4
S"
«.«*.
UNITED STATES
ENVIRONMENTAL PROTECTION AGENCY
(V
K
t
(V
GUIDANCE FOR PREPARING
THE 1991 FEDERAL MANAGERS'
FINANCIAL INTEGRITY ACT
ANNUAL REPORT
Prepared by:
RESOURCE MANAGEMENT DIVISION
OFFICE OF THE COMPTROLLER
OFFICE OF ADMINISTRATION AND
RESOURCES MANAGEMENT
August 1991
O-J
CD
CD
HEADQUARTERS LIBRARY
ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
-------�
-------�
CONTENTS OF THE 1991 GUIDANCE PACKAGE
Page
Table of Contents of the 1991 Guidance Package 3
Executive Summary 5
Milestone Calendar 6
New Requirements for the 1991 FMFIA Report ' 7
General Information About Preparing and Submitting the Report 8
CONTENTS OF THE AA's and RA's 1991 REPORT 11
The Body of the AA's and RA's Memorandum 13
Outline of a Model Memorandum 13
The Attachments to the Memorandum 17
A, Statistical Summary of Performance 19
B. Review Process 21
C. Progress Report on High Risk Areas 24
D. .Material Weaknesses / Corrective Actions 27
E. Agency-Level Weaknesses / Corrective Actions 32
F. Quality Control Evaluation Report 34
APPENDIX TO THE GUIDANCE PACKAGE
Options for Preparing Sub-Assurance Memoranda A
Quality Control Evaluation Report by the Assessable Unit Manager B
Blank Forms for the Attachments and Sub-Assurance Memoranda C
Copy of OMB's 1991 Instructions for the FMFIA Report D
3
-------�
-------�
I
EXECUTIVE SUMMARY
This document is the Agency guidance for preparing the 1991 report required
by the Federal Managers' Financial Integrity Act. The guidance document consists
of the following main components:
o The transmittal memorandum from the Deputy Administrator, expressing his
expectations about how the process will be conducted and the importance of
the personal involvement of the Assistant and Regional Administrators;
o A milestone calendar for completing the 1991 report;
o Highlights of new requirements;
o General information about preparing and submitting reports;
o The required contents of the 1991 report:
What AAs and RAs must address in the body of their memoranda;
What AAs and RAs must provide in the attachments to their
memoranda; and
o An appendix containing additional material to help you prepare your report.
o The requirements for your 1991 report are little changed from 1990. The
main changes are:
AAs and RAs must identify resources needed for corrective actions;
Subordinate organizations have the option of using a simplified report
to speed up the sub-assurance report process and lessen paperwork;
and
Reporting requirements in the Statistical Summary of Performance have
been reduced.
The staff of the Resource Management Division of the Office of the
Comptroller stands ready to assist you in all aspects of your management integrity
program including your preparation of the 1991 FMFIA report. Please call them on
FTS 260-4160.
-------�
CRITICAL MILESTONES IN THE
1991 FMFIA REPORT PROCESS
10-31-91: FMFiA reports for Fiscal Year 1991 are due to the Deputy
Administrator from Assistant Administrators, the General Counsel, the
Inspector General, and the Regional Administrators.
11-8-91: Resource Management Division completes first draft of Agency Report.
11-21-91: The Senior Council on Management Controls discusses with the
Assistant and Regional Administrators:
o Their personal involvement in the management control and audit
follow-up programs;
o The material weaknesses they declare in their respective 1991
FMFIA reports;
o The reasons that they judge to be non-material any OIG or GAO
candidate weakness proposed in the September 12 meeting of
the Senior Council on Management Controls;
o The quality and timeliness of Headquarters and Regional Office
reports;
o The material weaknesses that are under consideration for
inclusion in the Agency report that the Administrator submits to
the President and the Congress by December 31;
11-26-91: Resource Management Division submits draft Agency report to Internal
Control Coordinators for their offices' review.
12-12-91: Resource Management Division completes revised draft Agency report.
12-19-91: Resource Management Division meets with the Deputy Administrator to
review the draft report and the material weaknesses that will be
declared in the report to the President and the Congress.
12-31-91: The 1991 FMFIA process concludes with the Administrator signing the
Agency Report to the President and the Congress.
-------�
NEW REQUIREMENTS
FOR THE 1991 FMFIA REPORT
There are few changes in requirements from last year. OMB continues to
emphasize "high-risk" reporting, priority setting for addressing material weaknesses,
budget linkage, automated information systems, validation of corrective actions,
description of training in management controls, and strengthened reporting on review
processes.
A complete copy of OMB's 1991 guidance for preparing the report is included
in this document as Appendix D. Informally, OMB has requested information on
resource estimates for dealing with high risk areas and correcting material
weaknesses. This information is requested in Attachments C and D.
-------�
GENERAL INFORMATION ABOUT
PREPARING AND SUBMITTING YOUR REPORT
The original report is due to the Deputy Administrator by
October 31, 1991.
A double-sided copy and 5-1/4" diskette containing the
report and all attachments in WordPerfect 5.0 must be sent
by October 31, 1991, to:
U.S. Environmental Protection Agency
Resource Management Division
Management Controls Branch
Mail Code H-3304, NELC-0024
Washington, D.C. 20460
This guidance should be used in preparing your Office's 1991 report to the
Deputy Administrator under the Federal Managers' Financial integrity Act (FMFIA).
Your report should cover program, administrative, and financial controls.
