of transactions from which the
sample will be drawn;
b. Nature of the transactions; and
c. Anticipated compliance or non-compliance with
the internal control techniques.
The sample should be large enough to provide an
adequate basis for drawing valid conclusions. When the
transactions vary in dollar amounts, locale, personnel,
F-6
-------
or other significant ways, the ICR analyst should
include in the test sample transactions which represent
each major variety of transaction.
2. Examining the Transaction - The ICR analyst should
thoroughly examine each transaction to determine
whether all of the appropriate internal control
techniques have been applied to the transaction.
For example, a completed procurement award may consist
of a set of files. The ICR analyst should review the
files to determine whether the advertisements,
evaluation, and other relevant procedures were properly
followed. Or, if the internal control technique
requires an entry in a log or a register, the ICR
analyst should determine whether the entry was made.
Similarly, if the internal control technique calls for
a review, the ICR analyst should determine whether the
review was performed. The ICR should perform similar
checks for each internal control technique.
Sometimes an internal control technique appears to be
inadequate for a given condition, or the technique does
not appear to function properly. In these cases, the
ICR analyst should determine whether personnel are
compensating for these shortcomings by using other
safeguards or whether there are other internal controls
in place which provide sufficient safeguards but are
not subject to the ICR.
Additionally, if testing reveals that internal control
techniques are not being properly applied, the ICR
analyst should consider enlarging the testing sample.
Larger samples help to minimize testing errors.
One special problem ICR analysts should look for is the
signature of an unauthorized person who appears to be
handling several aspects of a transaction. Ordinarily,
to ensure adequate internal control, a transaction
should be divided between two or more people.
Signatures by unauthorized persons may be a sign of
significant internal control problems. In such cases,
ICR analysts should request assistance from their ICC.
C. Evaluating and Reporting the Results - As the ICR
analyst completes each testing step, the test results must
be evaluated. Subsequently, the ICR analyst should prepare
a report of the ICR/AICR findings. The report should
include any conclusions and recommendations for corrective
action(s).
F-7
-------
1. Evaluating Test Results - As each testing step is
completed, the ICR analyst must note any necessary
control techniques which do not appear to function as
intended or for which there is no other compensation.
The ICR analyst must also begin to consider how to
address such shortcomings. Such considerations might
include instituting new controls, improving existing
controls, or accepting the risk(s) associated with the
shortcoming.
It is important at this time for ICR analysts to
discuss potential findings with those immediately
responsible for the activity before concluding analysis
to ensure that they have received accurate information
and have interpreted the information correctly.
Validation of findings by using other sources will
provide assurance that the analysis is proceeding
effectively.
The ICR analyst should record the testing results in
the ICR work file. There should be sufficient
information to determine whether or not the established
internal control techniques were applied to any given
transaction.
2. Drawing Conclusions - Among other things, the ICR
analyst might conclude that:
a. The existing internal control techniques are
consistently applied and adequate internal
controls are maintained;
b. The internal control techniques are applied
satisfactorily, in general, although some
improvements are needed;
c. The internal control techniques are excessive;
or
d. Additional internal control techniques are
needed.
If the conclusion is that improvements are needed,
existing techniques are excessive, or additional
techniques are needed, the ICR analyst should review
the ICR test results and other findings to ensure that
the conclusion is warranted.
The ICR analyst also may want to review such
conclusions with the Internal Control Staff (ICS) to
ensure that the information is accurate and
representative, the conclusions are logical and
F-8
-------
appropriate, and the recommended corrective action is
cost-effective.
3. Recommending Corrective Action - The primary
purpose of the ICR/AICR report is to identify the
internal control weaknesses disclosed by the ICR/AICR
and communicate the need for corrective action to the
managers of a program or function. The recommendations
may include possible improvements in the economy and
efficiency of the internal controls.
The ICR analyst should discuss corrective action for
each type of identified weakness by addressing the
following questions:
a. In what way(s) is the general control
environment inadequate to provide for the proper
functioning of specific internal controls?
b. In what areas are necessary internal control
techniques non-existent or inadequate?
c. In what areas are necessary internal control
techniques not functioning as intended?
d. In what areas are internal control techniques
excessive, ineffective, or inefficient?
e. In what ways are executive, legislative, or
other management requirements excessive?
The report should include recommendations for
correcting or improving the situation. In evaluating
possible alternatives, the ICR analyst should consider
both the costs and anticipated benefits of changes if
internal control objectives are to be achieved cost-
effectively.
4. Reporting Contents - To support the analysis, the
ICR/AICR report must contain sufficient background to
explain fully the conclusions and recommendations
presented. The report must stand on its own as a
record of the review. The report should be easy to
read, logical, and comprehensive so that a minimum of
questions arise as to scope, approach, assumptions, and
results. At a minimum, the ICR report should contain:
a. The name of the primary organization, the
assessable unit, and the event cycle(s) covered by
the ICR;
F-9
-------
b. A brief description of the purpose of the
event cycle(s);
c. The scope, limitations, and purpose of the
ICR;
d. For each area tested, a listing of the tests
and analyses performed, the resources utilized
(interviews, reports, automated and manual
systems, source documents), method of sample
selection as well as the number and dollar value
of both the total universe and sample of
transactions covered by the ICR. (It is
important also to qualify the limitations of
testing; for example, how far was the transaction
traced?)
e. Appropriate information concerning the areas
in which internal control techniques are needed,
inadequate, or excessive — including the cause of
any noted deficiency and the actual or potential
adverse impact of each inadequate or excessive
internal control technique.
f. Recommendations for corrective actions,
including any changes to the internal control
techniques, procedural manuals, or operating
policies in effect. The recommendations should be
addressed to the organizational unit that can
implement the actions and discuss the costs and
benefits associated with the corrective action.
g. An action plan which describes any corrective
actions planned or taken as well as deadlines, or
milestones, for accomplishing the plan.
When the ICR analyst completes the report, he/she
should forward a copy to the ICC for review and
approval. After the ICC reviews and approves the
report, the ICC should forward one copy of the ICR
report to the ICS. The ICS will request AICR reports
as deemed necessary.
D. Documenting the Review
1. ICR Report - The OMB Guidelines require adequate
documentation of the ICR process as it occurs. The ICR
documentation provides a record of the methods used,
the personnel involved (and their individual roles),
the key factors considered, the conclusions reached,
and a record of ICR work completed to date. This
information is essential to support the adequacy of the
ICR process and the conclusions reached; to evaluate
the personnel involved in the ICR, and to conduct
subsequent risk assessments and ICRs.
The ICR documentation should be complete, accurate, legible,
and neatly and logically arranged.
Minimally, the ICR documentation should include:
a. The names and roles of personnel who perform
the various steps in the ICR process;
b. The start and completion dates of each ICR
step (or substep);
c. Copies of, or references to, pertinent laws,
regulations, manuals, and operating procedures —
especially those containing the event cycles and
internal control techniques;
d. Copies of the internal control documentation
for each event cycle;
e. Copies of, or excerpts from, GAO, OIG, and EPA
management reports and studies concerning an event
cycle;
f. Notes of interviews and similar observations;
g. Copies of important documents used in the
event cycle process (such as forms, registers,
logs, checklists, and reports);
h. The completed narrative description/flowchart
of the event cycle process and internal control
techniques;
i. The description and explanation of any
internal control technique considered unnecessary,
excessive, or additional and necessary;
j. The approximate size of the sampling universe
from which the test sample was drawn;
k. The size of the test sample;
l. An explanation of how the test sample items
were selected, and why the number of items sampled
was considered sufficient;
m. Clear identification of each document included
in the test sample — such as a purchase order
number or the social security number and name of a
person whose time card was examined;
n. The purpose of the test (for example, to
determine whether purchase order files contained
evidence of purchasing authority);
o. A summary of the overall test results and the
conclusions reached on the basis of those results;
p. Notes on discussions of internal control
weaknesses with operating personnel or managers,
including the concurrence or nonconcurrence of
those people with the conclusions and
recommendations;
q. Conclusions on the adequacy of stated internal
control techniques;
r. Recommendations for any corrective action; and
s. Any other relevant documents or information.
2. AICR Report - Similar to the ICR, an AICR requires
complete and accurate documentation. At minimum, the
AICR must test internal controls, must result in a
written report identifying the area reviewed, the
methods used, the personnel involved, the findings, and
the recommendations and must specify corrective action,
if needed. The depth and scope of an AICR are at the
manager's discretion. An AICR can concentrate on a
selection of objectives within an event rather than the
entire event as the ICR does.
E. Implementing Corrective Actions - The ICR/AICR is not
complete once the recommendations have been made. First,
the control weaknesses identified by the ICR analyst must be
validated by further investigation and by review with
management. Second, in consultation with the ICR analyst,
management must determine that the recommended actions are
logical, feasible, and cost-beneficial. Third, each of the
recommended corrective actions must be implemented as timely
and as cost-effectively as possible without compromising the
integrity of the internal control system. The implementation
stage of the ICR/AICR consists of three basic activities
which deserve special consideration:
1. Setting Priorities for Implementation -
Management should review all recommendations and set
implementation priorities according to the perceived
materiality of the weakness, the cost-effectiveness of
the recommendation, and the ease or difficulty of
implementation.
Management should concentrate initially on implementing
recommendations to correct material weaknesses wherein
the risk of loss, waste, or abuse is substantial and
the correction of which is justified through cost/
benefit analysis. Once these key recommendations have
been implemented, management can institute any minor
changes in procedures or controls which are required to
correct less significant weaknesses.
2. Developing a Plan of Action for Implementation -
The final ICR/AICR report should include a plan of
action to implement priority control recommendations.
The action plan should describe the control weaknesses
listed in the final report, and list in sequence the
milestones or points of accomplishment required to
achieve the recommended corrective action. In order to
communicate the actions to be taken and to facilitate
monitoring of the implementation process as well as the
assignment of responsibility, a plan of action must:
a. Divide each milestone into concrete and
distinct tasks;
b. Assign each task to the employee most
directly responsible for the particular
activity;
c. Assign dates for the accomplishment of each
task; and
d. Contain a plan to monitor and enforce
compliance with the recommended changes.
In assigning responsibilities for implementation, bear
in mind that implementation should not be the exclusive
responsibility of one individual. To be effective, an
internal control system must be comprehensive and must
involve staff throughout the organization. Bringing
staff and management together to implement the
corrective actions helps to foster a sense of team
responsibility within the organization and may broaden
lines of communication. These characteristics
contribute to an overall organizational philosophy of
internal control.
3. Monitoring the Internal Control Corrective Action
System - OMB Circular A-123 (Revised) calls for agency
managers to consider the recommendations resulting from
risk assessments and ICRs/AICRs and to take appropriate
corrective actions as promptly as possible. The
Circular recommends establishing a formal follow-up
system to record and track recommendations and
projected action dates and to monitor whether changes
occur as scheduled.
In 1984, EPA developed the automated Internal Control
Corrective Action Tracking System (CATS) to monitor the
status of reported weaknesses and corrective actions
taken to address them. Refer to Chapter 6 for a
detailed discussion of CATS.
F. Reference Material - For detailed information on EPA's
Internal Control Review process, see the following
documents:
OARM's Guide for Performing Internal Control Reviews
(October 1983);
OARM's Procedures for Conducting Internal Control
Reviews (June 1984);
Financial Manager's Quality Assurance Guide, Office of
the Comptroller (Appendix 6).
-------
SAMPLE AICR REPORT
Exhibit XI
Page 1 of 10
Superfund Multi-Site Cooperative Agreement
Program/Financial Review
April 22-24, 1987
Review Team:
Michael Slater, Budget Analyst, Superfund Program
Joe Penwell, Accounting Technician, Comptroller's Office
Deborah Flood, Project Officer, Superfund Program
Irene Alexakos, Superfund Program Contact, Alaska Operations
Office
Wednesday, April 22
9:30 a.m. - Entrance Meeting with ADEC officials
-Discussion of purpose
-Question/Answer
10:00 a.m. - Data Collection/Records Review - Slater/Penwell
(see attached)
10:00 a.m. to 12 Noon - Program Review Discussion - Flood/Alexakos with ADEC staff
(see attached)
Thursday, April 23
8:00 a.m. - Continue Records Review
- Conduct interviews, where needed, to supplement data
Friday, April 24
- Prepare Draft Record of Findings
2:00 p.m. - Discuss Findings with ADEC
-------
DOCUMENTATION REQUESTED FOR EPA REVIEW OF
ALASKA MULTI-SITE COOPERATIVE AGREEMENT
April 22-24, 1987
1. Personnel list of ADEC staff involved in state Superfund program: name,
grade, job classification (or position description), compensation and
location.
2. Superfund timesheets, timecards, payroll summary reports for 1985, 1986
and to date in 1987.
3. MSCA file: including written EPA approval of sites, site files for PAs
and SIs, contractor progress reports (technical and budget).
4. State MSCA bid records, bids submitted, price analysis, contract award
and statement of work.
5. State procurement guidelines, contract management guidelines.
6. Contract work plans, invoices, payment vouchers and change orders.
7. State Superfund MSCA budget logs, budget and actual charges.
8. Documentation of state indirect charge rate.
9. State audit reports from 1985 and 1986, if available.
-------
PROGRAM REVIEW EVALUATION CRITERIA
Purpose:
1. Assess state progress in meeting cooperative agreement commitments
2. Assess state performance
3. Assess financial record keeping
4. Assess overall program
Review Method:
1. Review MSCA quarterly reports.
2. Review cost documentation available in state files.
3. Conduct interviews with appropriate staff to obtain information on
activities and procedures. Interviews also used to clarify information
found in files.
-------
PROGRAM REVIEW
Administration
Who is the State Project Officer on the MSCA. Is it the SPO's responsibility
to keep activities on schedule. Response.
Do the workyears charged against the MSCA match the workyears allocated.
Yes/No.
What are the reasons for any identified deficiencies/deviations from the
allocation. Response.
What is the current staffing level. Response.
What are the specific job duties/responsibilities of each person. Response.
What does each staff person do on a typical day. Is this proportional to the
extent these staff person positions are funded by the MSCA. Response.
How is the job performance of each staff person evaluated. What specific
tasks is the job performance based on. Response.
Could certain tasks performed by staff persons be more properly covered under
another program. Yes/No. Explain.
Program Development
What do you see as the primary emphasis of ADEC's Superfund Program. Response.
Who is your EPA counterpart. How do you communicate with your EPA
counterpart. Primarily on an informal basis/formal basis. Both. How
frequently do you communicate. Response.
How do you feel about the level of EPA oversight. Too little. Too much.
Adequate. Response.
Where are your policies/guidelines kept. Response.
How are policies/guidelines (both ADEC and EPA) disseminated. Response.
What is the availability of technical expertise for evaluating:
The contractor's work plans, site investigation reports, HRS documents.
Response.
Regulations, policy and guidance and their application to the MSCA.
Response.
To whom do you turn for technical or policy assistance. Response.
How is confidential or predecisional information protected. Response.
How are important phone conversations documented, e.g. regulatory
interpretation, clarification of EPA guidance, etc. Response.
What overall community relations program exists. How is it implemented.
Response.
Training
Is there an established training plan for staff charged to the MSCA. Response.
How does the state evaluate staff skills and training needs annually.
Response.
How will training be conducted. Response.
Information Management
What types of tracking systems have been developed. Site related or financial
related. How is information tracked which is reported in the quarterly
report. Response.
What additional steps are anticipated for data management. Response.
Site Inspection Activities
How many site inspections does ADEC participate in with the contractor.
Response.
What information is provided to the property owner during the inspection.
Response.
How is the contractor's performance monitored. Quality and timeliness.
Response.
What public response has there been to the contractor. Concern, full
cooperation. Response.
What procedure is used to decide what sampling will take place at sites. Is
EPA invited to participate in the decision. Response.
What procedures are followed to insure that all data is QA/QC'd. Who
documents this information. Response.
Who reviews work plans, site inspection reports to insure their quality. Are
there specific procedures. Response.
Is there a procedure followed for release of site inspection reports.
Response.
-------
ADEC MSCA FINANCIAL REVIEW
ROGERS AND BABBLER SITE
Findings
The contractor costs for a work plan should not have been
incurred because EPA agreed that ADEC should substitute the Union
Oil Chemical site for the Rogers and Babbler site before the ADEC
contract with Tryck, Nyman and Hayes (TNH) was signed. TNH
worked concurrently on these two sites. Total cost of $1,032.86
is questioned.
History
10/07/85 EPA and ADEC agreed to drop the Rogers and
Babbler and Fort Yukon City Dump sites from the list of site
investigations in the MSCA and to add the Union Chemical Company
site.
10/09/85 The original contract between ADEC and TNH was
signed and effective.
11/05/85 TNH included a work plan for Rogers &
Babbler and Union Chemical in the package it sent to ADEC. TNH
explained, "A work plan has been included for Rogers and Babbler
because the work effort has already been expended, as authorized
by your previous correspondence." No correspondence from ADEC to
TNH dated prior to 12/17/85 was included in the file provided to
the reviewers.
12/85 TNH invoiced ADEC for $586.61 of costs
incurred during the period November 1 to 30, 1985; paid by ADEC.
04/86 TNH invoiced ADEC for $446.25 of costs
incurred during the period March 1 to 31, 1986; paid by ADEC.
ALASKA GOLD/FRONTIER TANNING SUPPLEMENTAL ACCOUNT
Findings
ADEC continued to task its contractor for site investigation
activities after the final Site Investigation Reports had been
accepted by ADEC and EPA. The MSCA was limited to completion of
Preliminary Assessments (PAs) and Site Investigations (SIs),
therefore EPA is questioning all costs incurred on Alaska Gold
and Frontier Tanning after the SI reports were accepted. The
total cost incurred through March 31, 1987 was $4,702.
History
01/03/86 TNH submitted draft SI reports for Alaska
Gold and Frontier Tanning to ADEC.
01/24/86 ADEC approved draft reports for final copy
with limited editing requests.
02/14/86 ADEC requested TNH do "additional work at
Alaska Gold and Frontier Tanning sites because of the potential
immediate threat to public health." ADEC authorized $500 for
development of TNH work plans to sample or resample drinking
water, sample the potentially affected subsistence fishery and
compute multiple Hazardous Ranking System (HRS) scores.
02/21/86 A record of a phone call from ADEC to TNH
during which springtime "site investigation follow up" work at
Alaska Gold was discussed. Activities to be included were,
assessing background levels of mercury and arsenic, sampling
water columns, sediment sampling and investigating groundwater
flow direction.
03/12/86 TNH delivered final Alaska Gold SI report to
ADEC. "...Only the Dredge No. b site has been scored," the cover
letter reported.
06/03/86 TNH sent a work plan and cost estimate to
ADEC for "supplemental sampling at Alaska Gold and Frontier
Tanning." The work plan included sampling five wells at Alaska
Gold, a bioassay of fish tissue from Nome and sampling three
wells at Frontier Tanning.
07/01/86 TNH sent ADEC a supplemental report for
Alaska Gold sampling. The TNH project manager stated, "I believe
all work is complete on this site investigation. I am requesting
final approval and acceptance... for project close out."
07/25/86 ADEC requested TNH complete the following
work by August 22nd: A work plan for SIf at Alaska Gold, e.g.
examine well data, sample dredge spoils, assess direct contact
exposure (at Steadman Field), measure background levels, sample
air and dust exposure. ADEC asked TNH to, "please develop cost
estimates and work plans. All work must be initiated and when
possible, sampling completed before the end of September 1986."
Site inspection follow up work was never authorized as part of
the MSCA, consequently, ADEC is responsible for costs incurred by
its contractor on work authorized outside of the scope of the
MSCA.
09/29/86 TNH submitted a final report for Frontier
Tanning, including HRS documentation, and requested approval for
project (site) close out.
10/08/86 TNH identified current obligations, including
$6,768 for Nome Supplemental (est.) and $5/,988 for Nome follow
up. Supplemental and follow up work at Nome were never
authorized by EPA under the MSCA. Any costs incurred against
these obligations are the responsibility of ADEC and questioned
under the scope of the MSCA.
10/15/86 ADEC accepted as complete TNH's final reports
for Alaska Gold and Frontier Tanning; a brief addendum was
expected following resampling of drinking water wells.
10/23/86 ADEC identified priority activities to TNH.
Alaska Gold was described as "high priority" but further actions
were to be dependent upon the results of the TAT effort.
10/24/86 ADEC requested TNH give "highest priority" to
analyzing fish samples from Nome and authorized $1800 for
analysis and $6bO for report preparation. ADEC also requested a
work plan and cost proposal for the following activities:
install two high volume air samplers (one at Steadman Field),
train a local person to take samples, analyze samples and
determine an HRS air route score. EPA never authorized this work
to be done under the MSCA.
11/14/86 ADEC informed TNH to discard previous fish
samples from Nome and prepare a new work plan and cost estimate
for supplies needed to make a new effort to analyze burbot.
01/07/87 ADEC identified a CERCLA schedule and budget
agreed to at a previous ADEC - TNH meeting. The Alaska Gold
original work (completed) was $18,700, the Nome work plan for air
sampling (due 05/03/87) was $1,400, the supplemental fish
sampling (due 05/15/87) was $3,000, and complete air sampling
with revised HRS rescoring (due 06/30/87) was budgeted at $15,000
(est.). EPA only authorized the cost of the original work at the
Alaska Gold site. ADEC is responsible for authorizing its
contractor to do work outside of the scope of the MSCA and costs
incurred on these projects are questioned.
02/25/87 ADEC confirmed that TNH work products,
including Alaska Gold and Frontier Tanning reports were accepted
and the accounts closed. ADEC requested TNH keep the Alaska Gold
and Frontier Tanning supplemental sampling account (TNH account
number 4707.3) open for more fish sampling or HRS revision after
Steadman Field sample analysis. EPA never authorized this work
to be done under the MSCA.
03/10/87 ADEC notified TNH that ADEC personnel would
be collecting samples in Nome to assist with the air route HRS
score. ADEC directed TNH to charge the cost of analysis to the
Alaska Gold supplemental sampling account (#4707.3) on a cost
basis.
04/01/87 ADEC notified TNH to stop work on Nome
activity and close the supplemental sampling account (#4707.3).
THE SECOND GROUP OF SITE INVESTIGATIONS
Findings
The second group of sites to be worked on by ADEC and its
contractor, TNH, was proposed as an amendment to the MSCA on May
1, 1986. There has been some confusion about which sites were
authorized under the MSCA that EPA approved on May 23, 1986.
There is no doubt that the seven sites listed in both the 1985
MSCA and the 1986 proposal were qualified for site
investigations. EPA questions the costs incurred at five sites
that were never formally approved for site investigation work
under the original MSCA or its amendments. MSCA guidance
stipulates that written approval of sites by the EPA Project
Officer is required before costs can be incurred against an MSCA.
EPA questions all costs incurred to investigate Union Oil
Gravel Pit, Soldotna Landfill, North Pole Refinery (MAPCO), M&M
Enterprises, and Alaska Electroplate. However, the EPA Project
Officer has judged that EPA will probably approve the costs of
investigating those sites that would have been authorized had the
MSCA procedures been followed more closely. The total cost
through March 1987 for the sites in question is $23,719.
History
04/07/86 ADEC requested that TNH prepare twelve
workplans under the existing MSCA and ADEC's $280,000 contract
with TNH. Seven sites were encompassed by the 1985 MSCA but five
were not. EPA questions the costs incurred at the five sites
listed above, in part because ADEC authorized contract work
before working with the Project Officer to develop an approved
list of sites appropriate for investigations.
06/24/86 TNH proposed a budget for the second part of
the site investigation contract. ADEC and TNH had developed a
two phase process to lower the average cost of site
investigations. Phase I was budgeted to cover geographic areas
and identify those sites that would require more attention to
sampling and analysis in Phase II.
The phased approach was successful in keeping the average
cost per site to a minimum (less than $19,000 each through March
1987). However, the Phase I costs should have been itemized by
site for cost recovery purposes. The shared costs incurred in
geographical areas should have been reasonably allocated to the
sites that benefitted from common cost items. As it stands, the
cumulative Phase I costs, including a significant budget overrun,
would have to be allocated equally across all Phase I sites.
Unless some more exact assignment of costs to specific sites can
be achieved, the Phase I costs will probably not be recoverable
from responsible parties.
07/03/86 ADEC authorized work on the sites in question
by approving TNH's work plans and budgets.
10/23/86 ADEC prioritized TNH's site work; M&M
Enterprises - "high"; Soldotna - "medium"; North Pole Refinery -
"low" (prepare a cost proposal and work plan regarding RCRA
wastes released), Union Oil Gravel Pit - "low" (NFA). There had
not yet been official authorization of these sites under the EPA-
ADEC MSCA. EPA questions all costs incurred under the state's
contract for activities not explicitly identified in the MSCA.
REIMBURSEMENT OF CONTRACTOR FOR LOST EQUIPMENT
Findings
TNH lost a sampling dredge while conducting a site
investigation for ADEC under the MSCA. The State Participation
in the Superfund Remedial Program manual describes the rules for
CERCLA funded equipment purchase in appendix T. The contractor
was expected to be equipped for the tasks involved when the state
awarded the site investigation contract. If the contractor
subsequently used MSCA funds to purchase equipment, such as the
sampling dredge in this case, the State or EPA must retain
title.
There is no evidence that the State or EPA had title to the
original or replacement dredge. ADEC is now responsible for
either recovering the cost of the replacement dredge from the
contractor or obtaining title to the equipment, justifying its
use on the MSCA project and negotiating its disposition with EPA
at the conclusion of the MSCA. The total cost in question is
$734.
History
10/09/85 ADEC awarded the MSCA site investigation
contract to TNH. TNH was assumed to be equipped to handle the
tasks described in the request for proposal.
07/86 TNH lost its sampling dredge while working
on a CERCLA site investigation for ADEC and requested that ADEC
increase the not-to-exceed amount to pay for the dredge. Unless
provisions were made to acquire this equipment for EPA under the
MSCA, the replacement dredge cannot be funded from the MSCA.
INCREASE IN THE MSCA AWARD AND BUDGET REPROGRAMMING
Findings
The second amendment to the EPA-ADEC MSCA on May 23, 1986
increased the amount from $300,000 to $500,000. The cover letter
from EPA stated that all of the $200,000 increase was placed in
the contractual services budget class. EPA provided ADEC the
ability to reprogram funds "upon verbal approval (from) the EPA
Project Officer."
In order to make it clear what activities are being funded,
all reprogramming of funds should be confirmed in writing with an
Assistance Amendment form, initiated by the Project Officer and
signed by the award and recipient officials. The May 23rd
amendment was technically invalidated by the handwritten budget
adjustments made by the ADEC authorizing official. The use of
the amendment form by both EPA and ADEC would provide more
clarity in the budget, activities and sites agreed to by both
agencies under the MSCA. We recommend that an amendment be made
to accurately define the status of the MSCA as it is understood
following the recent program and financial review. For example,
the contractual budget ADEC has been working with was $410,000 of
the $500,000 available.
-------
Exhibit XII
COMPARING RISK ASSESSMENTS TO ICRs/AICRs
RISK ASSESSMENT
Initial diagnosis
Based on existing data
Completed for all assessable units
Yields subsequent actions:
  Internal control review
  Other review
  Corrective action (if needed)
ICR/AICR
In-depth diagnosis
Based on test results
May be performed on selected assessable units
Yields corrective actions:
  Improvement of existing controls
  Elimination of excessive controls
  Establishment of new controls
-------
Exhibit XIII
-------
THE TRACKING SYSTEM
STEP 1 - AU Manager Reports Planned and Corrected Actions
(POH's Assurance Letter)
STEP 2 - ICS Transfers Information to CATS
OFFICE      DESCRIPTION YEAR/ITEM #   STATUS
OPRM        88-1                      2
OAR         88-2                      3
OW          88-3                      3
REGION 1    88-4                      4
Status Code:
1 - Significantly delayed
2 - Behind schedule
3 - On schedule
4 - Completed
STEP 3 - ICC Ensures Quarterly Update of Corrective Action
DESCRIPTION      QUARTER
YEAR/ITEM #      1   2   3   4
88-1             2   2   3   4
88-2             2   3   3   4
88-3             2   3   4   4
88-4             3   4   4   4
Note: Corrective Action should be completed by the fourth
quarter
STEP 4 - ICS Reports on Yearly Status of Corrective
Actions to Senior Internal Control Official
CARRY OVER   14
NEW          360
REMAINING    75
-------
"WHO USES THE TRACKING SYSTEM"
ICS: To ensure that reported corrective actions are meeting the
plans prepared by the AU manager in the primary organization's
assurance letter.
IG: To ensure that presidential-level and agency weaknesses are
reported, corrected and eliminated.
GAO: To ensure that weaknesses reported to the President/Congress
are corrected.
Senior Management: To ensure that the Agency complies with FMFIA and that
weaknesses receive the proper attention.
-------
CHAPTER G. CORRECTIVE ACTION TRACKING SYSTEM
I. PURPOSE
This chapter discusses EPA's process for monitoring and reporting
internal control corrective actions.
In 1984, EPA developed the automated Internal Control Corrective
Action Tracking System (CATS) to monitor the status of reported
material weaknesses in POH's assurance letters and corrective
actions established to address them.
II. REQUIREMENTS
In addition to requiring EPA to identify and report material
weaknesses in internal control systems, the Federal Managers'
Financial Integrity Act of 1982 (FMFIA) requires EPA to report
plans and schedules for correcting identified weaknesses.
OMB Circular A-123 (Revised) calls for EPA managers to consider
the recommendations that result from risk assessments and
internal control reviews or alternative internal control reviews
and to take appropriate corrective actions as promptly as
possible. The OMB Circular recommends establishing a formal
follow-up system to record and track recommendations and
projected action dates and to monitor whether management
implements changes as scheduled.
EPA Resource Management Directive 2560 states the Agency's goals
of selecting cost-effective actions to correct material
weaknesses, developing action plans, initiating corrective
actions, monitoring progress, and reporting performance through a
corrective action tracking system.
III. ROLES AND RESPONSIBILITIES
The Resource Management Division (RMD) of the Office of the
Comptroller monitors EPA's internal control corrective actions
through CATS.
The Internal Control Coordinator (ICC) of each primary
organization has the appropriate responsible manager for
corrective action prepare the quarterly CATS reports for the
primary organization.
Primary Organization Heads (POHs) coordinate the POH's updates
and submit the quarterly Internal Control CATS reports to the
Internal Control Staff of RMD.
IV. INTERNAL CONTROL CATS REPORTS
A. Report Types - The Internal Control CATS produces two
types of reports. The first is a detailed CATS report for
each EPA primary organization (see Exhibit XIV) which is
printed on wide (15 inch), tractor-fed computer paper in
compressed type.
The second type is a CATS management summary report. This
report sorts action items in order of completion status,
with delayed items at the front and completed items at the
end. CATS tallies the number and percentage of action items
in each category of completion status and tabulates them for
each office. This summary report enables the Internal
Control Staff to brief management on quarterly progress and
present graphic illustrations.
From here on, the discussion will be about the first
Internal Control Corrective Action System Report, which is
the POH's and the ICC's responsibility.
B. Style and Format - The amount of space allowed for the
item on a full-sized printout of the detailed CATS report
restricts the amount of information that can be provided on
any action in the CATS report. This minimizes work and
prevents the consolidated EPA report from being
unnecessarily lengthy. As a result, the CATS report writing
style must be cryptic or brief rather than writing in
formal, complete sentences.
In the "Description" column, you will find the capitalized
item names as typed in by the ICS. All other text is typed
in upper and lower case, as appropriate. Text begins at the
left edge of the block in the space immediately to the right
of the column dividing line.
Office names abut the left edge border line of the report
(even if the name runs to two or three lines). In other
columns, for ease of reading, sentences or paragraphs which
extend beyond one line are indented two spaces. New
paragraphs begin at the left edge of the block.
V. PROCEDURES
The POH must submit (through the ICC) the quarterly Internal
Control CATS report to the Internal Control Staff no later than 2
weeks after the end of each quarter or as the ICS designates.
(The quarters end in December, March, June, and September.) The
POH either prepares the report on EPA personal computers using a
Lotus 1-2-3 template or can legibly hand-write or type the
updates.
The Internal Control CATS report is provided to the POH's ICC
with all pertinent information typed through a Lotus 1-2-3
program. The information regarding action items either was
picked up from previous Internal Control CATS reports or from the
POH's assurance letter.
The first quarter of the tracking cycle is the October-December
period, when.management prepares the annual assurance letters.
The reporting cycle concludes after the following September, by
which time management must complete all corrective actions from
the prior year's assurance letters. More complex corrective
actions may be carried .over into the following year. In order to
avoid carry over items, the ICS encourages ;that major weaknesses
be identified in phases for corrective action rather than a major
item carried over a number of years.
The POHs may submit the reports to the ICS as hard copy
(preferably typed), on computer floppy diskettes, or transmitted
electronically using a personal computer, a modem, and a
telephone.
The ICS has provided the following information for the PO:
A. Column 1; Office - The ICS has entered the primary
office name, omitting the initial words "Office of".
B. Column 2; Item Number - Subject - The ICS has developed
an action item two-part numbering system. The first part
consists of two digits indicating the calendar year of the
PO assurance letter in which the item first appears. New
reporting cycles begin on October 1 of each year. For
example, items appearing in a 1988 assurance letter cycle
will be numbered "88-1," "88-2", etc. Items carried forward
from the previous assurance letter cycle retain their
original numbers, e.g., "87-16". The ICS assigns these item
numbers.
C. Column 3; Description - To the right of "NAME: ", the
ICS has inserted a brief name for the action item which
should not extend beyond the top line of the block. Beneath
the name, the ICS has typed a brief description of the
action item (as it appears on the POH's assurance letter).
The manager of the office responsible for correcting the
action item completes the reports as discussed below.
D. Column 4 and Beyond; Quarter-end Status Description -
Enter one of the following status code numbers in the first
line of the block:
-------
1 = Significantly delayed
2 = Somewhat behind schedule
3 = On schedule
4 = Completed
Exhibit XIV illustrates the placement of the code number.
In the remainder of the block, describe as specifically as
possible the status of the action item, but do not exceed
the space available within the block. To the extent
possible, note specific milestones and dates in the initial
December 31 report and note date changes, progress, and
problems arising in subsequent quarters.
-------
Exhibit XIV
Page 1 of 2
[Sample report form; contents illegible in this copy. Legible labels: "EPA INTERNAL CONTROL CORRECT..." and "OVERALL PROGRESS STATUS CODE".]
-------
Exhibit XIV
Page 2 of 2
-------
ANNUAL ASSURANCE LETTER FLOW
(EVERY LEVEL IS INVOLVED)
Each Responsible EPA Program Manager
Provides reasonable assurance based on working knowledge
Regional Administrator (10)
Assistant Administrator (12)
Inspector General
General Counsel
Provides reasonable assurance of primary organization
based on manager's recommendation
Internal Control Staff
Senior Internal Control Official (AA for OARM)
(Coordinates and manages effort)
Provides briefing and recommends administrator's
signature based on POH's letters
Submits Annual Report by December 31
-------
-------
CHAPTER H. ANNUAL ASSURANCE LETTER
I. PURPOSE
The purpose of the annual assurance letter is to assure the
President and Congress that, as required by FMFIA:
- EPA internal control systems operate effectively;
- EPA recognizes internal controls as important management
tools;
- EPA continually conducts internal control evaluations and
makes improvements;
- EPA identifies existing, material weaknesses; and
- EPA corrects identified weaknesses.
This chapter discusses EPA's procedures for preparing the annual
assurance letter to the President and Congress concerning the
status of EPA's internal control systems.
II. ROLES AND RESPONSIBILITIES
The following paragraphs describe the responsibilities of EPA
personnel involved in the preparation of the annual assurance
letter and accompanying Quality Control Evaluation Report (QCER).
The steps involved in preparing the letters are presented in
sequential order in paragraph 3 of this chapter.
A. The Internal Control Staff, Office of the Comptroller,
acting for the Assistant Administrator for Administration
and Resources (AA/OARM) as the Agency Senior Internal
Control Official:
1. Provides guidance to EPA's Internal Control
Coordinators (ICCs) concerning the Agency's annual
assurance letter process;
2. Discusses issues with POHs to determine Agency
level material weaknesses based on knowledge of IG
audits and pulse of Agency;
3. Consolidates the annual assurance letters of EPA's
primary organization heads (POHs); and
4. Prepares the EPA annual assurance letter, Quality
Control Evaluation Report Statistics and briefing
material of EPA's process for the Administrator.
-------
B. The Internal Control Coordinators coordinate the
preparation of the POH annual assurance letters and reports.
C. The Program Managers are recommended to prepare an
assurance letter for the program (or division) for which
they are responsible.
D. The Primary Organization Heads (POHs) review, sign, and
submit the annual assurance letter and Quality Control
Evaluation Report to the AA/OARM, through the ICS, by
October 31.
E. The Comptroller, Deputy Comptroller, and Resource
Management Division Director of the Office of the
Comptroller review EPA's annual assurance letter.
F. The Agency Senior Internal Control Official located in
the Office of Administration and Resources Management
reviews EPA's annual assurance letter and submits it to the
Administrator.
G. The Administrator reviews, signs, and submits EPA's
annual assurance letter to the President and Congress by
December 31.
III. PROCEDURES
The process for preparing EPA's annual assurance letter consists
of:
- Preparing the primary organization head (POH) letter
and QCER;
- Preparing EPA's annual assurance letter; and
- Submitting EPA's annual assurance letter to the
President and Congress.
The following paragraphs discuss these steps in greater detail.
A. Step One - Preparing POH Material - This material
consists of answers to an Internal Control Quality Control
Evaluation Report and a POH assurance letter, discussed
below. The ICS uses the information from both documents to
prepare the EPA annual assurance letter and background
material.
The ICS distributes a blank Quality Control Evaluation
Report form and a sample POH assurance letter with guidance
to each POH in July. By October 31, the POH must complete
and return the QCER and the assurance letter to the ICS.
-------
1. Quality Control Evaluation Report - This report
determines whether the POHs conducted the internal
control process in a "thorough and conscientious"
manner as required by the OMB Guidelines.
The form examines six aspects of internal controls:
a. Orientation and awareness of managers
concerning FMFIA responsibilities;
b. Segmentation of the organization;
c. Documentation of activities;
d. Assessment of vulnerabilities;
e. Review of controls; and
f. Tracking and reporting.
Two QCERs are provided along with assurance letter guidance:
(1) the QCER for the ICC and POH to sign, and (2) the QCER
for each AU manager to use to evaluate his/her program.
Exhibits XV and XVI illustrate both QCER forms.
2. Sample POH Assurance Letter - The sample POH
assurance letter serves as a model for reporting on the
status of internal controls within an EPA primary
organization. The final letters provide reasonable
assurance to the Assistant Administrator for OARM that
the primary organizations' internal controls function
as intended. Exhibit XVII illustrates a copy of the
sample POH assurance letter.
The POH assurance letter must describe:
a. Any material weaknesses disclosed by any
internal control evaluations or other reports;
b. The action plans for correcting the
weaknesses; and
c. The status of actions taken to correct any
weaknesses identified in any prior year reports.
The POH should not rely only on personal knowledge.
Before providing reasonable assurance to the
Administrator, the POH should consider the following:
-------
a. Degree of compliance with EPA Resource
Management Directive 2560;
b. Weaknesses identified by EPA internal control
reviews and alternative internal control reviews;
c. Alternative internal control review findings
identified by Office of the Inspector General or
General Accounting Office audits, management/
program reviews, ADP security reviews, risk
analyses, or other studies;
d. Issues raised in documented reviews of
operations, functions, or facilities that involved
testing transactions or data to ensure or improve
mission objectives;
e. Internal control weaknesses or improvements
identified in documented meetings with key
managers and supervisors; and
f. Internal control weaknesses and improvements
identified in writing by managers/supervisors and
certification that they review internal controls
on a continuing basis.
B. Step Two - Preparing EPA's Annual Assurance Letter - In
preparing the annual assurance letter, the ICS completes the
following steps:
1. Once the POHs prepare their individual letters, the
ICS consolidates the information from these responses
to produce the first draft of EPA's annual assurance
letter.
2. The ICS prepares statistical data and briefing
material to be used in briefings at all levels of the
sign-off process.
3. The ICS then submits the letter to the Comptroller
and the AA/OARM for review and approval. By December
15 of each year, the AA/OARM must submit the annual
assurance letter to the Administrator.
C. Step Three - Submitting EPA's Annual Assurance to the
President and Congress - By December 31 of each year, the
Administrator must review, approve, sign and submit EPA's
annual assurance letter to the President and Congress.
-------
1. Contents - The annual assurance letter addresses
the status of EPA's internal controls as of September
30, the fiscal year end. In EPA's annual assurance
letter, the Administrator must state whether the Agency
conducted its internal control evaluation in accordance
with OMB Guidelines, and whether EPA's internal control
systems:
a. Fully comply with the GAO Standards; and
b. Provide reasonable assurances that:
1. Obligations and costs comply with the
law;
2. Funds, property, and other assets are
safeguarded against waste, loss, unauthorized
use, or misappropriation; and
3. Operating revenues and expenditures are
properly recorded and accounted for so that
accounts and reliable financial and
statistical reports can be prepared and
accountability of assets can be maintained.
If EPA's internal control systems do not comply with
the requirements above, the Administrator must identify
any material weaknesses and describe the plans and
schedules for corrective actions.
The letter must also include corrective actions taken
concerning previously identified material weaknesses
which are still of concern.
The Administrator must also report on whether EPA's
accounting system conforms to the principles,
standards, and related requirements prescribed by the
Comptroller General under FMFIA.
2. Classified Information - The OMB Guidelines require
the annual assurance letter to be available to the
public. However, the following information should not
be disclosed to the public:
a. Information specifically prohibited from
disclosure by any provision of law; and
b. Information specifically required by Executive
Order to be kept secret in the interest of
national defense or the conduct of foreign
affairs.
-------
-------
Exhibit XV
Page 1 of 4
QUALITY CONTROL EVALUATION REPORT
(Internal Control Coordinator)
The Assistant Administrator for Administration and Resources
Management, as the Agency's Senior Internal Control Official, must
report to the Administrator each year on whether the Agency's
internal control process was performed in compliance with OMB
Circular A-123 and the Federal Managers' Financial Integrity Act
(FMFIA).
OARM will base its determination on whether the process was
conducted in accordance with those documents by evaluating each
primary organization's implementation of the EPA process. The
February 6, 1987 memorandum to the Primary Organization's Internal
Control Coordinators from the Agency's Internal Control Staff
outlined the steps of the process and what was expected of the
primary organizations in FY 1987. The steps are:
1. Organizing the Process/Annual Work Plan;
2. Updating CATS Reports;
3. Training Personnel;
4. Segmenting the Agency;
5. Reviewing and Revising Internal Control
Documentation;
6. Conducting Risk Assessments;
7. Evaluating "Highly Vulnerable" Assessable Units;
8. Developing Management Control Plans;
9. Performing Internal Control Evaluations;
10. Resolving Weaknesses/Improving Controls;
11. Reporting and Assurance Letters; and
12. Quality Assurance
This report, along with the Agency's Internal Control Staff's
review of it and your assurance letter, evaluates implementation
of the process.
Any statement answered with a NO or NOT SURE must be
accompanied by a narrative explanation. Please ensure that all
statements are answered and all requested identifying information
is provided by October 31, 1987.
-------
SAMPLE: Internal Control Coordinator (ICC) Form
Exhibit XV
Page 2 of 4
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
QUALITY CONTROL EVALUATION REPORT
Primary Organization
Primary Organization Head
Internal Control Coordinator
Date
Phone No.
Any statement answered by NO or NOT SURE requires a narrative outlining the reasons
for delay or how you are addressing the issue.
ORGANIZATION/ORIENTATION/AWARENESS
1. All GM and SES employees and other managers with significant
supervisory responsibility have been trained and/or briefed
on the topic of the FMFIA (internal controls).
2. Copies of the FMFIA, the GAO standards, the OMB guidelines,
and pertinent Agency internal control guidance are on file
and accessible to whomever may need to review them.
3. FMFIA responsibilities have been included in the management
section of the Performance Standards of all appropriate
managers/supervisors as defined under 1. above.
YES / NO / NOT SURE
SEGMENTATION
4. The organization is segmented into Assessable Units (AUs) in
the manner required by Agency guidance.
5. Review of the AU structure indicates that all functions,
operations, and organizations are fully covered.
6. Each AU has a designated AU manager who has been informed of,
or is fully aware of, his/her responsibilities.
DOCUMENTATION
7. Internal control documentation exists for all AUs, is on file,
and has been reviewed.
-------
Exhibit XV
Page 3 of 4
YES / NO / NOT SURE
8. Internal control documentation is formatted in the style
prescribed by Agency guidance (i.e. covers event cycles,
internal control objectives, and internal control techniques).
9. All internal control documentation has been reviewed on an
annual basis and necessary changes (inaccurate documentation
improved, new programs/functions documented, and terminated
programs/functions deleted) made in writing and filed.
RISK (VULNERABILITY) ASSESSMENTS (RAs)
10. Each AU manager has completed a RA in 1986 or 1987.
11. Managers of AUs rated "highly" vulnerable have planned or
taken action(s) to address the vulnerability and determine
if weaknesses exist or existing controls are adequate.
MANAGEMENT CONTROL PLANS (MCPs)
12. Each AU Manager has developed a 5-year MCP.
13. Each AU Manager has reported completed and planned reviews
and significant weaknesses by AU sub-unit, particularly
those rated highly vulnerable.
INTERNAL CONTROL EVALUATIONS
14. Internal control/alternative reviews have been conducted so
that the organization has a basis for providing reasonable
assurance. (Note: In order for the POH to provide reasonable
assurance, some programs/functions need to be reviewed each
year whether or not any are determined highly vulnerable.)
(a) Transaction testing was carried out in these reviews.
-------
Exhibit XV
Page 4 of 4
YES / NO / NOT SURE
15. Internal control/alternative reviews conducted produced
written reports that have been reviewed and are on file.
16. Documentation is on file or has been reviewed verifying that
weaknesses identified/recommendations made in these written
reports have been corrected/implemented.
CORRECTIVE ACTION TRACKING SYSTEM (CATS)
17. Corrective Action Plans exist for each weakness or improvements
reported in CATS, contain milestones and timeframes with
start and completion dates, and have been reviewed.
18. Every IG and GAO report has been reviewed for internal
control weaknesses and coordinated with the office's Audit
Followup Coordinator to prevent duplication.
19. Documentation verifying that corrective actions taken to
resolve weaknesses/make improvements tracked in CATS have
been completed, is on file or has been reviewed.
SUMMARY EVALUATION STATEMENT
20. EPA's FMFIA process was implemented in this organization in
a thorough and conscientious manner.
REMARKS:
ICC's Signature / Date
POH's Signature / Date
-------
Exhibit XVI
Page 1 of 4
QUALITY CONTROL EVALUATION REPORT
(Assessable Unit Manager)
The Assistant Administrator for Administration and Resources
Management, as the Agency's Senior Internal Control Official, must
report to the Administrator each year on whether the Agency's
internal control process was performed in compliance with OMB
Circular A-123 and the Federal Managers' Financial Integrity Act (FMFIA).
OARM will base its determination on whether the process was
conducted in accordance with those documents by evaluating each
primary organization's implementation of the EPA process. The
February 6, 1987 memorandum to the Primary Organization's Internal
Control Coordinators from the Agency's Internal Control Staff
outlined the steps of the process and what was expected of the primary
organizations in FY 1987. The steps are:
1. Organizing the Process/Annual Work Plan;
2. Updating CATS Reports;
3. Training Personnel;
4. Segmenting the Agency;
5. Reviewing and Revising Internal Control
Documentation;
6. Conducting Risk Assessments;
7. Evaluating "Highly Vulnerable" Assessable Units;
8. Developing Management Control Plans;
9. Performing Internal Control Evaluations;
10. Resolving Weaknesses/Improving Controls;
11. Reporting and Assurance Letters; and
12. Quality Assurance
This report and your assurance letter evaluate
implementation of the process.
Any statement answered with a NO or NOT SURE must be
accompanied by a narrative explanation. Please ensure that all
statements are answered and all requested identifying information
is provided to your Primary Organization's Internal Control
Coordinator.
You will notice that some of the blocks have been marked
"not applicable to AU Managers". Your Primary Organization's
Internal Control Coordinator is responsible for answering these
statements. The ICC may need your input regarding these
statements to complete the report.
-------
SAMPLE: Assessable Unit (AU) Manager Form
Exhibit XVI
Page 2 of 4
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
QUALITY CONTROL EVALUATION REPORT
Primary Organization
Assessable Unit
Assessable Unit Manager
Date
Mail code
Phone No.
Any statement answered by NO or NOT SURE requires a narrative outlining the reasons
for delay or how you are addressing the issue.
ORGANIZATION/ORIENTATION/AWARENESS
1. All GM and SES employees and other managers with significant
supervisory responsibility have been trained and/or briefed
on the topic of the FMFIA (internal controls).
2. Copies of the FMFIA, the GAO standards, the OMB guidelines,
and pertinent Agency internal control guidance are on file
and accessible to whomever may need to review them.
3. FMFIA responsibilities have been included in the management
section of the Performance Standards of all appropriate
managers/supervisors as defined under 1. above.
YES / NO / NOT SURE
not applicable to AU Managers
SEGMENTATION
4. The organization is segmented into Assessable Units (AUs) in
the manner required by Agency guidance.
5. The review of this AU structure indicates that all functions,
operations, and organizations are fully covered.
6. This AU Manager has been informed of, or is fully aware of,
his/her responsibilities in internal control.
not applicable to AU Managers
DOCUMENTATION
7. Internal control documentation exists for this AU, is on file,
and has been reviewed.
-------
Exhibit XVI
Page 3 of 4
YES / NO / NOT SURE
8. Internal control documentation for this AU is formatted in the
style prescribed by Agency guidance (i.e. covers event cycles,
internal control objectives, and internal control techniques).
9. All internal control documentation for this AU has been reviewed
on an annual basis and necessary changes (inaccurate documentation
improved, new programs/functions documented, and terminated
programs/functions deleted) made in writing and filed.
RISK (VULNERABILITY) ASSESSMENTS (RAs)
10. This AU Manager has completed a RA in 1986 or 1987.
11. If this AU is rated "highly" vulnerable, this AU manager has
planned or taken action(s) to address the vulnerability and
determine if weaknesses exist or existing controls are adequate.
MANAGEMENT CONTROL PLANS (MCPs)
12. This AU Manager has developed a 5-year MCP.
13. This AU Manager has reported completed and planned reviews
and significant weaknesses by AU sub-unit, particularly
those rated highly vulnerable.
INTERNAL CONTROL EVALUATIONS
14. Internal control/alternative reviews have been conducted so
that the organization has a basis for providing reasonable
assurance. (Note: In order for the AU Manager to provide
reasonable assurance, some programs/functions need to be
reviewed each year whether or not any are determined highly
vulnerable.)
(a) Transaction testing was carried out in these reviews.
-------
Exhibit XVI
Page 4 of 4
YES / NO / NOT SURE
15. Internal control/alternative reviews conducted produced
written reports that have been reviewed and are on file.
16. Documentation is on file or has been reviewed verifying that
weaknesses identified/recommendations made in these written
reports have been corrected/implemented.
CORRECTIVE ACTION TRACKING SYSTEM (CATS)
17. Corrective Action Plans exist for each weakness or improvements
reported in CATS, contain milestones and timeframes with
start and completion dates, and have been reviewed.
18. Every IG and GAO report has been reviewed for internal
control weaknesses and coordinated with the office's Audit
Followup Coordinator to prevent duplication.
19. Documentation verifying that corrective actions taken to
resolve weaknesses/make improvements tracked in CATS have
been completed, is on file or has been reviewed.
SUMMARY EVALUATION STATEMENT
20. EPA's FMFIA process was implemented in this organization in
a thorough and conscientious manner.
REMARKS:
AU Manager's Signature
Date
-------
Exhibit XVII
Page 1 of 15
ATTACHMENT 1
SAMPLE ASSURANCE LETTER
MEMORANDUM
SUBJECT: Annual Report on Internal Controls
FROM: [Primary Organization Head]
TO: C. Morgan Kinghorn,
Acting Assistant Administrator
Office of Administration and Resources Management
I am submitting this annual report as required by EPA Order
1000.24, "Establishing, Evaluating, and Reporting on Internal
Control Systems", to assist the Administrator in complying with
OMB Circular A-123, "Internal Control Systems" and the Federal
Managers' Financial Integrity Act. The report also complies
with the internal control requirements of OMB Circular A-130,
"Management of Federal Information Resources".
ASSURANCE STATEMENT
I have taken the necessary measures to assure that we have
evaluated our internal controls in accordance with guidance
provided by the Office of Administration and Resources Management.
Based on the evaluation process and my personal knowledge, it is
my opinion that the internal controls in effect in [Primary
Organization] on September 30, 1987, taken as a whole, provide
reasonable assurance of compliance with the objectives of internal
control. Examples of important areas covered by this assurance
include automated information systems security, property
management, grants, contracts, financial management, budget management,
and program management and operations.
Attachment A provides data requested on our evaluation
process.
IMPROVEMENTS IN INTERNAL CONTROLS
Managers throughout [Primary Organization] have taken
seriously their responsibility to improve internal controls.
We have instituted the following improvements.
-------
Exhibit XVII
Page 2 of 15
1. Correction of Weaknesses In [Primary Organization]
Reported Last Year To the President And The Congress.
[Description of Weaknesses and Corrections]
[2-3 sentences for each weakness]
Attachment B provides a summary of the actions taken to
correct the weaknesses. I understand that this summary will be
included in the Administrator's 1987 report to the President and
the Congress.
I will continue to review [this program/these programs]
carefully to ensure that the corrective actions taken were sufficient
to solve the problems identified and preclude future occurrences
of similar problems. If the actions do not appear sufficient, we
will undertake additional corrective actions as appropriate.
2. Correction Of Weaknesses Reported Last Year in
[Primary Organization]'s Annual Report on Internal
Controls.
Last October, we reported [ ] weaknesses requiring
correction. All planned corrective actions have been implemented [or
add except as noted below].
[Description of Actions Not Completed]
[1-2 sentences for each weakness]
Attachment C provides a summary of the weaknesses not
corrected, the actions taken to date to correct them, and our plans
for additional action.
3. Weaknesses or Improvements Identified and Corrected
in 1987.
As part of our continuing effort to make [Primary
Organization]'s control systems even better, we identified and completed a
number of improvements during 1987. These are described in
Attachment D.
4. Continuing Review of Corrective Actions.
I will continue to review our operations carefully to make
sure that the corrective actions taken were sufficient to solve
the problems identified and preclude future occurrences of similar
problems. If the actions do not appear sufficient, we will
undertake additional corrective actions as appropriate.
-------
Exhibit XVII
Page 3 of 15
INTERNAL CONTROL WEAKNESSES TO BE CORRECTED/IMPROVEMENTS
As a result of our continuing evaluation of internal controls
in [Primary Organization], we have identified the following
internal control weaknesses and improvements which will be addressed
during FY 1988.
1. Weaknesses Requiring Corrective Actions, Which I
Recommend Be Reported To The President And The Congress.
[Description of material weakness]
[One sentence for each weakness]
2. Weaknesses Requiring Corrective Actions or Improvements
To Be Made, But Which Are Not Sufficiently Material To
Report To The President And The Congress.
[Description of material weakness]
[One sentence for each weakness]
Attachment E provides action plans for correcting each of the
weaknesses or making each of the improvements listed in 1 and 2
above.
Attachment F provides a summary of each weakness that I
recommend be reported to the President.
INTERNAL CONTROL REVIEWS AND RELATED ACTIONS
The [Primary Organization] is responsible for the quality of
its internal controls. We evaluate those controls to ensure that
they are properly functioning and are adequate.
1. 1987 Internal Control Reviews
In our 1986 assurance letter [Primary Organization] scheduled
[number] internal control reviews (ICRs). We also scheduled
[number] ICRs that were not identified in our 1986 assurance letter.
The following ICRs were completed in FY 1987 and demonstrated
the overall effectiveness of controls in place [or corrective
actions identified are being implemented.]
[Description of ICR - 1-2 sentences]
Attachment G provides a summary of the ICR findings.
The following ICRs were scheduled in 1987 or earlier and will
be completed in a future fiscal year.
[Description of ICR - 1-2 sentences]
[Planned completion date]
-------
Exhibit XVII
Page 4 of 15
2. 1987 Alternate Reviews and Studies
In addition to performing the above ICRs that adhered to the
formal guidelines the Internal Control Staff issued, [Primary
Organization] conducted [number] reviews of our operations,
functions, or facilities. Each of these reviews consisted of testing
transactions, reviewing control techniques, validating the quality
of data, etc., and resulted in written reports.
Attachment H is a list of the related reviews or studies
conducted by our office.
3. FY 1988 Internal Control Reviews
As a result of our continuing evaluations of internal
controls, [Primary Organization] has scheduled [number] internal
control reviews for FY 1988. Also, we will participate in any reviews
scheduled by other primary organization heads, if requested.
Attachment I provides action plans for completing these
reviews.
4. FY 1988 Alternate Reviews and Studies
In addition to the ICRs, [Primary Organization] plans to
perform [number] alternate reviews and/or related studies that are
not formal ICRs but test transactions, review control objectives
and result in a written report.
[Description of study - One sentence]
Attachments A through I
-------
Exhibit XVII
Page 5 of 15
-------
Exhibit XVII
Page 6 of 15
ATTACHMENT B
IMPLEMENTATION OF THE FMFIA IN FY 1987
SUMMARY OF ACTIONS TAKEN TO CORRECT MATERIAL WEAKNESS
REPORTED IN 1986 TO THE PRESIDENT AND THE CONGRESS
Primary Organization:
WEAKNESS: Improved procedures were needed to...
[One sentence description of weakness]
BACKGROUND: The Agency needed assurance that...
[One or two paragraphs explaining the importance of
the event cycle and internal control objectives]
CORRECTIVE ACTIONS: We implemented the following
corrective actions in FY 1987.
[List of corrective actions and completion dates]
[NOTE: Do not exceed one page per weakness
Put each weakness on a separate page.]
-------
Exhibit XVII
Page 7 of 15
-------
Exhibit XVII
Page 8 of 15
-------
Exhibit XVII
Page 9 of 15
ATTACHMENT D
IMPLEMENTATION OF THE FMFIA IN FY 1987
WEAKNESSES/IMPROVEMENTS IDENTIFIED AND CORRECTED DURING FY 1987
Primary Organization:
1. WEAKNESS: Improved procedures were needed to ...
[One sentence description of weakness]
BACKGROUND: The problem was ...
[One or two sentences explaining the need for increased
assurance in the event cycle]
CORRECTIVE ACTIONS: We ...
[Briefly explain the actions taken and indicate how they
should solve the weakness identified]
2. WEAKNESS:
etc.
-------
Exhibit XVII
Page 10 of 15
-------
Exhibit XVII
Page 11 of 15
-------
Exhibit XVII
Page 12 of 15
ATTACHMENT F
IMPLEMENTATION OF THE FMFIA IN FY 1987
SUMMARY OF MATERIAL WEAKNESSES TO BE REPORTED IN 1987
TO THE PRESIDENT AND THE CONGRESS
Primary Organization:
WEAKNESS: Improved Procedures Are Needed to...
[One sentence description of weakness]
BACKGROUND: The Agency needs assurance that...
[One or two paragraphs explaining the importance of
the event cycle and internal control objectives]
CORRECTIVE ACTIONS: We plan to implement the following
corrective actions in FY 1988.
[List of corrective actions and planned completion dates]
[NOTE: Do not exceed one page per weakness.
Put each weakness on a separate page.]
-------
Exhibit XVII
Page 13 of 15
ATTACHMENT G
IMPLEMENTATION OF THE FMFIA IN FY 1987
SUMMARY OF FINDINGS OF INTERNAL CONTROL
REVIEWS INITIATED
Primary Organization:
-------
Exhibit XVII
Page 14 of 15
ATTACHMENT H
IMPLEMENTATION OF THE FMFIA IN FY 1987
RELATED REVIEWS OR STUDIES CONDUCTED
Primary Organization:
Description of Review or Study    Office    Date Completed
-------
Exhibit XVII
Page 15 of 15
-------
[Figure: QUALITY ASSURANCE. Diagram panels:
CATS - Status Checks; Effectiveness of Action; Correction within one year
RESPONSIVENESS - Reports Timely; Proper Signature; Accurate Information
CURRENT DOCUMENTATION - Coverage; Up-to-date; Proper format
OVERALL PROCESS - Risk Assessment; MCP; Assurance Letter; Evaluation; etc.
AICRs MEETING CRITERIA - Testing Findings; Recommendations; Corrective Actions
(untitled panel) - Video Tapes; OMB; Internal Control Staff; Internal Control Coordinator]
-------
-------
CHAPTER I. EVALUATION OF EPA'S INTERNAL CONTROLS PROCESS
QUALITY ASSURANCE
I. PURPOSE
This chapter discusses the procedures for evaluating EPA's
implementation of the Federal Managers' Financial Integrity Act
(FMFIA).
OMB Circular A-123 (Revised) requires the designated senior
internal control official, the Assistant Administrator for
Administration and Resources Management, to provide assurance to
the EPA Administrator that the Agency conducted the internal
control evaluation process in a "thorough and conscientious
manner."
II. ROLES AND RESPONSIBILITIES
A complete and thorough evaluation of EPA's internal controls
process requires the cooperation of the following key personnel:
A. AA/OARM - The AA/OARM is responsible for reporting
annually to the Administrator by December 15 on whether EPA
personnel conducted the internal control process in a
thorough and conscientious manner and in compliance with OMB
Guidelines.
B. Internal Control Staff - The Internal Control Staff
(ICS) in the Office of the Comptroller (OC) is responsible
for:
1. Coordinating the overall evaluation of EPA's FMFIA
process;
2. Conducting training sessions of ICCs and program
managers;
3. Conducting on-site reviews of AU's and ICC's files,
documentation, and selected ICRs and AICRs;
4. Conducting quarterly meetings of ICCs to cover any
problems that arise during the year;
5. Evaluating the actions taken by EPA's 22 primary
organization heads (POHs) in providing "reasonable
assurance" to the AA/OARM that the primary organization
internal control systems are working effectively; and
6. Preparing the AA/OARM's assurance letter and
background materials to the Administrator.
-------
C. Primary Organization Heads (POHs) - Each POH is
responsible for conducting an annual evaluation of their
respective primary organization's internal control systems
and providing "reasonable assurance" to the AA/OARM by
October 31 that those systems are working effectively.
D. Internal Control Coordinators - The Internal Control
Coordinator (ICC) of each EPA primary organization is
responsible for:
1. Coordinating an overall evaluation of the FMFIA
process for their respective primary organization;
2. Evaluating the actions taken by the primary
organization's assessable unit (AU) managers in
providing "reasonable assurance" to the POH that the
internal control systems of the assessable units are
working effectively;
3. Conducting quality assurance reviews of selected
ICRs and AICRs;
4. Reviewing and updating all related material to
ensure full implementation of the FMFIA process;
5. Attending quarterly meetings of ICCs; and
6. Preparing the primary organization's consolidated
report for the AA/OARM.
E. AU Managers - The assessable unit manager of each EPA
primary organization is responsible for:
1. Evaluating the FMFIA process for their respective
AU;
2. Attending training sessions as deemed necessary;
and
3. Reporting results of their AU evaluation (mentioned
in the preceding point) to their POH.
F. Office of the Inspector General - By December 1,
annually, the Office of the Inspector General (OIG) is
responsible for conducting a separate, independent
evaluation and reporting to the Administrator on whether EPA
is implementing FMFIA in a manner consistent with OMB
Circular A-123. The Office of Inspector General reviews the
ICS and any other Program or Regional office as deemed
necessary.
-------
III. PROCEDURES
The evaluation of EPA's FMFIA process may include, but is not
limited to, the following steps:
- Conducting follow-up activities pursuant to the report
results or responses, as necessary;
- Reviewing the quality of ICRs and AICRs;
- Conducting training sessions to ensure that all necessary
personnel have a working knowledge of internal controls;
- Reviewing and consistently updating documentation; and
- Ensuring that all necessary personnel have written
performance standards regarding internal controls.
The following paragraphs discuss these steps in further detail
and Exhibit XVIII provides a summary illustration.
A. FMFIA Quality Control Evaluation Reports - The FMFIA
evaluation process focuses on the extent to which EPA's
primary organizations' FMFIA compliance efforts are
thorough, conscientious, and adequate to support a statement
of "reasonable assurance" to the Administrator.
1. By mid-July of each year, the ICS distributes a
blank Quality Control Evaluation Report form to the ICC
of each EPA primary organization to distribute to all
AU managers.
The evaluation report form examines six aspects of
internal controls: orientation and awareness of
managers concerning FMFIA responsibilities;
segmentation of the organization; documentation of
activities; assessment of vulnerabilities; review of
controls; and tracking and reporting.
AU managers must answer the questions and submit the
completed form to their ICC.
2. Upon receipt of the AU evaluation forms, the ICC
consolidates the responses from all of the forms into a
single evaluation report for that primary organization.
By no later than October 31 annually, the ICC must
submit the evaluation report, along with the POH's
annual assurance letter, to the AA/OARM (through the
ICS). It is critical for the ICC to meet the October
31 deadline to enable the ICS to conduct any
appropriate follow-up activities relating to any
-------
issue(s) raised in the evaluation responses or reports
and to meet the AA/OARM's December 15 deadline for
reporting to the Administrator.
B. Follow-up Evaluation Activities - Upon receiving the POH
evaluation reports from the ICCs, the ICS consolidates and
analyzes the responses.
Prior to preparing the AA/OARM's report to the
Administrator, the ICS conducts follow-up activities to
resolve issues raised by the evaluation responses. Follow-
up activities can include (but are not restricted to)
interviewing the ICCs and AU managers, and conducting
evaluations of internal control reviews (ICRs) and
alternative internal control reviews (AICRs).
The following paragraphs discuss these follow-up activities
in detail.
1. Interviews - In an ICC or AU manager interview, the
ICS may ask how the ICC or AU manager implemented the
FMFIA process in the organization and the extent to
which the ICC or AU manager fulfilled certain basic
FMFIA requirements (e.g., adding internal control
responsibilities to performance standards). In
addition, the ICS may examine the organization's
internal control documentation.
At the conclusion of an interview, the ICS will review
the findings with the ICC, AU manager, or their POH,
raise issues that need to be resolved, make suggestions
for improvements, and solicit comments regarding the
existing FMFIA process in the primary organization.
2. ICR/AICR Evaluation - The ICS may also evaluate
the components of an ICR or AICR conducted by an AU
manager. (For further information on the ICR/AICR
process, see Chapter F.)
The ICS may evaluate the components of an ICR/AICR's
event cycles; internal control objectives; internal
control techniques; testing of techniques; reporting
results; and documentation.
The ICS uses the results of its ICR/AICR evaluation in
one of two ways. The ICS may return its ICR/AICR
evaluation to the responsible primary organization with
specific suggestions for improvement. Or, the ICS may
use the results of its ICR/AICR evaluation to make
changes in EPA guidance or suggest training of the
assessable unit manager that conducted the ICR/AICR.
-------
After completing any follow-up activities, the ICS
prepares the AA/OARM's report to the Administrator.
C. Report to Administrator - As required by OMB Circular A-
123 (Revised) and EPA Resource Management Directive 2560,
the AA/OARM reports to the Administrator by December 15
annually "on whether or not the evaluation of internal
controls in EPA was conducted in a conscientious and
thorough manner" and in compliance with the OMB Guidelines.
-------
-------
Exhibit XVIII
-------
-------
BACKGROUND ON EPA'S INTERNAL CONTROL REQUIREMENTS
[Exhibit: chart with the following boxes]
- FMFIA Requires Annual Internal Control Evaluations in all
Federal Agencies
- FMFIA Required GAO to Develop Internal Control Standards
(Issued June 1983)
- FMFIA Required OMB to Develop Guidelines for Evaluating
Internal Controls (Issued December 1982)
- OMB Revised Circular A-123 to Include Management Control Plans
and Quality Assurance (Issued August 1986)
- EPA Performs Annual Internal Control Evaluations and Reports
on Results in Accordance with EPA Directive 2560
-------
-------
ADDENDUM
1. HISTORICAL BACKGROUND
I. PURPOSE
This section discusses the background to EPA's internal control
process, defines major internal control terminology, outlines the
major roles and responsibilities of EPA and other Federal
officials, and illustrates EPA's internal control process.
II. BACKGROUND
The Federal Government has long been concerned with the need for
internal control systems designed to prevent fraud, waste, abuse,
and mismanagement of Government funds. The Accounting and
Auditing Act (part of the Budget and Accounting Procedures Act of
1950) made the head of each executive department and agency
responsible for establishing and maintaining effective systems of
internal control.
As the Federal Government grew during the 1960s and 1970s, so did
efforts to strengthen the effectiveness of internal controls. In
October 1981, the Office of Management and Budget (OMB) issued
Circular A-123 to address numerous instances of fraud, waste, and
abuse of Government resources and mismanagement of Government
programs resulting from poor internal controls.
In September 1982, Congress and the President enacted the Federal
Managers' Financial Integrity Act (FMFIA), which amended the 1950
Act. The goal of this legislation is to help reduce fraud,
waste, and abuse and to improve management of Federal operations.
In August 1983, OMB revised Circular A-123 to incorporate the
provisions of FMFIA. OMB again revised the Circular in August
1986 to improve the process for evaluating agency internal
control systems.
FMFIA requires that the internal accounting and administrative
controls of each agency conform to standards prescribed by the
Comptroller General. FMFIA requires that OMB establish
guidelines by which agencies can evaluate their systems of
internal control.
FMFIA also mandates that each executive agency annually evaluate
its system of internal accounting and administrative controls.
Further, FMFIA requires agency heads to report to the President
and the Congress annually on whether their internal control
systems comply with the goals of the Act. If systems do not
comply, agency heads must identify material weaknesses and
present plans for corrective action. The preceding exhibit
-------
presents a brief overview of these Federal requirements. Section
2 of this addendum provides a detailed discussion of the relevant
Federal and EPA authorities, guidelines, and standards that
govern EPA's internal control system.
III. AUTHORITY
EPA's Resource Management Directive, Section 2560 - Internal
Control, provides an overview of EPA's internal control process.
The Directive incorporates the Comptroller General's standards
and outlines OMB internal control guidelines.
The Directive sets internal control standards for EPA program
operations and administrative functions. It prescribes
organizational and functional responsibilities, including
requirements for annual reports.
The Directive can be found in its entirety in Appendix 5.
IV. SCOPE
This manual applies to all EPA organizations and their managers.
V. DEFINITIONS
Action Plan — A document identifying major work steps and
scheduled start and completion dates for correcting internal
control deficiencies.
Agency Component — A major organization, program, or functional
subdivision of an agency having one or more separate systems of
internal control (e.g. Criteria and Standards Division or CERCLA
Enforcement Division).
Assessable Unit (AU) — A program operation, administrative
function or a sub-division thereof which is subject to a risk
assessment and internal control evaluation. An assessable unit
is comprised of related event cycles. An assessable unit is
usually a division or branch of an office. In EPA, we recommend
that an AU be constructed of units no larger than a division.
The ultimate decision for segmentation rests with the Assistant
Administrator or Regional Administrator.
Control Objective — A desired goal or standard for a specific
event cycle that ensures that the component's mission and
objectives are accomplished efficiently and effectively.
Control Techniques — The management processes or documents
designed, implemented, monitored, and changed as necessary to
-------
achieve the control objectives or to reduce risks to acceptable
levels. Examples of control techniques include passwords to
limit access to data bases, internal procedures for delegating
programs to States, planning calendars with specific milestones,
and segregating sensitive duties among several personnel.
Internal Control Corrective Action Tracking System (CATS) — The
automated agency system used to track each quarter the actions
taken to correct identified internal control weaknesses and
implement internal control improvements. (There is a separate
tracking system for OIG audits.)
Event Cycle — A series of related steps that constitute a
distinct and separate process or activity within a component. An
event cycle refers to the related processes or actions to carry
out a recurring responsibility, create the necessary
documentation, and gather and report related data. The number of
event cycles within an assessable unit depends upon the size and
complexity of the unit. For instance, in the Resource Management
Division, event cycles consist of (1) managing the Agency's
internal control program, (2) the Productivity Program, and (3)
the Audit Follow-up Program.
GAO Internal Control Standards — The standards issued by the
Comptroller General on June 1, 1983 for use in establishing and
maintaining systems of internal control. See Appendix 2.
General Control Environment — Various factors that can influence
the effectiveness of internal controls over programs and
administrative functions such as budget cuts, changes in
personnel, reorganizations and new management policies.
Internal Control — The plan of organization, methods, and
procedures adopted by management to provide reasonable assurance
that obligations and costs comply with applicable law; safeguards
exist to protect funds, property, and other assets against waste,
loss, unauthorized use, or misappropriation; and personnel
properly record and account for revenues and expenditures
applicable to agency operations.
Internal Control Documentation — Any written material (including
software) that describes internal control methods and measures,
communicates responsibilities and authorities for internal
control methods and measures, or serves as a reference for
persons reviewing internal controls and their functioning.
Internal Control Evaluation — A detailed evaluation of a program
or administrative activity to determine whether adequate control
techniques exist and are implemented to achieve cost-effective
compliance with FMFIA. Control Evaluations are of two types:
Internal Control Reviews and Alternate Internal Control Reviews.
-------
Internal Control Review (ICR) — A detailed examination of a
system of internal control in accordance with Agency
internal control review guidance dated October 1983. The
purpose is to determine whether adequate control measures
exist and are implemented to prevent or detect potential
risks cost-effectively. (Copies of this guidance are
available from the Agency's Internal Control Staff.)
Alternative Internal Control Reviews (AICR) — Any review of
internal controls which does not use the full event cycle
methodology required by OMB and EPA guidelines. Inspector
General audits, computer security reviews, management
studies, and reviews conducted in accordance with other OMB
Circulars (financial - A-127 and ADP - A-130) are examples of
alternative internal control reviews. Such reviews usually
focus on high risk areas/activities and determine whether
the control techniques in an agency component are operating
in compliance with OMB Circular A-123. Alternative Internal
Control Reviews must determine overall compliance and
include testing of controls and a written report of the
review detailing the activity reviewed, the findings and
recommended corrective action.
Internal Control System — All methods and measures used to
achieve the objectives of internal control for all or part of an
organizational component, program, or administrative function.
Management Control Plan (MCP) — A structured process for
planning agency efforts to develop, maintain, evaluate, improve,
and report on internal controls to ensure that the objectives of
the Act and OMB Circular A-123 are achieved cost-effectively.
The plan is based on management's judgment regarding the
potential risks associated with each agency component and the
steps required to review and improve internal controls. It is a
5-year plan to be updated annually. Based upon the
Administrator's review and approval, EPA submits the MCP to OMB
at the end of the calendar year.
Material Weakness — A situation in which the designed procedures
or degree of operational compliance do not provide reasonable
assurance that the objectives of internal control are being
accomplished. The assurance letter process identifies material
weaknesses annually.
(A Presidential level "material weakness" is a situation that
could impair fulfillment of the agency's mission, deprive the
public of needed government services, violate statutory or
regulatory requirements, or result in a conflict of interest.
The assurance letter process identifies Presidential level
material weaknesses annually.)
-------
Previously reported material weaknesses included areas that
received large budgets, new legislation, and heavily mandated
requirements. EPA guidance recommends that managers correct
weaknesses within one year.
OMB Guidelines — The internal control guidelines issued by OMB
in December 1982, entitled "Guidelines for the Evaluation and
Improvement of and Reporting on Internal Control Systems in the
Federal Government." See Appendix 3.
Preliminary Review — A diagnostic process for analyzing and
identifying specific problems, issues, and concerns disclosed by
risk assessments.
Primary Organization — A major EPA organizational component
(there are 22) headed by either the Deputy Administrator, an
Assistant Administrator, a Regional Administrator, the Inspector
General, or the General Counsel.
Reasonable Assurance — A satisfactory level of confidence in
achieving program objectives effectively and efficiently under
given considerations of costs, benefits, and risks. This concept
recognizes that the cost of internal control should not exceed
the benefit derived. For example, it is not necessary to spend
$1000 to protect a $1 item.
Risk Assessment — A review of the susceptibility of a program or
function to the occurrence of waste, loss, unauthorized use, or
misappropriation. The assessment usually identifies the relative
risks of each component as high, medium or low in a 2-page
questionnaire form. The next EPA risk assessment is scheduled
for 1989 and every three years thereafter.
Segmentation — The process of dividing the Agency into
assessable units, i.e., organizational components, programs,
administrative functions, etc., for which risk assessments will
be performed. EPA's segmentation is parallel to the
organization's structure.
VI. ROLES AND RESPONSIBILITIES
This section outlines the roles of the various Federal and EPA
personnel charged with implementing FMFIA.
A. GAO — In accordance with FMFIA provisions, the
Comptroller General prescribes standards for each executive
agency's internal accounting and administrative controls.
GAO also conducts audits and investigations of Executive
Branch agencies and departments — including compliance with
FMFIA, the OMB Guidelines, and the GAO Standards.
-------
B. OMB — FMFIA requires OMB, in consultation with GAO, to
publish guidelines by which the agencies can analyze
programs and functions to determine their vulnerability
(risk) to waste, fraud, and mismanagement. EPA follows
these guidelines in evaluating and reporting on the status
of its internal controls.
C. EPA — In accordance with the GAO Standards, FMFIA
requires EPA to establish controls that reasonably ensure
that:
1. Obligations and costs comply with existing law;
2. Funds, property, and other assets are safeguarded;
3. Operational revenues and expenditures are properly
recorded and accounted for;
4. EPA is carrying out its responsibilities according
to the legislation; and
5. EPA is properly administering its programs
according to Congress and OMB.
D. Administrator — The Administrator of EPA is responsible
for ensuring that the evaluation, improvement, and reporting
on the agency's internal control system meet the
requirements of FMFIA and the OMB Guidelines.
Specifically, the Administrator must report annually to the
President and the Congress on whether EPA's internal control
systems comply with FMFIA's objectives. To the extent that
the systems do not comply, the Administrator must identify
material weaknesses and offer plans for corrective actions.
The Administrator must also report on whether EPA's
accounting systems conform to the Comptroller General's
standards.
OMB requires the Administrator to personally review and
approve the Management Control Plan. The Administrator is
to oversee the program by monitoring adherence to the time
frames for conducting scheduled control reviews and
correcting identified major — or "material" weaknesses.
E. Assistant Administrator, OARM — The Assistant
Administrator for Administration and Resources Management is
responsible for:
-------
1. Coordinating EPA's efforts to implement FMFIA;
2. Developing an EPA-wide inventory of assessable
units in consultation with other Primary Organization
Heads (POHs);
3. Providing guidance on performing risk assessments,
internal control reviews, and other internal control
activities;
4. Assuring that EPA managers are informed of their
responsibility to include appropriate internal control
responsibilities in their performance agreements;
5. Training managers on performing risk assessments,
internal control reviews, and other internal control
activities;
6. Ensuring that the responsible individuals complete
risk assessments, internal control reviews, and annual
status reports on internal control systems according to
appropriate guidance;
7. Coordinating an EPA-wide risk assessment at least
once every five years. Due to changes in EPA's
authorizing statutes and major fluctuations in EPA's
budgets, EPA has established a 3-year risk assessment
cycle;
8. Overseeing the development of an Agency management
control plan at least once every five years and
ensuring that it is updated annually and reported to
OMB by December 31 of each year;
9. Reporting to the Administrator, by December 15 of
each year, on whether or not the evaluation of internal
controls in EPA was conducted conscientiously and
thoroughly; and
10. Submitting to the Administrator, by December 15 of
each year, a proposed internal control statement for
the President and the Congress.
F. The Comptroller — The Office of the Comptroller is
responsible for:
1. Developing, issuing, and implementing policies and
procedures for evaluating, improving, and reporting on
financial management/accounting systems;
2. Maintaining liaison with OMB, GAO, and others on
the evaluation, improvement, and reporting processes;
-------
3. Monitoring the status and quality of evaluations
and reports;
4. Preparing the Administrator's annual report to the
President and the Congress;
5. Monitoring actions on reported material instances
of nonconformance to ensure prompt effective action;
6. Developing a five-year plan for integrating EPA
financial management systems.
G. Resource Management Division — The Resource Management
Division (RMD) of the Office of the Comptroller is
responsible for:
1. Ensuring that EPA managers are aware of their
internal control responsibilities;
2. Ensuring consistent and timely compliance of all
relevant EPA organizational units with EPA Resource
Management Directive 2560 - Internal Control;
3. Coordinating, monitoring, and providing guidance on
EPA's implementation of FMFIA;
4. Ensuring consistent implementation of FMFIA within
EPA;
5. Requiring timely submission of internal control
reports;
6. Initiating an internal control quality assurance
program;
7. Providing supplemental training, assistance, and
documentation to EPA employees concerning their
responsibilities under FMFIA; and
8. Developing a five-year management control plan for
all internal control assessable units.
H. Agency Internal Control Staff — The Internal Control
Staff (ICS) of RMD is responsible for coordinating,
monitoring, and providing guidance on the implementation of
FMFIA.
I. Primary Organization Heads — Twenty-two Primary
Organization Heads at EPA include the Deputy Administrator,
the nine Assistant Administrators, the Regional
Administrators, the General Counsel, and the Inspector
-------
General. Within the jurisdiction of their organizational
units, the POHs are responsible for:
1. Developing and maintaining effective systems of
internal control;
2. Resolving audit findings consistent with the GAO
Standards;
3. Conveying, in writing, to employees at each level
of management their internal control responsibilities
and expected performance and incorporating these
responsibilities and standards in their performance
agreements and appraisals;
4. Evaluating internal control systems on a continuing
basis and taking appropriate corrective action when
weaknesses are detected;
5. Reporting immediately to the Inspector General any
instances of illegal conduct, wrongdoing, or fraud
identified by internal control evaluations;
6. Assisting the Office of Administration and
Resources Management (OARM) in identifying assessable
units within areas of program responsibility;
7. Developing internal control documentation in
accordance with OARM guidance;
8. Performing risk assessments for each assessable
unit as required by schedules established with OARM;
9. Scheduling and performing internal control reviews;
10. Developing action plans to correct weaknesses in
internal controls and assigning responsibility for
implementation of these actions within deadlines; and
11. Reporting to the Assistant Administrator, OARM, by
October 31 of each year, that their organization's
internal controls have been evaluated in accordance
with OARM guidance. The report must describe any
Presidential level material weaknesses and/or
significant material weaknesses disclosed by the
evaluation, the action plans for correcting these
weaknesses, and the status of actions taken to correct
any weaknesses identified in prior year's reports.
-------
J. Inspector General — The Inspector General is
responsible for:
1. Providing technical assistance in EPA's effort to
evaluate and improve internal controls;
2. Performing audits and reviews of internal control
documentation and systems to determine whether they
meet the internal control standards and guidelines;
3. Recommending improvements in internal control
practices and procedures as a result of audits and
reviews;
4. Reporting to the Administrator, by December 15 of
each year, on whether EPA's implementation of FMFIA is
reasonable and prudent; and
5. Investigating and reporting any instances of
illegal conduct, wrongdoing, or fraud reported in
accordance with EPA Resource Management Directive 2560.
K. Program Managers — All EPA managers are responsible for
operating effective and efficient systems of internal
control. They must also evaluate the control systems
periodically and take timely corrective actions on all
identified weaknesses.
L. Internal Control Coordinator (ICC) — Individuals
designated by a POH to coordinate, monitor, and implement
agency internal control guidance in his or her organization.
An ICC is responsible for ensuring that his or her
organization make sufficient progress in implementing the
Act so the POH can provide "reasonable assurance" of
compliance with the FMFIA.
M. Manager/Supervisor — All agency SES and GM employees
and those GS employees having supervisory responsibilities.
This could include On-Scene Coordinators, Regional Program
Managers, Branch Chiefs, Systems Supervisors, Office
Managers, and any other position which has significant
responsibilities.
-------
2. OVERVIEW OF FEDERAL REQUIREMENTS AND GUIDELINES
I. PURPOSE
This section discusses the following Federal and EPA authorities,
guidelines, and standards that govern EPA's internal control
system:
A. The Accounting and Auditing Act of 1950, 31 U.S.C.
3512(a);
B. The Federal Managers' Financial Integrity Act of 1982
(FMFIA), P.L. 97-255, 31 U.S.C. 3512(b);
C. OMB Circular A-123, Revised - Internal Control Systems
dated August 4, 1986;
D. GAO Standards for Internal Control in the Federal
Government (GAO Standards) dated June 1, 1983;
E. OMB Guidelines for the Evaluation and Improvement of and
Reporting on Internal Control Systems in the Federal
Government (OMB Guidelines) dated December 1982; and
F. EPA Resource Management Directive, Section 2560 -
Internal Control.
II. ACCOUNTING AND AUDITING ACT OF 1950
The Act requires the head of each executive agency to establish
and maintain accounting and internal control systems in their
respective agencies. The systems must provide:
A. Complete disclosure of the financial results of the
agency's activities;
B. Adequate financial information for management of the
agency;
C. Effective control over and accountability for all agency
funds, property, and other assets (including appropriate
internal audits);
D. Reliable accounting results to:
1. Prepare and support the agency's budget requests;
2. Control the execution of the agency's budget; and
-------
3. Provide financial information required by the
Office of Management and Budget (OMB) under the Budget
and Accounting Act, 1921 [31 U.S.C. 1104(e)]; and
E. Suitable integration of agency accounting with the
central accounting and reporting responsibilities of the
Secretary of the Treasury.
III. FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT OF 1982
(Appendix 1)
In response to continuing disclosures of waste, loss,
unauthorized use, and misappropriation of funds and assets in a
wide range of government operations, Congress amended the
Accounting and Auditing Act of 1950 with the enactment of FMFIA.
FMFIA's goal is to reduce fraud, waste, and abuse and to improve
the management of Federal operations.
FMFIA requires agencies to evaluate and report annually on their
(1) internal accounting and administrative controls, and (2)
accounting systems. The Act provides the necessary discipline
for agencies to identify and remedy long-standing internal
control and accounting systems problems. Specific requirements
of FMFIA are:
A. Internal Control Standards - FMFIA requires agencies to
establish internal accounting and administrative control
systems that comply with internal control standards
prescribed by the Comptroller General and provide reasonable
assurance that:
1. Obligations and costs comply with the law;
2. Funds, property, and other assets are safeguarded
against waste, loss, unauthorized use, or
misappropriation; and
3. Operating revenues and expenditures are properly
recorded and accounted for so that management may:
a. Prepare accounts and reliable financial and
statistical reports; and
b. Maintain accountability of assets.
Subsection 4, on the following page, discusses these
standards.
B. OMB Guidelines - The official title of this document is
"OMB Guidelines for the Evaluation and Improvement Of and
-------
Reporting On Internal Control Systems", hereinafter referred
to as the OMB Guidelines.
FMFIA also requires OMB to establish guidelines for agencies
to evaluate their internal accounting and administrative
control systems. The systems must also comply with the
standards discussed above. Overall policy guidance is
provided in OMB Circular A-123 - Internal Controls.
Subsection 5, OMB Guidelines, discusses these guidelines.
C. Annual Assurance Letter - FMFIA requires each agency
head to annually evaluate the agency's internal control
systems. The agency head must submit an annual assurance
letter to Congress and the President reporting on the
agency's compliance with FMFIA internal control
requirements.
If the systems do not comply with FMFIA's requirements, the
agency head must:
1. Identify any material weaknesses in the systems;
and
2. Provide plans and a schedule for correcting the
weaknesses.
Chapter H entitled Annual Assurance Letter Process,
discusses the annual assurance letter further.
D. Accounting System Report - Finally, FMFIA also requires
each agency head to include in the annual assurance letter
(referenced above) a separate report on whether the agency's
accounting system conforms to the Comptroller General's
accounting principles, standards, and related requirements.
IV. GAO STANDARDS (Appendix 2)
FMFIA requires each executive agency to establish a system of
internal accounting and administrative controls in accordance
with standards prescribed by the Comptroller General. The
standards prescribed by the Comptroller General are the GAO
Standards.
The GAO standards apply to program management as well as to
traditional financial management areas. The standards encompass
all operations and administrative functions.
The Comptroller General stated that "the ultimate responsibility
for good internal control rests with management ... they should
be recognized as an integral part of each system that management
-------
uses to regulate and guide its operations. In this sense,
internal controls are management controls."
There are twelve GAO standards: five general standards; six
specific standards; and one audit resolution standard. These
standards are listed below.
A. General Standards - The general standards apply to all
aspects of internal controls.
1. Reasonable Assurance - "Internal control systems
are to provide reasonable assurance that the objectives
of the systems will be accomplished."
2. Supportive Attitude - "Managers and employees are
to maintain and demonstrate a positive and supportive
attitude toward internal controls at all times."
3. Competent Personnel - "Managers and employees are
to have personal and professional integrity and are to
maintain a level of competence that allows them to
accomplish their assigned duties, as well as understand
the importance of developing and implementing good
internal controls."
4. Control Objectives - "Internal control objectives
are to be identified or developed for each agency
activity and are to be logical, applicable, and
reasonably complete."
5. Control Techniques - "Internal control techniques
are to be effective and efficient in accomplishing
their internal control objectives."
B. Specific Standards - A number of techniques are
essential to ensure that the internal control objectives
will be achieved. These critical techniques are the
specific standards discussed below.
1. Documentation - "Internal control systems and all
transactions and other significant events are to be
clearly documented, and the documentation is to be
readily available for examination."
2. Recording of Transactions and Events -
"Transactions and other significant events are to be
promptly recorded and properly classified."
3. Execution of Transactions and Events -
"Transactions and other significant events are to be
authorized and executed only by persons acting within
the scope of their authority."
-------
4. Separation of Duties - "Key duties and
responsibilities in authorizing, processing, recording,
and reviewing transactions should be separated among
individuals."
5. Supervision - "Qualified and continuous supervision
is to be provided to ensure that internal control
objectives are achieved."
6. Access to and Accountability for Resources -
"Access to resources and records is to be limited to
authorized individuals and accountability for the
custody and use of resources is to be assigned and
maintained. Periodic comparison shall be made of the
resources with the recorded accountability to determine
whether the two agree. The frequency of the comparison
shall be a function of the vulnerability of the asset."
C. Audit Resolution Standard - "Managers are to:
1. Promptly evaluate findings and recommendations
reported by auditors;
2. Determine proper actions in response to audit
findings and recommendations; and
3. Complete, within established time frame, all
actions that correct or otherwise resolve the matters
brought to management's attention."
V. OMB GUIDELINES, DATED DECEMBER 1982 (Appendix 3)
FMFIA required OMB to issue guidelines for agencies to use in
developing specific plans for self-evaluations of their internal
control systems to determine whether those systems comply with
the GAO Standards.
The OMB Guidelines present a five-phased approach for agencies to
evaluate, improve, and report on their internal controls:
A. Organize the evaluation process;
B. Identify programs and administrative functions;
C. Conduct risk assessments;
D. Conduct internal control reviews; and
E. Report under the FMFIA.
-------
EPA adopted this approach based on its experience and additional
OMB guidance issued annually as part of their Call Letter for the
assurance process.
VI. OMB CIRCULAR A-123, REVISED, DATED AUGUST 4, 1986
(Appendix 4)
OMB Circular A-123 prescribes policies, responsibilities, and
requirements related to internal control reviews and the FMFIA.
It also defines key terms for Federal executive departments and
agencies to follow in establishing, maintaining, evaluating,
improving, and reporting on internal controls in their program
and administrative activities.
A. Policy - OMB Circular A-123 states that:
1. Agencies shall maintain a cost-effective system of
internal control to provide reasonable assurance that
government resources are protected;
2. All levels of management shall involve themselves
in assuring controls are adequate;
3. Existing and new agency programs shall incorporate
effective systems of internal control;
4. Internal control does not encompass such matters as
statutory development or interpretation, determination
of program need, resource allocation, rulemaking, or
other discretionary policymaking processes in an
agency.
B. Responsibilities - For each agency, OMB Circular A-123
outlines the general responsibilities of the agency head,
designated senior internal control officials, heads of
organizational units, and Inspector General (or equivalent
senior audit official).
C. Requirements - OMB Circular A-123 requires each agency
to meet the following requirements in a cost-effective
manner:
1. Maintain an internal control directive assigning
management responsibility for internal controls. This
directive shall include provisions for (1) coordination
on internal control matters among the designated
internal control officials, (2) administrative
procedures to enforce the intended functioning of
internal controls, and (3) performance agreements, for
each Senior Executive Service and Merit Pay or
equivalent employee with significant responsibility for
-------
internal controls, which result in recognition for
positive internal control accomplishments such as
timely correction of internal control weaknesses and
appropriate action for violations of internal control.
2. Develop a Management Control Plan (MCP) or plans, to
be updated annually, to identify component inventory,
to show risk rating of component (high, medium, low),
and to provide for necessary evaluations over a
five-year period.
3. Make risk assessments to identify potential risks
in agency operations which require corrective action or
further investigation through internal control
evaluations or other actions. EPA management should
update its risk assessment of agency components at
least once every 5 years and as major changes occur.
Due to changes in EPA's authorizing statutes and major
fluctuations in EPA's budgets, EPA has established a
three-year risk assessment cycle. Risk assessments
should be considered as part of the MCP.
4. Make internal control evaluations using the
procedures in the 1982 OMB Internal Control Guidelines
or alternative reviews to determine whether the
internal control system is effective and operates in
compliance with FMFIA and OMB Circular A-123.
5. Implement corrective actions identified by agency
internal control evaluations on a timely basis. A
formal follow-up system should be established that
records and tracks recommendations and projected action
dates, and monitors whether management implements the
changes as scheduled.
Chapter G entitled "Corrective Action Tracking System",
and Chapter I entitled "Evaluation of EPA Internal
Controls Process", provide further discussion of
follow-up actions.
D. Reporting - By December 31 of each year, each agency
head subject to FMFIA must submit an annual assurance letter
to the President and to Congress stating whether the agency
conducted internal control evaluations in accordance with
OMB Circular A-123 and whether the agency's internal control
system complies with GAO Standards. Chapter H discusses
this reporting process in detail.
-------
VII. EPA RESOURCE MANAGEMENT DIRECTIVE, SECTION 2560 - INTERNAL
CONTROL (Appendix 5)
EPA Resource Management Directive 2560 prescribes the policies
and standards for internal control systems in EPA. It assigns
responsibility for establishing, maintaining, evaluating,
improving, and reporting on internal controls.
A. Policy and Objectives - The policy and objectives of EPA
Resource Management Directive 2560 are the same as the OMB
Circular A-123 policies and objectives outlined in the
previous section.
B. Standards - The standards are the same as the GAO
Standards stated in Section 4 of this Addendum.
C. Procedures - The Order outlines the following procedures
for evaluating, improving, and reporting on EPA's internal
control systems:
1. Identify EPA assessable units;
2. Develop internal control documentation;
3. Develop a Management Control Plan;
4. Perform risk assessments;
5. Resolve internal control weaknesses;
6. Schedule internal control evaluations;
7. Perform internal control evaluations;
8. Improve internal controls; and
9. Report to the President and to Congress.
D. Responsibilities - EPA Directive 2560 outlines the
responsibilities of the following officials:
1. EPA Administrator;
2. Assistant Administrator, Office of Administration
and Resources Management;
3. The Comptroller;
4. Resource Management Division;
5. Agency Internal Control Staff;
-------
6. Primary Organization Heads (POHs);
7. Inspector General; and
8. Program Managers.
VIII. REFERENCE MATERIAL
The following documents provide additional guidelines relating to
EPA's internal control system and compliance with FMFIA:
A. Implementation of the Federal Managers' Financial
Integrity Act of 1982 - Procedures for Conducting Internal
Control Reviews, dated June 1984;
B. Financial Managers' Quality Assurance Guide - Office of
the Comptroller, not dated;
C. EPA Order 2780.IB - GAO Audits: Agency Relationships
with GAO and Responsibilities for Follow-up Actions, dated
May 1984;
D. EPA Directive 2750 - Management of EPA Audit Reports of
Follow-up Actions Manual, dated April 1984; and
E. EPA Order 2550.1 - Financial Management Systems dated
June 1985.
These documents are available upon request. Please contact the
Resource Management Division, PM-225.
-------
-------
ANALYSIS OF FY 1986 RISK ASSESSMENTS
To determine which assessable units (AUs) were highly vulnerable,
the ICS used a probability (normal) distribution. More
specifically, they did the following:
- Calculated the mean (average) score of all Headquarters,
Program Offices, Support Offices, and Regional Offices AUs;
- Determined the standard deviation for each.
Standard deviation is a statistical term that measures the
variability of a set of observations from the mean. Therefore,
scores were compared to the mean and:
- AU scores that equaled or exceeded the mean plus one
standard deviation were determined to be highly vulnerable
(57 + program offices), (50 + support offices), and (63 +
for regional offices);
- AU scores within plus or minus one standard deviation of the mean
were determined to have medium vulnerability (38 - 56
program offices), (34 - 49 support offices), and (41 - 62
regional offices);
- AU scores equal to or less than the mean minus one standard
deviation were determined to have low vulnerability (0 - 37
program offices), (0 - 33 support offices), and (0 - 40
regional offices).
Standard deviations and risk assessment scores were calculated
for each of the Headquarters Program Offices, Headquarters
Support Offices, and Regional Offices. These calculations are
presented on the following pages.
The 1989 Risk Assessment will go through the same scoring
process. Therefore, a different scale of HIGH, MEDIUM, AND LOW
will more than likely emerge as a result of new averages
attained. This will serve two purposes: to gain a more accurate
risk rating of the Agency and to prevent any office from
attaining a lesser rating than it should.
-------
1986 SCALE OF RISK RATINGS FOR ENVIRONMENTAL PROTECTION AGENCY
HEADQUARTERS PROGRAM OFFICES: Mean = 47.8   Standard Deviation = 9.5
Rating   Score Range     Calculation                                    Number of AUs   Percentage
High     57 or greater   Mean (47.8) + Standard (9.5) = 57.3 or 57      10              17.9%
Medium   38 to 56        Mean (47.8) - Standard (9.5) = 38.3 or 38      38              67.8%
Low      0 to 37         Anything less than 38                          8               14.3%
Total                                                                   (56)            (100%)
HEADQUARTERS SUPPORT OFFICES: Mean = 41.8   Standard Deviation = 8.5
Rating   Score Range     Calculation                                    Number of AUs   Percentage
High     50 or greater   Mean (41.8) + Standard (8.5) = 50.3 or 50      14              15.9%
Medium   34 to 49        Mean (41.8) - Standard (8.5) = 33.3 or 33      59              70.5%
Low      0 to 33         Anything less than 33                          15              13.6%
Total                                                                   (88)            (100%)
REGIONAL OFFICES: Mean = 51.8   Standard Deviation = 11.0
Rating   Score Range     Calculation                                    Number of AUs   Percentage
High     63 or greater   Mean (51.8) + Standard (11.0) = 62.8 or 63     12              14.0%
Medium   41 to 62        Mean (51.8) - Standard (11.0) = 40.8 or 41     61              70.9%
Low      0 to 40         Anything less than 41                          13              15.1%
Total                                                                   (86)            (100%)
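The banding method described above, as an added Python example that is not part of the original guidance: it derives the High/Medium/Low cutoffs from a group's mean and standard deviation and rates each unit against them. The unit labels and scores are constructed, and the use of the population standard deviation and of ordinary rounding are assumptions, since the guidance states neither.

```python
from collections import Counter
from statistics import mean, pstdev

# Mean and standard deviation as published in the 1986 tables.
PUBLISHED_1986 = {
    "program": (47.8, 9.5),
    "support": (41.8, 8.5),
    "regional": (51.8, 11.0),
}

# Constructed sample scores for ten hypothetical assessable units.
CONSTRUCTED_SCORES = {
    "U01": 30, "U02": 35, "U03": 40, "U04": 45, "U05": 50,
    "U06": 55, "U07": 60, "U08": 65, "U09": 70, "U10": 50,
}


def bands_from_stats(avg, sd):
    """Return (high_min, medium_min) as whole-number score cutoffs.

    high_min   = mean + 1 SD, rounded: scores at or above it are HIGH.
    medium_min = mean - 1 SD, rounded: scores below it are LOW.
    The support office table lists Medium as 34 to 49, so a score of
    exactly 33 is Low there; this function follows the program and
    regional tables, where the rounded lower cutoff is the first
    Medium score.
    """
    return round(avg + sd), round(avg - sd)


def classify(score, high_min, medium_min):
    """Rate one score against a group's cutoffs."""
    if score >= high_min:
        return "HIGH"
    if score >= medium_min:
        return "MEDIUM"
    return "LOW"


def rate_for_group(score, group):
    """Rate a score using the published 1986 statistics of one group."""
    high_min, medium_min = bands_from_stats(*PUBLISHED_1986[group])
    return classify(score, high_min, medium_min)


def rate_units(scores):
    """Derive cutoffs from the scores themselves and rate every unit.

    scores maps a unit label to its risk assessment score. Because the
    cutoffs come from the group's own mean and spread, a new scoring
    round produces a new scale, which is why the guidance expects the
    High/Medium/Low ranges to shift between assessment cycles.
    """
    values = list(scores.values())
    avg = mean(values)
    sd = pstdev(values)  # assumption: population standard deviation
    high_min, medium_min = bands_from_stats(avg, sd)
    ratings = {
        unit: classify(score, high_min, medium_min)
        for unit, score in scores.items()
    }
    counts = Counter(ratings.values())
    percent = {
        band: round(100 * counts[band] / len(values), 1)
        for band in ("HIGH", "MEDIUM", "LOW")
    }
    return {
        "mean": avg,
        "sd": sd,
        "high_min": high_min,
        "medium_min": medium_min,
        "ratings": ratings,
        "counts": dict(counts),
        "percent": percent,
    }


if __name__ == "__main__":
    for group, (avg, sd) in PUBLISHED_1986.items():
        print(group, bands_from_stats(avg, sd))
    result = rate_units(CONSTRUCTED_SCORES)
    print(result["high_min"], result["medium_min"], result["percent"])
```

The same raw score can land in different bands depending on the group it is scored within: 57 rates High against the program office statistics and Medium against the regional ones.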
-------
ASSESSMENT UNIT LISTING FOR EPA
AU
NUMBER TITLE
REGION I:
100 Office of Regional Administrator, Public Affairs and
Government Relations
101 Office of Regional Counsel
102 Air Management Division
103 Environmental Services Division
104 Planning and Management Division
105 Waste Management Division
106 Water Management Division
REGION II:
200 Regional Administrator's Immediate Office, Caribbean
Field Office
201 Office of External Programs
202 Office of Regional Counsel
203 Office of Policy and Management:
Grants Administration Branch, Facilities & Administrative
Management Branch, Financial Management Branch
204 Office of Policy and Management:
Equal Employment Opportunity Officer, Planning and
Evaluation Branch, Policy and Program Integration
Branch, Information Systems Branch, Permits Administration
Branch, Environmental Impacts Branch and
Human Resources Branch
205 Environmental Services Division
206 Water Management Division
Air and Waste Management Division
207 Air Programs Branch (Trends, Monitoring and Progress
Assessment)
208 Air Programs Branch (Air Quality Management
Implementation)
209 Air Compliance Branch (Stationary Source Enforcement)
210 Radiation Representative (Radiation Program
Implementation)
211 Hazardous Waste Facilities Branch (Hazardous Waste
Management Strategies - Permits and Hazardous Waste
Programs Branch)
212 Hazardous Waste Compliance Branch (Hazardous Waste
Enforcement)
Emergency and Remedial Response Division
213 New Jersey Remedial Action Branch and NY/Caribbean
Remedial Action Branch
214 Site Investigation & Compliance Branch/Program Support
215 Response and Prevention Branch
-------
AU
NUMBER TITLE
REGION III:
300 Office of Regional Administrator
301 Office of Regional Counsel
302 Office of Public Affairs
303 Office of Assistant Regional Administrator for Policy
and Management
304 Office of Congressional and Intergovernmental Liaison
305 Water Management Division
306 Air Management Division
307 Hazardous Waste Management Division
308 Environmental Services Division
REGION IV:
400 Air, Pesticides and Toxics Division
401 Waste Management Division
402 Water Management Division
403 Environmental Services Division
404 Office of Congressional and External Affairs
405 Office of Regional Counsel
406 Office of Policy and Management/Office of
Regional Administrator's Immediate Office
REGION V:
500 Office of Regional Administrator
501 Office of Public Affairs
502 Office of Regional Counsel
503 Great Lakes National Program Office
504 Air Management Division
505 Environmental Services Division
506 Planning and Management Division
507 Waste Management Division
508 Water Division
REGION VI:
600 Management Division - Regional Administrator
601 Office of Regional Counsel
602 Hazardous Waste Management Division
603 Air, Pesticides and Toxics Division
604 Water Management Division
605 Environmental Services Division (includes Houston
Laboratory)
606 Office of External Affairs
-------
AU
NUMBER TITLE
REGION VII:
700 Immediate Office of the Regional Administrator
701 Congressional and Intergovernmental Liaison
702 Public Affairs
703 Office of Regional Counsel
704 Office of Assistant Regional Administrator for Policy
and Management
705 Air and Toxics Division
706 Waste Management Division
707 Water Management Division
708 Environmental Services Division
REGION VIII:
800 Regional Administration
801 Water Management Division
802 Hazardous Waste Management Division
803 Air and Toxics Substances Division
804 Montana Operations Office
805 Environmental Services Division
806 Office of Policy and Management
807 Office of Regional Counsel
808 Office of External Affairs
REGION IX:
900a Immediate Office Regional Administrator
900b Office of External Affairs
901 Office of Regional Counsel
902 Office of Policy and Management
903 Water Management Division
904 Air Management Division
905 Toxics and Waste Management Division
REGION X:
1000 Regional Administrator, Immediate Office and
State Operations Office
1001 Management Division
1002 Air and Toxics Division
1003 Hazardous Waste Division
1004 Water Division
1005 Environmental Services Division and Manchester
Laboratory
1006 Office of Regional Counsel
-------
AU
NUMBER TITLE
OFFICE OF THE ADMINISTRATOR:
1100 Immediate Office
1101 Executive Support
1102 Administrative Law Judges
1103 Civil Rights
1104 Small and Disadvantaged Business Utilization
1105 Science Advisory Board
1106 International Activities
1107 Regional Operations
OFFICE OF ADMINISTRATION AND RESOURCES MANAGEMENT:
1200 Program Operations Support Staff/Immediate Office
1201 Financial Management Division
1202 Resource Management Division
1203 Budget Division
1204 Procurement and Contract Management Division
1205 Grants Administration Division
1206 Personnel Management Division
1207 Facilities and Support Services Division
1208 Management and Organization Division
1209 Occupational Health and Safety Staff
1210 Office of Information Resources Management
1211 Office of Human Resources Management
1212 Office of Administration - RTF
1213a OA/Cinn - Facilities Management Services Division
1213b OA/Cinn - Personnel Management Division
1213c OA/Cinn - Computer Services and Systems Div
1213d OA/Cinn - Contracts Management Division
OFFICE OF ENFORCEMENT AND COMPLIANCE MONITORING:
1300 Immediate Office, Compliance Analysis and Program
Operations Division
1301 National Enforcement Investigations Center
1302 Air Enforcement Division
1303 Office of Criminal Enforcement
1304 Hazardous Waste Enforcement Division
1305 Water Enforcement Division
1306 Pesticides and Toxic Substances Division
OFFICE OF GENERAL COUNSEL:
1400 Immediate Office and Management Functions
1401 Associate General Counsels - Legal Functions
-------
AU
NUMBER TITLE
OFFICE OF POLICY, PLANNING AND EVALUATION
1500 Immediate Office of Assistant Administrator
1501 Office of Policy Analysis
1502 Office of Standards and Regulations
1503 Office of Management Systems and Evaluation
OFFICE OF EXTERNAL AFFAIRS:
1600 Immediate Office
1601 Public Affairs
1602 Congressional Liaison
1603 Legislative Analysis
1604 Private and Public Sector Liaison
1605 Federal Activities
OFFICE OF THE INSPECTOR GENERAL:
Office of Audit - OIG
1700 Audit Headquarters
1701 Operations Staff
1702 Technical Services Division
1703 Internal Audit Division
1704 Eastern Division
1705 Mid-Atlantic Division
1706 Southern Division
1707 Northern Division
1708 Western Division
Office of Investigations - OIG
1709 Investigations Headquarters
1710 Mid-Atlantic Division
1711 Northern Division
1712 Southern Division
1713 Eastern Division
1714 Western Division
Office of Management and Technical Assessment - OIG
1715 Technical Assessment and Fraud Prevention Division
1716 Administrative and Management Services Division
1717 Personnel Security Staff
-------
AU
NUMBER TITLE
OFFICE OF WATER:
1800 Resources Management & Administration Immediate Office
1801 OWPE - Enforcement Division
1802 OWPE - Permits Division
1803 OWRS - Analysis and Evaluation Division
1804 OWRS - Criteria and Standards Division
1805 OWRS - Industrial Technology Division
1806 OWRS - Monitoring and Data Support Division
1807 OMPC - Municipal Waste Treatment Facility Construction
1808 ODW - Criteria and Standards Division
1809 ODW - Program Development and Evaluation Division
1810 ODW - State Program Division
1811 ODW - Technical Support Division
1812 OGWP - Office of Ground-Water Protection
1813 OMEP - Ocean Disposal Permits (Marine Operations Div)
1814 OMEP - Coastal Environmental Management (Technical
Support Division)
1815 OWP - Dredge and Fill
OFFICE OF SOLID WASTE AND EMERGENCY RESPONSE
1900 OERR - Emergency Response Division
1901 OERR - Hazardous Response Support Division
1902 OERR - Hazardous Site Control Division and Administrative
Division (Including Office of Director, Policy
Analysis Staff)
1903 OSW - Permits and State Program Division
1904 OSW - Waste Management and Economics Div
1905 OSW - Characterization and Assessment Div. and Administrative
Division (Including Office of Director and
Office of Program Management and Support)
1906 OWPE - RCRA Enforcement Division
1907 OWPE - CERCLA Division and Program Management and
Support Office (Superfund Div.)
1908 Office of Underground Storage Tanks
1909 eliminated during 1988 segmentation
1910 Office of Assistant Administrator (Including Analysis
and Evaluation, Information Management, Resource
Management, Policy and External Affairs, Ground
Water Task Force and Chemical Emergency Preparedness
Program)
1911 OERR - Office of Program Management
-------
AU
NUMBER TITLE
OFFICE OF AIR AND RADIATION:
2000 Immediate Office of Assistant Administrator Staff
Offices - OPMO, OPAR, OPD
2001 ORP - Office of Director (Includes Program Management)
2002 ORP - Criteria and Standards Division
2003 ORP - Analysis and Support Division
2004 ORP - Eastern Environmental Radiation Fac.
2005 ORP - Las Vegas Facility
2006 OMS - Immediate Office of the Director
2007 OMS - Program Management Office
2008 OMS - Field Operations and Support Division
2009 OMS - Manufacturers Operations Division
2010 OMS - Emission Control Technology Division
2011 OMS - Engineering Operations Division
2012 OMS - Certification Division
2013 OAQPS - Immediate Office of the Director
2014 OAQPS - Stationary Source Compliance Division
2015 OAQPS - Air Quality Management Division
2016 OAQPS - Technical Support Division
2017 OAQPS - Emissions Standard Division
2018 OAQPS - eliminated per ICC during 1988 segmentation
2019 Radon Division
OFFICE OF PESTICIDES AND TOXIC SUBSTANCES
2100 Program Management
2101 Asbestos Abatement
2102 Registration, Special Registration and Tolerances
2103 Generic Chemical Review
2104 Administrative Functions
2105 Pesticides Enforcement
2106 Toxic Substances Enforcement
2107 Administration
2108 New Chemicals
2109 Chemical Testing
2110 Existing Chemicals
2111 Program Management/Administration
2112 SARA Title III
-------
AU
NUMBER TITLE
OFFICE OF RESEARCH AND DEVELOPMENT:
2200 Immediate Office/Program Management
2201 Center for Environmental Research Info.
2202 Office of Exploratory Research
2203 Office of Regulatory Support
2204 Office of Acid Deposition, Environmental
Monitoring and Quality Assurance - HQ
2205 Environmental Monitoring and Support Laboratory (EMSL)
2206 Atmospheric Sciences Research Laboratory
2207 EMSL, Las Vegas
2208 EMSL, Cincinnati
2209 Office of Environmental Engineering and Technology
Headquarters
2210 Air and Energy Engineering Research
Laboratory (ERL) Research Triangle Park
2211 Hazardous Waste ERL, Cincinnati
2212 Water ERL, Cincinnati
2213 Office of Environmental Processes and Effects Research
2214 Environmental Research Laboratory (ERL) Narragansett
2215 ERL, Athens, Georgia
2216 ERL, Gulf Breeze, Florida
2217 ERL, Duluth, Minnesota
2218 Robert S. Kerr ERL, Ada, Oklahoma
2219 ERL, Corvallis, Oregon
2220 Office of Health Research HQ
2221 Health Effects Research Laboratory, RTP
2222 Office of Health and Environmental Assessment HQ
2223 Environmental Criteria and Assessment
Office (ECAO), RTP
2224 ECAO, Cincinnati
-------
SUBJECT INDEX
Subject
Accounting and Auditing Act
Overview
Alternative Internal Control Review
and MCP
Definition
Sample Report - Exhibit XI
(See also Internal Control Review)
Annual Assurance Letter
Preparation
Procedures
Purpose
Sample - Exhibit XVII
Assessable Units
Inventory
Classified Activities
Control Objectives
and Documentation
Definition
Samples - Exhibits IV and V
Control Techniques
and Documentation
Definition
Samples - Exhibits IV and V
Corrective Action Tracking System (CATS)
and Internal Control Reviews
Definition
Procedures
Purpose
Reports
Requirement
Sample - Exhibit XIV
Documentation
Definition
Functions
of Alternative Internal Control Reviews
of Internal Controls
of Internal Control Reviews
Procedures
Purpose
Requirements
Samples - Exhibits IV and V
-------
Event Cycles
and Internal Control Reviews
Documentation of
Evaluating and Reporting
Alternate Internal Control Reviews
Internal Control Reviews
Quality Assurance - Exhibit XVIII
Risk Assessment
Federal Managers' Financial Integrity Act
Definition
Evaluation Forms
Overview
Samples - Exhibits XV and XVI
GAO Standards
and Documentation
Overview
Definition
Guidelines (Overview)
Historical Background
Inspector General
Audits
Recommendations
Internal Control Review (also Alternative internal
Analyst
and Risk Assessments - Exhibit XII
and Management Control Plan
Definition
Documenation
OARM Guides - Appendix (6)
Objectives
Procedures
Purpose
Report
. • Requirement
Samples - Exhibits XI and XIII
Reference
. F-5
C-2
A-5
Chapter F
Chapter F
1-4
D-4
Appendix (1)
Addendum 1
I-3
Addendum 2
Appendix (2)
C-1
Addendum 2
Addendum 1
Addendum 2
Addendum 1
I-2
A-3, A-4, C-1, I-2
Control Review)
F-2 - F-8
F-2
E-3
Addendum 1
F-4
F-4, F-14
F-2
F-4
F-1
F-9 - F-12
F-2
-------
SUBJECT INDEX
Subject
Management Control Plan
and OMB - Exhibits VII and VIII
and Reviews
and Risk Assessments
Definition
Objectives
Procedures
Purpose
Requirements
Samples - Exhibits VIII, IX and X
OARM Guides
OMB Circular A-123
and Alternative Internal Control Reviews
and Management Control Plan
Overview
Quality Assurance
OMB Circular A-127
and Alternative Internal Control Reviews
OMB Guidelines
and Corrective Action Tracking System
and Documentation
and Management Control Plan - Exhibits VII and VIII
and Performance Agreements
and Segmentation
Definition
Overview
Performance Agreements
Sample - Exhibit II
Planning
Quality Assurance
Procedures
Purpose
Quality Control Evaluation Report
and Assurance Letter
Samples:
Assessable Unit Manager - Exhibit XVI
Internal Control Coordinator - Exhibit XV
Reference Material
Requirements (Overview)
Reference
E-3, F-3
D-5
Addendum 1
E-1
E-2
E-1
E-2
F-4, F-14
Appendix (4)
F-1
E-1
Addendum 2
I-1
F-1
Appendix (3)
F-14
A-4
E-1
A-2
B-1
Addendum 1
Addendum 2
A-2
A-1
Appendix (6)
I-3
I-1
H-3, I-3
Addendum 2
Addendum 2
-------
SUBJECT INDEX
Subject
Resource Management Directive
Definition
Overview
Responsibilities
Administrator
Assessable Unit Manager
Assistant Administrator for OARM
Comptroller/Resource Management Division
Inspector General
Internal Control Coordinator
Internal Control Staff
Primary Organization Head
Program Manager - Exhibit 1
Risk Assessment
and Management Control Plan
Definition
Objectives
Procedures
Purpose
Requirement
Sample - Exhibit VI
Scoring of Risk Assessments
Segmentation
Definition
EPA's Segmentation
Objectives
Procedures
Purpose
Requirement
Sample - Exhibit VI
Tracking
(see also Corrective Action Tracking System)
Training
Weaknesses
and Assurance Letter
and Management Control Plan
Reference
Appendix (5)
Addendum 1
Addendum 2
H-2
(see Program Manager)
A-1, H-2, I-1
H-2
I-2
A-2,
E-2,
A-2,
A-2,
A-2,
F-2,
B-2,
F-2,
D-2,
B-3,
E-2,
B-3,
G-1,
C-2,
G-1,
G-1,
C-2,
F-2,
C-2,
H-2,
D-1,
H-1,
H-2,
D-3,
H-2,
E-2,
I-2
D-5,
I-1
I-2
D-5,
I-2
D-5
Addendum 1
D-1
D-2
D-1
D-1
Addendum 3A
Addendum 1
Addendum 3
B-2
B-1
B-1
D-1
A-7
A-4
G-1
H-3 - H-5
E-4
-------
-------
Federal Managers' Financial Integrity Act
of 1982
An Act
To amend the Accounting and Auditing Act of 1950 to require ongoing evaluations
and reports on the adequacy of the systems of internal accounting and
administrative control of each executive agency, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. This Act may be cited as the "Federal Managers'
Financial Integrity Act of 1982".
SEC. 2. Section 113 of the Accounting and Auditing Act of 1950 (31
U.S.C. 66a) is amended by adding at the end thereof the following
new subsection:
"(d)(1)(A) To ensure compliance with the requirements of subsection
(a)(3) of this section, internal accounting and administrative
controls of each executive agency shall be established in accordance
with standards prescribed by the Comptroller General, and shall
provide reasonable assurances that—
"(i) obligations and costs are in compliance with applicable
law,
"(ii) funds, property, and other assets are safeguarded against
waste, loss, unauthorized use, or misappropriation; and
"(iii) revenues and expenditures applicable to agency operations
are properly recorded and accounted for to permit the
preparation of accounts and reliable financial and statistical
reports and to maintain accountability over the assets.
"(B) The standards prescribed by the Comptroller General under
this paragraph shall include standards to ensure the prompt
resolution of all audit findings.
"(2) By December 31, 1982, the Director of the Office of Management
and Budget, in consultation with the Comptroller General,
shall establish guidelines for the evaluation by agencies of their
systems of internal accounting and administrative control to determine
such systems' compliance with the requirements of paragraph
(1) of this subsection. The Director, in consultation with the
Comptroller General, may modify such guidelines from time to time as
deemed necessary.
"(3) By December 31, 1983, and by December 31 of each succeeding
year, the head of each executive agency shall, on the basis of an
evaluation conducted in accordance with guidelines prescribed
under paragraph (2) of this subsection, prepare a statement—
"(A) that the agency's systems of internal accounting and
administrative control fully comply with the requirements of
paragraph (1); or
"(B) that such systems do not fully comply with such
requirements.
"(4) In the event that the head of an agency prepares a statement
described in paragraph (3)(B), the head of such agency shall include
with such statement a report in which any material weaknesses in
the agency's systems of internal accounting and administrative
control are identified and the plans and schedule for correcting any
such weakness are described.
"(5) The statements and reports required by this subsection shall
be signed by the head of each executive agency and transmitted to
the President and the Congress. Such statements and reports shall
also be made available to the public, except that, in the case of any
such statement or report containing information which is—
"(A) specifically prohibited from disclosure by any provision
of law, or
"(B) specifically required by Executive order to be kept secret
in the interest of national defense or the conduct of foreign
affairs,
such information shall be deleted prior to the report or statement
being made available to the public.".
SEC. 3. Section 201 of the Budget and Accounting Act, 1921 (31
U.S.C. 11), is amended by adding at the end thereof the following
new subsection:
"(k)(1) The President shall include in the supporting detail
accompanying each Budget submitted on or after January 1, 1983, a
separate statement, with respect to each department and establishment,
of the amounts of appropriations requested by the President
for the Office of Inspector General, if any, of each such
establishment or department.
"(2) At the request of a committee of the Congress, additional
information concerning the amount of appropriations originally
requested by any office of Inspector General, shall be submitted to
such committee.".
SEC. 4. Section 113(b) of the Accounting and Auditing Act of 1950
(31 U.S.C. 66a(b)), is amended by adding at the end thereof the
following new sentence: "Each annual statement prepared pursuant
to subsection (d) of this section shall include a separate report on
whether the agency's accounting system conforms to the principles,
standards, and related requirements prescribed by the Comptroller
General under section 112 of this Act.".
Approved September 8, 1982.
-------
June 1, 1983
GAO
STANDARDS FOR
INTERNAL CONTROL
IN THE
FEDERAL GOVERNMENT
-------
FOREWORD
In 1950, the Accounting and Auditing Act was passed requiring,
among other things, that agency heads establish and maintain effective
systems of internal control. Since then, the General Accounting
Office (GAO) has issued numerous publications to
-------
CONTENTS
FOREWORD
Introduction
Internal Control Standards
Explanation of General Standards
Explanation of Specific Standards
Explanation of the Audit Resolution Standard
-------
-------
INTRODUCTION
This document contains the Comptroller General's internal
control standards to be followed by executive agencies in
establishing and maintaining systems of internal control as required by
the Federal Managers' Financial Integrity Act of 1982 (31 U.S.C.
3512(b)). Internal control systems are to reasonably ensure that
the following objectives are achieved:
--Obligations and costs comply with applicable law.
--All assets are safeguarded against waste, loss, unauthorized
use, and misappropriation.
--Revenues and expenditures applicable to agency operations
are recorded and accounted for properly so that accounts and
reliable financial and statistical reports may be prepared
and accountability of the assets may be maintained.
The act directs the heads of executive agencies to:
--Make an annual evaluation of their internal controls using
guidelines established by the Office of Management and
Budget.
--Provide annual reports to the President and Congress that
state whether agency systems of internal control comply with
the objectives of internal controls set forth in the act and
with the standards prescribed by the Comptroller General.
Where systems do not comply, agency reports must identify
the weaknesses involved and describe the plans for corrective
action.
The following concept of internal controls is useful in
understanding and applying the internal control standards set forth and
discussed on succeeding pages.
The plan of organization and methods and procedures adopted by
management to ensure that resource use is consistent with
laws, regulations, and policies; that resources are safeguarded
against waste, loss, and misuse; and that reliable
data are obtained, maintained, and fairly disclosed in
reports.
The ultimate responsibility for good internal controls rests
with management. Internal controls should not be looked upon as
separate, specialized systems within an agency. Rather, they
should be recognized as an integral part of each system that
management uses to regulate and guide its operations. In this sense,
internal controls are management controls. Good internal controls
are essential to achieving the proper conduct of Government
business with full accountability for the resources made available.
They also facilitate the achievement of management objectives by
serving as checks and balances against undesired actions. In
preventing negative consequences from occurring, internal controls
help achieve the positive aims of program managers.
-------
INTERNAL CONTROL STANDARDS
The internal control standards define the minimum level of
quality acceptable for internal control systems in operation and
constitute the criteria against which systems are to be evaluated.
These internal control standards apply to all operations and
administrative functions but are not intended to limit or interfere with
duly granted authority related to development of legislation,
rulemaking, or other discretionary policymaking in an agency.
GENERAL STANDARDS
1. Reasonable Assurance. Internal control systems are to
provide reasonable assurance that the objectives of the
systems will be accomplished.
2. Supportive Attitude. Managers and employees are to maintain
and demonstrate a positive and supportive attitude
toward internal controls at all times.
3. Competent Personnel. Managers and employees are to have
personal and professional integrity and are to maintain a
level of competence that allows them to accomplish their
assigned duties, as well as understand the importance of
developing and implementing good internal controls.
4. Control Objectives. Internal control objectives are to be
identified or developed for each agency activity and are
to be logical, applicable, and reasonably complete.
5. Control Techniques. Internal control techniques are to be
effective and efficient in accomplishing their internal
control objectives.
SPECIFIC STANDARDS
1. Documentation. Internal control systems and all transactions
and other significant events are to be clearly documented,
and the documentation is to be readily available
for examination.
2. Recording of Transactions and Events. Transactions and
other significant events are to be promptly recorded and
properly classified.
3. Execution of Transactions and Events. Transactions and
other significant events are to be authorized and executed
only by persons acting within the scope of their
authority.
-------
4. Separation of Duties. Key duties and responsibilities in
authorizing, processing, recording, and reviewing transactions
should be separated among individuals.
5. Supervision. Qualified and continuous supervision is to
be provided to ensure that internal control objectives are
achieved.
6. Access to and Accountability for Resources. Access to
resources and records is to be limited to authorized individuals,
and accountability for the custody and use of
resources is to be assigned and maintained. Periodic
comparison shall be made of the resources with the
recorded accountability to determine whether the two
agree. The frequency of the comparison shall be a
function of the vulnerability of the asset.
AUDIT RESOLUTION STANDARD
Prompt Resolution of Audit Findings. Managers are to (1)
promptly evaluate findings and recommendations reported by
auditors, (2) determine proper actions in response to audit
findings and recommendations, and (3) complete, within
established time frames, all actions that correct or otherwise
resolve the matters brought to management's attention.
-------
EXPLANATION OF GENERAL STANDARDS
General internal control standards apply to all aspects of
internal controls.
REASONABLE ASSURANCE
Internal control systems are to provide reasonable
assurance that the objectives of the systems will be
accomplished.
The standard of reasonable assurance recognizes that the cost
of internal control should not exceed the benefit derived.
Reasonable assurance equates to a satisfactory level of confidence under
given considerations of costs, benefits, and risks. The required
determinations call for judgment to be exercised.
In exercising that judgment, agencies should:
--Identify (1) risks inherent in agency operations, (2) criteria
for determining low, medium, and high risks, and (3)
acceptable levels of risk under varying circumstances.
--Assess risks both quantitatively and qualitatively.
Cost refers to the financial measure of resources consumed in
accomplishing a specified purpose. Cost can also represent a lost
opportunity, such as a delay in operations, a decline in service
levels or productivity, or low employee morale. A benefit is meas-
ured by the degree to which the risk of failing to achieve a stated
objective is reduced. Examples include increasing the probability
of detecting fraud, waste, abuse, or error; preventing an improper
activity; or enhancing regulatory compliance.
SUPPORTIVE ATTITUDE
Managers and employees are to maintain and demonstrate a
positive and supportive attitude toward internal controls
at all times.
This standard requires agency managers and employees to be
attentive to internal control matters and to take steps to promote
the effectiveness of the controls. Attitude affects the quality of
performance and, as a result, the quality of internal controls. A
positive and supportive attitude is initiated and fostered by
management and is ensured when internal controls are a consistently
high management priority.
-------
Attitude is not reflected in any one particular aspect of
managers' actions but rather is fostered by managers' commitment to
achieving strong controls through actions concerning agency
organization, personnel practices, communication, protection and use of
resources through systematic accountability, monitoring and systems
of reporting, and general leadership. However, one important way
for management to demonstrate its support for good internal
controls is its emphasis on the value of internal auditing and its
responsiveness to information developed through internal audits.
The organization of an agency provides its management with the
overall framework for planning, directing, and controlling its
operations. Good internal control requires clear lines of authority
and responsibility; appropriate reporting relationships; and
appropriate separation of authority.
In the final analysis, general leadership is critical to main-
taining a positive and supportive attitude toward internal con-
trols. Adequate supervision, training, and motivation of employees
in the area of internal controls is important.
COMPETENT PERSONNEL
Managers and employees are to have personal and professional
integrity and are to maintain a level of competence
that allows them to accomplish their assigned
duties, as well as understand the importance of developing
and implementing good internal controls.
This standard requires managers and their staff to maintain
and demonstrate (1) personal and professional integrity, (2) a
level of skill necessary to help ensure effective performance, and
(3) an understanding of internal controls sufficient to effectively
discharge their responsibilities.
Many elements influence the integrity of managers and their
staff. For example, personnel should periodically be reminded of
their obligations under an operative code of conduct.
In addition, hiring and staffing decisions should include
pertinent verification of education and experience and, once on the
job, the individual should be given the necessary formal and
on-the-job training. Managers who possess a good understanding of
internal controls are vital to effective control systems.
Counseling and performance appraisals are also important.
Overall performance appraisals should be based on an assessment of
many critical factors, one of which should be the implementation
and maintenance of effective internal controls.
-------
CONTROL OBJECTIVES
Internal control objectives are to be identified or
developed for each agency activity and are to be logical,
applicable, and reasonably complete.
This standard requires that objectives be tailored to an
agency's operations. All operations of an agency can generally be
grouped into one or more categories called cycles. Cycles comprise
all specific activities (such as identifying, classifying,
recording, and reporting information) required to process a particular
transaction or event. Cycles should be compatible with an agency's
organization and division of responsibilities.
Cycles can be categorized in various ways. For example:
—Agency management.
--Financial.
—Program (operational).
—Administrative.
Agency management cycles cover the overall policy and
planning, organization, data processing, and audit functions.
Financial cycles cover the traditional control areas concerned with the
flow of funds (revenues and expenditures), related assets, and
financial information. Program (operational) cycles are those agency
activities that relate to the mission(s) of the agency and which
are peculiar to a specific agency. Administrative cycles are those
agency activities providing support to the agency's primary
mission, such as library services, mail processing and delivery, and
printing. The four types of cycles obviously interact, and
controls over this interaction must be established. For example, a
typical grant cycle would be concerned with eligibility and, if
awarded, administration of the grant. At the time of award, the
grant (program) and disbursement (financial) cycles would interface
to control and record the payment authorization.
Complying with this standard calls for identifying the cycles
of agency operations and analyzing each in detail to develop the
cycle control objectives. These are the internal control goals or
targets to be achieved in each cycle. The objectives should be
tailored to fit the specific operations in each agency and be
consistent with the overall objectives of internal controls as set
forth in the Federal Managers' Financial Integrity Act.
In appendix B of its "Guidelines for the Evaluation and
Improvement of and Reporting on Internal Control Systems in the
Federal Government," OMB has provided a suggested list of agency
cycles and cycle control objectives. Agencies should consider this
and other sources when identifying their cycles and cycle control
objectives.
-------
CONTROL TECHNIQUES
Internal control techniques are to be effective and
efficient in accomplishing their internal control
objectives.
Internal control techniques are the mechanisms by which
control objectives are achieved. Techniques include, but are not
limited to, such things as specific policies, procedures, plans of
organization (including separation of duties), and physical
arrangements (such as locks and fire alarms). This standard requires
that internal control techniques continually provide a high degree
of assurance that the internal control objectives are being
achieved. To do so they must be effective and efficient.
To be effective, techniques should fulfill their intended
purpose in actual application. They should provide the coverage they
are supposed to and operate when intended. As for efficiency,
techniques should be designed to derive maximum benefit with
minimal effort. Techniques tested for effectiveness and efficiency
should be those in actual operation and should be evaluated over a
period of time.
-------
EXPLANATION OF SPECIFIC STANDARDS
A number of techniques are essential to providing the greatest
assurance that the internal control objectives will be achieved.
These critical techniques are the specific standards discussed
below.
DOCUMENTATION
Internal control systems and all transactions and other
significant events are to be clearly documented, and
the documentation is to be readily available for
examination.
This standard requires written evidence of (1) an agency's
internal control objectives and techniques and accountability systems
and (2) all pertinent aspects of transactions and other significant
events of an agency. Also, the documentation must be available as
well as easily accessible for examination.
Documentation of internal control systems should include
identification of the cycles and related objectives and techniques,
and should appear in management directives, administrative policy,
and accounting manuals. Documentation of transactions or other
significant events should be complete and accurate and should fa-
cilitate tracing the transaction or event and related information
from before it occurs, while it is in process, to after it is
completed.
Complying with this standard requires that the documentation
of internal control systems and transactions and other significant
events be purposeful and useful to managers in controlling their
operations, and to auditors or others involved in analyzing
operations.
RECORDING OF TRANSACTIONS AND EVENTS
Transactions and other significant events are to be
promptly recorded and properly classified.
Transactions must be promptly recorded if pertinent informa-
tion is to maintain its relevance and value to management in con-
trolling operations and making decisions. This standard applies to
(1) the entire process or life cycle of a transaction or event and
includes the initiation and authorization, (2) all aspects of the
transaction while in process, and (3) its final classification in
summary records. Proper classification of transactions and events
is the organization and format of information on summary records
from which reports and statements are prepared.
-------
EXECUTION OF TRANSACTIONS AND EVENTS
Transactions and other significant events are to be
authorized and executed only by persons acting within the
scope of their authority.
This standard deals with management's decision to exchange,
transfer, use, or commit resources for specified purposes under
specific conditions. It is the principal means of assuring that
only valid transactions and other events are entered into.
Authorization should be clearly communicated to managers and employees
and should include the specific conditions and terms under which
authorizations are to be made. Conforming to the terms of an
authorization means that employees are carrying out their assigned
duties in accordance with directives and within the limitations
established by management.
SEPARATION OF DUTIES
Key duties and responsibilities in authorizing, processing,
recording, and reviewing transactions should be
separated among individuals.
To reduce the risk of error, waste, or wrongful acts or to
reduce the risk of them going undetected, no one individual should
control all key aspects of a transaction or event. Rather, duties
and responsibilities should be assigned systematically to a number
of individuals to ensure that effective checks and balances exist.
Key duties include authorizing, approving, and recording
transactions; issuing and receiving assets; making payments; and reviewing
or auditing transactions. Collusion, however, can reduce or
destroy the effectiveness of this internal control standard.
SUPERVISION
Qualified and continuous supervision is to be provided to
ensure that internal control objectives are achieved.
This standard requires supervisors to continuously review and
approve the assigned work of their staffs. It also requires that
they provide their staffs with the necessary guidance and training
to help ensure that errors, waste, and wrongful acts are minimized
and that specific management directives are achieved.
Assignment, review, and approval of a staff's work requires
—clearly communicating the duties, responsibilities, and ac-
countabilities assigned each staff member;
—systematically reviewing each member's work to the extent
necessary; and
-------
—approving work at critical points to ensure that work flows
as intended.
Assignment, review, and approval of a staff's work should
result in the proper processing of transactions and events including
(1) following approved procedures and requirements, (2) detecting
and eliminating errors, misunderstandings, and improper practices,
and (3) discouraging wrongful acts from occurring or from
recurring.
ACCESS TO AND ACCOUNTABILITY FOR RESOURCES
Access to resources and records is to be limited to
authorized individuals, and accountability for the custody
and use of resources is to be assigned and maintained.
Periodic comparison shall be made of the resources with
the recorded accountability to determine whether the two
agree. The frequency of the comparison shall be a
function of the vulnerability of the asset.
The basic concept behind restricting access to resources is to
help reduce the risk of unauthorized use, loss to the Government,
and to help achieve the directives of management. However,
restricting access to resources depends upon the vulnerability of the
resource and the perceived risk of loss, both of which should be
periodically assessed. For example, access to and accountability
for highly vulnerable documents, such as check stocks, can be
achieved by
—keeping them locked in a safe,
—assigning or having each document assigned a sequential
number,
—assigning custodial accountability to responsible individuals,
and
Other factors affecting access include the cost, portability,
exchangeability, and the perceived risk of loss or improper use of
the resource. In addition, assigning and maintaining accountability
for resources involves directing and communicating responsibility
to specific individuals within an agency for the custody and
use of resources in achieving the specifically identified
management directives.
-------
EXPLANATION OF THE AUDIT RESOLUTION STANDARD
Managers are to (1) promptly evaluate findings and
recommendations reported by auditors, (2) determine proper
actions in response to audit findings and recommendations,
and (3) complete, within established time frames, all
actions that correct or otherwise resolve the matters
brought to management's attention.
The audit resolution standard requires managers to take
prompt, responsive action on all findings and recommendations made
by auditors. Responsive action is that which corrects identified
deficiencies. Where audit findings identify opportunities for im-
provement rather than cite deficiencies, responsive action is that
which produces improvements.
The audit resolution process begins when the results of an
audit are reported to management, and is completed only after
action has been taken that (1) corrects identified deficiencies, (2)
produces improvements, or (3) demonstrates the audit findings and
recommendations are either invalid or do not warrant management
action.
Auditors are responsible for following up on audit findings
and recommendations to ascertain that resolution has been achieved.
Auditors' findings and recommendations should be monitored through
the resolution and followup processes. Top management should be
kept informed through periodic reports so it can assure the quality
and timeliness of individual resolution decisions.
-------
-------
DECEMBER, 1982
GUIDELINES FOR
THE EVALUATION AND IMPROVEMENT OF
AND REPORTING ON INTERNAL CONTROL SYSTEMS
IN THE FEDERAL GOVERNMENT
-------
-------
FOREWORD
The Budget and Accounting Procedures Act of 1950 required that each agency
head establish and maintain systems of accounting and internal control.
The expectation was that such systems would help to prevent fraud, waste,
abuse, and mismanagement in Federal Government operations.
The Act notwithstanding, instances of fraud, waste, and abuse continued to
occur at an unacceptable level. Indeed, a GAO report, issued in August,
1980, found widespread, similar, and prevalent control weaknesses in the
Federal Government.
The Reagan Administration, as part of Reform 88, is committed to
streamlining the management and administration of the Federal Government. This
includes reducing fraud, improving management controls, and eliminating
errors in the administration of Government programs. In October, 1981,
the Office of Management and Budget issued Circular A-123 as an early
effort to improve controls. Like the 1950 Act, the Circular required the
head of each department and agency to develop and maintain adequate
systems of internal control. Unlike the Act, however, it defined
requirements and responsibilities in order to transform the 1950 Act expectations
into reality.
The Congress has likewise expressed its support for good internal
management in the Federal Government. In September, 1982, the Congress passed
the Federal Managers' Financial Integrity Act (P.L. 97-255). This Act
requires that each Executive agency's internal accounting and
administrative controls be established in accordance with standards
prescribed by the Comptroller General, and provide reasonable assurance
that:
* Obligations and costs are in compliance with applicable law;
* Funds, property, and other assets are safeguarded; and
* Revenues and expenditures applicable to agency operations are
properly recorded and accounted for.
-------
The Act also requires OMB to establish, in consultation with the
Comptroller General, Guidelines with which the agencies can evaluate their
systems of internal accounting and administrative control. In addition, it
requires an annual statement from the head of each Executive agency to the
President and the Congress stating whether or not the agency's system of
internal accounting and administrative control complies with the
requirements of the Act, and identifying the agency's material control
weaknesses, if any, and its plans for correcting the weaknesses.
This document contains the guidelines required by the Act to be developed
by OMB. It is to be used by each agency's management as guidance in the
development of its own specific plans for performing a self-evaluation of,
improving, and reporting on the agency's internal control system in the
most efficient and effective manner consistent with the agency's unique
missions and organizational structures.
The Act also requires the head of each Executive Agency to report on
whether the agency's accounting system conforms to principles, standards,
and related requirements prescribed by the Comptroller General. Guidelines
for meeting this requirement are being issued under separate cover.
DAVID A. STOCKMAN
DIRECTOR
-------
TABLE OF CONTENTS
FOREWORD
CHAPTERS
I    INTRODUCTION
II   ORGANIZING THE EVALUATION
III  IDENTIFYING PROGRAMS AND ADMINISTRATIVE FUNCTIONS
IV   VULNERABILITY ASSESSMENTS
V    INTERNAL CONTROL REVIEWS
VI   REPORTING UNDER THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
EXHIBITS
1 -- Overview of the Internal Control Evaluation, Improvement,
     and Reporting Process
2 -- List of Programs and Administrative Functions within
     the Component
3 -- Analysis of General Control Environment
4 -- Assessment of Compliance with Standards of Internal
     Control Based on Completion of a Vulnerability Assessment
5 -- Overall Vulnerability Assessment
6 -- List of Event Cycles Within Programs and
     Administrative Functions
7 -- List of Internal Controls
8 -- Tests of Internal Controls
GLOSSARY
APPENDICES
A -- Sample Partial Classification of Components, Programs,
     and Administrative Functions
B -- Common Event Cycles and Suggested Control Objectives
     in Federal Agencies
B-1  Suggested Control Objectives for Selected Administrative
     Support Services
C -- Sample Letter for Written Assurance to the Agency Head from
     Designated Senior Official
D -- Sample Letter for Written Assurance to the Agency Head from
     the Head of an Organizational Unit
E -- Sample Letter for Comments to the Agency Head from
     the Inspector General or Equivalent
F -- Sample Internal Control Statement
-------
CHAPTER I
INTRODUCTION
Internal Control, for the purpose of these Guidelines, is defined as the
steps a Federal agency takes to provide reasonable assurance that:
* Obligations and costs are in compliance with applicable law;
* Funds, property, and other assets are safeguarded against waste, loss,
unauthorized use, or misappropriation; and
* Revenues and expenditures applicable to agency operations are properly
recorded and accounted for to permit the preparation of accounts and
reliable financial and statistical reports and to maintain
accountability over the assets.
An internal control system is the organizational structure and the sum of
the methods and measures used to achieve the objectives of internal
control.
An internal control system should not be a separate system in an agency.
It should be an integral part of the systems used to operate the programs
and functions performed by the agency. Thus, internal control would be the
responsibility of the same individuals who are responsible for operating
the programs and functions. This enables the objectives of internal
control to be accomplished in the most efficient and effective manner.
-------
HISTORY AND SCOPE OF INTERNAL CONTROLS WITHIN THE FEDERAL GOVERNMENT
The Budget and Accounting Procedures Act of 1950 required that each agency
establish and maintain systems of accounting and internal control. It is
widely recognized that these systems are necessary not only for financial
and administrative activities, but for program and operational activities
involving funds, property, and other assets for which the agency is
responsible. Indeed, the 1950 Act, by definition, encompassed not only
systems of internal control that provide full disclosure of an agency's
financial results, adequate financial information for agency management
purposes, reliable accounting results, and suitable integration of agency
accounting and Treasury Department accounting. It also encompassed systems
of internal control that provide "effective control over the
accountability for all funds, property, and other assets for which the
agency is responsible, including appropriate internal audit."
At the same time, it was, and still is, clear that internal control is
concerned with only the operational aspects of a program or function. It
does not encompass such matters as statutory development or interpretation,
determination of program need, resource allocation, rulemaking, or other
discretionary policymaking processes in an agency.
An increasing awareness, however, of a need to strengthen internal control
systems in the Federal Government led to the issuance of OMB Circular
A-123, "Internal Control Systems," in October, 1981. Included in the
requirements of Circular A-123 were:
-------
* The assignment of internal control responsibilities to specific
officials throughout each agency.
* The completion of vulnerability assessments covering all agency
components by December 31, 1982, and not less frequently than
biennially thereafter.
* The performance of internal control reviews on an ongoing basis.
* The establishment of administrative procedures to enforce the intended
functioning of internal controls, including provisions that performance
appraisals reflect execution of internal control responsibilities
and procedures to take necessary actions to correct internal control
weaknesses on a timely basis.
Finally, in 1982 the Congress enacted the Federal Managers' Financial
Integrity Act, requiring each Executive agency not only to have internal
accounting and administrative controls for these systems, but also to
perform ongoing evaluations and provide an annual statement on the control
systems to the President and the Congress. More specifically, the Act
requires:
* The establishment of internal accounting and administrative controls
(typically characterized as simply "internal controls") in each
Executive agency in accordance with standards prescribed by the U.S.
Comptroller General.
* The conduct of evaluations by agencies of their systems of internal
accounting and administrative control in accordance with guidelines
issued by the Director of the Office of Management and Budget.
-------
* Transmittal of an annual statement by the head of each Executive
agency to the President and Congress indicating whether the agency's
systems of internal accounting and administrative control comply with
the Comptroller General's standards and provide reasonable assurance
that obligations and costs are in accordance with applicable law;
funds, property, and other assets are safeguarded; and revenues and
expenditures are properly recorded and permit the preparation of
reliable financial and statistical reports.
The purpose of this publication is to provide guidance for the evaluation
and improvement of and reporting on internal control systems in Executive
agencies in conformance with the Act. Each Executive agency is expected to
use this guidance to assist in the development of its own specific plans in
order that management can perform a self-evaluation of, improve, and report
on its internal control system in the most efficient and effective manner
consistent with its own unique missions and organizational structure.
THE BASIC APPROACH TO EVALUATING, IMPROVING AND REPORTING ON
INTERNAL CONTROLS
An evaluation of and reporting on internal control can be approached in
several ways. The approach presented in this publication provides an
efficient and effective way, based on techniques used to evaluate and
report on the internal controls associated with financial statements, but
expanded to encompass the controls necessary for administrative and program
activities with systems subject to these guidelines.
The recommended approach for evaluating, improving, and reporting on
internal controls is comprised of seven phases:
-------
* Organizing the process. This includes a determination as to the
information and assurances to be provided to the agency head to enable
the annual statement to be made to the President and the Congress; the
assignment of responsibilities for planning, directing, and
controlling the evaluation process throughout the agency; and the
development of an information system that provides a tracking of the
status of the evaluations and corrective actions as well as other
pertinent information necessary to manage the overall process and
facilitate preparation of the annual report.
* Segmenting the agency into organizational components and then
identifying the programs and administrative functions conducted in
each component. For example, the Department of Health and Human
Services can be segmented into the Social Security Administration, the
Health Care Financing Administration, etc. The Social Security
Administration, in turn, could be segmented into the Supplemental
Security Income program, the Old-Age Survivors Insurance program,
etc.; or into administrative functions such as eligibility
determination systems, benefit payment systems, quality control, etc.
* Assessing the vulnerability to waste, loss, unauthorized use, or
misappropriation of the funds, property or other assets within each
component and deciding which are the most vulnerable. This is done by
identifying the factors that create an inherent riskiness in the
function, considering the operating environment in which the function
is performed, and preliminarily evaluating whether safeguards exist to
prevent waste, loss, unauthorized use, or misappropriation from
occurring.
-------
* Developing plans and schedules for the performance of internal
control reviews and other actions, based on an evaluation of the
results of the vulnerability assessments and other considerations
(management priorities, resource constraints, etc.), and in such a
manner as to provide that internal controls in those programs and
administration functions deemed to be the most vulnerable, as well as
those deemed to be less vulnerable, are evaluated and improved as
necessary to ensure a strong system of internal control.
* Reviewing the internal controls for the selected programs and
administrative functions, determining whether adequate control objectives
have been established and control techniques exist and are
functioning as intended, and then developing recommendations to correct
weaknesses in either the design or functioning of the internal
control system.
* Determining, scheduling, and taking the necessary corrective actions
for improving internal controls on a timely basis. Included in the
determination should be an analysis to assure that the expected
benefits to be obtained will outweigh the costs of any improvements
made.
* Preparing the annual statement to the President and the Congress on
the status of the agency's system of internal control, as required by
the Act.
This recommended approach is depicted in a flow chart (Exhibit 1) and
explained in detail in Chapters II to VI.
-------
The above process is not an attempt to evaluate discretionary policy
decisions. Rather, the evaluation process begins at the point at which a
program or function has been authorized by the policy-level official having
authority to do so, and focuses on the steps involved in the operation of
the program. For example, the review of a welfare assistance program
should not include an evaluation of whether the eligibility criteria are
consistent with the statute and its legislative history. Instead, the
review should evaluate whether the operation of the program is consistent
with the criteria and thus there is reasonable assurance that obligations
and costs are in compliance with the applicable law; funds, property, and
other assets are safeguarded; and revenues and expenditures are properly
recorded.
-------
EXHIBIT 1
OVERVIEW OF THE INTERNAL CONTROL EVALUATION,
IMPROVEMENT, AND REPORTING PROCESS
ORGANIZE THE PROCESS
SEGMENT THE AGENCY
CONDUCT VULNERABILITY ASSESSMENTS
   1. Analyze General Control Environment
   2. Analyze Inherent Risk
   3. Evaluate Safeguards (Preliminary Evaluation)
   4. Summarize Results
DEVELOP PLANS FOR SUBSEQUENT ACTIONS
CONDUCT INTERNAL CONTROL REVIEWS
   1. Identify Event Cycles
   2. Analyze General Control Environment
   3. Document the Event Cycle
   4. Evaluate Internal Controls
   5. Test Internal Controls
   6. Summarize Results
TAKE CORRECTIVE ACTIONS
PREPARE REPORT ON INTERNAL CONTROLS
-------
INTERNAL CONTROL STANDARDS
As stated in the Act, each Executive agency is to establish a system of
internal accounting and administrative controls in accordance with
standards prescribed by the Comptroller General. The following is
consistent with our understanding of those standards, as they are to appear
in the General Accounting Office document: Standards for Internal Control
in the Federal Government.
* Reasonable Assurance -- Internal control systems shall provide
reasonable, but not absolute, assurance that the objectives of the
system will be accomplished. This standard recognizes that the cost
of internal control should not exceed the benefits derived therefrom,
and that the benefits consist of reductions in the risks of failing to
achieve the stated objectives.
* Attitude -- Managers and employees are to maintain and demonstrate a
positive and supportive attitude toward internal control at all times.
* Competent Personnel -- Managers and employees are to have high
standards of integrity, are to be competent by education, experience,
and/or training to accomplish their assigned duties, and are to
possess adequate knowledge of internal control.
* Internal Control Objectives -- Specific internal control objectives
are to be developed for each agency activity. The control objectives
must be complete, logical, and applicable to the specific activity and
are to be consistent with the accomplishment of the overall objectives
of internal control specified in the Act*.
*The overall internal control objectives specified in the Act are:
(1) Obligations and costs are in compliance with applicable law.
(2) Funds, property, and other assets are safeguarded against waste,
loss, unauthorized use, or misappropriation.
(3) Revenues and expenditures applicable to agency operations are
properly recorded and accounted for to permit the preparation of
accounts and reliable financial and statistical reports and to
maintain accountability over the assets.
-------
* Internal Control Techniques -- Internal control techniques, i.e.,
processes and documents that accomplish the internal control
objectives, are to be designed for and operated in all agency
activities, in order to comprehensively accomplish the control
objectives on a consistent basis, and in an efficient and effective
manner.
* Documentation -- Internal control systems, i.e., control objectives
and internal control techniques, the accountability for resources, and
all transactions and other events shall be clearly documented.
Documentation shall be readily available.
* Recording of Transactions -- Transactions shall be recorded as
executed, when executed, and be properly classified.
* Execution of Transactions -- Independent evidence shall be maintained
that authorizations are issued by persons acting within the scope of
their authority and that transactions conform with the terms of the
authorizations.
* Separation of Duties -- Key duties such as authorizing, approving, and
recording transactions, issuing or receiving assets, making payments,
and reviewing or auditing shall be assigned to separate individuals to
minimize the risk of loss to the government. Internal control depends
largely on the elimination of opportunities to conceal errors or
irregularities. This in turn depends on the assignment of work in
such a fashion that no one individual controls all phases of an
activity or transaction, thereby creating a situation that permits
errors or irregularities to go undetected.
-------
* Supervision -- Qualified and continuous supervision shall be provided
to assure that approved procedures are followed. Lines of personal
responsibility and accountability shall be clear.
* Access to Resources -- Access to resources shall be limited to
authorized personnel. Access includes both direct physical access and
indirect access through the preparation or processing of documents
that authorize the use or disposition of resources. Periodic
comparison shall be made of the resources with the recorded accountability to
determine whether the two agree. The frequency of the comparison
shall be a function of the vulnerability of the asset.
The Federal Managers' Financial Integrity Act also requires a standard
concerning audit resolution and follow-up. The Comptroller General is
defining that standard as follows:
* Managers should promptly evaluate findings and recommendations
reported by auditors; determine proper action in response to audit
findings and recommendations; and complete, within established time
frames, all actions that correct or otherwise resolve the matters
brought to management's attention.
-------
CHAPTER II
ORGANIZING THE EVALUATION
It is critical that an Executive agency, whether large or small, carefully
organize and assign responsibilities in a manner that ensures that the
evaluation, improvement, and reporting on internal controls is conducted
in an efficient and effective manner. This includes providing for quality
control over the entire process. The key organizing considerations
include:
* Assigning responsibilities.
* Internal reporting.
* Documentation.
* Personnel and supervision.
* Scheduling the evaluation processes.
ASSIGNING RESPONSIBILITIES
As noted earlier, an internal control system is not a separate system
within an agency, but rather, an integral part of the systems used by an
agency to operate its programs and other activities. The Act recognizes
this relationship, and thus, requires the head of the agency to be
responsible for submitting a statement to the President and the Congress
on the status of the agency's internal controls.
-------
Because it is unrealistic to expect an agency head to have first-hand
knowledge of the status of the agency's internal control system, the
appropriate responsibilities should be carefully assigned to selected
senior officials throughout the agency in order to ensure that the process
of evaluating, improving, and reporting on internal controls is carried out
in conformance with these guidelines, and in an efficient and effective
manner. These senior agency officials should be expected to provide the
agency head with written assurances that the responsibilities have been
carried out.
The assignment of responsibilities should include the following:
* Direction of the agencywide effort --
One senior official should be responsible for coordinating the overall
agencywide effort of evaluating, improving, and reporting on internal
control in conformance with these guidelines. This official should be
asked to provide assurance that these processes have been conducted,
in accordance with the guidelines, in a thorough and conscientious
manner. (See Appendix C)
* Heads of organizational units --
Just as the agency head is ultimately responsible for internal control
in the agency, the head of each organizational unit in an agency is
responsible for internal control in that unit. Accordingly, the head
of each organizational unit (and other components identified in the
segmenting process described in Chapter III) should provide assurance
that he or she is cognizant of the importance of internal control; has
performed the evaluative processes in his or her areas of
responsibility in accordance with the OMB guidelines and in a conscientious
manner; and believes that the objectives of internal control are
complied with in his or her area of responsibility within the
described limits. (See Appendix D)
-------
* Inspector General or equivalent -- The Inspector General, or
equivalent in agencies without an Inspector General, normally reviews
internal control documentation and systems and reports the results of
these reviews to appropriate levels of management. These reviews,
which the IG undertakes either on his own initiative or at the request
of the agency head, are either separate reviews of internal controls
or performed in conjunction with internal audits.
In addition, however, the IG may be asked to provide comments as to
whether the evaluation process has been conducted in accordance with
these guidelines. IG comments in response to such a request may be
based on a limited review to determine whether the first six phases
described in Chapter I are carried out in a reasonable and prudent
manner. (See Appendix E)
Performance of this limited review by the Inspector General should not
be interpreted to preclude the Inspector General from providing
technical assistance in the agency effort to evaluate internal
controls, or as otherwise limiting the authority of the Inspector
General. In fact, the Inspector General or equivalent is encouraged
to provide technical assistance to further the overall goal of
strengthening internal control systems. However, it is imperative
that management throughout the agency be heavily involved in the
evaluative process, since it is management that has primary
responsibility for the maintenance of a strong system of internal control.
However, care should be taken to avoid duplication of work. To the
extent that the Inspector General has conducted or is planning to
conduct internal control reviews of certain agency activities, a
determination should be made as to how these reviews can help
accomplish the evaluations required by these guidelines. In those
instances where the Inspector General agrees to conduct certain
internal control reviews, the senior official designated by the agency
head to direct the agencywide effort may rely on the internal control
reviews performed by the Inspector General. However, the senior
official is still primarily responsible for the overall judgments
regarding compliance with the Guidelines.
-------
INTERNAL REPORTING
An internal reporting and follow-up system should be established to monitor
the accomplishment of the various tasks that make up the evaluation and
improvement process. This system should be used to ensure that:
* Vulnerability assessments are scheduled and completed on a timely
basis.
* Scheduled internal control reviews are completed on a timely basis.
* Corrective actions are taken on a timely basis.
The system also should be able to:
* Summarize information regarding the results of the vulnerability
assessments, internal control reviews, and necessary corrective
actions in order to support the annual statement to the President and
the Congress.
* Gather other data necessary to evaluate other actions to improve
internal control, e.g., status of training, impact on performance
appraisals, other personnel actions.
Consideration should be given to coordinating or integrating this
information system with the agency's audit follow-up information system.
-------
DOCUMENTATION
Adequate written documentation should be maintained. In particular,
documentation should be maintained for activities conducted in connection
with vulnerability assessments, internal control reviews, and follow-up
actions to provide a permanent record of the methods used, the personnel
involved and their roles, the key factors considered, and the conclusions
reached. This information will be useful for reviewing the validity of
conclusions reached, evaluating the performance of individuals involved in
the assessments and reviews, and performing subsequent assessments and
reviews.
PERSONNEL AND SUPERVISION
It is essential that a sufficient level of staff resources be committed to
the internal control evaluation process. As such, it is likely that the
vulnerability assessments and internal control reviews will be performed by
persons from various parts of the agency. Examples are the individuals who
operate the systems being reviewed and persons from the central staffs.
These individuals need to have a good understanding of the process in order
that they can make appropriate judgments.
Some specific measures that should be considered in order to provide this
understanding, as well as assure the necessary quality, are as follows:
* Orientation and training -- Orientation and/or training sessions
should be provided to explain the objectives of and procedures for
conducting vulnerability assessments and internal control reviews.
-------
* Assignment of personnel -- Use of the "team" approach should be
considered in order that small groups of individuals can perform
assessments and/or reviews jointly. This provides some assurance that
the limitations of one individual can be offset by the strengths of
another. It also stimulates individual team members' thinking.
* Supervision -- Adequate supervision of personnel involved in the
assessment and review processes should be provided for.
* Performance appraisal -- Administrative procedures should be initiated
to evaluate performance in assessment and review activities.
Personnel should be advised that this will be a factor in their
overall performance evaluation.
* Technical assistance -- Technical assistance should be developed and
provided to employees assigned to the process. A procedures manual
to guide the performance of vulnerability assessments and internal
control reviews, and containing appropriate standard forms, may be
useful. Agency "experts" who can answer questions and provide other
assistance in this area should be designated and their names provided
to the reviewers. Informal guidance should be circulated periodically
and periodic meetings of key personnel involved in the process held as
still another means of information sharing.
* Monitoring -- A monitoring system should be developed to assure that
assessments and reviews are performed adequately. One way would be to
use an individual or small group to test assessments and reviews as
deemed necessary. Another way would be to coordinate with the
Inspector General's limited reviews of the process.
-------
SCHEDULING THE EVALUATION PROCESS
Scheduling the vulnerability assessments and internal control reviews
should be done carefully with consideration given to resource availability,
the performance of risk analysis and similar evaluations in accordance with
other statutory or regulatory requirements, the cyclical nature of certain
operations, and other relevant factors. It is necessary, however, to
ensure that sufficient evaluative work is scheduled and completed in time
to provide a basis for the annual statement to the President and the
Congress.
Furthermore, as required by Circular A-123, vulnerability assessments
should be completed for all agency activities by December 31, 1982, and not
less frequently than biennially thereafter. It is suggested, therefore,
that a schedule be prepared for each biennial cycle, which specifies the
individual(s) responsible for performing each assessment and the date by
which each is to be completed. Vulnerability assessments should be
conducted as soon as possible for activities that are new or undergoing
major changes rather than waiting for the next biennial cycle.
Internal control reviews are to be conducted on a continuous basis
throughout the year. The schedule of internal control reviews should be
developed based on an evaluation of the results of the vulnerability
assessments and other considerations (management priorities, resource
constraints, etc.) in order to ensure that agency activities determined to
be highly vulnerable, as well as those which are less vulnerable, are
evaluated and improved as necessary to provide a strong system of internal
control. Preparation of a schedule similar to that discussed for the
vulnerability assessments is recommended.
Since no exemption has been provided for classified or secure activities,
they must be included in the evaluation process. Care should be taken,
however, to assure that persons participating in the evaluations for such
activities have the necessary security clearances and that the
documentation is appropriately classified and handled.
-------
CHAPTER III
IDENTIFYING PROGRAMS AND ADMINISTRATIVE FUNCTIONS
Federal agencies are large, complex organizations. The most effective way
to systematically perform an evaluation of the systems upon which an agency
head can submit a statement is to segment the agency first into
organizational or other components and then into the programs and
administrative functions within each component. This approach also
facilitates the allocation of resources to the assessment process and the
determination of who should be responsible for providing assurances.
SELECTING THE COMPONENTS, PROGRAMS AND FUNCTIONS
There is no single method to divide an agency into components, programs,
and administrative functions for purposes of evaluating the system of
internal control, particularly since agencies vary so widely in
organizational structure and the nature of activities conducted. The basic
goal of the division is to develop an agency-wide inventory of "assessable
units," each of which can be the subject of a vulnerability assessment.
This inventory should provide complete coverage of all program and
administrative functions, consistent with the discussion in Chapter I. The
individual assessable units should be of an appropriate nature and size to
facilitate the conduct of a meaningful vulnerability assessment.
In developing the inventory of assessable units, reference should be made
to such sources of information as the agency's budget and related
materials, organization charts, agency manuals, and program and financial
management information systems. The following specific factors should be
considered:
-------
* Existing organizational structure.
* Nature and size of the agency's programs and administrative
functions.
* Numbers of sub-programs or sub-functions in a program or function
* Number of separate organizations operating the program
* Degree of independence of the program or function
* Differences in operating systems
* Degree of centralization or decentralization
* Budget levels
* Numbers of personnel
The degrees of independence and centralization/decentralization are very
significant. A program or administrative function could operate in several
locations. Since the program or administrative function and internal
control system may vary among locations, in design and/or operation, it may
be necessary to perform separate vulnerability assessments and/or internal
control reviews for each location. Thus a consideration when classifying
programs and functions operating at several locations is whether to
identify the locations first and then list the programs and functions
operating within each location, or to identify the programs and functions
first, and then for each multi-location program and function, identify and
list the locations at which it operates. Either approach is acceptable, as
long as coverage is complete.
-------
Also, it should be remembered that the purpose of the review is to
evaluate and improve the internal controls for operating programs and
administrative functions. Policymaking activities and other activities not
subject to the guidelines should not be included in the inventory.
Appendix A shows a sample of a partial inventory of components, programs
and administrative functions for a Cabinet-level department.

Once the agency inventory of assessable units has been developed, the
information should be documented. (One possible format for such
documentation is provided in Exhibit 2.) These lists provide the means
for organizing and managing the evaluation process.
III-3
-------
Agency Component:

List of Programs and Administrative Functions
Within the Component

Programs/Administrative Functions        Comments

Prepared by                              Date
Reviewed by                              Date

EXHIBIT 2
III-4
-------
CHAPTER IV
VULNERABILITY ASSESSMENTS

A vulnerability assessment is a review of the susceptibility of a program
or function, subject to the guidelines, to the occurrence of waste, loss,
unauthorized use, or misappropriation. More specifically, a vulnerability
assessment is intended to determine the likelihood that situations exist in
which:

(1) obligations and costs are not in compliance with applicable law;
(2) funds, property, and other assets are not adequately safeguarded
against waste, loss, unauthorized use, or misappropriation; and
(3) revenues and expenditures applicable to agency operations are not
properly recorded and accounted for and therefore do not permit
the preparation of accounts and reliable financial and statistical
reports or the maintenance of accountability over assets.

As indicated, however, the internal control evaluation process does not
stop with vulnerability assessments since, by themselves, vulnerability
assessments do not necessarily identify weaknesses or result in
improvements. Rather, vulnerability assessments are the mechanism with
which an agency can determine the relative potential for loss in these
programs and functions, and then, after giving consideration to such
relevant factors as management priorities, resource constraints, etc.,
schedule internal control reviews and related actions.
-------
A vulnerability assessment consists of the following three steps:

1. Analysis of the general control environment.
2. Analysis of inherent risk.
3. Preliminary evaluation of safeguards.

ANALYSIS OF GENERAL CONTROL ENVIRONMENT

The environment in which activities are conducted has a major impact on
the effectiveness of internal control within an agency. Several factors
determine the general control environment, including the following drawn
from the General Accounting Office document, Executive Reporting on
Internal Controls in Government and the American Institute of Certified
Public Accountants document, Report on the Special Advisory Committee on
Internal Accounting Control:

* Management Attitude — Management recognition of the importance of
and commitment to the establishment and maintenance of a strong
system of internal control as communicated to employees through
actions and words.
* Organizational Structure — The identification of organizational
units to perform the necessary functions and the establishment of
appropriate reporting relationships.
* Personnel — The competence and integrity of the organization's
personnel.
* Delegation and Communication of Authority and Responsibility —
Appropriate delegation or limitation of authority in a manner that
provides assurance that responsibilities are effectively discharged.
IV-2
-------
* Policies and Procedures — The definition, documentation and
dissemination of information to all employees as to how the organization is
intended to perform in various situations.
* Budgeting and Reporting Practices -- The specification and
communication of organizational goals and the extent of their accomplishment.
* Organizational Checks and Balances -- The establishment of an
appropriate level of financial and other management controls and
internal auditing.
* ADP Consideration — When utilized, an awareness of the strengths
and exposures inherent in a system that uses ADP and the existence of
appropriate controls.

An evaluation of the general control environment is the first step in the
vulnerability assessment process. It should be performed by determining
whether the characteristics of a strong general control environment, as
described above, exist by (a) reviewing documented policies and procedures;
(b) talking with management and other personnel; (c) observing practices;
and (d) drawing upon a familiarity with the operation.

This evaluation may be performed for the component as a whole, or
individually for each program and administrative function subject to the
guidelines that is carried out within the component. The determining
factors would be the size, nature, and degree of centralization of the
programs and functions conducted within the agency component.

Exhibit 3 presents a form which may be useful in making the analysis.
IV-3
-------
Agency Component:

Analysis of General Control Environment

Program/Administrative Function —

Factor                              Evaluation              Comments
                                    (Satisfactory / Other)

Management Attitude
Organizational Structure
Personnel
Delegation and Communication of
Authority and Responsibility
Policies and Procedures
Budgeting and Reporting
Organizational Checks and Balances
ADP Considerations
Other Factors

Overall Evaluation:

Prepared by                         Date
Reviewed by                         Date

EXHIBIT 3
-------
ANALYSIS OF INHERENT RISK

The second step in the vulnerability assessment process is the performance
of an analysis, for each identified program and administrative function
subject to these guidelines, of the inherent potential for waste, loss,
unauthorized use, or misappropriation due to the nature of the activity
itself. Matters to be considered in the analysis should include, but need
not be limited to, the following:

* Purpose and characteristics
* Budget level
* Impact outside the agency
* Age and life expectancy
* Degree of centralization
* Special concerns
* Prior reviews
* Management responsiveness

Purpose and Characteristics

The purpose and characteristics of these programs or administrative
functions should be considered, and any aspects that make the activity
susceptible to waste, loss, unauthorized use, or misappropriation noted.
Knowledge of the purpose and characteristics can be obtained, if not
already available, by reviewing such background material as the relevant
enabling legislation and legislative history, regulations, statements of
missions, goals and objectives, operating procedures and policies, and
budget materials. The following matters should be noted, particularly
since they often tend to contribute to fraud, waste and abuse:

* Broad or vague legislative authority or regulations.
* Cumbersome legislative or regulatory requirements.
* Broad or vague missions, goals or objectives.
IV-5
-------
* High degree of complexity.
* Existence of third party beneficiaries.
* Activities involving the payment of entitlement monies.
* Activities operating under severe time constraints.
* Activities involving the handling of cash receipts.
* Activities involving approval of applications, granting of
authority, certifications, issuance of licenses or permits,
inspections, or enforcement.

Budget Level

Programs or activities involving large amounts of money are susceptible to
greater amounts of waste, loss, unauthorized use, or misappropriation
than programs or activities involving small amounts. Accordingly, the
level of funding, including personnel time allocated to the program or
function, should be determined by reviewing the agency budget and
supporting materials. For certain activities, the budget may not reveal the
total money involved so estimates should be made and/or other financial
measures considered. For example, for a function such as property
management, a separate budget often does not exist. In order to measure
the full financial significance of this function, the value of controlled
property must be determined.

Impact Outside the Agency

Government programs and functions often have considerable financial and
nonfinancial impact on persons and organizations outside the agency. For
example, activities such as the issuance of registrations or permits,
standard-setting, rate-making, and licensing can affect significantly
economic status, health, safety, etc. When a program has such impacts, it
may be susceptible to external pressures that might circumvent internal
controls. Hence, impact outside the agency should be considered.
Information concerning potential impact can usually be obtained from such
sources as budget documents, program descriptions, and media and public
interest group reports.
IV-6
-------
Age and Life Expectancy

Consideration should be given to the age and life expectancy of the
program or administrative function. New (in existence less than two
years), changing (undergoing substantial modification or reorganization),
or phasing out (to be eliminated within 1 or 2 years) programs should be
considered more susceptible to waste, loss, unauthorized use, or
misappropriation than stable programs (in existence for more than two years
and not expected to phase out within two years). The reasons are:

* New or changing programs may lack written policies or procedures,
lack adequate resources, have inexperienced managers, lack devices
to measure program performance, and in general have considerable
confusion associated with them.
* Programs that are phasing out may lack adequate resources or may
involve close-out activities for which controls have not been
developed and/or large amounts of money or other resources which
must be accounted for. Also, personnel often lose interest and
motivation when a program is phasing out.

Degree of Centralization

The extent to which the program or administrative function is conducted in
a centralized or decentralized mode should be considered. Specifically, a
determination should be made as to whether the activity is:

* Federal Centralized -- Managed and controlled on a day-to-day basis
in a centralized Federal agency system.
IV-7
-------
* Federal Decentralized -- Managed and controlled on a day-to-day
basis by Federal agency field installations or staffs.
* Participant Administered -- Managed and controlled on a day-to-day
basis by a non-Federal organization. Programs supported by grants,
contracts or loans would fall into this

Different degrees of centralization are appropriate for different types of
activities. The evaluation should consider whether the degree of
centralization is appropriate for the activity being conducted.

Special Concerns

Often, the existence of special concern for an activity may be indicative
that for some reason it is highly susceptible to waste, loss, unauthorized
use, or misappropriation, and should be treated as such. Consideration,
therefore, should be given as to whether the program or administrative
function has been the focus of the following types of special attention:

* Special interest exhibited by the President, Congress, OMB, or the
Secretary.
* Deadlines set by legislation.
* Media attention.
* Litigation.
IV-8
-------
If special attention has been focused on the program or function, special
problems related to its exposure to waste, loss, unauthorized use, or
misappropriation may exist, and an attempt should be made to identify such
problems. Also, consideration should be given as to whether the special
attention given the program is, in and of itself, a source of pressure that
might create a vulnerability.

Prior Reviews

Prior audit reports submitted by the Inspector General, the General
Accounting Office, and others; internal evaluations; Congressional reports;
and consulting reports should be reviewed for any indications that the
program or administrative function has previously been subject to losses
due to waste, loss, unauthorized use, or misappropriation. The amounts of
estimated losses, if any, and the period covered by the prior review should
be considered.

Programs or functions with minimal audit coverage or with significant and
repeated findings should be considered more susceptible to waste, loss,
unauthorized use, or misappropriation.

Management Responsiveness

Management's responsiveness to recommendations from its OIG, GAO, and
other evaluation groups should be considered. This would include actions
taken to correct problems brought to management's attention as a result of
prior reviews. A lack of responsiveness suggests a higher degree of
susceptibility to waste, loss, unauthorized use, or misappropriation.
-------
The list of control objectives contained in Appendices B and B-1 may be
useful in identifying certain risks that should be considered for each of
the programs and functions being assessed.

PRELIMINARY EVALUATION OF SAFEGUARDS

The third step in the vulnerability assessment process is the making of a
preliminary judgment regarding the existence and adequacy of internal
control over the specific programs and administrative functions subject to
the guidelines. The key consideration should be whether appropriate
controls are in place to prevent or at least minimize waste, loss,
unauthorized use, or misappropriation.

As stated, an in-depth review of the existing controls is not appropriate
at this stage. Rather, the evaluator's judgment should be based largely
on his or her knowledge of the existence and functioning of safeguards
that protect the activity's resources from waste, loss, unauthorized use,
or mismanagement. However, the evaluation must be thoughtful and based on
a working knowledge of the program or administrative function. Judgments
made without knowledge of the situation are usually not sufficiently
reliable.

SUMMARIZING THE RESULTS OF THE VULNERABILITY ASSESSMENTS

The completion of the three steps permits the assessor to make an overall
assessment of (1) the adherence of the program or administrative function's
internal control system to at least some of the prescribed internal
standards, and (2) the vulnerability of the program or administrative
function itself. The assessment should be documented (see Exhibits 4 and 5
for suggested forms) and a conclusion reached as to overall vulnerability.
Care should be taken to ensure that the ratings, which can be a subjective
judgment or a numerical score, are done consistently throughout the entire
organization.
-------
Agency Component:

Assessment of Compliance with Standards of Internal Control
Based on Completion of a Vulnerability Assessment

Program/Administrative Function —

Standard                          Compliance          Comments
                                  (Yes, No, N/A)

Reasonable assurance
Attitude
Competent personnel
Internal control objectives*
Internal control techniques*
Documentation
Recording of transactions*
Execution of transactions*
Separation of duties
Supervision
Access to Resources

OVERALL COMMENTS:

Prepared by                       Date
Reviewed by                       Date

*NOTE: Sufficient analysis will probably not have been done at this point
to support an assessment of compliance with those standards marked
with an asterisk. If that is true, mark N/A (not applicable) in
the second column.

EXHIBIT 4
-------
Agency Component:

Overall Vulnerability Assessment

Program/Administrative Function —

OVERALL EVALUATION OF GENERAL CONTROL ENVIRONMENT:

ANALYSIS OF INHERENT RISK:

Factor                            Rating              Comments

Purpose and Characteristics
Budget Level
Impact Outside the Agency
Age and Life Expectancy
Degree of Centralization
Special Concerns
Prior Reviews
Management Responsiveness
Other Factors

OVERALL EVALUATION OF INHERENT RISK:
PRELIMINARY EVALUATION OF SAFEGUARDS:
OVERALL VULNERABILITY:
OTHER COMMENTS (PROBLEMS REQUIRING IMMEDIATE ACTION, DEFICIENCIES NOTED,
ETC.):

Internal Control Review Scheduled For
To be Performed By:

Prepared by                       Date
Reviewed by                       Date

EXHIBIT 5
IV-12
-------
Problems or weaknesses requiring immediate corrective action may be
observed during the performance of the vulnerability assessments. For
instance, a program may be assessed in which the controls are perceived to
be grossly inadequate and there is a strong possibility of loss if
corrective action is not taken immediately. Such situations should be
brought to the attention of the appropriate agency official as soon as
possible in order that appropriate corrective actions can be taken
promptly.

DEVELOP PLAN FOR SUBSEQUENT ACTIONS

The next step in the process is to use the summarized vulnerability
assessments to determine appropriate subsequent actions. It is important
at this point to remember the overall objective of the internal control
evaluation process, namely, to bring about a strengthening of internal
control systems in a cost-effective manner.

One approach may be to classify the vulnerability of each of the programs
and administrative functions subject to these guidelines in such a way as
to facilitate the establishment of a prioritized schedule for internal
control reviews, e.g., highly vulnerable, requiring a detailed review of
internal controls; moderately vulnerable, permitting less intensive and
less frequent internal control reviews; low vulnerability, etc.

Another approach would be to consider a series of options for each of the
program and administrative functions. This could be done by first
evaluating the degree and causes of the vulnerabilities; then considering
management priorities, resource availability, and other management
initiatives underway; and finally determining the appropriate courses of
action. These might consist of:
IV-13
-------
* Scheduling and conducting an internal control review.
* Requesting an audit.
* Establishing increased or improved monitoring procedures.
* Developing and conducting training programs for the staff.
* Issuing clarifying instructions.
* Modifying procedures or documents.

An approach such as the latter can help to ensure that resources devoted
to the internal control evaluation and improvement process are used in an
effective and efficient manner.
IV-14
-------
CHAPTER V
INTERNAL CONTROL REVIEWS

An internal control review is a detailed examination of a system of
internal control to determine whether adequate control measures exist and
are implemented to prevent or detect the occurrence of potential risks in
a cost effective manner.

Six recommended steps for an internal control review are:

* Identification of the event cycles.
* Analyses of the general control environment.
* Documentation of the event cycle.
* Evaluation of the internal controls within the event cycle.
* Testing of the internal controls.
* Reporting the results.

This Chapter describes how to perform these six steps.
-------
IDENTIFICATION OF THE EVENT CYCLES

Event cycles are the processes used to initiate and perform related
activities, create the necessary documentation, and gather and report
related data. In other words, an event cycle is a series of steps taken
to get something done. Each program and administrative function performed
within an agency or agency component contains one or more event cycles.
For example, an entitlement program could contain the following event
cycles: information gathering and verification, eligibility determination,
information processing and record keeping, payment, and monitoring. The
event cycles for an administrative function could include payroll,
procurement of supplies and materials, correspondence handling, etc.
(Appendices B and B-1 present event cycles commonly found in Federal
Government agencies. The General Accounting Office, professional
associations, and private organizations also publish lists of common event
cycles).

Event cycles provide the focal points for the conduct of internal control
reviews. Accordingly, the first step in the internal control review phase
is to identify the event cycles in the program or administrative function
which are subject to the guidelines and which are selected for an internal
control review. The sources of information for developing such a list
would be Appendix B or similar lists, the vulnerability assessment for the
program/function, legislation, regulations, policy statements, procedures
manuals, management interviews, etc. Exhibit 6 provides a form on which
the cycles can be listed.

A determination must then be made as to which event cycles are to be
reviewed. The results of the vulnerability assessment should be helpful
in making this determination, with areas identified as the cause of a
highly vulnerable classification being given the highest priority.
Documentation should be maintained.
V-2
-------
Agency Component:

List of Event Cycles Within Programs
and Administrative Functions

Program/Administrative Function -

Event Cycles                      Comments

Prepared by                       Date
Reviewed by                       Date

EXHIBIT 6
V-3
-------
ANALYSIS OF THE GENERAL CONTROL ENVIRONMENT

The environment in which the cycle operates has a major impact on the
effectiveness of internal control. Therefore, an important part of an
internal control review is an evaluation of the general control
environment, i.e., the management attitude, organization structure,
personnel, delegation and communication of authority and responsibility,
policies and procedures, budgeting and reporting practices, organizational
checks and balances, etc. Analysis of the general control environment
performed for the vulnerability assessment can be referred to and updated.

DOCUMENTATION OF THE EVENT CYCLE

The next step is to document the event cycle in order to obtain a thorough
understanding of how it operates. This is accomplished by interviewing
the persons involved in the cycle, reviewing existing documentation,
observing the activity, and then preparing either a narrative explanation
or a flow chart, accompanied by pertinent narrative information in
sufficient detail to permit an in-depth analysis of the existence and
adequacy of internal controls. The documentation should identify such
things as the procedures, the personnel performing the procedures, and the
forms and records developed and maintained.
-------
Regardless of the method used, it is advisable to review the completed
documentation with the persons providing the information, and, if
necessary, track one or two transactions through the process. Both
procedures will assure that the documentation and the understanding of the
cycle are accurate.

EVALUATION OF THE INTERNAL CONTROLS WITHIN THE EVENT CYCLES

The fourth step in the process is to evaluate the event cycle by reviewing
the documentation and deciding whether the system, at least as defined, is
sufficient to provide reasonable assurance that obligations and costs are
in compliance with applicable law; the agency's funds, property, and other
assets are properly safeguarded; and the revenues and expenditures are
properly recorded to permit the preparation of reliable financial and
statistical information. The manner in which this is done is to:

* Ascertain the control objectives for the event cycle. Control
objectives are desired goals or conditions for a specific event cycle
that reflect the application of the overall objectives of internal
control to that specific cycle. If control objectives are achieved,
the potential for the occurrence of waste, loss, unauthorized use, or
misappropriation is significantly decreased.

The control objectives for an event cycle should be written. This
documentation should be reviewed to determine whether the list of
objectives for each event cycle is complete, logical, and relevant to
the event cycle. If the control objectives are not adequately
documented, such documentation should be developed and maintained as
part of the overall documentation of internal controls.
V-5
-------
* Examine the documentation and ascertain whether appropriate internal
control techniques are in place to enable the control objectives to be
met in an efficient and effective manner. Internal control techniques
are the processes or documents that enable the control objectives to
be achieved.

Control techniques should be defined in writing. This documentation
should be reviewed to determine whether it provides reasonable
assurance that the control objectives can be met in a consistent,
efficient, and effective manner. If the control techniques are not
adequately documented, such documentation should be developed and
maintained as part of the overall documentation of the internal
controls.

The relationship between this and the prior task and the inherent
risks in an event cycle cannot be overemphasized. Control objectives
are established because a risk exists; internal control techniques are
implemented to prevent the specific risk from occurring. For example,
a payroll system contains the risk of people getting paid for time not
worked. An appropriate control objective would be that payments are
made only in return for services. An internal control technique could
be that time sheets include approval by a supervisor that the payment
made is only for services actually performed.

It is important to remember that there are inherent limitations that
can constrain an agency's efforts to maintain effective internal
control. Examples include budget constraints, statutory or regulatory
restrictions, staffing limitations, and other priorities. These
constraints should be considered when evaluating the appropriateness
of the control objectives and internal control techniques.

* Identify whether there are any internal control techniques that are
excessive, thereby creating inefficiencies and unnecessary costs.
V-6
-------
A form that may be useful in documenting this information is presented in
Exhibit 7. Appendices B and B-1 present appropriate control objectives
for common event cycles. Similar lists can be obtained from the General
Accounting Office, professional associations, and private organizations'
publications.

The results of this process are an identification of (a) necessary internal
control techniques (whose functioning has to be tested, as discussed in the
next section); (b) control objectives for which the control techniques are
not adequate and system corrections must be made; and/or (c) control
techniques that are unnecessary and can be eliminated.

TESTING OF THE INTERNAL CONTROLS

The final step in an internal control review is the testing of the
necessary control techniques to determine whether such controls are
functioning as intended. This may be done by selecting a sample of
transactions, and reviewing the documentation for those transactions, as
well as making other observations and inquiries, and ascertaining whether
the specified techniques are satisfactorily employed. Various sampling
procedures may be useful for enhancing the effectiveness of this process.
The testing of the systems may often require the use of advanced review
procedures.

Sometimes a specified control technique will appear to be inadequate for a
given condition or will not be functioning properly. In those instances,
the reviewer should evaluate whether personnel are compensating for the
shortcoming with other safeguards, or whether compensating controls exist
in interrelated systems not subject to review.

The reviewer should complete this testing step by noting any necessary
control techniques not functioning as intended or not compensated for. He
should also consider how such shortcomings should be addressed, i.e., by
instituting new controls, improving existing controls, or accepting the
risk associated with the shortcoming. A form for such notations is
presented in Exhibit 9.
-------
Agency Component:

List of Internal Controls

Program/Administrative Function -
Event Cycle

Control Objectives    Control Technique    Strength (S)     Comments
                                           Weakness (W)
                                           Excessive (E)

Prepared by                       Date:
Reviewed by                       Date:

V-8
-------
Agency Component:

Tests of Internal Controls

Program/Administrative Function -
Event Cycle

Necessary Control    Functioning    Adequate       Comments and
Techniques           (Yes or No)    (Yes or No)    Recommendations

Prepared by                       Date
Reviewed by                       Date

EXHIBIT 8
V-9
-------
REPORTING THE RESULTS OF THE INTERNAL CONTROL REVIEWS
Two types of reports should result from the internal control reviews. The
first are the reports for initiating corrective action, prepared for the
managers of the programs and administrative functions and other line
managers. These reports, which may be written or oral, are discussed in
the remainder of this chapter. The second type of report, discussed in the
next chapter, is necessary to support the agency head's statement to the
President and the Congress.
Reports intended to obtain corrective action should contain an
identification of weaknesses within the system and recommendations as to how the
weaknesses can be corrected. Recommendations for possible improvements in
the economy and efficiency of the internal controls should also be made, if
appropriate.
More specifically, attention should be given to the following:
* In what ways is the general control environment inadequate to
provide the necessary atmosphere for the appropriate functioning of
specific controls?
* In what areas are necessary control techniques nonexistent or
inadequate?
* In what areas are necessary control techniques not functioning as
intended?
* In what areas are control techniques excessive, thereby fostering a
lack of economy or creating inefficiencies?
V-10
-------
* In what ways are executive, legislative, or other management
requirements excessive, thereby creating inefficiencies?
These reports should include recommendations for how such situations could
be corrected or improved. In evaluating possible alternatives,
consideration should be given to the costs and expected benefits of changes in
order that control objectives can be achieved in a cost-effective manner.
While it is sometimes difficult to determine the exact costs and benefits
of suggested improvements, it is desirable at least to estimate these
amounts, so that controls are not instituted that cost more than they
save.
FOLLOW-UP ACTIONS
Vulnerability assessments and internal control reviews and reports should
not be an end in themselves. The recommendations should be considered by
management on a timely basis and the appropriate corrective actions taken
as promptly as possible. A formal follow-up system should be established
that logs and tracks recommendations and target dates, provides assistance
for the development of plans for implementation of the corrections, and
monitors whether the changes are made as scheduled. The existing audit
follow-up system could be used for this purpose.
V-11
-------
-------
CHAPTER VI
REPORTING UNDER THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
The Federal Managers' Financial Integrity Act of 1982 requires a statement
from each agency head to the President and to the Congress as to whether
the agency has established a system of internal accounting and
administrative control in accordance with standards prescribed by the
Comptroller General; and whether this system provides reasonable assurance
that:
* Obligations and costs are in accordance with applicable law;
* Funds, property and other assets are safeguarded against waste, loss,
unauthorized use, or misappropriation; and
* Revenues and expenditures are properly recorded and permit the
preparation of reliable financial and statistical reports.
An agency that follows these guidelines will be able to comply with the
Act.
BASIC STATEMENT
Specifically, an agency following these guidelines will have the following
in place:
* Responsibility for directing a program to comply with the Act
assigned to a high level official.
-------
* Agency internal control directives, regulations and other
materials published and disseminated throughout the organization.
* Documentation of the conduct and results of ongoing vulnerability
assessments and internal control reviews.
* Documentation of corrective actions taken to strengthen the internal
control systems.
* Inclusion of internal control elements in performance appraisals.
* Written assurances from the designated senior official responsible
for coordinating the agencywide effort and the heads of the agency's
various organizational units, and comments from the Inspector General
or equivalent. (See Appendices C, D, and E for examples)
The existence of these elements, collectively, provides strong evidence
that management and other personnel, throughout the organization, are
cognizant of the importance of internal control and that the necessary
evaluation and improvement processes are taking place. These are the two
major conditions that support transmittal of the required statement.
MATERIAL WEAKNESSES
The Act also requires an agency to include within the statement to the
President and the Congress a report listing identified material weaknesses
in internal accounting and administrative control and a schedule for their
correction. A material weakness is a situation in which the designed
procedures or the degree of operational compliance therewith does not
provide reasonable assurance that the objectives of internal control
specified in the Act are being accomplished. The size of the agencies and
the complexities of their activities are such that even though the elements
listed in the previous section are present, material weaknesses, as
defined, could exist.
VI-2
-------
Another step, therefore, in preparing the statement to the President and
the Congress is for the senior official responsible for coordinating the
agencywide effort to use the internal reporting system described in
Chapter II to determine whether any material weaknesses in internal
accounting and administrative control of significance to the President and
the Congress were uncovered by the evaluation process. If there were, a
brief description should be obtained along with the plans and schedule for
correcting the weakness. This information would be incorporated into the
report.
Finally, the report can and should be used to demonstrate that the planned
corrective actions have been taken. This can be done by including in the
statement the status of actions taken to correct weaknesses in internal
accounting and administrative control identified in prior years'
statements.
CLASSIFIED MATTERS
The statement must also be made available to the public. However, relevant
information that is (1) specifically prohibited from disclosure by any
provision of law; or (2) specifically required by Executive order to be
kept secret in the interest of national defense or the conduct of foreign
affairs, should not be included in the statement made available to the
public.
A recommended statement format is provided in Appendix F.
VI-3
-------
-------
GLOSSARY
Agency -- Any executive department or independent establishment in the
Executive branch of the Government but not including any Government
corporation or agency subject to the Government Corporation Control
Act, nor the United States Postal Service.
Agency Component -- A major organization, program, or functional
subdivision of an agency having one or more separate systems of
internal control.
Assessable Unit -- A program or administrative function or subdivision
thereof which is to be the subject of a vulnerability assessment.
Objective -- A desired goal or condition for a specific event
cycle that reflects the application of the overall objectives of
internal control to that specific cycle. 1/
Event Cycle -- The processes used to initiate and perform related
activities, create the necessary documentation, and gather and report
related data.
1/ Control objectives are not absolutes. Since the achievement of
control objectives can be and is affected by such factors as budget
constraints, statutory and regulatory restrictions, staff limitations,
and cost-benefit considerations, the lack of achievement of control
objectives does not necessarily represent a defect or deficiency in
internal control.
-------
General Control Environment -- Various environmental factors that can
influence the effectiveness of internal controls over program and
administrative functions.
Inherent Risk -- The inherent potential for waste, loss, unauthorized use,
or misappropriation due to the nature of an activity itself.
Internal Control -- The steps that an agency takes to provide reasonable
assurance that obligations and costs are in compliance with
applicable law; funds, property, and other assets are safeguarded
against waste, loss, unauthorized use, or misappropriation; and
revenues and expenditures applicable to agency operations are
properly recorded and accounted for to permit the preparation of
accounts and reliable financial and statistical reports and to
maintain accountability over the assets.
Internal Control Review -- A detailed examination of a system of internal
control to determine whether adequate control measures exist and are
implemented to prevent or detect the occurrence of potential risks in
a cost effective manner.
Internal Control System -- The sum of the organization's methods and
measures used to achieve the objectives of internal control.
Internal Control Technique -- A process or document that is being relied
on to efficiently and effectively accomplish a control objective and
thus help safeguard an activity from waste, loss, unauthorized use,
or misappropriation.
-2-
-------
Material Weakness -- A situation in which the designed procedures or degree
of operational compliance therewith does not provide reasonable
assurance that the objectives of internal control specified in the Act
are being accomplished.
Vulnerability Assessment -- A review of the susceptibility of a program or
function to the occurrence of waste, loss, unauthorized use, or
misappropriation.
-3-
-------
-------
APPENDIX A
SAMPLE PARTIAL INVENTORY OF COMPONENTS,
PROGRAMS, AND ADMINISTRATIVE FUNCTIONS
This appendix illustrates an approach that a department/agency might use to
inventory its components and programs and administrative functions for
purposes of conducting vulnerability assessments. The example is based on
operations of the Department of Commerce.
Component (1)
Patent and Trademark Office
National Bureau of Standards
National Technical Information
Service
Bureau of the Census
Office of Administration
Office of the Inspector General
Office of General Counsel
Office of Public Affairs
Office of Congressional Relations
Program and Administrative
Function (2)
Patent process
Trademark process
Information dissemination
Administration
Measurement, research, and
standards
Engineering measurements and
standards
Computer sciences and technology
Central technical support
Administration
Program planning and personnel
Information and resource
management
Operations/general services
Controller's office activities
Audit
Investigative
Policy and planning
This is a partial listing. Other bureaus would also be included as
individual components.
Programs and administrative functions have only been included for a few
components. In actual use programs and administrative functions for
the other components would also be listed.
A-1
-------
-------
APPENDIX B
COMMON EVENT CYCLES AND SUGGESTED CONTROL OBJECTIVES
IN FEDERAL AGENCIES
This appendix presents a list of event cycles commonly found in Federal
agencies and agency components. Also included are certain types of assets
that are highly susceptible to loss and for which controls are vital, e.g.,
cash, materials and supplies. Finally, the list provides suggested control
objectives for each event cycle/type of asset.
The purpose of the list is to help agencies and agency components identify
the event cycles and types of assets and control objectives that need to be
considered when performing internal control reviews. The list is neither
all-inclusive nor mandatory. Agencies will probably operate event cycles
not included on the list and certainly will not operate all cycles included
in the list. Also, internal control objectives listed may not be
appropriate for a particular situation. Accordingly, each agency should use this
list as a guide to identify event cycles and develop internal control
objectives for its programs and administrative functions that are covered by
these guidelines. (Similar lists are available from the General Accounting
Office, professional associations, and private organizations.)
-------
Finally, in establishing control objectives and control techniques, as well
as in performing internal control reviews, agencies should be mindful of the
inherent limitations (budget constraints, statutory and regulatory
restrictions, staffing limitations, etc.) which constrain agency action. The lack
of achievement of control objectives due to these systemic limitations or
cost-effectiveness considerations cannot and should not be considered
defects or deficiencies in internal controls.
I. OPERATIONS CYCLES
The operations cycles are intended to encompass the agency's program
activities that are subject to these guidelines. The differences in
agency missions make it impossible to develop a representative list of
operations cycles and corresponding control objectives. Hence, each
agency/agency component should examine its own programs and define the
appropriate event cycles and control objectives.
The following are the operations cycles for some typical government
programs and the internal control objectives for these cycles.
Production Activities
The primary internal control objectives normally associated with
production activities include the following:
(1) A production plan is authorized defining the products to be
manufactured, the timing and quantities of production, and the
needed inventory levels.
(2) Lead time schedules are timely and accurate, and permit realistic
due dates.
(3) Product quality and engineering standards exist and are monitored
to ensure that quality products are produced as efficiently as
possible.
B-2
-------
(4) Production controls exist to ensure that the plant is operating
with the optimum mix of resources including labor, equipment, and
materials.
(5) Production controls exist to prevent the manufacture of
unauthorized products or quantities of products.
(6) Resources used and products completed are timely and accurately
reported.
(7) Production costs are computed accurately and recorded timely.
(8) Recorded balances of inventory, property, and related activity
are periodically substantiated and evaluated.
Loans and Loan Guaranties
The primary internal control objectives normally associated with loans
and loan guaranties include the following:
(1) Applications for loans and loan guaranties are evaluated for
appropriateness of eligibility, collateral, if required, and
other qualifying criteria prior to approval.
(2) Security interest in property used as collateral is properly
recorded, filed, and documents secured by a responsible
custodian.
(3) Accurate receivables agings are prepared systematically and
timely.
(4) Loan and loan guaranty repayments are collected, controlled and
reported in a manner that is consistent with applicable
appropriations, other law, and policy.
(5) Periodic estimates are made of uncollectible loan balances with
such estimates timely reported to management.
(6) Proper write-off, conversion, and settlement or forgiveness of
delinquent loans is assured.
B-3
-------
Grants
The primary internal control objectives normally associated with grants
include the following:
(1) Accurate maintenance of the factors used in distribution formulas
for entitlement grants.
(2) Grantees' program eligibility requirements are sufficiently
detailed to ensure that the program beneficiaries and other
interested parties understand the qualifications to receive
prescribed benefits.
(3) Grantees maintain sound organizational, budgetary and accounting
systems that are periodically reviewed and evaluated.
(4) Grantees' procurement procedures comply with regulations.
(5) Grantees properly maintain, safeguard, and account for
government-financed property and equipment.
(6) Grantees maintain current cost allocation plans and overhead
rates.
(7) Grantees are paid only for allowable costs and amounts.
(8) Financial and compliance audits of grantee activity performed at
least once every two years.
(9) Prompt and appropriate grant close-out actions are taken.
II. INTERNAL MANAGEMENT AND ADMINISTRATION CYCLES
Organization
The primary internal control objective normally associated with
organization includes the following:
(1) Responsibility for the performance of all duties is specifically
assigned and appropriately separated along with necessary
delegations of authority to sufficient numbers of qualified
employees.
-------
Personnel Policies and Practices
The primary internal control objectives normally associated with personnel
policies and practices include the following:
(1) Personnel ceilings are strictly enforced.
(2) Recruitment, training, evaluation, and termination practices are
operating in accordance with applicable laws and regulations and
in a manner that promotes economy and efficiency of operations.
(3) Appropriate standards of conduct are communicated and enforced.
(4) Employment records are promptly, completely and accurately
established with proper safeguards against unauthorized access or
the preparation of fictitious records.
Administrative Support Services
The primary internal control objectives normally associated with
administrative services include the following:
(1) Services provided meet the organization's legitimate needs.
B-5
-------
(2) Services are conducted in a manner that promotes economy and
efficiency in operations.
(3) Safeguards exist to prevent unauthorized or wasteful use
(See Appendix B-1)
Advisory and Technical Services
The primary internal control objectives normally associated with
advisory and technical services include the following:
(1) Services provided meet the organization's legitimate needs.
(2) Services are conducted in a manner that promotes economy and
efficiency in operations.
(3) Safeguards exist to prevent unauthorized or wasteful use of such
services.
Security and Safeguarding of Classified Material
The primary internal control objectives normally associated with
security and safeguarding classified material are the following:
(1) Documents are appropriately classified.
(2) Appropriate safeguards exist to prevent unauthorized access to
classified materials.
B-6
-------
Audit Followup
The primary internal control objectives normally associated with audit
followup include the following:
(1) Audit resolution and corrective actions pertaining to audit
recommendations are made on a timely basis.
(2) Audits resolved and corrective action on audit recommendations are
scheduled in accordance with specific criteria.
(3) Accurate records of the status of audit reports and recommendations
are maintained through the entire process of resolution and
corrective action.
(4) Major disagreements between the audit organization and agency
management or contracting officials are resolved on a timely basis.
(5) Resolution actions are consistent with law, regulation, and
Administration policy.
(6) Resolution and correction action on recommendations involving more
than one program, agency, or level of government are coordinated.
(7) Required reports are reliable, accurate, and submitted on a timely
basis.
(8) Claims arising from audit disallowances are promptly recorded as
receivables and collected in accordance with the Federal Claims
Collection Act.
(9) Interest on audit-related debt is charged promptly, without regard
to whether the disallowance is or will be appealed.
B-7
-------
III. INFORMATION PROCESSING AND REPORTING CYCLES
Information Collection
The primary internal control objectives normally associated with
information collection are the following:
(1) Information collected is meaningful and useful.
(2) Information collected is reliable.
(3) Information is arranged in an orderly fashion.
(4) Information is maintained on a current basis.
Correspondence Handling
The primary internal control objectives normally associated with
correspondence handling are the following:
(1) Correspondence is channeled to the appropriate parties.
(2) Replies are made promptly, accurately and responsively.
Records Maintenance
The primary internal control objectives normally associated with
records maintenance are the following:
(1) Records are readily available.
(2) Records are adequately protected.
(3) Only necessary records are retained.
Automatic Data Processing
The primary internal control objectives normally associated with
automatic data processing are as follows:
-------
(1) Proper authorization of transaction inputs, adequate edit checks,
and necessary safeguards of sensitive input forms to insure
accurate, proper, complete and timely entry of information.
(2) Data is safeguarded to prevent unauthorized access, improper
changes, or loss.
(3) Appropriate controls exist to detect unauthorized use of the
system.
(4) Outputs produced accurately, completely and timely.
IV. ASSET AND LIABILITY CYCLES
Cash
The primary internal control objectives normally associated with cash
include the following:
(1) Physical security safeguards maintained where cash is stored and
processed.
(2) Cash, check signing machines, signature dies, and blank,
partially prepared, mutilated, and voided checks are protected
from unauthorized use.
(3) Receipts are recorded properly and timely and deposited promptly.
(4) Disbursements are recorded properly and timely.
(5) Effective cash management system is maintained.
Negotiable Instruments and Other Investments
The primary internal control objectives normally associated with
negotiable instruments and other investments include the following:
(1) Physical security safeguards are maintained where negotiable
instruments and other investments are stored and processed.
(2) Bonds, drafts, and other securities are protected from
unauthorized use.
B-9
-------
(3) Timely and accurate accounting is maintained.
(4) Investments comply with legal requirements.
(5) Interest and other investment income is collected promptly when
due.
Letters of Credit
The primary internal control objectives normally associated with
letters of credit include the following:
(1) Letters of credit are issued only to large dollar recipients who
have a continuing relationship with the Federal Government and an
adequate cash management system.
(2) Amounts available under letters of credit do not exceed available
award authority or immediate cash needs.
(3) Assurance exists that funds are used only for intended purpose.
(4) Cash balances in recipients' hands do not exceed recipients'
needs.
Receivables
The primary internal control objectives normally associated with
receivables include the following:
(1) Prompt and accurate recording of all receivables.
(2) Ability to determine and report sources and age of receivables.
(3) Continuous and timely attempts are made to collect receivables
due.
(4) Identification of the portion of the receivables that may not be
collectible.
(5) Validity of write-offs, conversions, and settlement or
forgiveness of receivables.
(6) Repayments collected, controlled and reported in a manner
consistent with applicable law and regulations.
(7) Title to property used as collateral is properly recorded, filed,
and secured.
B-10
-------
Capital Assets and Material Inventories
The primary internal control objectives normally associated with
capital assets and material inventories include the following:
(1) Only authorized and needed property is procured.
(2) Receipts of property are recorded timely and accurately in source
documents and accounting records.
(3) Detailed subsidiary records are maintained for individual capital
assets and significant categories of material inventories and are
periodically reconciled to control accounts.
(4) Periodic physical verification is made of the existence and
condition of property and inventories.
(5) Physical security measures are commensurate with the size, type,
and value of property.
(6) Issues, transfers, retirements, and losses are reported and
accounted for timely.
(7) Assets are properly requisitioned and used exclusively for
Government activities.
(8) Records of asset use are accurately maintained.
Payables, Debt, and Other Liabilities
The primary internal control objectives normally associated with
payables, debt, and other liabilities include the following:
(1) All payables and other claims against the Government are recorded
promptly and accurately.
(2) Prepayment examinations and certifications of performance are
made to ensure validity and clerical accuracy of claims prior to
payment.
(3) Debt and other long-term liabilities are properly authorized,
recorded and serviced in accordance with applicable laws and
regulations.
B-11
-------
Fiduciary and Trust Funds
The primary internal control objectives normally associated with
fiduciary and trust funds include the following:
(1) Liabilities to others are recorded properly.
(2) Detailed subsidiary records are maintained and are periodically
reconciled to control accounts.
(3) Funds are handled in accordance with applicable law and
regulations.
(4) Effective control is maintained by responsible officials.
(5) Benefits and other disbursements are subject to comparable
controls to other payments.
V. RECEIPT
1 • • • * *
Taxes and Duties
The primary internal control objectives normally associated with taxes
and duties include the following:
(1) Taxing programs are applied to all individuals and organizations
subject to taxes.
(2) Tax returns and assessments are reasonably correct.
(3) All receipts are recorded accurately and timely.
(4) Receipts are safeguarded while in the custody of the agency and
promptly transferred to the Treasury.
(5) Settlements, allowances, and refunds are properly authorized.
(6) Taxing programs are administered in accordance with applicable
laws and regulations.
Services Rendered
The primary internal control objectives normally associated with
services rendered include the following:
B-12
-------
(1) Revenues are recorded immediately as services are rendered with
accounts receivable promptly set up and billed on a timely basis
if not paid in full.
(2) Receipts are recorded accurately and timely.
(3) Receipts are safeguarded while in the custody of the agency and
promptly transferred to the Treasury.
(4) Services rendered and related charges are conducted in accordance
with applicable laws and regulations.
Other Sales
The primary internal control objectives normally associated with other
sales include the following:
(1) Sales are recorded immediately as items are sold with accounts
receivable promptly set up and billed on a timely basis for
non-cash sales.
(2) Receipts are recorded accurately and timely.
(3) Receipts are safeguarded while in the custody of the agency and
are promptly transferred to the Treasury.
(4) Sales of goods, property, equipment, bonds, notes, and other
items are conducted in accordance with applicable laws and
regulations.
Fines, Penalties, and Judgments
The primary internal control objectives normally associated with fines,
penalties, and judgments include the following:
(1) Fines, penalties, and judgments are levied on or sought from
individuals and organizations as required by laws or regulations.
(2) Fines and penalties are charged at the proper statutory rate.
B-13
-------
(3) All receipts are recorded accurately and timely.
(4) Receipts are safeguarded while in the custody of the agency and
are promptly transferred to the Treasury.
(5) Rescissions and forgivenesses are properly authorized.
Other Receivable Collections
The primary internal control objectives normally associated with other
receivable collections include the following:
(1) All receipts are recorded accurately and timely.
(2) Receipts are safeguarded while in the custody of the agency and
are promptly transferred to the Treasury.
(3) Procedures for effecting collection, including offset and
installment payments, are utilized on a timely basis.
Other Receipts
The primary internal control objectives normally associated with other
receipts include the following:
(1) All receipts are recorded accurately and timely.
(2) Receipts are safeguarded while in the custody of the agency and
are promptly transferred to the Treasury.
(3) Monies are requested and received in situations where warranted in
accordance with applicable law and regulations.
VI. EXPENDITURE CYCLES
Payroll, Pensions and Other Fringe Benefits
The primary internal control objectives normally associated with
payroll, pensions and other fringe benefits include the following:
-------
(1) Appropriate authority exists for the appointment, change, and
termination of all personnel.
(2) Compensation and benefit payments are in accord with current
statutory or regulatory limitations.
(3) Payments are made only in return for services rendered.
(4) Gross and net payroll amounts and payroll deductions are correct.
(5) Payroll charges, including fringe benefits, are recorded and
distributed promptly.
(6) Timely, accurate and complete subsidiary records are maintained
of vacation, sick leave and other balances.
Federal Assistance Payments to Other Governmental Units and
Individuals
The primary internal control objectives normally associated with
Federal assistance payments to other Governmental units and individuals
include the following:
(1) Disbursements are valid and properly approved.
(2) Disbursements are recorded promptly and accurately to the
appropriate accounts.
(3) Payments are within budget limits and in accordance with
applicable laws, regulations, and agreements.
(4) Payments are made only to eligible recipients for eligible costs.
(5) Payments are made promptly and in full.
Procurement and Acquisition
The primary internal control objectives normally associated with
procurement and acquisition include the following:
(1) All purchases are authorized within budget limits and made in
accordance with applicable laws, regulations, and agreements.
B-15
-------
(?) Government has-" oa ids lowest prices commensurate with quality,.
service, delivery and rel iabil.ity. •» '. • • .. , .
(3^ Purchases and acquisitions are received and examined for
accentabil ity. , ;.. -.- • - . .- • . .-
(4) Disbursements are valid and properly aporoved.
(5) Disbursements are made on a timely basis. .
(6) Disbursements are recorded promptly and accurately to the
aooropnate account.
I
» *' « *
Travel Advances and Reimbursements
The primary internal control objectives normally associated with travel
advances and reimbursements include the following:
(1) Travel reimbursements and advances provided only for properly
authorized travel.
(2) Amounts paid are in accordance with applicable government travel
regulations.
(3) Reimbursements are timely, properly approved, and properly
recorded to the appropriate account.
(4) Advances are liquidated within reasonable time periods.
Other Expenditures
The primary internal control objectives normally associated with other
expenditures include the following:
(1) Expenditures are valid and properly approved.
(2) Expenditures are recorded promptly and accurately in the
appropriate accounts.
(3) Debt service requirements, refunds, valid claims and other
appropriate payments are made timely in full accordance with
applicable laws, regulations, and agreements.
-------
APPENDIX B-1
SUGGESTED CONTROL OBJECTIVES FOR SELECTED ADMINISTRATIVE
SUPPORT SERVICES
Included in Appendix B are suggested control objectives for the generic
category administrative support services. The Office of Management and
Budget has developed a series of model control systems for specific
administrative support services. This Appendix presents suggested control
objectives for selected administrative services drawn from those control
models.
Periodicals, Pamphlets, and Audiovisual Products
* Periodicals, pamphlets, and audiovisual products are related to agency
mission, contribute to solution of an identifiable need, and are
appropriate in format and scope for the intended audience.
* Periodicals, pamphlets, and audiovisual products are not duplicative of
other materials that convey the same message.
* Periodicals, pamphlets, and audiovisual products are produced or
acquired in a cost-effective manner.
* Completed periodicals, pamphlets and audiovisual products are
consistent with planned product and distributed in conformance with
approved distribution plan.
-------
Consulting and Related Services
* Services are secured for an appropriate purpose, i.e., to obtain
specialized opinions or professional or technical advice which does
not exist or is not available within the agency or another agency,
outside points of view to avoid excessively limited judgments on
critical issues, advice regarding developments in industry,
university, or foundation research, opinion of noted experts whose
national or international prestige can contribute to the success of
important projects, or assistance to complete a necessary project
within a specified period of time.
* Services are not used to perform work of a policy/decision-making or
managerial nature that is the direct responsibility of agency
officials; or to bypass or undermine personnel ceilings, pay
limitations, or competitive employment procedures; or to aid in
influencing or enacting legislation.
* Services are secured through maximum competition, without preference
to former government employees.
* Payments for services bear a relation to work completed.
* Services provided meet the organization's specific needs and advice
and recommendations are implemented, unless there are valid reasons to
the contrary.
Long-Term Training
* Long-term training is provided only when the necessary set of
knowledges or skills requires a comprehensive study program which
cannot be accomplished by a series of unconnected short-term courses;
the time span for the acquisition of the knowledge or skill is such
that a concentrated or long-term program is most feasible; and the set
of knowledges or skills is so complex, new, or unique that it cannot
be readily obtained on a short-term basis or through other means.
* Nominees continue in agency service for an appropriate period
following completion of long-term training.
* Long-term training is relevant to selected employees' current and/or
projected assignments, required skills and knowledge, individual
development plan, and career potential; and is appropriate for his or
her commitment to the organization and Federal service.
Space Acquisition and Utilization
* Need for and intended use of space is adequately justified.
* Requesting unit conforms with space allowance standards.
* Request cannot be met by realignment of existing space assignments or
use of vacant or under-utilized space.
* Space is leased on the most favorable basis to the Government, with
due consideration to maintenance and operational efficiency.
* Lease charges are consistent with prevailing scales in the community
for comparable facilities.
* Legal requirements, e.g., facilities for the handicapped, fire safety
features, are satisfied.
* Lease contains provisions necessary to administer the agreement, such
as duration of lease, including clearly stated renewal rights; base
for future escalations; liquidated damages provision; stated costs for
overtime usage; and termination rights.
* Lease conforms with agency and Administration goals and priorities and
legal requirements.
-------
-------
APPENDIX C
SAMPLE LETTER FOR WRITTEN ASSURANCE TO THE
AGENCY HEAD FROM DESIGNATED SENIOR OFFICIAL
Dear (agency head):
In accordance with your delegation of responsibilities to me, I have
directed an evaluation of the system of internal accounting and
administrative control of (name of agency) in effect during the year ended
(date). As required by the Federal Managers Financial Integrity Act, this
evaluation has been conducted in accordance with Guidelines for the
Evaluation and Improvement of and Reporting on Internal Control Systems in
the Federal Government, issued by the Director of the Office of Management
and Budget, in consultation with the Comptroller General, and accordingly
included an evaluation of whether the system of internal accounting and
administrative control of (name of agency) was in compliance with the
standards prescribed by the Comptroller General.
The objectives of the system of internal accounting and administrative
control of the (name of agency) are to provide reasonable assurance that:
— Obligations and costs are in compliance with applicable law;
— Funds, property, and other assets are safeguarded against waste,
loss, unauthorized use, or misappropriation; and
— Revenues and expenditures applicable to agency operations are
properly recorded and accounted for to permit the preparation of
accounts and reliable financial and statistical reports and to
maintain accountability over the assets.
The concept of reasonable assurance recognizes that the cost of internal
control should not exceed the benefits expected to be derived therefrom,
and that the benefits consist of reductions in the risks of failing to
achieve the stated objectives. Estimates and judgments are required to
assess the expected benefits and related costs of control procedures.
Furthermore, errors or irregularities may occur and not be detected because
of inherent limitations in any system of internal accounting and
administrative control, including those limitations resulting from resource
constraints, Congressional restrictions, and other factors. Finally,
projection of any evaluation of the system to future periods is subject to
the risk that procedures may be inadequate because of changes in conditions
or that the degree of compliance with the procedures may deteriorate.
Nonetheless, I have taken the necessary measures to assure that the
evaluation, identified in the first paragraph, has been conducted in a
thorough and conscientious manner.
The results of the evaluation, assurances given by heads of organizational
units, and other information provided indicate that the system of
internal accounting and administrative control of (name of agency) in
effect during the year ended (date), taken as a whole, complies with the
requirement to provide reasonable assurance that the above-mentioned
objectives were achieved within the limits described in the preceding
paragraph. The evaluation, however, did disclose the following material
weaknesses 1/:
(LIST OF MATERIAL WEAKNESSES) 1/
Attachment A to this report contains the recommended plans and schedules
for correcting such weaknesses, 1/ and the status of actions taken to
correct weaknesses identified in prior years' reports. 2/
(SIGNATURE)
1/ If there are no material weaknesses, this sentence should be deleted,
and there would be no list or portion of Attachment A containing plans
and schedules for correcting such weaknesses.
2/ If there were no actions taken during the past year to correct
weaknesses, or no identified weaknesses for which corrective actions
remain to be taken, this phrase would be deleted.
-------
-------
APPENDIX D
SAMPLE LETTER FOR WRITTEN ASSURANCE TO THE
AGENCY HEAD FROM THE HEAD OF AN ORGANIZATIONAL UNIT
Dear (agency head):
As (title) of the (name of organizational unit) of the (name of agency), I
am cognizant of the importance of internal controls. I have taken the
necessary measures to assure that the evaluation of the system of internal
control of (name of organizational unit) has been conducted in a
conscientious and thorough manner in accordance with Guidelines for the
Evaluation and Improvement of and Reporting on Internal Control Systems in
the Federal Government, issued by the Director of the Office of Management
and Budget, in consultation with the Comptroller General, and accordingly
included an evaluation of whether the system of internal accounting and
administrative control of (name of agency) was in compliance with standards
prescribed by the Comptroller General.
The objectives of the system of internal accounting and administrative
control of the (name of agency) are to provide reasonable assurance that:
— Obligations and costs are in compliance with applicable law;
— Funds, property, and other assets are safeguarded against waste,
loss, unauthorized use, or misappropriation; and
— Revenues and expenditures applicable to agency operations are
properly recorded and accounted for to permit the preparation of
accounts and reliable financial and statistical reports and to
maintain accountability over the assets.
The concept of reasonable assurance recognizes that the cost of internal
control should not exceed the benefits expected to be derived therefrom, and
that the benefits consist of reductions in the risks of failing to achieve
the stated objectives. Estimates and judgments are required to assess the
expected benefits and related costs of control procedures. Furthermore,
errors or irregularities may occur and not be detected because of inherent
limitations in any system of internal accounting and administrative control,
including those limitations resulting from resource constraints,
Congressional restrictions, and other factors. Finally, projection of any
evaluation of the system to future periods is subject to the risk that
procedures may be inadequate because of changes in conditions or that the
degree of compliance with the procedures may deteriorate.
The results of the evaluation, performed in accordance with the Guidelines
identified in the first paragraph, and other information provided indicate
that the system of internal accounting and administrative control of
(organizational unit) in effect during the year ended (date), taken as a
whole, complies with the requirement to provide reasonable assurance that
the above-mentioned objectives were achieved within the limits described in
the preceding paragraph. The evaluation, however, did disclose the
following material weaknesses 1/:
(LIST OF MATERIAL WEAKNESSES) 1/
Attachment A to this report contains the (name of organizational unit's)
plans and schedules for correcting such weaknesses, 1/ and the status
of actions taken to correct weaknesses identified in prior years'
reports. 2/
1/ If there are no material weaknesses, this sentence should be deleted,
and there would be no list or portion of Attachment A containing plans
and schedules for correcting such weaknesses.
2/ If there were no actions taken during the past year to correct
weaknesses, or no identified weaknesses for which corrective actions
remain to be taken, this phrase would be deleted.
-------
-------
APPENDIX E
SAMPLE LETTER FOR COMMENTS TO THE AGENCY HEAD
FROM THE INSPECTOR GENERAL OR EQUIVALENT
Dear (agency head):
I have conducted a limited review to determine whether the evaluation of the
system of internal accounting and administrative control, as described in
Guidelines for the Evaluation and Improvement of and Reporting on Internal
Control Systems in the Federal Government, issued by the Director of the
Office of Management and Budget, in consultation with the Comptroller
General, has been carried out in a reasonable and prudent manner in the
(agency) for the year ended (date). During this limited review, nothing
came to my attention that would indicate that the (agency) did not comply
with the above-mentioned guidelines.
(SIGNATURE)
-------
-------
APPENDIX F
SAMPLE INTERNAL CONTROL STATEMENT
(AND REPORT, IF APPLICABLE) 1/
Dear Mr. President:
An evaluation of the system of internal accounting and administrative
control of (name of agency) in effect during the year ended (date) was
performed in accordance with Guidelines for the Evaluation and Improvement
of and Reporting on Internal Control Systems in the Federal Government,
issued by the Director of the Office of Management and Budget, in
consultation with the Comptroller General, as required by the Federal Managers'
Financial Integrity Act of 1982, and accordingly included an evaluation of
whether the system of internal accounting and administrative control (name
of agency) was in compliance with the standards prescribed by the
Comptroller General.
The objectives of the system of internal accounting and administrative
control of the (name of agency) are to provide reasonable assurance that:
— Obligations and costs are in compliance with applicable law;
— Funds, property, and other assets are safeguarded against waste,
loss, unauthorized use, or misappropriation; and
— Revenues and expenditures applicable to agency operations are
properly recorded and accounted for to permit the preparation of
accounts and reliable financial and statistical reports and to
maintain accountability over the assets.
The concept of reasonable assurance recognizes that the cost of internal
control should not exceed the benefits expected to be derived therefrom,
and that the benefits consist of reductions in the risks of failing to
achieve the stated objectives. Estimates and judgments are required to
assess the expected benefits and related costs of control procedures.
Furthermore, errors or irregularities may occur and not be detected because
of inherent limitations in any system of internal accounting and
administrative control, including those limitations resulting from resource
constraints, Congressional restrictions, and other factors. Finally,
projection of any evaluation of the system to future periods is subject to
the risk that procedures may be inadequate because of changes in conditions
or that the degree of compliance with the procedures may deteriorate.
The results of the evaluation described in the first paragraph, assurances
given by appropriate (name of agency) officials, and other information
provided indicate that the system of internal accounting and administrative
control of (name of agency) in effect during the year ended (date), taken as
a whole, complies with the requirement to provide reasonable assurance that
the above-mentioned objectives were achieved within the limits described in
the preceding paragraph. The evaluation, however, did disclose the
following material weaknesses 2/:
(LIST OF MATERIAL WEAKNESSES) 2/
Attachment A to this statement contains the (name of agency) plans and
schedules for correcting such weaknesses, 2/ and the status of actions
taken to correct weaknesses identified in prior years' reports. 3/
(SIGNATURE)
1/ If material weaknesses in systems subject to these guidelines are found,
this sample constitutes the statement and report required by the Act.
If material weaknesses are not found, this sample, as adjusted,
constitutes the statement required by the Act.
2/ If there are no material weaknesses, this sentence should be deleted,
and there would be no list or portion of Attachment A containing plans
and schedules for correcting such weaknesses.
3/ If there were no actions taken during the past year to correct
weaknesses, or no identified weaknesses for which corrective actions
remain to be taken, this phrase would be deleted.
-------
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
AUG 04 1986
CIRCULAR A-123
Revised
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
SUBJECT: Internal Control Systems
1. Purpose. This circular prescribes policies and procedures to be
followed by executive departments and agencies in establishing,
maintaining, evaluating, improving, and reporting on internal
controls in their program and administrative activities.
2. Rescission. This circular replaces Circular A-123, Revised,
"Internal Control Systems," dated August 16, 1983.
3. Background. The Budget and Accounting Act of 1950 requires the
head of each department and agency to establish and maintain
adequate systems of internal control.
The Federal Managers Financial Integrity Act, P.L. 97-255,
(hereafter referred to as the Integrity Act), amended the Budget
and Accounting Procedures Act of 1950 and requires that internal
accounting and administrative control standards be developed by
the General Accounting Office; annual evaluations be conducted by
each executive agency of its system of internal accounting and
administrative control in accordance with guidelines established
by the Director of the Office of Management and Budget; and
annual statements be submitted by the heads of each executive
agency to the President and the Congress on the status of the
agency's system of internal controls.
4. Policy. Agencies shall establish and maintain a cost-effective
system of internal controls to provide reasonable assurance that
Government resources are protected against fraud, waste,
mismanagement or misappropriation and that both existing and new
program and administrative activities are effectively and
efficiently managed to achieve the goals of the agency. The
system shall comply with the Integrity Act and the internal
control standards developed by the General Accounting Office and
implemented by this circular. All levels of management shall be
involved in ensuring the adequacy of controls. Internal control
does not encompass such matters as statutory development or
interpretation, determination of program need, resource
allocation, rulemaking, or other discretionary policymaking
processes in an agency.
5. Definitions. For the purpose of this circular, the following
terms are defined:
a. Agency — any department or independent establishment in the
executive branch.
b. Agency Component — a major program, administrative activity,
organization, or functional subdivision of an agency.
c. Internal Control Objective — specific end to be achieved by
control techniques used in a component. Each objective is to
take into consideration the nature of the component and the
requirements of this circular. Limiting factors such as
budget constraints, statutory and regulatory restrictions,
staff limitations, and the cost-benefits of each control
technique are to be considered in determining desired
internal control objectives.
d. Internal Control Documentation — written materials of two
types.
(1) System documentation includes policies and procedures,
organization charts, manuals, memoranda, flow charts, and
related written materials necessary to describe
organizational structure, operating procedures, and
administrative practices; and to communicate responsibilities
and authorities for accomplishing programs and activities.
Such documentation should be present to the extent required
by management to effectively control their operations.
(2) Review documentation shows the type and scope of review,
the responsible official, the pertinent dates and facts, the
key findings, and the recommended corrective actions.
Documentation is adequate if the information is understandable
to a reasonably knowledgeable reviewer.
e. Internal Control Guidelines — the guidelines issued by the
Office of Management and Budget (OMB) in December 1982,
entitled "Guidelines for the Evaluation and Improvement of
and Reporting on Internal Control Systems in the Federal
Government," or as they may be modified subsequently. These
guidelines present a suggested approach, and should be adapted
to meet the needs of the individual agencies provided that
any such adaptation remains in compliance with this circular.
f. Internal Control Evaluation — a detailed evaluation of a
program or administrative activity to determine whether
adequate control techniques exist and are implemented to
achieve cost-effective compliance with the Integrity Act.
Control evaluations are of two types.
(1) Internal Control Review is a detailed examination of a
system of internal controls using the methodology specified
in the Internal Control Guidelines. All reviews should
produce written materials documenting what was done and what
was found. See 5(d), Internal Control Documentation.
(2) Alternative Internal Control Review is a process such as
Circular A-130 computer security reviews, Circular A-127
financial system reviews, Inspector General audits, and other
management and consulting reviews to determine that the
control techniques in an agency component are operating in
compliance with this circular. Such alternative reviews must
determine overall compliance and include testing of controls
and the development of required documentation.
g. Internal Control Standards — the standards developed by the
General Accounting Office, and published in "Standards for
Internal Controls in the Federal Government," October 31,
1984. Implementation of the standards should be in
accordance with this circular, consistent with agency needs
for sound cost-effective internal control systems.
h. Internal Control System — the organization structure,
operating procedures, and administrative practices adopted by
all levels of management to provide reasonable assurance that
programs and administrative activities are effectively
carried out in accordance with the objectives of the
Integrity Act and this circular.
i. Internal Control Techniques — the management processes and
documents necessary to accomplish an internal control
objective.
j. Management Control Plan (MCP) — a brief, written plan which
summarizes the agency's risk assessments, planned actions,
and internal control evaluations to be undertaken to provide
reasonable assurance that controls are in place and working
and is used to manage Integrity Act implementation.
k. Material Weakness — a specific instance of non-compliance
with the Integrity Act of sufficient importance to be
reported to the President and Congress. Such weakness would
significantly impair the fulfillment of an agency component's
mission; deprive the public of needed services; violate
statutory or regulatory requirements; significantly weaken
safeguards against waste, loss, unauthorized use or
misappropriation of funds, property, or other assets; or
result in a conflict of interest.
l. Reasonable Assurance — a judgment by an agency head based
upon all available information that the systems of internal
control are operating as intended by the Integrity Act.
m. Risk Assessment — a documented review by management of a
component's susceptibility to waste, loss, unauthorized use,
or misappropriation. Risk assessments are of two types:
(1) vulnerability assessments as provided in the guidelines,
and
(2) alternative procedures tailored to agency circumstances.
n. Testing — procedures to determine whether internal control
systems are working in accordance with management internal
control objectives.
6. Responsibility. The head of each agency is responsible for
ensuring that the design, installation, documentation, evaluation,
and improvement of internal controls, and issuance of
reports on the agency's internal controls are in accordance with
the requirements of the Integrity Act and this circular.
a. A senior official shall be designated in each agency who
shall be responsible for coordinating the overall agency-wide
effort to comply and evaluate compliance with the Integrity
Act and this circular.
b. Heads of agency components are responsible for developing and
administering the systems of internal controls in their
units. This responsibility includes reporting to the agency
head each year on the compliance of the internal control
systems in their component with the requirements of the
Integrity Act and this circular. Quality controls are to be
established to assure the accuracy of reports to the agency
head.
c. The Inspector General (IG) or the senior audit official where
there is no IG, through a program of audits and investigations,
is an integral part of the agency's internal control
process. Routine evaluations of internal controls should be
included within the scope of internal audits and reflected in
the resultant reports. The reports are to be included within
the sum of all information available to managers for their
consideration in making the reasonable assurance determination
for use in the annual internal control statement.
In addition, the IG or senior audit official should be
consulted in the internal control process. The IG should
provide technical assistance in the agency efforts to
evaluate and improve systems affected by this circular, and
may advise the agency head whether the agency's review and
evaluation process has been conducted consistent with this
circular. Consultation and the provision of technical advice
by the IG during agency planning efforts should not preclude
the IG from independently making any reviews or audits or
otherwise limit the authority of the IG.
7. Objectives of Internal Control. The objectives of internal
control apply to all program and administrative activities.
Internal control systems are to provide management with
reasonable assurance that:
a. Obligations and costs comply with applicable law.
b. Assets are safeguarded against waste, loss, unauthorized use
and misappropriation.
c. Revenues and expenditures applicable to agency operations are
recorded and accounted for properly so that accounts and
reliable financial and statistical reports may be prepared
and accountability of the assets may be maintained.
d. Programs are efficiently and effectively carried out in
accordance with applicable law and management policy.
8. Required Agency Actions. Each agency shall meet the following
requirements in a cost-effective manner.
a. Maintain a current internal control directive assigning
management responsibility for internal controls in accordance
with this circular and the Internal Control Guidelines with
the following provisions. Provide for coordination on
internal control matters among the designated internal
control official, heads of agency components, program
managers and staffs, and the IG office or its equivalent.
Establish administrative procedures to enforce the intended
functioning of internal controls. Require performance
agreements, for each Senior Executive Service and Merit Pay
or equivalent employee with significant responsibility for
internal controls, which result in recognition for positive
internal control accomplishments such as timely correction of
internal control weaknesses and appropriate action for
violations of internal controls.
b. Develop a Management Control Plan (MCP) or plans to be
updated annually. The primary purpose of an MCP is to
identify component inventory, to show risk rating of
component (high, medium, low), and to provide for necessary
evaluations over a five-year period. Material weaknesses and
other areas of management concern may also be monitored
through the plan. High risk components and material
weaknesses must be acted upon during the first year of the
plan. The plan should be based upon the schedule of actions
in each major component, and identify the senior managers
responsible. Management should utilize the plan for
monitoring progress and ensuring that planned actions are in
fact taken. MCP's are intended to be part of each agency's
overall planning process and at a minimum should be linked to
activities under A-127 and A-130. The first MCP should be
issued and in effect by December 31, 1987.
c. Make risk assessments to identify potential risks in agency
operations which require corrective action or further
investigation through internal control evaluations or other
actions. These may follow the vulnerability assessment
procedures in the Internal Control Guidelines or may be based
on a systematic review building on management's knowledge,
information obtained from management reporting systems,
previous risk assessments, audits, etc. Management should
update its risk assessment of agency components at least once
every 5 years and as major changes occur. Risk assessment on
new or substantially revised programs should occur as part of
planning for implementation and the results reflected in the
MCP. Risk assessments are to be considered as part of
developing the MCP.
d. Make internal control evaluations using the procedures in the
Internal Control Guidelines or alternative reviews to determine
whether the internal control system is effective and is
operating in compliance with the Integrity Act and this
circular. These reviews should identify internal controls
that need to be strengthened or streamlined. The composite
of all information that management relies upon to judge their
systems effectiveness must include information on the results
of tests of their operating internal control systems.
e. Implement corrective actions identified by agency internal
control evaluation efforts on a timely basis. A formal
followup system should be established that records and tracks
recommendations and projected action dates, and monitors
whether the changes are made as scheduled. The tracking
system should be made part of broader agency management
reporting systems whenever feasible.
9. Reporting. By December 31 of each year, the head of an agency
subject to P.L. 97-255 (31 U.S.C. 3512) shall submit a statement
to the President and to Congress as of the close of the fiscal
year: stating whether the evaluation of internal controls was
conducted in accordance with this circular, and whether the
agency's system of internal controls taken as a whole complies
with the standards developed by the General Accounting Office
and implemented through this circular and provides reasonable
assurance that programs are effectively carried out in
accordance with applicable law; reporting the material
weaknesses, if any, in the agency's system of internal controls,
however identified; and containing a plan for correcting
material weaknesses.
Instructions to be followed in preparing this report will be
published in supplemental guidance provided by OMB.
10. Effective Date. This circular is effective upon publication.
11. Inquiries. All questions or inquiries should be addressed to the
Financial Management Division, Office of Management and Budget,
telephone number 202/395-3993.
12. Sunset Review Date. This circular shall have an independent
policy review to ascertain its effectiveness three years from the
date of issuance.
ler III
-------
-------
Internal Control Guidelines
This supplement to the 1982 Internal Control Guidelines is
intended to clarify their applicability and to assist agencies in
determining risk of fraud, waste, and loss; and rapidly
identifying and correcting material weaknesses in management
controls.
Compliance with the Internal Control Guidelines is not
mandatory, provided agencies adopt alternative procedures of
equivalent efficacy. These agency procedures must determine
relative risk of fraud, abuse, and other losses in agency programs
and administrative activities; and also identify and correct
material weaknesses in agency internal control systems.
Since agency managers have the responsibility for improving
controls, Circular A-123 requires the use of a management control
plan to ensure efficient procedures, integration with other
management processes, and compliance with the circular.
Management Control Plans (MCPs)
Each agency is required by Circular A-123 to develop a
five-year MCP to plan and direct the process for reviewing risk,
and identifying and correcting material weaknesses in internal
control systems. Because the MCP is primarily a document to
manage overall agency efforts under the circular, superfluous
detail should be avoided. MCPs must involve senior managers.
MCPs should fully utilize managerial knowledge and judgment within
a simple, structured process featuring clear, reasonably complete
documentation.
Items to be included in the MCP include all components in the
inventory, the name of the official responsible for Circular A-123
compliance within the component, management's assessment of the
relative risk of the component, and the year reviews of component
internal control systems are planned to be completed. Material
weaknesses identified, year identified, and year corrected or
scheduled for correction may also be included.
Though the MCP should be updated annually, a complete new MCP
is not required. An example of an MCP is attached.
-------
Alternative Internal Control Reviews
In order to streamline the process of reviewing internal
control systems and to better involve program and administrative
managers, Circular A-123 encourages agencies to use alternatives
to the internal control review process specified in the Internal
Control Guidelines.
The requirements that ACIRs must meet include compliance with
Circular A-123 and sample testing of controls in operation. In
responding to these requirements, agencies may use questionnaires,
checklists, model control systems, and so on. In part these
requirements may be met by using existing agency management
reporting and review processes — including reviews made under OMB
Circulars A-76, A-127, and A-130; as well as reviews, audits,
management studies, and consultant studies.
-------
S A M
United States Department of the Interior
BUREAU OF MINES
2401 E STREET, NW.
WASHINGTON, D.C. 20241
February U, 1986
Memorandum
To: Assistant Secretary
From: Director, Bureau of Mines
Subject: Management Evaluation Plan 1986
The attached Management Evaluation Plan for 1986 has been prepared in
accordance with instructions provided in your memorandum of January 10, 1986.
The process used at the Bureau of Mines complies with recommendations made by
the Office of the Inspector General (OIG) in Memorandum Audit Report
E -MO -MOA-10-85-8, "Comments on Statements and Reports Prepared by the U.S.
Geological Survey and Bureau of Mines for Fiscal Year 1985 Under the Federal
Managers Financial Integrity Act of 1982"; and commitments made in the Bureau
response of December 18, 1985, to the audit report.
The procedure used in the assignment of risk and the development of the
Management Evaluation Plan are described in Attachment II to this memorandum.
Several changes have been made in the Inventory. They include:
1. Addition of three components that were recommended in the OIG report:
Division of State Activities, the adjudication process of the Office of Equal
Employment Opportunity, and Mineral Institutes Program. The State Activities
Program was a component prior to 1984 when the organization was called Office
of State Liaison. The Office of Equal Employment Opportunity adjudication
process, and the Mineral Institutes Program are new programs.
2. Deletion of the Grants and Cooperative Agreements component because
the grants activity is part of the Mineral Institutes Program and will be
reviewed with that component, and the Bureau does not have any cooperative
agreements.
The OIG report also recommended component status for the Office of Technical
Information, the Office of Congressional Liaison, the Senior Advisory Staff,
and the Special Projects Staff. The functions of these organizations were
analyzed to determine whether they qualify for component status. The OMB
-------
guidelines specifically exclude from component status statutory development or
interpretation, determination of program need, and other discretionary policy-
making processes in an agency. The organizations proposed for component status
by the OIG perform staff functions that qualify for exemption and therefore
were not included in the inventory.
We will be pleased to provide additional information that you may require.
Attachments
-------
-------
Attachment II
Procedure Used In Developing the 1986 Management Evaluation Plan
During the period January 15-24, 1986, the Internal Control Coordinator
reviewed past Internal Control Reviews, Vulnerability Assessments, Audits,
Reports, and the Component Inventory within the framework of the 1986
Management Evaluation Plan (MEP) Instructions provided by the DOI Office of
Financial Management (PFM). The criteria provided by PFM were reviewed for
applicability to the various components and modified as appropriate.
Recommendations in the Office of the Inspector General (OIG) report on the 1985
process were built into the process for developing the 1986 MEP.
On January 27, 1986, a meeting was held with the Director, Deputy Director,
Assistant Director--Finance and Management, and Internal Control Coordinator to
discuss: changes in the 1986 process for internal control reviews; how the
streamlining would affect the Bureau; the most effective way of conducting the
risk assessment; developing the plan; and scheduling of the 1986 reviews and
training. For the seven organizational entities proposed for component status
by the Inspector General, it was decided that a meeting should be held with
each manager to review the organization against the PFM criteria for risk and
to assess whether there are operational activities that meet the criteria for
component status.
On January 28 - February 13, 1986, meetings and conferences were held with the
Internal Control Coordinator, each Assistant Director, each Division Chief and,
where appropriate, staff persons responsible for the conduct of internal
control reviews.
Components in the previous inventory were given a risk assessment and scheduled
for review as appropriate. The seven proposed components were examined, and it
was determined that the Division of State Activities, Office of Equal
Employment Opportunity, and Office of Mineral Institutes have operational
functions that should be subject to an internal control review. The Office of
Technical Information, Office of Congressional Liaison, Director's Senior
Advisory Staff, and the Special Projects Staff of the Assistant Director—
Mineral Data Analysis all perform mostly staff and/or policy analysis
functions that exclude them from component status, according to definitions
provided by OMB.
In assigning level of risk, the following additional criteria were used: (1)
interactions with other organizations in such a way that the ability of either
organization to accomplish its mission could be adversely affected by actions
of the other, (2) degree of impact the program might have on resources of the
Bureau as a whole, (3) size and scope of the program, and (4) congressional
interest in the program.
Although no component material control weaknesses were identified as a result
of this process, it should be noted that risk assessment ratings appear to be
more realistic than those assigned in the past. Managers judged the risk
-------
Page 2 of Attachment II
potential using weighting factors in making their risk assessments that were
tailored to their program. Some components that had received a LOW rating
under the old system were given a MEDIUM rating under the new system. Also,
some of the functional components that had received a HIGH rating under the old
system were given either MEDIUM or LOW ratings this time.
Details of the risk assessments for each of the components are available from
the Bureau's Internal Control Coordinator.
The Director will present the final ratings and the schedule for internal
control reviews over the next three years to the Assistant Directors and
Division and Office Chiefs at a staff meeting Tuesday, February 18, 1986. The
Director of the Office of Financial Management is expected to attend the
meeting and discuss the revised and streamlined procedures.
-------
RESOURCES MANAGEMENT DIRECTIVES
INTERNAL CONTROL
SECTION 2560 - INTERNAL CONTROL
Table of Contents
PARAGRAPH TITLES                                      PARAGRAPH NUMBERS
PURPOSE                                               1
SCOPE                                                 2
BACKGROUND                                            3
ROLES AND RESPONSIBILITIES                            4
  Administrator                                       4.a.
  Assistant Administrator, Office of Administration
    & Resources Management                            4.b.
  The Comptroller                                     4.c.
  Resources Management Division                       4.d.
  Agency Internal Control Staff                       4.e.
  Primary Organization Heads                          4.f.
  Inspector General                                   4.g.
  Program Managers                                    4.h.
POLICY AND OBJECTIVES                                 5
STANDARDS AND GUIDELINES                              6
  GAO Internal Control Standards                      6.a.
  OMB Guidelines                                      6.b.
EVALUATION, IMPROVEMENT, AND REPORTING PROCEDURES     7
OVERVIEW OF THE INTERNAL CONTROL PROCESS              8
FURTHER INFORMATION                                   9
APPENDIX TITLES                                       APPENDIX NUMBERS
Definitions of Commonly Used Terminology              2560-1
-------
-------
2560 - INTERNAL CONTROL
1. PURPOSE. This Directive reviews the
background of EPA's internal control process,
defines major internal control terminology,
prescribes standards and guidelines for
internal control systems in EPA, presents an
overview of EPA's internal control process,
and outlines the major roles and responsi-
bilities of EPA managers.
2. SCOPE. The provisions of this Directive
apply to all EPA organizations.
3. BACKGROUND. The Federal Government
has long been concerned with the need for
internal control systems designed to prevent
fraud, waste, abuse, and mismanagement of
Government funds. The Accounting and
Auditing Act of 1950 made the head of each
executive department and agency responsible
for establishing and maintaining effective
systems of internal control.
As the Federal government grew during the
1960s and 1970s, there were efforts to
strengthen the effectiveness of internal
controls. In October 1981, the Office of
Management and Budget (OMB) issued Circular
A-123 to address numerous instances of fraud,
waste, and abuse of Government resources and
mismanagement of Government programs
resulting from poor internal controls.
In September 1982, the Congress and the
President enacted the Federal Managers'
Financial Integrity Act (FMFIA), which
amended the 1950 Act. The goal of this
legislation is to help reduce fraud, waste,
and abuse and to improve management of
Federal operations.
The FMFIA requires that the internal
accounting and administrative controls of
each agency conform to standards prescribed
by the Comptroller General. OMB must
establish guidelines by which agencies can
evaluate their systems of internal control.
The FMFIA also mandates that each executive
agency annually evaluate its system of
internal accounting and administrative
controls. Further, the FMFIA requires agency
heads to report to the President and to
Congress annually on whether their internal
control systems comply with the requirements
of the Act. If systems do not comply, agency
heads must identify material weaknesses and
present plans for corrective actions.
Pursuant to this Act, OMB issued "Guidelines
for the Evaluation and Improvement of and
Reporting on Internal Control Systems in the
Federal Government" in December 1982. The
Comptroller General issued "Standards for
Internal Control in the Federal Government"
in June 1983. OMB subsequently revised
Circular A-123 in August 1983, to include the
new requirements contained in the FMFIA. OMB
revised the Circular again in August 1986.
4. ROLES AND RESPONSIBILITIES. This sec-
tion outlines the roles of various Agency
personnel and organizations charged with
implementing the FMFIA.
a. Administrator. The EPA Administrator
is responsible for ensuring that the design,
installation, documentation, evaluation, and
improvement of internal controls, and
issuance of reports on the Agency's internal
controls meet the requirements of the FMFIA
and OMB Circular A-123. Specifically, the
Administrator must report annually to the
President and the Congress on whether EPA's
internal control systems comply with the
FMFIA's objectives. To the extent that the
systems do not comply, the Administrator must
identify material weaknesses and offer plans
for corrective actions. The Administrator
must also report on whether EPA's accounting
system conforms to the Comptroller General's
standards.
b. Assistant Administrator, Office of
Administration and Resources Management
(OARM). The Assistant Administrator for OARM
is EPA's designated senior internal control
official and is responsible for:
(1) Coordinating EPA's efforts to
comply and evaluate compliance with the
FMFIA;
-------
(2) Developing an EPA-wide inventory
of assessable units in consultation with
other primary organization heads (POHs);
(3) Providing guidance on the perform-
ance of vulnerability assessments, internal
control reviews, and other internal control
activities;
(4) Ensuring that appropriate internal
control responsibilities are included in the
performance agreements of EPA managers;
(5) Providing training on the perform-
ance of vulnerability assessments, internal
control reviews, and other internal control
activities;
(6) Ensuring that vulnerability
assessments, internal control reviews, and
annual status reports on internal control
systems are completed according to
appropriate guidance;
(7) Coordinating an EPA-wide risk
(vulnerability) assessment at least once
every five years;
(8) Overseeing the development of an
Agency management control plan at least once
every five years and ensuring that it is
updated annually;
(9) Reporting to the Administrator,
by December 15 of each year, on whether or
not the EPA's internal control evaluation
indicated compliance with the FMFIA and OMB
Circular A-123; and
(10) Submitting to the Administrator
by December 15 of each year, a proposed
internal control statement for the President
and for Congress.
c. The Comptroller. The Office of the
Comptroller is responsible for:
(1) Developing, issuing, and implement-
ing policies and procedures for evaluating,
improving, and reporting on financial manage-
ment accounting systems;
(2) Maintaining liaison with OMB,
GAO, and others on evaluating, improving, and
reporting processes;
(3) Monitoring the status and quality
of evaluations and reports;
(4) Preparing the Administrator's annual
report to the President and to Congress;
(5) Monitoring actions on reported
material instances of nonconformance to
ensure prompt effective actions; and
(6) Developing a five-year plan for
integrating EPA financial management systems.
d. Resource Management Division. The
Resource Management Division (RMD) of the
Office of the Comptroller is responsible for:
(1) Ensuring that EPA managers are
aware of their internal control responsibilities;
(2) Ensuring consistent and timely
compliance of all relevant EPA organizational
units with this directive;
(3) Coordinating, monitoring, and
providing guidance on EPA's implementation of
FMFIA;
(4) Ensuring that FMFIA is implemented
consistently within EPA;
(5) Requiring internal control reports to
be submitted on time;
(6) Initiating an internal control quality
assurance program; and
(7) Providing supplemental training
and assistance to EPA employees concerning
their responsibilities under FMFIA.
e. Agency Internal Control Staff. The
Internal Control Staff (ICS) of RMD is
responsible for coordinating, monitoring, and
providing guidance on the implementation of
the FMFIA.
f. Primary Organization Heads. Within
the jurisdiction of their organizational units,
the POHs are responsible for:
(1) Developing and maintaining effective
systems of internal control;
(2) Resolving audit findings consistent
with the GAO Standards;
-------
(3) Conveying, in writing, to employees
at each level of management their internal
control responsibilities and expected perform-
ance and incorporating their responsibilities
and standards in their performance agreements
and appraisals;
(4) Evaluating internal control systems
on a continuing basis and taking appropriate
corrective action when weaknesses are
detected;
(5) Reporting immediately to the
Inspector General any instances of illegal
conduct, wrongdoing, or fraud identified by
internal control evaluations;
(6) Assisting the Office of Administra-
tion and Resources Management (OARM) in
identifying assessable units within areas
of program responsibility;
(7) Developing internal control documen-
tation in accordance with OARM guidance;
(8) Performing vulnerability assessments
for each assessable unit as required by
schedules established with OARM;
(9) Scheduling and performing internal
control reviews as required by OARM;
(10) Developing action plans to
correct weaknesses in internal controls and
assigning responsibility for implementation
of these actions within deadlines; and
(11) Reporting to the Assistant
Administrator, OARM, by October 31 of each
year, that the organization's internal
controls have been evaluated in accordance
with OARM guidance. The report must describe
any material weaknesses disclosed by the
evaluation, the action plans for correcting
these weaknesses, and the status of actions
taken to correct any weaknesses identified in
prior year's reports.
g. Inspector General. The Inspector General
is responsible for:
(1) Providing technical assistance in
EPA's effort to evaluate and improve internal
controls;
(2) Performing audits and reviews of
internal control documentation and systems to
determine whether they meet the internal
control standards and guidelines;
(3) Recommending improvements in
internal control practices and procedures as
a result of audits and reviews;
(4) Reporting to the Administrator,
by December 15 of each year, on whether EPA's
implementation of FMFIA is being carried out
in a reasonable and prudent manner; and
(5) Investigating and reporting any
instances of illegal conduct, wrongdoing, or
fraud reported in accordance with this
Directive.
h. Program Managers. All EPA managers
are responsible for operating effective and
efficient systems of internal control. They
must also evaluate the control system
periodically and take timely corrective
actions on all identified weaknesses.
5. POLICY AND OBJECTIVES.
a. Policy. All EPA organizations shall
develop and maintain effective systems of
internal control over their program
operations and administrative functions. In
implementing this policy, primary organiza-
tion heads (POHs) shall evaluate all internal
control systems on an ongoing basis, take
prompt action to correct weaknesses, and
report all findings and corrective actions
taken.
b. Objectives. The objectives of main-
taining effective internal control systems
are to provide reasonable assurance that:
(1) Obligations and costs comply with
applicable law;
(2) Assets are safeguarded against
waste, loss, unauthorized use, or misapp-
ropriation of resources;
(3) Revenues and expenditures
applicable to EPA operations are recorded and
accounted for properly, so that accounts and
reliable financial and statistical reports
may be prepared and accountability of the
assets may be maintained; and
-------
(4) Programs are efficiently and
effectively carried out in accordance with
applicable law and management policy.
6. STANDARDS AND GUIDELINES. The follow-
ing Federal standards and guidelines govern EPA's
internal control system.
a. GAO INTERNAL CONTROL STANDARDS.
The following standards as defined by the
Comptroller General define the minimum level
of quality acceptable for internal control
systems and constitute the criteria against
which systems are evaluated. The internal
control standards apply to all Agency program
operations and administrative functions.
They are organized into five general
standards which apply to all aspects of
internal controls, six specific standards
designed to assure that the internal control
objectives will be met, and one audit
standard which defines managers'
responsibilities for proper resolution of
audit findings.
(1) General Standards.
(a) Reasonable Assurance. Internal
control systems are to provide reasonable
assurance that the objectives of the systems
will be met.
(b) Supportive Attitude. Managers and
employees are to maintain and demon-
strate a positive and supportive attitude
toward internal controls.
(c) Competent Personnel. Managers
and employees are to have personal and pro-
fessional integrity and are to maintain a
level of competence that allows them to
accomplish their assigned duties, as well
as understand the importance of developing
and implementing good internal controls.
(d) Control Objectives. Internal con-
trol objectives are to be identified or develop-
ed for each agency activity and are to be
logical, applicable, and reasonably complete.
(e) Control Techniques. Internal control
techniques are to be effective in accomplishing
their internal control objectives.
(2) Specific Standards.
(a) Documentation. Internal control
systems and all transactions and other
significant events are to be clearly documented,
and the documentation is to be readily
available for examination.
(b) Recording of Transactions and
Events. Transactions and other signifi-
cant events are to be promptly recorded
and properly classified.
-------
b. OMB GUIDELINES. The FMFIA requires
OMB to issue guidelines for agencies to use
in developing specific plans to self-evaluate
their internal control systems and determine
whether those systems comply with the GAO
Standards.
These guidelines present a five-phased
approach for agencies to evaluate, improve,
and report on their internal controls. The
guidelines require agencies to:
(1) Organize the evaluation;
(2) Identify programs and administrative
functions;
(3) Conduct risk (vulnerability) assessment;
(4) Conduct internal control evaluations;
and
(5) Report under the FMFIA.
EPA has adopted a modified version of this
approach. Paragraphs 7 and 8 present an
overview of EPA's approach.
7. EVALUATION, IMPROVEMENT, AND
REPORTING PROCEDURES. Pursuant to these
requirements, standards, and guidelines, the
Agency will implement evaluation, improvement,
and reporting procedures as follows:
a. Identify Agency Assessable Units.
Develop an inventory of assessable units
covering all program operations and
administrative functions.
b. Develop Internal Control Documen-
tation. For each assessable unit,
identify and document the event cycles, the
internal control objectives of each cycle,
the risks of not achieving each objective,
and the internal control techniques designed
to achieve the objective. Managers should
incorporate this information in their internal
control documentation.
c. Develop a Management Control Plan.
(1) Identify the component inventory.
(2) Show the risk ratings of compon-
ents (high, medium, and low).
(3) Provide for necessary evaluations
over a five-year period.
(4) Monitor material weaknesses and
other areas of management concern.
d. Perform Risk (Vulnerability) Assessments.
(1) Analyze the general control
environment. Consider management's commit-
ment to strong controls; organizational
structure; personnel competence and integrity;
delegating authority and communicating respons-
ibility; policies and procedures; definition,
documentation, and dissemination of budgeting
and reporting practices; organizational checks
and balances; and ADP practices.
(2) Analyze the inherent risk of the
assessable unit. Consider its purpose and
characteristics; available resources; impact
outside the Agency; age and life expectancy;
degree of centralization; special concerns
such as interest by the President, Congress,
the courts, OMB, the Administrator, or the
media; and prior reviews or reports submitted
by the IG, GAO and others, and management
responsiveness to their recommendations.
(3) Make a preliminary judgement of
the adequacy of internal controls.
(4) Report on the vulnerability of
the assessable unit and characterize the
assessable unit as having high, medium, or
low vulnerability.
e. Resolve Internal Control Weaknesses.
(1) Analyze any highly vulnerable areas
identified through the risk (vulnerability)
assessment process plan.
(2) Determine the cause and effect of the
weakness.
(3) Select and implement cost-effective
actions to correct the weakness.
f. Schedule Internal Control Evaluations.
(1) Schedule and document Internal
Control Reviews or Alternative Reviews
performed annually so that the POH can
provide "reasonable assurance" that internal
controls are functioning properly.
-------
(2) Based on the results of the risk
assessment, establish the list of assessable
units to be studied during the internal
control review process.
(3) Ascertain whether managers have
properly identified and documented the event
cycles, control objectives, associated risks,
and control techniques for the assessable
unit.
(4) Update the analysis of the
general control environment performed for the
risk assessment.
(5) Determine which event cycles
contribute to the vulnerability of the
assessable unit and schedule an internal
control or alternative review on each of
these event cycles.
g. Perform Internal Control Evaluations.
(1) Evaluate the stated internal
control techniques and perform tests to
determine whether they are functioning as
intended.
(2) Report the results of the review
and recommendations to correct any weaknesses
observed.
h. Improve Internal Controls.
(1) Select cost-effective actions to
correct weaknesses.
(2) Develop an action plan.
(3) Initiate corrective actions.
(4) Monitor progress and report
performance through Corrective Action
Tracking System (CATS).
i. Report to the President and the
Congress. The Act requires a statement by
December 31 of each year from the
Administrator to the President and the
Congress stating whether or not the Agency's
systems of internal accounting and
administrative control comply with the
requirements of the Act. If the systems do
not fully comply, the statement must identify
any material weaknesses and the plans for
correcting them. The statement by the
Administrator will be supported by reports
from the POHs, as discussed in Section 9.
8. OVERVIEW OF THE INTERNAL CONTROL
PROCESS. Exhibit 2560-1 illustrates EPA's
internal control process and briefly describes
each step in the process. Technical guidance
to this directive, when published, will outline
in greater detail the different aspects of
the process.
9. FURTHER INFORMATION. For further
information on the topics discussed in this
Division, contact: Director, Resource Manage-
ment Division, Room 1125, West Tower, PM-225,
Washington, D.C. 20460.
-------
DEFINITION OF COMMONLY USED TERMINOLOGY
Action Plan. A document identifying major work steps and scheduled start and completion
dates for correcting internal control deficiencies.
Agency Component. A major organization, program, administrative activity, or functional
subdivision of the Agency having one or more separate systems of internal control.
Assessable Unit. A program operation or administrative function subject to a risk
(vulnerability) assessment. An assessable unit is comprised of related event cycles.
Corrective Action Tracking System (CATS). The automated Agency system used to track actions
taken to correct identified internal control weaknesses. EPA also uses CATS to track followup
actions taken in response to findings/recommendations contained in final audit reports.
Event Cycle. A group of related steps needed to complete an activity in an Assessable Unit.
These steps include: starting and performing tasks; documenting the effort; and gathering and
reporting data.
General Control Environment. Various environmental factors that influence the effectiveness of
internal controls.
Inherent Risk. The inherent potential for waste, loss, unauthorized use, or misappropriation
due to the nature of an activity itself.
Internal Control. The plan of organization, methods, and procedures that management uses to
provide reasonable assurance that obligations and costs comply with applicable law; funds,
property, and other assets are safeguarded against waste, loss, unauthorized use, or
misappropriation; and revenues and expenditures applicable to Agency operations are properly
recorded and accounted for.
Internal Control Coordinator. Individual designated by each Primary Organization Head (POH) to
coordinate, monitor and implement Agency internal control guidance in their organization. An
Internal Control Coordinator (ICC) is responsible for ensuring that their organizations make
good progress in implementing the Act so the POH can provide "reasonable assurance" of
compliance with the FMFIA.
Internal Control Documentation. Written materials of two types:
(1) System documentation. The policies arid p'rocedures, organization charts, manuals,
memoranda, flow charts, and related written materials necessary to describe organizational
structure, operating procedures, and administrative practices; and to communicate
responsibilities and authorities-for accomplishing programs and activities. Management should
require such documentation to be present to effectively control operations.
(2) Review documentation. Materials showing the type and scope of review, the
responsible official, the pertinent dates and facts, the key findings, and the recommended
corrective actions. Documentation is adequate when a reasonably knowledgeable reviewer can
understand it.
Appendix 2560-1a
-------
RESOURCES MANAGEMENT DIRECTIVES
INTERNAL CONTROL
2560
Internal Control Evaluation. A detailed evaluation of a program or administrative activity to
determine whether adequate control techniques exist or are implemented to achieve cost-
effective compliance with the Integrity Act. Control evaluations are of two types:
(1) Internal Control Review. A detailed examination of a system of internal controls
using the methodology specified in the internal control guidelines issued by the Office of
Management and Budget. All reviews should produce written materials documenting what was done
and what was found.
(2) Alternative Internal Control Review. A process such as OMB Circular A-130
Computer Security Reviews, Circular A-127 Financial System Reviews, Inspector General audits,
and other management and consulting reviews performed to determine whether control techniques
in an agency component are operating in compliance with OMB Circular A-123. Such alternative
reviews must determine overall compliance and include testing of controls and the development
of required documentation.
Internal Control Guidelines. The guidelines issued by the Office of Management and Budget
(OMB) in December 1982, entitled "Guidelines for the Evaluation and Improvement and Reporting
on Internal Control Systems in the Federal Government," or as they may be modified
subsequently. These guidelines present a suggested approach; individual agencies may adapt
them to meet their needs provided that any adaptation remains in compliance with OMB Circular
A-123.
Internal Control Objective. A specific end to be achieved by control techniques used in a
component. Each objective is to take into consideration the nature of the component and the
requirements of OMB Circular A-123. Management should consider limiting factors such as budget
constraints, statutory and regulatory restrictions, staff limitations, and the cost-benefits of
each control technique in determining desired internal control objectives.
Internal Control Standards. The standards developed by the General Accounting Office (GAO),
and published as "Standards for Internal Controls in the Federal Government" on June 1, 1983
and revised October 31, 1984. Implementation of the standards should be in accordance with OMB
Circular A-123 and consistent with Agency needs for sound, cost-effective internal control
systems.
Internal Control System. The organization, structure, operating procedures, and administrative
practices adopted by all levels of management to provide reasonable assurance that programs and
administrative activities are effectively carried out in accordance with the objectives of the
FMFIA and OMB Circular A-123.
Internal Control Techniques. The management processes and requirements necessary to
accomplish an internal control objective.
Management Control Plan (MCP). A written five-year plan summarizing an agency's risk
assessments, planned actions, and internal control evaluations performed to provide reasonable
assurance that controls are in place and working. Agencies use the MCP to manage FMFIA
implementation.
Manager/Supervisor. All EPA SES and GM employees and those GS employees having supervisory
responsibilities.
Appendix 2560-1b
-------
Material Weakness. A specific instance of non-compliance with the FMFIA of significant
importance to be reported to the President and the Congress. Such a weakness would
significantly impair the fulfillment of a component's mission; deprive the public of needed
services; violate statutory or regulatory requirements; significantly weaken safeguards against
waste, loss, unauthorized use or misappropriation of funds, property, or other assets; or
result in a conflict of interest.
Primary Organization. A major EPA organizational component (there are 22) headed by either the
Deputy Administrator, the Assistant Administrator, the Regional Administrator, the Inspector
General, or the General Counsel.
Reasonable Assurance. A judgment based upon all available information that the systems of
internal control are operating as intended by the FMFIA.
Risk Assessment. A documented review by management of a component's susceptibility to waste,
loss, unauthorized use, or misappropriation. Risk assessments are also known as vulnerability
assessments (VAs). VAs are defined in OMB guidance and may be tailored to Agency
circumstances.
Testing. Procedures used to determine whether internal control systems are working in
accordance with management internal control objectives.
Appendix 2560-1c
-------
-------
UNITED STATES
ENVIRONMENTAL PROTECTION AGENCY
QUALITY ASSURANCE
WORKSHOP
"A Simple Approach to Performing
Internal Control Evaluations"
Office of the Comptroller Conference
June 10-12, 1987
OFFICE OF THE COMPTROLLER
FINANCIAL MANAGEMENT DIVISION
FCQAS Financial Compliance and Quality Assurance Staff
-------
-------
INTERNAL CONTROL EVALUATIONS
"A Simplified Approach"
WHAT ARE INTERNAL CONTROL EVALUATIONS?
DEFINITION: DETAILED EVALUATION OF A PROGRAM OR ADMINISTRATIVE ACTIVITY TO
DETERMINE IF ADEQUATE CONTROL TECHNIQUES EXIST AND ARE OPERATING
TO ACHIEVE COST-EFFECTIVE COMPLIANCE WITH THE INTEGRITY ACT.
NOTE: An Internal Control Evaluation Does Not Require the Evaluation of the Entire
Control System. Evaluations Need Only Focus on Controls in High Risk Areas.
There are two types of Internal Control Evaluations performed in EPA. They are described
below:
INTERNAL CONTROL REVIEWS (ICRs):
DEFINITION: DETAILED EXAMINATION OF A SYSTEM OF INTERNAL CONTROLS USING THE FULL
EVENT CYCLE METHODOLOGY SPECIFIED IN THE INTERNAL CONTROL GUIDELINES
TO DETERMINE WHETHER ADEQUATE CONTROL MEASURES EXIST AND ARE
IMPLEMENTED TO ACHIEVE THE OBJECTIVES OF INTERNAL CONTROL.
The step-by-step ICR Event Cycle Methodology is listed below:
STEP 1. ANALYZE AND EVALUATE THE GENERAL CONTROL ENVIRONMENT
STEP 2. IDENTIFY AND DOCUMENT THE EVENT CYCLES
STEP 3. IDENTIFY AND DOCUMENT RISKS FOR EACH EVENT CYCLE
STEP 4. IDENTIFY CONTROL OBJECTIVES FOR THE RISKS
STEP 5. IDENTIFY AND EVALUATE CONTROL TECHNIQUES FOR THE OBJECTIVES
STEP 6. TEST THE INTERNAL CONTROLS
STEP 7. MAKE OVERALL EVALUATION AND COMPARE TO THE GAO STANDARDS
STEP 8. IDENTIFY AND IMPLEMENT CORRECTIVE ACTIONS
STEP 9. REPORT THE RESULTS
REMEMBER . . . before you even PLAN an ICR make sure that you do, in fact, have to do one.
Most EPA offices are conducting reviews only on those internal control review areas rated high
or moderate in vulnerability. Even if your internal control area was rated high or moderate,
there may be acceptable substitutes for an ICR, such as ALTERNATIVE INTERNAL CONTROL
REVIEWS.
-------
ALTERNATIVE INTERNAL CONTROL REVIEWS (AICRs):
DEFINITION: ANY REVIEW OF INTERNAL CONTROLS WHICH DOES NOT USE THE FULL EVENT
CYCLE METHODOLOGY. SUCH ALTERNATIVE REVIEWS MUST DETERMINE
OVERALL COMPLIANCE AND INCLUDE TESTING OF CONTROLS AND THE
DEVELOPMENT OF REQUIRED DOCUMENTATION.
ALTERNATIVE ICRs CAN BE CONDUCTED:
-- Through Existing Review Processes:
o A-130 Computer Security Reviews
o A-127 Financial Systems Reviews (TRANSACTION TESTING)
o Routine Management Studies
-- Financial Assistance Reviews (FARs)
-- Management Assistance Reviews (MARs)
-- Quality Assurance Reviews (QARs)
o Consulting Studies
o Procurement Certification Reviews
-- As separate reviews. When conducted separately, they should focus on high risk
areas/activities. (TRANSACTION TESTING)
-- Audits of Internal Control Systems - i.e., Inspector General Audits.
The chart on the following page highlights the differences in ICRs versus Alternative ICRs.
-------
ICRs VS. ALTERNATIVE ICRs
ICRs:
o ANALYZE AND EVALUATE GENERAL CONTROL ENVIRONMENT
o IDENTIFY ALL EVENT CYCLES
o IDENTIFY ALL RISKS FOR EACH CYCLE
o IDENTIFY CONTROL OBJECTIVES FOR THE RISKS
o IDENTIFY AND EVALUATE CONTROL TECHNIQUES FOR THE OBJECTIVES
o TEST INTERNAL CONTROLS
o MAKE OVERALL EVALUATION AND COMPARE TO THE GAO STANDARDS
o IDENTIFY AND IMPLEMENT CORRECTIVE ACTIONS
o REPORT ON RESULTS
ALTERNATIVE ICRs:
o IDENTIFY HIGH RISK ACTIVITIES
o IDENTIFY CONTROLS OVER HIGH RISK ACTIVITIES
o LIMITED TEST OF SIGNIFICANT CONTROLS
o COMPARE TO THE GAO STANDARDS
o IDENTIFY AND IMPLEMENT CORRECTIVE ACTIONS
o REPORT ON RESULTS
NOTE: ICRs are the MOST COSTLY and TIME CONSUMING of control evaluations. Detailed
instructions on conducting ICRs are contained in the EPA manual entitled:
"IMPLEMENTATION OF THE FEDERAL MANAGER'S FINANCIAL INTEGRITY ACT
OF 1982 - GUIDE FOR PERFORMING INTERNAL CONTROL REVIEWS".
Our concentration will be on: "A SIMPLIFIED APPROACH TO PERFORMING ALTERNATIVE
INTERNAL CONTROL REVIEWS". Therefore, the next few pages will provide the minimum steps
required when performing Alternative ICRs. Following these step-by-step instructions, a
"Case Study" is provided showing when such a review would be appropriate and how the
review is performed.
-------
PERFORMING ALTERNATIVE INTERNAL CONTROL REVIEWS:
STEPS TO FOLLOW
TAKE THE FOLLOWING STEPS (OR ADD THEM TO AN EXISTING REVIEW PROCESS) TO PERFORM
AN ALTERNATIVE INTERNAL CONTROL REVIEW:
STEP 1. IDENTIFY HIGH RISK ACTIVITIES
STEP 2. SELECT ONE OR MORE HIGH RISK ACTIVITIES
STEP 3. IDENTIFY AND DOCUMENT CONTROLS
STEP 4. TEST CONTROLS
STEP 5. COMPARE TO THE GAO STANDARDS
STEP 6. IDENTIFY AND IMPLEMENT CORRECTIVE ACTIONS
STEP 7. REPORT THE RESULTS
-------
SUBSTEP 4. ANALYZE THE RESULTS
At this point, we would like you to review the data collected (Exhibit A) and discuss
among your group members what conclusions you would draw and/or recommendations you
would make.
THE FOLLOWING QUESTIONS SHOULD SERVE AS A GUIDE IN YOUR ANALYSIS OF EXHIBIT A:
1. Are payments being made in accordance with the Prompt Payment Act? Are payments made
no later than 30 days after receipt of goods or invoice, whichever is later?
2. Were all documents properly reviewed and certified prior to payment?
3. Were receiving reports obtained prior to payment?
4. Were discounts taken?
5. If payments were made too early, was it in order to take advantage of discounts?
6. If payments were made late, why?
7. Additional comments?
ONCE YOU HAVE ANALYZED THE RESULTS, REFER TO OUR SAMPLE OFFICE REVIEWER'S
ANALYSIS WHICH FOLLOWS AND THE ANSWER KEY AT THE CONCLUSION OF THE CASE
STUDY.
-------
SAMPLE OFFICE REVIEWER'S ANALYSIS
TOTAL PAYMENTS SAMPLED                                      10
NUMBER PAID EARLY                                            2
NUMBER PAID LATE (INCLUDES 2 PAID BEYOND 45 DAYS)            4
NUMBER PAID ON TIME                                          4
INVOICE NOT DATE STAMPED                                     1
TOTAL DISCOUNTS OFFERED AND TAKEN                            1
(Benefit of discount not determined;
however, discount was cost-effective
for government.)
TWO OF THE 10 PAYMENTS DID NOT SHOW EVIDENCE OF VOUCHER EXAMINER REVIEW
(INITIALS); HOWEVER, ALL DATA WAS RECHECKED AND NO PROBLEMS WERE NOTED.
2 CASES SHOWED DATE RECEIVING REPORT RECEIVED IN FINANCE OFFICE USED TO
COMPUTE DUE DATE RATHER THAN DATE GOODS ACTUALLY RECEIVED BY AGENCY.
2 PAYMENTS MADE BEYOND 45TH DAY WITHOUT INTEREST PAID TO VENDOR.
2 CASES RECEIVING REPORT RECEIVED IN FINANCE OFFICE BEYOND PAYMENT DUE
DATE.
2 CASES WHERE FOLLOWUP CALLS TO RECEIVING OFFICES WERE NOT MADE.
IN 7 OF 10 CASES RECEIVING REPORTS WERE NOT FORWARDED TO FINANCE OFFICE ON
TIME.
DESK PROCEDURES DO NOT ADDRESS REQUIRED ACTIONS IF RECEIVING REPORTS ARE NOT
RECEIVED AFTER THREE FOLLOWUP CALLS.
SUBSTEP 5. DISCUSS THE RESULTS WITH MANAGERS
The reviewer meets with the managers to discuss the results of the tests. The reviewer
presents to management not only the raw test results but also the conclusions he has drawn from
analyzing the raw data. At this time, the reviewer and managers discuss possible corrective
actions as well as the cost/benefit of such actions.
-------
OMB guidelines require that documentation or recording of control techniques be:
WRITTEN:
CONTROL TECHNIQUES SHOULD BE DESCRIBED IN A
WRITTEN DOCUMENT. THE WRITTEN DESCRIPTION
SHOULD BE REVIEWED PERIODICALLY AND UPDATED,
AS NEEDED.
LINKED TO RISKS:
CONTROL TECHNIQUES SHOULD BE DIRECTLY LINKED TO
SPECIFIC RISKS.
EVALUATIVE:
THE DOCUMENTATION SHOULD INCLUDE A JUDGEMENT ON
THE EFFICIENCY AND EFFECTIVENESS OF EXISTING
CONTROL TECHNIQUES.
THE FOLLOWING IS A SAMPLE FORMAT FOR DOCUMENTING CONTROLS:
HIGH RISK ACTIVITY: Commercial Pay Unit
RISKS: INVOICES/VOUCHERS ARE NOT PROCESSED IN A TIMELY FASHION TO ENABLE THE
ACCOUNTING OFFICE TO MAKE PAYMENTS IN ACCORDANCE WITH THE PROMPT PAYMENT ACT

CONTROL TECHNIQUE                      STRONG   WEAK   EXCESS   COMMENTS
PAYMENT PROCESSING PROCEDURES ARE        X
PROVIDED TO ALL PERSONNEL
LOGS ARE KEPT TO TRACK THE NUMBER                 X             NO SYSTEM FOR FLAGGING THOSE
OF DAYS BETWEEN RECEIPT AND PAYMENT                             PAYMENTS REACHING DEADLINE
SUPERVISORS SPOT CHECK LOGS              X

OVERALL EVALUATION: THE OVERALL MIXTURE OF CONTROL TECHNIQUES FOR THIS EVENT
CYCLE IS:
[ ] STRONG   [ ] WEAK   [ ] EXCESSIVE
-------
Step 3 explains how to identify and document control techniques using the GAO
Standards.
A large portion of this step has been done for you at a "general" level. This information
is contained in EXHIBIT 2 OF THE FINANCIAL MANAGERS' QUALITY ASSURANCE GUIDE.
Exhibit 2 is a consolidation of relevant Comptroller General/OMB objectives and
standards, related internal control considerations and EPA procedures or control
techniques designed to enable the Agency to meet prescribed requirements. Your office
should revise and update this Exhibit to indicate the following:
o adequate coverage of applicable functions
o accurate description of internal control techniques or procedures being used
in your office
o elimination of functions that no longer exist
This effort on your part will represent the completion of Step 3. Your office, based
on completion of steps 1 and 2, may decide to focus on an Alternative ICR of "commercial
payments." Therefore, the reviewer would simply take the applicable pages of the Exhibit
and tailor the control techniques and test procedures to reflect actual office operations.
This would then allow for the performance of Step 4 - Testing of the Controls.
-------
STEP 4. TEST THE CONTROLS
AFTER IDENTIFYING AND DOCUMENTING CONTROLS OVER THE SELECTED HIGH RISK AREAS,
THE NEXT STEP IS TO TEST THE CONTROLS.
TESTING CONTROLS IS THE PROCESS OF VERIFYING THAT THE CONTROLS "ON PAPER" ARE
FUNCTIONING AS INTENDED AND ARE EFFECTIVE IN PREVENTING POTENTIAL RISKS.
THE PURPOSE OF TESTING THE CONTROLS IS TO OBTAIN REASONABLE ASSURANCE THAT THE
CONTROLS ARE IN PLACE AND OPERATING AS INTENDED.
COMPLETE THE FOLLOWING SUBSTEPS TO TEST CONTROLS:
SUBSTEP 1. DEVELOP A TEST PLAN
SUBSTEP 2. CONDUCT THE TESTS
SUBSTEP 3. DOCUMENT THE TEST
SUBSTEP 4. ANALYZE THE RESULTS
SUBSTEP 5. DISCUSS THE TEST RESULTS WITH MANAGERS
SUBSTEP 1. DEVELOP A TEST PLAN
What Controls/Areas Should be Tested? WHY?
-- Test areas where procedures have recently changed.
-- Test areas that have not been tested for a substantial period of time.
-- Test those controls that contribute the most to preventing potential risks.
Methods of Testing.
-- DOCUMENT ANALYSIS: Determining if a control is working by reviewing existing
records, completed forms or other documentation. This may be done by selecting a sample
of transactions and tracing them through the system.
-- OBSERVATION: Determining if a control is working by watching the performance of a
control.
-- INTERVIEW: Determining if a control is working by eliciting information from
the personnel who perform that control.
How Much Testing is Needed?
o Tests should not be 100% of the records or 100% of the operation of a control.
o Representative samples of sufficient size should be selected when conducting tests.
-------
o Avoid Complicated Statistical Sampling
-- Although statistical samples are preferable because they allow for projection, they
are not required.
-- Judgement samples, selected without apparent bias, will suffice.
-- Reserve random, stratified random and similar methods for transaction type testing
in which the risks involve large numbers of transactions.
-- Consider interval sampling when reviewing transactions.
SUBSTEP 2. CONDUCT THE TESTS
Data Collection - Use tools to simplify, standardize, and document data collection. Examples
of data collection tools are:
o Observational logs
o Frequency tabulation
o Work Distribution Matrix
o Checklist
o Interview Guide
o Questionnaire
Rely on Personnel Who are Familiar with the Controls to do Testing
o Use their knowledge - Don't Forget to simply ask if they are experiencing any problems.
Quality Control of Testing is Required - provide reasonable assurance that tests were properly
done.
o Work papers are the Key Ingredient.
o Supervisors or QA Liaison should review workpapers to ensure testing was done, and
properly evaluated.
o Headquarters QA staff should review workpapers during QA reviews.
SUBSTEP 3. DOCUMENT THE TEST
IT IS NECESSARY TO DOCUMENT THE TESTS PERFORMED THROUGH WORKING PAPERS.
WORKING PAPERS SERVE AS:
o identification and documentation of the process followed,
o tools to perform the review in an orderly fashion,
o support for discussions with operating personnel,
o support for conclusions reached, and
o background and reference data for subsequent reviews.
WORKING PAPERS SHOULD BE:
UNIFORM   ECONOMICAL   COMPLETE
SUBSTEP 4. ANALYZE THE RESULTS
AFTER COMPLETION OF THE TESTING, THE TESTS OF SPECIFIC CONTROL TECHNIQUES MUST
BE ANALYZED TO DETERMINE IF THE DEGREE OF COMPLIANCE WITH CONTROL TECHNIQUES IS
ADEQUATE TO AVOID THE OCCURRENCE OF RISK.
QUESTIONS WHICH SHOULD BE ASKED ARE:
-- What is the degree of compliance with the control technique?
-- Is the degree of compliance adequate to avoid risk?
-- Is the problem a failure to comply with existing control techniques or are the
techniques inadequate?
-- If the techniques are inadequate, what additional techniques are necessary?
The evaluation of the test results is subjective in nature since it involves judgements of the
effectiveness of control techniques. However, the evaluation is based upon the objective test results
and must be documented in the workpaper files. A short narrative explanation focusing on the weaknesses
disclosed is sufficient. The narrative explanation should be cross referenced to the working papers
supporting the individual tests performed.
NOTE: The case study contained in this guide provides an example of "testing the controls." It
provides you with a complete step-by-step exercise that shows you how simple transaction testing
can be.
SUBSTEP 5. DISCUSS THE TEST RESULTS WITH MANAGERS
AFTER COMPLETING TESTING, THE TEST RESULTS SHOULD BE ANALYZED AND DISCUSSED
WITH THE MANAGERS RESPONSIBLE FOR OPERATING THE CONTROLS REVIEWED. THE
PURPOSES OF THIS DISCUSSION ARE TO COMMUNICATE THE RESULTS OF THE TESTING AND
ANY CONCLUSIONS DRAWN, TO SEEK AGREEMENT ON THE CONCLUSIONS, AND TO ELICIT FROM
THE MANAGERS RECOMMENDATIONS ON ANY NECESSARY CORRECTIVE ACTIONS.
-------
STEP 5. COMPARE TO GAO STANDARDS
As stated in the Federal Managers' Financial Integrity Act, each executive agency is to
establish a system of internal accounting and administrative controls in accordance with
standards prescribed by the Comptroller General. GAO Control Standards define the minimum
level of quality acceptable for internal control systems in operation and represent criteria
against which systems are to be evaluated. Our next step is to make an overall evaluation of
those internal controls tested in Step 4. Making an overall evaluation allows us to judge how
well the key ingredients of the controls reviewed work in relation to each other. We cannot
evaluate the control techniques without considering the other control system ingredients, such
as competent personnel or supportive attitude. This overall judgement will enable us to:
o Select corrective actions
o Report on compliance with the GAO Standards
There are two types of control standards:
GENERAL STANDARDS - Apply to all aspects of control
SPECIFIC STANDARDS - Critical Internal Control Techniques
The GENERAL STANDARDS are:
o REASONABLE ASSURANCE -- Recognizes cost should not exceed benefits
o SUPPORTIVE ATTITUDE -- Attentive to Internal Controls
o COMPETENT PERSONNEL -- Integrity and skills for effective performance
o CONTROL OBJECTIVE -- Are to be established for each activity
o CONTROL TECHNIQUES -- Efficient and effective mechanisms
USE THE GAO STANDARDS TO HELP IDENTIFY ANY ASPECTS OF
CONTROL WHICH NEED IMPROVEMENT.
The key standard is REASONABLE ASSURANCE.
Are controls in the area examined adequate to provide reasonable assurance that activities and
transactions will operate as planned and authorized?
Reasonable assurance is the confidence you have in your understanding of the risks and the
measures taken to reduce those risks. Reasonable assurance is your guarantee that you have
carefully weighed the risk against the safeguards. The standard of reasonable assurance
recognizes that the cost of internal control should not exceed the benefits derived (i.e.,
risk reduction).
The SPECIFIC STANDARDS were used in Step 3 to identify control techniques.
-------
STEP 6. IDENTIFY AND IMPLEMENT CORRECTIVE ACTIONS
When weaknesses are found in the internal control system, a decision must be made to
institute new controls, improve existing controls, or accept the risk.
SELECTING CORRECTIVE ACTIONS involves creating a "game plan" or strategy for reducing the
risk.
SELECTING CORRECTIVE ACTIONS ALLOWS US TO MAKE
COST-BENEFICIAL DECISIONS ABOUT ENHANCEMENTS TO OUR
CONTROL SYSTEMS.
How are corrective actions selected?
The following substeps are completed in order to select corrective actions:
o IDENTIFY POSSIBLE ACTIONS
o ANALYZE COSTS AND BENEFITS
Identifying possible actions involves the following:
PROBLEM IDENTIFICATION - Using the results of the AICR, identify the problems: controls not
used; compensating controls in use; weak controls; excessive controls; or weak control
environment.
REASON IDENTIFICATION - Now, ask yourself: Why are the problems occurring?
ACTION IDENTIFICATION - Finally, develop a list of alternative actions to address the reasons.
Once you have identified the possible corrective actions to be taken you need to analyze costs and
benefits. If you have determined that new or improved controls are needed, then you must compare
the costs of these changes against the potential loss reduction that may result.
COST OF PROPOSED CONTROLS
o Personnel $
o Information $
o Funds $
VS.
POTENTIAL LOSS REDUCTION
o Financial
o Non-Financial
A simple analysis can be done using rough "ballpark" figures. However, this simple analysis should
provide sufficient information on costs and benefits to allow us to make a judgement between risks
and safeguards. We want to avoid creating an out-of-control system of controls.
-------
STEP 7. REPORT THE RESULTS
Since the primary objective of the Alternative Internal Control Review is to provide advice and
assistance to management, it is important that its results be articulated. A suggested format for
reporting the results is identified below:
o INTRODUCTION
Describe the purpose/objective of the review and the report. Also, provide
any pertinent background information.
o SCOPE OF REVIEW
Describe the areas (event cycles) reviewed.
o REVIEW TECHNIQUES
Describe the testing methodology utilized.
o TEST PLAN
Attach a copy of the test plan utilized.
o SUMMARY AND ANALYSIS OF TEST RESULTS
Present the findings and conclusions reached by the reviewer(s).
o RECOMMENDATIONS
Present the recommendations on how the control weaknesses that were
identified can be corrected or controlled.
o INDICATE AREAS OF EPA NON-CONFORMANCE
Summarize testing results, indicating instances of EPA non-conformance with
GAO principles and standards in accordance with OMB Circulars A-123,
A-127 and the Federal Managers' Financial Integrity Act.
-------
ALTERNATIVE INTERNAL CONTROL REVIEW
CASE STUDY
The following represents a sample "Case Study" of an Alternative Internal Control Review (ICR).
The Study involves an Alternative ICR of the Commercial Payments function within a typical
Financial Management Office. The process begins with the identification of potential review
areas focusing on a single selected area -- commercial payments. Identification of potential
areas is based on a real or perceived risk within the sample office. Areas selected for
testing may or may not represent high risk areas in every finance office. The identification
process considers the unique situation of the office under study.
STEP 1. IDENTIFY HIGH RISK ACTIVITIES
A meeting is held with senior staff members of the finance office. In attendance are: The
Comptroller, Financial Management Officer (FMO), all section/unit chiefs and the Quality
Assurance Staff Accountant. The group has chosen to select risks to be reviewed using a
functional approach. The sample office's functional statement includes the following major
functions:
-- cash management
-- commercial payments
-- travel payments
-- accounting and financial reports
-- collections
-- accounts receivable
-- payroll
-- imprest fund
-- assistance agreements
-- superfund accounting
-- quality assurance
Focusing on these primary functions, discussions are held to determine the activities for
review and testing. Conclusions reached during this session are based on management's
knowledge of the operation and the overall financial environment. This differs from the paper
intensive process required during an internal control review where each event cycle and risks
for those event cycles are identified.
Inherent to this risk identification is a strong reliance on each manager's FAMILIARITY with
their operations. Criteria used during this "brain storming" process may include the
following: PAST PROBLEMS (as identified through OIG or GAO reviews); DEGREE OF RISK (e.g.
high dollar, liquidity of assets, potential for agency embarrassment); NEWNESS OF FUNCTION
OR NEW MANAGEMENT; ELAPSED TIME SINCE LAST REVIEW.
In discussing the various functions within the office, the group noted several concerns:
o DURING THE LAST 6 MONTHS OUR OFFICE HAS EXPERIENCED A 60% TURNOVER IN ITS
COMMERCIAL PAYMENTS UNIT.
-------
o RECENT GAO AUDITS OF PROMPT PAYMENT ACT COMPLIANCE HAVE DISCLOSED GENERAL
NON-COMPLIANCE WITH THE ACT GOVERNMENTWIDE.
o EPA'S OFFICE OF INSPECTOR GENERAL HAS RECENTLY ISSUED ITS REPORT ON REVIEW OF
ACCOUNTS RECEIVABLE AGENCYWIDE. NOTED IN THE REPORT WERE SEVERAL
PROBLEMS WITH THE AGENCY'S HANDLING OF ACCOUNTS RECEIVABLE.
SPECIFICALLY, RECEIVABLES WERE NOT RECORDED ON TIME FOR FINES AND PENALTIES
IN OVER 50% OF THE CASES AND PROPER FOLLOWUP ON DELINQUENT RECEIVABLES WAS
NOT BEING INITIATED.
Based on the above, the group agrees that the commercial payment unit qualifies as a high risk
activity for their office. Also, although this office was not visited during the OIG's review
of receivables, the FMO is concerned that the problem exists here as well. The group believes
the problem is severe enough to warrant review. Therefore, accounts receivable is added to the
list of high risk activities.
At this point, the Superfund Accounting Unit Supervisor expressed concerns in her area. She
highlighted the recent issue of new guidance in this area and expressed her concerns regarding
its implementation. She also pointed out the high visibility of the Superfund Program. The
group agreed that testing would be appropriate in the Superfund area at this time.
The meeting continues until each functional area is thoroughly discussed. At the conclusion of
the meeting, five high risk activities have been identified as potential candidates for
testing:
COMMERCIAL PAYMENTS, ACCOUNTS RECEIVABLE, SUPERFUND,
IMPREST FUND, AND CASH MANAGEMENT.
As you can see, this process relied heavily on:
MANAGEMENT'S KNOWLEDGE OF THEIR PARTICULAR OPERATION.
MANAGEMENT'S AWARENESS OF AGENCYWIDE PROBLEMS.
MANAGEMENT'S AWARENESS OF GOVERNMENTWIDE PROBLEMS.
STEP 2. SELECT ONE OR MORE HIGH RISK ACTIVITIES
Management has identified five high risk areas; however, limited resources necessitate
prioritizing the areas, as only three reviews will be conducted this year. This step involves a
judgement call on the part of management. Weighing the relative risks of each area, management
has decided to perform Alternative ICRs for commercial payments, accounts receivable and
Superfund Accounting. The reviews are scheduled and each is included on the office's FY 198?
Quality Assurance Workplan.
RESULT
Management has pooled its KNOWLEDGE of office operations and drawn from its AWARENESS of
Agency and Governmentwide problems/interests- and used this information to identify what it
perceives as high risk areas for the office.
-------
BENEFIT
Management has avoided documenting each event cycle in the finance office, a process which
could take days. Instead, they have relied on their own expertise to identify high risk
activities.
The first review will be of commercial payments with a focus on compliance with the Prompt
Payment Act. The Quality Assurance Staff member is assigned responsibility for the review.
STEP 3. IDENTIFY AND DOCUMENT CONTROLS
To identify controls for commercial payments, the reviewer discusses with the responsible
unit chief what procedures are in effect to ensure proper and timely payment. Also, the
reviewer will request copies of performance agreements for those individuals processing
payments. The following general control techniques are identified for the sample office:
o EPA ACCOUNTING MANUAL, CHAPTER 15
o DESK PROCEDURES FOR PAYMENT PROCESSING
o VOUCHER EXAMINATION MANUAL
o PERFORMANCE AGREEMENTS FOR UNIT SUPERVISOR AND ALL VOUCHER EXAMINERS
All of the above represent the broad internal control techniques for the payment area. At this
point, the reviewer should refer to Exhibit 2 of the Financial Managers' Quality Assurance
Guide. This exhibit contains an analysis of EPA's Policies and Procedures, GAO Standards, and
A-123 Control Objectives.
The exhibit reflects the relevant GAO Standards for finance operations, A-123 Control
Objectives and EPA procedures on control techniques designed to enable the Agency to meet
prescribed requirements. Therefore, in the broader (Agencywide) sense this step has been
partially completed. To the extent that our sample office's desk procedures are in conformance
with Agency Policy (i.e., EPA Accounting Manual, Chapter 15) this step is complete.
The reviewer evaluates the desk procedures against the requirements of EPA Accounting Manual,
Chapter 15 and provides control techniques to update Column 3 of Exhibit 2 in the Guide and
tailor it to the sample office.
The requirements are found to be in conformance with Chapter 15. Appropriate updating of
Exhibit 2, "Accounting for Cash Assets", is completed.
STEP 4. TEST THE CONTROLS
SUBSTEP 1. DEVELOP TEST PLAN
As Substep 1 in the testing process, the reviewer DEVELOPS A TEST PLAN.
The reviewer identifies specific internal control techniques as outlined in the desk
procedures.
ALTHOUGH THE REVIEWER HAS IDENTIFIED GENERAL CONTROL TECHNIQUES, I.E.,
ACCOUNTING MANUAL, CHAPTER 15, DESK PROCEDURES, ETC., IT IS NECESSARY TO FOCUS
ON THE SPECIFIC CONTROL TECHNIQUES, OR STEP BY STEP PROCEDURES. IT WOULD BE TOO
-------
CUMBERSOME TO PULL TRANSACTIONS AND TEST THEM AGAINST A "MANUAL CHAPTER."
TESTING IS BEST ACCOMPLISHED BY FOCUSING ON THE KEY STEPS REQUIRED TO ACCOMPLISH
EACH TRANSACTION. TESTING IS THEN REDUCED TO CHECKING FOR COMPLIANCE WITH THESE
KEY STEPS.
Taking a 13 column workpaper, key data required for our analysis is inserted in each column
heading. The reviewer has identified the following key requirements contained in the desk
procedures:
o DATE STAMP INCOMING INVOICES AND RECEIVING REPORTS.
o LOG IN ALL INVOICES.
o CHECK ALL CALCULATIONS (INITIAL DOCUMENT).
o CHECK SIGNATURES AND ACCOUNT NUMBERS ON OBLIGATING DOCUMENT.
o CHECK FOR DISCOUNTS OFFERED.
o COMPUTE BENEFIT OF DISCOUNT (ATTACH COMPUTATION SHEET).
o CHECK FOR PROPER RECEIVING REPORT. IF THERE IS NO RECEIVING
REPORT, MAKE UP TO 3 FOLLOWUP CALLS.
o EACH DAY PULL FROM TICKLER FILE ALL PAYMENTS DUE:
   Audit
   Sort
   Schedule for Payment
   Compute interest due for payments made after 45 days
o PAYMENTS MUST BE MADE NO LATER THAN 30 DAYS FROM DATE OF RECEIVING
REPORT AND/OR DATE OF INVOICE, WHICHEVER IS LATER.
o PAYMENT SCHEDULE MUST BE SIGNED BY CERTIFYING OFFICER PRIOR TO PAYMENT.
o PAYMENTS ARE FILED IN TICKLER AS DUE, 5 DAYS PRIOR TO 30th DAY.
Having identified the specific internal control techniques, the reviewer highlights each
technique which focuses on timeliness of payments (since the thrust of this review is
compliance with the Prompt Payment Act).
SUBSTEP 2. CONDUCT THE TESTS
The reviewer conducts the tests. A sample workpaper, Exhibit A, shows the data our reviewer
collected through his analysis of 10 sample transactions. The sample was selected
judgementally from the office's "accomplished schedules" folder.
SUBSTEP 3. DOCUMENT THE TEST
This substep is accomplished by completion of workpapers, documented interviews, etc. The
reviewer inserts appropriate column headings on the workpaper. At least four columns are left
blank, two for identifying transaction information and two for comments.
COMPLIANCE WITH THE REQUIREMENT FOR MAINTAINING A TICKLER FILE CANNOT BE
VERIFIED BY INDEPENDENT DOCUMENT ANALYSIS. THIS IS OFTEN THE CASE WITH CONTROL
TECHNIQUES. INFORMATION REGARDING COMPLIANCE WITH THIS PROCEDURE WILL BE
DETERMINED BY INTERVIEWING THE VARIOUS VOUCHER EXAMINERS.
-------
STEP 1. IDENTIFY HIGH RISK ACTIVITIES
RISK = THE PROBABILITY OF AN UNWANTED OCCURRENCE SUCH AS
WASTE, FRAUD, OR MISMANAGEMENT
RISK IS WHAT THE INTERNAL CONTROL SYSTEM SHOULD BE
DESIGNED TO MANAGE
TO IDENTIFY RISK ASK:
WHAT ARE THE AREAS THAT HAVE BEEN PROBLEMS IN THE PAST?
WHAT RISKS RELATE TO THOSE AREAS?
IS THE AREA UNDER NEW MANAGEMENT OR IS IT A NEW FUNCTION?
WHAT RISKS OR GROUP OF RISKS INVOLVE THE MOST DOLLARS?
WHAT RISKS OR GROUP OF RISKS COULD CAUSE THE MOST POTENTIAL HARM?
WHAT RISKS INTERACT SO THEY CAN BE REVIEWED SIMULTANEOUSLY?
EXAMPLE: COMMERCIAL PAYMENTS
RISKS
o Payments are not timely
o Payments are made too early
o Payments charged against the wrong account
o Payments are made for goods not received
STEP 2. SELECT ONE OR MORE HIGH RISK ACTIVITIES
Once you have identified the high risk activities, select one or
more activities to review for adequacy of internal controls.
-------
STEP 3. IDENTIFY AND DOCUMENT CONTROLS
Identify and document existing internal control techniques.
A CONTROL TECHNIQUE IS ANY MECHANISM OR PROCEDURE
USED TO PREVENT OR DETECT RISKS
GAO STANDARDS CAN BE USED TO IDENTIFY CONTROL TECHNIQUES
The General Accounting Office (GAO) has issued specific standards for internal controls.
These standards can help you identify existing control techniques. Existing control
techniques may be defined in directives, policies, and procedures. To identify control
techniques, review these source materials and ask yourself the following questions. NOTE:
These questions are organized around the GAO standards for control techniques.
STANDARD          QUESTION
DOCUMENTATION:    Are written descriptions of methods or procedures used?
                  If YES ... Describe them.
RECORDS:          Are records used? (i.e., manual logs, etc.)
                  If YES ... Describe them.
AUTHORIZATION:    Are authorization procedures and reviews used to eliminate
                  possible fraud?
                  If YES ... Describe them.
STRUCTURE:        Is segregation of duties used to reduce possible fraud or
                  mismanagement?
                  If YES ... Describe them.
SUPERVISION:      Are supervisory actions established to avoid possible
                  mismanagement?
                  If YES ... Describe them.
SECURITY:         Are security measures (i.e., access restrictions) used to prevent
                  improper access to records, files, etc.?
                  If YES ... Describe them.
OTHER:            Are other measures taken to reduce risks?
                  If YES ... Describe them.
-------
STEP 5. COMPARE TO GAO STANDARDS
The reviewer's next step is to make an overall evaluation that the results of testing the
controls conform to the GAO Control Standards. Remember ... the key standard is REASONABLE
ASSURANCE. The reviewer refers to the general control standards and their requirements and
documents whether the controls
-------
CASE STUDY ANSWER KEY
QUESTION 1: Are payments being made in accordance with the Prompt Payment Act?
ANSWER: Six of 10 payments were not made in accordance with the Prompt Payment
Act.
QUESTION 2: Were all documents properly reviewed and certified prior to payment?
ANSWER: Yes, all documents were properly reviewed and certified correct for payment.
QUESTION 3: Were receiving reports obtained prior to payment?
ANSWER: Yes, receiving reports were attached to all paid invoices. The date the
receiving report was received in the office occurred prior to the invoice
payment date in all cases.
QUESTION 4: Were discounts taken?
ANSWER: Yes, one discount was offered and taken. The discount was advantageous
to the Government; however, the required computation sheet for determining
whether it was advantageous to the Government was not attached.
QUESTION 5: If payments were made too early, was it in order to take advantage of discounts?
ANSWER: No. Two payments were made early. No discount offered on either one.
QUESTION 6: If payments were made late, can you determine why?
ANSWER: TRANSACTIONS 3 THROUGH 6 WERE ALL PAID LATE.
Transactions 3 and 4 were paid exactly 30 days after receipt of the receiving
report by the finance office. This may be a coincidence; however, it
appears that the voucher examiner inadvertently computed the due date by
adding 30 days to the date the receiving report was received in the
finance office as opposed to the date the goods were actually received
and accepted by the Agency.
For transactions 5 and 6, closer analysis shows that these payments were
made exactly 5 days after the receiving report was received in the finance
office.
Because it takes 5 days to pay after all necessary documents are received,
(PROCEDURES STATE TO PULL FOR PAYMENT 5 DAYS PRIOR TO
SCHEDULED DUE DATE) these payments were made immediately upon receipt
of the receiving report which was forwarded to the finance office late in
both cases. Because in both cases the voucher examiner had made the 3
required followup calls (albeit to no avail), the cause of these two
payments being late appears to be program offices not forwarding
receiving reports to the finance office within 5 days after receipt
or acceptance of goods or services as required by the Prompt Payment
Act.
-------
ADDITIONAL OBSERVATIONS
A comparison of columns 2 and 3 further supports the fact that receiving offices are not
forwarding receiving reports to the finance office and are thus preventing the finance office
from meeting its responsibilities under the Act. The amount of time ranged from same day
to 52 days.
-------