Detailed instructions on preparing the report and attachments are provided in
the section on this document entitled: "Contents of the Report," which begins on
page 11. The narrative portion must be substantive and highlight the major
management control accomplishments and problems of the year ending September
30, 1991. It also should discuss activities impacting your ability to provide
reasonable assurance of effective controls, such as reorganizations or new statutory
requirements.
Your attachments must include specific statistical and milestone information.
The formats for the attachments ensure consistent and complete statistical
information required by OMB, including budget information.
If you have no information to report in an attachment, please state in the
narrative section that your report does not include that attachment. Please do not
enclose a blank attachment saying "Not Applicable". Label your attachments,
however, as identified in this guidance so that when culling information from the
various reports, we have a common frame of reference.
Sub-assurance Letters
Most offices require their divisions and laboratories to prepare their own
FMFIA reports {known as "sub-assurance memos") to gather the information needed
for the office annual report.
8
-------�
We have included in Appendix A a simplified, optional approach for sub-
assurance memoranda AAs and RAs prepare their reports based on the full
guidance, while subordinate organization managers have two options for preparing
their sub-assurance memoranda: either the same format as the office report or the
abbreviated style. The simplified approach was pioneered by the Office of Water,
and it is a good a approach for saving work, where applicable.
-------�
10
-------�
CONTENTS
OF
THE 1991 FMFIA REPORT
11
-------�
12
-------�
THE BODY OF THE AA's & RA's REPORT
An outline of a model FMFIA report memorandum is presented below.
Information about the required contents of the memorandum is included
within the outline. The model allows each office sufficient flexibility to reflect
the actual character of its individual management integrity program.
MEMORANDUM
SUBJECT: 1991 Report on Management Controls
FROM: [Primary Organization Head]
TO: F. Henry Habicht II
Deputy Administrator
ASSURANCE STATEMENT: State whether the controls in your Office
provide reasonable assurance that your Office, as a whole, complies
with the requirements of FMFIA.
ACCOMPLISHMENTS IN MANAGEMENT CONTROL PROGRAM:
Describe any accomplishments your Office made in the area of
management controls. Examples include a task force effort to
strengthen particular controls or your Office's entire control process;
overall changes in your Office's control procedures to enhance
effectiveness; increased attention to audit follow-up; or conferences
held or councils formed to discuss control issues. Be generous in
sharing your success stories here, so that others may profit from them.
PIG. GAP, and OMB CONCERNS: Auditors in both the Office of the
Inspector General (OIG) and the General Accounting Office (GAO)
review management controls as part of every audit they conduct. Be
sure your memorandum addresses:
o Any major concerns identified in OIG and GAO audits performed
in your Office in 1991;
13
-------�
Audit follow-up. Reviews by the OIG and the OARM are
continuing to find that offices' audit follow-up is weak and
that reporting is incomplete or inaccurate. These
weaknesses may be material. AAs and RAs should
carefully assess their audit follow-up programs. If their
follow-up or their tracking information is weak, they should
report the weaknesses in their FMFIA reports.
Payroll/overtime administration;
Contracts management and administration;
1991 activities to improve the integrity, availability,
confidentiality of automated information systems.
and
You may address the OIG, GAO, and OMB issues in the
narrative itself, in particular attachments, or in a crosswalk of both.
The choice is yours depending on the degree of concern about them in
your particular office.
In accordance with the Computer Security Act of 1987, Federal
agencies developed plans for assuring adequate security for sensitive
systems last year. According to OMB, in some instances that process
identified significant weaknesses in agency systems along with plans
for correcting the weaknesses. Your memorandum should address
weaknesses identified in your office through this process.
Your letter should address these particular control issues and
any others identified in OIG and GAO audits performed in your Office
in 1991. Evaluate these activities carefully and report any weaknesses,
along with corrective action plans to eliminate the weaknesses. When
you report weaknesses identified by an OIG or GAO auditor, and
correction of the weakness is being tracked in the Management Audit
Tracking System (MATS), please note this. Internal Control
Coordinators may have tc work closely with Audit Follow-up
Coordinators to determine this information.
HIGH-RISK AREAS FOR OMB'S GOVERNMENT-WIDE LIST: Identify
and describe existing and new "high-risk areas" for OMB's high-risk list
Give detailed information about these areas and the resources needed
to address the high risk in Attachment C.
We recognize that high risk areas may overlap with material
weaknesses. High risk areas are broad issues of concern. They may
14
-------�
be made up of discrete material weaknesses. For example, a high-risk
area entitled "procurement" might consist of several discrete material
weaknesses.
If you believe that a high-risk area exists in the Agency but must
be addressed by another office, you should notify the appropriate office
in a separate memorandum, with a copy to the Resource Management
Division. Work with the other office to raise and investigate the issue,
so that the office can determine whether to report it in its FMFIA
report.
MATERIAL WEAKNESSES: Identify and briefly describe existing and
newly reported "material weaknesses" in your FMFIA report. Give
detailed information about these weaknesses, and the resources
needed to cure them, in Attachment D.
The OMB guidance in Appendix D offers criteria for materiality.
Use these criteria to help determine which weaknesses are "material,"
that is, significant enough to report to the President and Congress.
The September 12, 1991 meeting of the Senior Council on
Management Controls (SCMC) will include briefings from EPA's
Inspector General and GAO representatives on potential material
weaknesses. The Resource Management Division will apprise you and
your Internal Control Coordinator (ICC) of the results of this meeting.
If you believe that a material weakness exists in the Agency but
must be addressed by another office, you should notify the appropriate
office in a separate memorandum, with a copy to the Resource
Management Division. Work with the other office to raise and
investigate the issue, so that the office can determine whether to report
it in its FMFIA report.
Attachments
There are six standard "Attachments" to each FMFIA report.
They are described on the pages which follow.
15
-------�
16
-------�
STANDARD ATTACHMENTS FOR EACH FMFIA REPORT
A, Statistical Summary of Performance
B. Review Process
C. Progress Report on High Risk Areas
D. Material Weaknesses / Corrective Actions
E. Agency-Level Weaknesses / Corrective
Actions
F. Quality Control Evaluation Report
Guidance for completing the Attachments to the Memorandum is
presented on the following pages.
Blank forms for the Attachments are in the Appendix to this Guidance
package.
17
-------�
18
-------�
ATTACHMENT A
STATISTICAL SUMMARY OF PERFORMANCE
OVERALL COMPLIANCE: Overall, do your management control systems comply
with the objectives of FMFIA (to reasonably assure that they protect Government
assets from waste, fraud, and mismanagement)?
Yes
,; year achieved
No
NUMBER OF MATERIAL WEAKNESSES:
In year indicated,
number reported
for the first time.
Prior Years:
1989 Report:
1990 Report:
1991 Report:
TOTAL:
X
X
X
X
XX
For that year,
number that have
been corrected.
X
X
X
X
XX
For that year,
number still
pending.
X
X
X
X
XX
State the total number of material weaknesses corrected in 1991
PENDING MATERIAL WEAKNESSES:
Category Number
Program Management:
—Program Execution X
—Systems Development & Implementation X
—Asset Disposition X
—Environmental Impact X
—Safety/Health-Related X
—Other *( Specify) X
-i
Functional Management:
—Procurement X
—Grant Management X
—Personnel & Organizational Management X
—ADP Security X
19
-------�
—Payment Systems & Cash Management
—Loan Management & Debt Collection
—Property & Inventory Management
—Other (Specify).
TOTAL
X
X
X
X
XX
20
-------�
ATTACHMENT B
REVIEW PROCESS
FMFIA .directs Federal agencies not only to establish management controls
and report on their effectiveness, but to evaluate them regularly to ensure continued
effectiveness. This attachment should describe your Office's FMFIA review process
in the following format. Please use additional pages if necessary.
DESCRIPTION OF OFFICE AND STRUCTURE OF REVIEW PROCESS:
[This section should describe your office's segmentation structure. (Segmentation is
the process in which we break the Agency into "assessable units." Each
assessable unit must establish, evaluate, and report on its controls.) The Agency's
policy is to segment by division because EPA divisional activities tend to have
common characteristics. If your office complies with this policy, simply state this. If
not, discuss your segmentation structure and explain why it is more appropriate for
your office. If you determine that your segmentation structure is no longer
appropriate for your office, discuss how and why you plan to re-segment it in 1992.
Next, you should describe your office's procedure for determining what activities
within your assessable units require testing of controls, how often you test controls,
and what types of reviews are performed. EPA's 1990 Management Control Plan
(MCP) guidance and your 1991 MCP have information to help you distinguish
between types of reviews.]
. V
1991 STATISTICAL DATA FOR REVIEW PROCESS:
[To complete this section, you should use two other FMFIA documents your office
prepared previously: your 1991 Management Control Plan (MCP) and your
vulnerability assessments (high/medium/low ranges with numeric scores).
Note that each Internal Control Review (ICR) or Alternative Internal Control Review
(AICR) conducted must meet three specific criteria:
1. A written report must be on file outlining the review methodology used,
the reviewer(s), and any findings and recommendations.
2. The review must have tested the controls described in the office's
event cycle documentation.
21
-------�
3. The findings and recommendations indicate which control techniques
must be updated in the documentation.
OIG and GAO audits are considered either ICRs or AlCRs and may be counted
below. However, the review criteria still apply. Weaknesses and corrective actions
resulting from ICRs and AlCRs should be reported in Attachments D or E.]
o Number of assessable units? • .
o Number of vulnerability assessments? [A vulnerability assessment
should have been completed for each assessable unit in 1989.
Therefore, include all vulnerability assessments conducted in 1989, as
well as any conducted in 1990 and 1991 for new assessable units.]
Planned . Conducted .
o Number of 1991 Internal Control Reviews?
Planned . Conducted .
o Number of 1991 Alternative Internal Control Reviews?
Planned . Conducted .
o Percentage of assessable units reviewed in 1991 .
COMMENTS ON DISCREPANCY BETWEEN REVIEWS PLANNED VERSUS
CONDUCTED:
[This section should explain discrepancies in the numbers reported above in 1991
STATISTICAL DATA FOR REVIEW PROCESS (planned versus conducted). Also, if
the numbers reported in the section above are not consistent with the number of
reviews reported in your Management Control Plan, provide an overall explanation
for those inconsistencies here as well.]
DESCRIPTION OF THE OFFICE SYSTEM FOR TRACKING REVIEWS.
WEAKNESSES. AND CORRECTIVE ACTIONS:
[In this section, explain how your office uses management control "tools" to schedule
and perform reviews and correct weaknesses in controls. Such tools include the
MCP, the Corrective Action Tracking System (CATS), and tracking mechanisms
specific to your office, such as the Administrator's tracking system for Superfund
which has corrective action information far more detailed than CATS.]
22
-------�
DESCRIPTION OF THE OFFICE'S PROCESS FOR VALIDATING CORRECTIVE
ACTIONS:
[Describe your overall process for ensuring that corrective actions are effective in
eliminating weaknesses. In subsequent attachments, you should describe specific
validation actions for particular weaknesses.] :
DESCRIPTION OF THE OFFICE'S TRAINING IN MANAGEMENT CONTROLS:
[In this section, describe your Office's training on management controls. Include
specific information on:
o Training available to and taken by program managers;
o Anticipated changes to your training program in FY 1992.]
23
-------�
ATTACHMENT C
PROGRESS REPORT ON HIGH RISK AREAS
The following report format should be used by offices having a high-risk area, j
or reporting one for the first time.
A high-risk area is a broad issue or activity whose controls may need <
improvement. It is usually an area requiring continual monitoring and close i
oversight. It may be made up of discrete weaknesses which clearly must be j
corrected, or it may simply be an area which is weak overall. j
The relationship between high-risk areas and material weaknesses
varies. Some high-risk areas are broadly defined and have not been identified as :
material weaknesses. Other high-risk areas have a direct relationship to one or
more material weaknesses. For example, EPA's high-risk area entitled
"enforcement" was comprised of three distinct material weaknesses. !
o High-risk areas broadly defined with no material weaknesses should be .
reported in this Attachment (C).
o Discrete material weaknesses should be reported in Attachment D.
o For high-risk areas comprised of one or more specific material
weaknesses, a crosswalk between Attachment C and Attachment D is
acceptable. The name of the high risk area(s) and material
weakness(es) should be noted in this attachment, but the detailed
information about the weakness(es) should be included in Attachment
D.
NEW REQUIREMENT FOR THE 1991 FMFIA REPORT
OMB has requested information on resource estimates for dealing with
high risk areas. Therefore, please identify the FTE and associated resources
for FY 1992 and FY 1993.
PRINCIPAL STAFF CONTACT
Name:
Title:
Agency/Office:
Telephone Number: FTS
24
-------�
HIGH RISK AREA: Describe the problem/weakness. If the area is already on
OMB's high-risk list, use that description. If a new high risk area is reported, prior
consultation with the Resource Management Division's Management Controls Branch
(MCB) is advised. Call Peter B. Nobert, Chief, MCB, on FTS 260-4160.
o Appropriation.
o Year Identified.
o How identified: [OIG/GAO audit, ICR or AICR, Management
Assistance Review, A-130 Security Review, newspaper report, etc.]
o . Targeted Correction Date in Last Year's Report.
o Current Target Date.
o Reason for Change in Date(s).
STRATEGY: Briefly describe how your Office is correcting the problem/weakness.
CRITICAL MILESTONES COMPLETION DATE-
, ^ORIGINAL CURRENT
,,~'"~ PLAN PLAN
ACTUAL
CRITICAL MILESTONES. DATES AND RESOURCE REQUIREMENTS
A;
B.
C.
D.
Completed Actions/Events:
high risk report to OMB.
Describe actions taken since the mid-year
Planned Actions/Events (FY 1992): Identify critical milestones and dates for
the next 12 months. If it is necessary to revise the original planned date,
explain above the reason for the change, and identify actions to minimize
slippage in the Assessment of Progress section of the report.
Planned Actions/Events (FY 1993 and bevond): Identify critical longer-term
milestones and dates through achievement of final corrective action. The
milestones listed here should be consistent with the Management Integrity
section of the Agency's 1993 budget submission to OMB.
Resource Requirements: In the following table, please show the resources
needed to address the high risk area. Please identify the appropriation for
which the resources are needed. The resource information listed here should
25
-------�
be drawn from the Management Integrity section of the Agency budget
submission.
FY 1992
President's
Budget
FY 1993 OMB Submission
Additional
Request . Need
Appropriation
S&E ($000)
AC&C
SF
R&D
TOTAL
S&E FTE
SF FTE
TOTAL FTE
Budget Implications: In addition to the resources listed above, you may want
to provide a narrative description of the budgetary impact.
RESULTS INDICATORS: Describe key results indicators. Results indicators are
quantitative and/or qualitative measures to determine whether offices' actions have
corrected the weakness or deficiency. For example, improved response times to
requests for data and information and increased collections or decreased debt are
results indicators. Project milestones are usually process-oriented. Their
accomplishment does not, therefore, necessarily ensure that the intended result has
been achieved.
ASSESSMENT OF PROGRESS:
progress.
Highlight both significant achievements and
26
-------�
ATTACHMENT P
MATERIAL WEAKNESSES / CORRECTIVE ACTIONS
Material weaknesses are those which are significant enough to be reported by
the Administrator to the President and Congress. The OMB guidance, Appendix D,
offers criteria to help you determine materiality.
This attachment should consist of three parts:
o A summary/table of uncorrected material weaknesses.
o A description of each uncorrected material weakness in internal
controls.
o A description of each material weakness corrected in 1991.
NEW REQUIREMENT FOR THE 1991 FMFIA REPORT
To ensure that the Agency plans for resources to fix material
weaknesses, please identify the FTE and associated resources for FY 1992
and FY 1993.
PART ONE: SUMMARY/TABLE. Provide a summary of all uncorrected material
weaknesses listed in part two (please provide a page number for easy reference.)
The summary should list the titles in priority order and provide information on the
correction schedule. The following format should be used:
Title
First
Reported
YEAR
1990 FMFIA
Report Target
for Correction
Current
Target for
Correction
PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES.
Describe each uncorrected material weakness - in order of priority -- and provide
a complete action plan to correct the weakness. Changes in previous corrective
action schedules should be explained. Although you may cease reporting the
material weakness when the corrective actions eliminate the materiality of the
problem, you must continue to track the weakness, as Agency-level, until the
problem is completely eliminated.
27
-------�
ATTACHMENT D
MATERIAL WEAKNESSES / CORRECTIVE ACTIONS
Material weaknesses are those which are significant enough to be reported by
the Administrator to the President and Congress. The OMB guidance, Appendix D,
offers criteria to help you determine materiality.
This attachment should consist of three parts:
o A summary/table of uncorrected material weaknesses.
o A description of each uncorrected material weakness in internal
controls.
o A description of each material weakness corrected in 1991.
NEW REQUIREMENT FOR THE 1991 FMRA REPORT
To ensure that the Agency plans for resources to fix material
weaknesses, please identify the FTE and associated resources for FY 1992
and FY 1993.
PART ONE: SUMMARY/TABLE. Provide a summary of all uncorrected material
weaknesses. The summary should list the titles in priority order and provide
information on the correction schedule. The following format should be used:
YEAR
Title First 1990 FMFIA Current
Reported Report Target Target for
for Correction Correction
PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES.
Describe each uncorrected material weakness - in order of priority -- and provide
a complete action plan to correct the weakness. Changes in previous corrective
action schedules should be explained. Although you may cease reporting the
material weakness when the corrective actions eliminate the materiality of the
problem, you must continue to track the weakness, as Agency-level, until the
problem is completely eliminated.
27
-------�
The following format must be followed for each uncorrected material weakness. All
data elements are required.
CATS Tracking Number: If this is a new weakness, leave this blank. Resource
Management Division will assign the number.
Title of Material Weakness:
Description of Material Weakness and Its Impact on Agency Operations:
Functional Category in Statistical Summary: From the following functions of
management, list any areas where there are uncorrected weaknesses.
-Procurement
-Grant Management
-Personnel & Organizational Management
-ADP Security
-Payment Systems & Cash Management
-Loan Management & Debt Collection
-Property & Inventory Management
-Other (Specify)
Appropriation/Program Element:
Administrative Activity/Program Activity:
Year Identified:
Source of Discovery: Indicate how the material weakness was initially discovered
(e.g., OIG audit or investigation; management review or evaluation.) Reference
specific source document by title and report number or subject matter and date.
When you report weaknesses identified by an OIG or GAO auditor, please note this.
Internal Control Coordinators may have to work closely with Audit Follow-up
Coordinators to determine this information.
Original Target Correction Date:
Targeted Correction Date in Last Year's Report:
Current Target Date:
Reason for Change.in Datefs):
Critical Milestones in Corrective Action: Provide a complete action plan to
correct/improve the material weakness in the format presented below.
28
-------�
A.
B.
C.
a
Completed Actions/Events: Briefly describe actions taken since the last report
to OMB,
Planned Actions/Events (FY 1992):
the next 12 months.
Identify critical milestones and dates for
Planned. Actions/Events (FY 1993 and beyond): Identify critical longer-term
milestones and dates through achievement of final corrective action.
Resource Requirements: In the following table, please show the resources
needed to cure the material weakness. Please identify the appropriation for
which the resources are needed. The resource information listed here should
be drawn from the Management Integrity section of the Agency budget
submission.
Appropriation
S&E ($000)
AC&C
SF
R&D
TOTAL
S&E FTE
SF FTE
TOTAL FTE
FY 1992
President' s
Budget
FY 1993 OMB Submission
Additional
Request Need
Budget Implications: In addition to the resources listed above, you may want
to provide a narrative description of the budgetary impact.
Validation Process to be Used: Explain the validation process management will use
to verify completion and effectiveness of the corrective actions. Describe the
inspector General's role in validating corrective actions and identify other
independent validation processes to be used.
Corrective Action Plan Status Updates:
o September 30. 1991. Status Update: [This block serves as the Fourth
Quarter 1991 CATS Update. Address the progress being made on
each milestone listed above.]
s
o December 31. 1991. Status Update:
29
-------�
[Leave blank. This information will be requested as the 1992 First Quarter
CATS Update.]
o March 31. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Second Quarter
CATS Update.]
o June 30. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Third Quarter
CATS Update.]
o September 30. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Fourth Quarter
CATS Update.j
PART THREE: DESCRIPTION OF CORRECTED MATERIAL WEAKNESSES. For
each material weakness corrected this year, please provide the following information.
All data elements are required.
CATS Tracking Number:
Title of Material Weakness:
Description of Material Weakness and Its Impact on Agency Operations:
Functional Category in Statistical Summary: From the following functions, of
management, list any areas where there are unconnected weaknesses.
--Procurement
-Grant Management
-Personnel & Organizational Management
-ADP Security
-Payment Systems & Cash Management
-Loan Management & Debt Collection
-Property & Inventory Management
-Other (Specify)
Appropriation/Program Element:
Administrative Activity/Program Activity:
Year Identified:
30
-------�
Source of Discovery: Indicate how the material weakness was initially discovered
(e.g., OIG audit or investigation; management review or evaluation.) Reference
specific source document by title and report number or subject matter and date.
When the weakness was identified by. an OIG or GAO auditor, please note this.
Internal Control Coordinators may have to work closely with Audit Follow-up
Coordinators to determine this information.
Original Target Correction Date:
Targeted Correction Date in Last Year's Report:
Actual Completion Date:
Reason for Change in Datefs):
Corrective Actions Taken:
material weakness.
Provide a complete list of actions which corrected the
Results of Validation Actions: Explain the validation process management used to
verify completion and effectiveness of the corrective actions. Describe the role the
Inspector General performed, in validating corrective action and identify other
independent validation processes used.
31
-------�
ATTACHMENT E
AGENCY-LEVEL WEAKNESSES/CORRECTIVE ACTIONS
In this section, report new and previously reported weaknesses which do not
require reporting to the President and Congress but which the office still must
address. Include weaknesses identified in ICRs or AlCRs. Use the following format
for each weakness. This format will serve as the 1992 Corrective Action
Tracking System (CATS) format, and eliminate duplicative entry of data.
It is not necessary to identify resource requirements for curing Agency-level
weaknesses.
CATS Tracking Number: Leave this blank for weaknesses being reported for the
first time. The Resource Management Division will assign this tracking number.
Otherwise, include the number assigned previously to the weakness.
Assessable Unit Number:
Title of Agency-level Weakness and Description:
Year Identified and Source of Discovery: Indicate briefly how the weakness was
initially discovered (e.g., AICR such as an OIG audit). Reference a specific source
document by report number or subject matter and date. If you report weaknesses
identified by an OIG or GAO auditor, and correction of the weakness is being
tracked in MATS, please note this so it will not be tracked in CATS. Internal
Control Coordinators may have to work closely with Audit Follow-up Coordinators to
determine this information.
Critical Milestones in Corrective Action: Provide the action plan to correct the
weakness. Number each milestone in the plan and give dates for each milestone.
Explain any changes in milestone dates reported in previous years.
Validation Milestone: The final milestone should be a step to verify
completion and effectiveness of the corrective actions. If this was not
included in previously reported action plans, please include it now. Validation
actions can include actions managers themselves take, actions others - such
as auditors - take, and other independent processes.
Budget Implications: If the corrective actions will impact your budget, please provide
a narrative description here.
32
-------�
Corrective Action Plan Status Updates:
o September 30. 1991. Status Update: [this block serves as the Fourth
Quarter 1991 CATS Update. Address the progress being made on
each milestone listed above.]
o December 31. 1991. Status Update:
[Leave blank. This information will be requested as the 1992 First
Quarter CATS Update.]
o March 31. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Second
Quarter CATS Update.]
o June 30. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Third
Quarter CATS Update.]
o September 30. 1992. Status Update:
[Leave blank. This information will be requested as the 1992 Fourth
Quarter CATS Update.]
33
-------�
ATTACHMENT F
QUALITY CONTROL EVALUATION REPORT
(Internal Control Coordinator and
Assistant or Regional Administrator) . .
The Assistant Administrator for Administration and Resources Management,
as the Agency's Senior Internal Control Official, must report to the Administrator
each year on whether the Agency's internal control process was performed in
compliance with OMB Circular A-123 and the Federal Managers' Financial Integrity
Act (FMFIA).
The steps of the process were:
1. Organizing the process - Annual Work Plan;
2. Updating CATS Reports;
3. Training personnel;
4. Updating EPA's Segmentation;
5. Reviewing and revising Event Cycle Documentation;
6. Conducting Vulnerability/Risk Assessments;
7. Evaluating "highly vulnerable" assessable units;
8. Updating Management Control Plans;
9. Performing.Internal Control Evaluations (ICRs and AiCRs);
10. Resolving weaknesses and improving controls;
11. Reporting on the process and developing assurance letters;
12. Ensuring Quality Assurance
This Quality Control Evaluation Report and your assurance letter helps you,
the Resource Management Division, and the Office of Inspector General evaluate
your organization's implementation of this process.
The basic purpose for this form is to provide a quality control
mechanism for your 1991 internal control program, ft is a quick reference
form for seeing what parts of your internal control program need
improvement. Any statement answered with a "NO" or "NOT SURE" must be
accompanied by a narrative explanation and should be addressed in your 1992
FMFIA program.
Please ensure that all statements are answered and this questionnaire
accompanies your assurance letter, due October 31, 1991.
34
-------�
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
QUALITY CONTROL EVALUATION REPORT
AA or Regional Office
Primary Organization Head .
Internal Control Coordinator
Any statement answered with "NO" or "NOT SURE" requires a narrative statement
describing the reasons for your response.
I YES|NO|NOT |
i_ I i SURE i ;
ORGANIZATION/ORISNTATION/AWARENESS ]
1. All SES, GM supervisors, and others with j
significant FMFIA responsibility have been
trained or briefed on FMFIA and/or internal '
I| | | controls.
2. Copies of the FMFIA, the GAO Standards, OMB
guidelines, and pertinent Agency internal control
I I j I guidance are on file and accessible for review.
3. Managers in,your organization know where to find
the copies of FMFIA, the GAO Standards, OMB
guidelines, and perjtinent Agency internal control
I I | I guidance.
4. FMFIA responsibilities have been included in
the Performance Standards of all appropriate
I managers/supervisors as defined in 1. above.
SEGMENTATION
5. This organization is segmented into Assessable
I | | Units (AUs) as required by Agency guidance.
6. All functions, operations, and organizations
I | | are fully covered in the FMFIA process.
35
-------�
I I
7. The AU managers in the organization have been
informed of, or are fully aware of, their
responsibilities, in internal control.
EVENT CYCLE DOCUMENTATION
8. Event cycle documentation is on file and
is complete, up-to-date, and accurate.
9; Event cycle documentation has all elements
required by Agency guidance. Event cycles,
control objectives, and control techniques are
clearly identified.
10. Event cycle documentation has been certified
by the organization's managers for accuracy,
completeness, and current activities.
.I_J I
VULNERABILITY (RISK) ASSESSMENTS (VAs)
11. A VA was performed for all assessable units
in 1990, or 1991 for new assessable units.
12. Offices rated "highly" vulnerable have com-
pleted or planned a review to address their vul-
nerability and determine if weaknesses in controls
exist or if existing controls are adequate.
I I
.1 I
13.
MANAGEMENT CONTROL PLANS (MCPs)
This organization updated its 1991 MCP.
14. The MCP includes "1991 completed reviews" and
."1992 - 1996 planned reviews" based on VA ratings,
priority arid resources.
INTERNAL CONTROL EVALUATIONS (ICRs and AICRs)
15. Internal control reviews and/or alternative
internal control reviews (ICRs/AICRs) have been
conducted so that the organization's managers are
aware of improvements needed in their controls.
36
-------�
16. Written reports for ICRs/AICRs are on file and
are used to make necessary.improvements.
17. Supporting documentation for the ICRs/AICRs is
on file verifying that weaknesses identified or
recommendations made in these written reports have
been corrected or implemented.
18. ICR/AICR-recommended corrective actions were
evaluated to determine their effectiveness in
eliminating the weakness. Supporting documentation
I I | | is on file to substantiate this.
19. ICR/AICR's conducted tested controls. Those
I | J | controls are listed in event cycle documentation.
CORRECTIVE ACTION TRACKING SYSTEM (CATS)
20.. Corrective Action Plans, containing milestones
and completion dates were developed for each
weakness. Actions taken to correct the weaknesses
I I I I are monitored routinely for quarterly CATS updates.
21. Every IG and GAO report was reviewed for
internal control weaknesses. This effort has been
. coordinated with the office's Audit Follow-Up
I I I | Coordinator.
22. The managers have performed follow-up action
to ensure that the corrective actions reported as
"complete" in CATS have, indeed, corrected the
weakness. Supporting documentation is on file to
I I | | substantiate this.
. SUMMARY EVALUATION STATEMENT
Based on the manager's Quality Control Evaluation
.Reports and the personal involvement of the key
personnel in this organization, we have
implemented the Internal Control process in a
I I I | thorough and conscientious manner.
37
-------�
REMARKS;
ICC's Signature
Date
AA's or RA's Signature
Date
38
-------�
-------�
APPENDIX
TO
THE GUIDANCE PACKAGE
Optional Sub-Assurance Memoranda
Quality Control Evaluation Report by the Assessable Unit Manager
Blank Forms for the Attachments
Copy of OMB's 1991 Instructions for the FMFIA Report
A
B
C
D
-------�
-------�
-------�
APPENDIX A
THE BODY OF THE SUB-ASSURANCE MEMORANDUM
We are providing a simplified, optional approach for sub-assurance
memoranda. This means that while the AA and RA memoranda must be based on j
the full guidance, subordinate managers have two options for preparing sub- {
assurance memoranda: the same format as AAs and RAs, or the abbreviated one.
To simplify the preparation of 1991 sub-assurance letters within offices,
managers may want to use this optional checklist format and transmittal memo.
With this approach, the transmittal memo contains the manager's assurance that a j
system of management controls is in place and working, and describes the actions
the manager has taken, or plans to take, to improve management controls.
The Office of Water has used this streamlined approach and found that it
lessens the paperwork burden of assurance letter reporting, saves time, and still .
complies with the requirements of the Federal Managers' Financial Integrity Act.
If your managers have any questions about using this streamlined approach,
please have your ICC call the Resource Management Division's Management
Controls Branch.
An outline of a model sub-assurance FMFIA report memorandum is presented
below.
MEMORANDUM
SUBJECT: Annual Report on Management Controls
FROM: (Division)
TO: Assistant Administrator or Regional Administrator
I am submitting this annual report as required by Resource
Management Directive 2560 - "Internal Controls", to help you comply
with OMB Circulars A-123 • "Internal Controls" and A-130 -
"Management of Federal Information Resources".
-------�
ASSURANCE STA TEMENT
I have taken the necessary measures to assure that we have
evaluated our management controls in accordance with guidance
provided by the Office of Administration and Resources Management
and OMB. Based on our evaluation process and the following
information, it is our opinion that the system of management controls in
effect in this office during the fiscal year ending September 30, 1991.
provide reasonable assurance of compliance with the objectives of
management control.
ACTIONS TAKEN OR PLANNED TO IMPROVE MANAGEMENT
CONTROLS
I have implemented the following steps to improve management
controls in my office:
1.
2.
3. and so on...
DETAILED INFORMATION ON MANAGEMENT CONTROLS
The attached forms provide detailed information on management
control training, vulnerability assessments, management control
evaluation(s), implementing corrective action(s), and plans for review(s)
in the upcoming fiscal year.
Attachment
-------�
Attachment
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
ANNUAL REPORT i
OFFICE: (AA OFFICE or REGION) . ' •
i
ASSESSABLE UNIT: (DIVISION) j
ASSESSABLE UNIT NUMBER:
The attached forms support the actions taken to strengthen our management ,
controls. !
FORM TITLE APPLICABLE N/A |
' i
i
A Statistical Summary of Performance ;
|
B Review Process
C Progress Report on High Risk Areas
D Material Weaknesses/Corrective Actions
E Agency-Level Weaknesses/
Corrective Actions
Quality Control Evaluation Report
-------�
-------�
APPENDIX B
QUALITY CONTROL EVALUATION REPORT
(Assessable Unit Manager)
The Assistant Administrator for Administration and Resources Management,
as the Agency's Senior Internal Control Official, must report to the Administrator
each year on whether the Agency's internal control process was performed in
compliance with OMB Circular A-123 and the Federal Managers' Financial Integrity
Act (FMFIA).
The steps of the process were:
1. Organizing the process - Annual Work Plan;
2. Updating CATS Reports;
3. Training personnel;
4. Updating EPA's Segmentation;
5. Reviewing and revising Event Cycle Documentation;
6. Conducting Vulnerability/Risk Assessments;
7. Evaluating "highly vulnerable" assessable units;
8. Updating Management Control Plans;
9. Performing Internal Control Evaluations (ICRs and AlCRs);
10. Resolving weaknesses and improving controls;
11. Reporting on the process and developing assurance fetters;
12. Ensuring Quality Assurance
This Quality Control Evaluation Report and your assurance letter helps you,
your Internal Control Coordinator, the Resource Management Division, and the
Office of the Inspector General evaluate your organization's implementation of this
process.
The basic purpose for this form is to provide a quality control
mechanism for your 1991 internal control program. It is a quick reference
form for seeing what parts of your internal control program need
improvement. Any statement answered with a "NO" or "NOT SURE" must be
accompanied by a narrative explanation and should be addressed in your 1992
FMFIA program. Please ensure that all statements are answered and any other
requested information is provided to your primary organization's Internal Control
Coordinator.
You will notice that statement number 2 has been marked "not applicable".
Your organization's Internal Control Coordinator is responsible for responding to this
one.
-------�
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
QUALITY CONTROL EVALUATION REPORT
AA or Regional Office
Assessable Unit
Assessable Unit Manager
Any statement answered with "NO" or "NOT SURE" requires a narrative statement
describing the reasons for your response.
|YES|NO|NOT |
I I | SURE| ORGANIZATION/ORIENTATION/AWARENESS
1. All SES, GM supervisors, and others with
significant FMFIA responsibility have been
trained or briefed on FMFIA and/or internal
I I I I controls.
2. Copies of FMFIA, the GAO Standards, OMB guide
lines, and pertinent EPA internal control guidance
Not Applicable are on file and accessible .for review.
3. Managers in your organization know where to
find the copies of FMFIA, the GAO Standards, OMB
guidelines, and pertinent Agency internal control
I | | | guidance.
4. FMFIA responsibilities have been included in
the Performance Standards of all appropriate
managers/supervisors as defined in 1. above.
SEGMENTATION
5. My office is a segmented Assessable Unit in
I | I I accordance with Agency FMFIA guidance.
6. All functions, operations, programs, and
activities are fully covered in the FMFIA
I | | | process.
7. I, as the manager of this designated Assessable
Unit, have been informed of my responsibilities
for internal control as outlined in FMFIA.
8
-------�
: EVENT CYCLE DOCUMENTATION
8. Event cycle documentation is on file and
I I I is complete, up-to-date, and accurate.
9. Event cycle documentation has all elements
required by Agency guidance. Event cycles,
' control objectives and control techniques are
_| | clearly defined techniques.
10. I have certified the event cycle documentation
for accuracy, completeness, and current activities.
I I My ICC has the certification.
VULNERABILITY (RISK) ASSESSMENTS (VAs)
I I I I 11. I completed a VA for my assessable unit in
1989, 1990, or 1991 if it is new.
12. If my organization is rated "highly" vulnerable
I have completed or planned a review to determine
if weaknesses in controls exist or existing controls
I I I I are adequate. (Put N/A if rated "medium" or "low") .
MANAGEMENT CONTROL PLANS (MCPs)
I | | 13. I updated my assessable unit's 1991 MCP.
14. I included "1991 completed reviews" and
__ "1992 - 1996 planned reviews" on my organization's
'| I I 1991 MCP.
INTERNAL CONTROL EVALUATIONS (ICRs and AICRs)
15. Internal control reviews and/or alternative
internal control reviews (ICRs/AICRs) have been
conducted so that I, as the AU Manager, am aware
I | of improvements needed in my controls.
16. Written reports for ICRs/AICRs are on file and
I | are used to make necessary improvements.
-------�
17. Supporting documentation for the ICRs/AICRs is
on file verifying that weaknesses identified or •
recommendations made in these written reports have
I I I I been corrected or implemented.
18. ICR/AICR-recommended corrective actions were
evaluated to determine their effectiveness in •
' eliminating the weakness. Supporting documentation
I I I I is on file to substantiate this.
19. ICRs/AICRs conducted tested controls, and those
I I I I controls are listed in event cycle documentation.
CORRECTIVE ACTION TRACKING SYSTEM (CATS)
20. Corrective Action Plans, containing milestones
and completion dates were developed for each
weakness. Actions taken to correct the weaknesses
I I are monitored routinely for quarterly CATS updates.
21. Every IG and GAO report was reviewed for
internal control weaknesses. I have coordinated
this effort with the office's Audit Follow-Up
I I Coordinator.
22. I have taken follow-up action to ensure that
the corrective action reported as "complete" in
CATS have, indeed, corrected the weakness.
Supporting documentation is on file to .substantiate
I I this.
SUMMARY EVALUATION STATEMENT
I am confident that my organization has
implemented the Internal Control process in a
thorough and conscientious manner.
10
\
-------�
REMARKS:
AU Manager's Signature
Date
11
-------�
12
-------�
APPENDIX C
BLANK FORMS FOR THE AA AND RA REPORT
AND SUB-ASSURANCE REPORT ATTACHMENTS
A. Statistical Summary of Performance
B. Review Process
C. Progress Report on High Risk Areas
D. Material Weaknesses / Corrective Actions
E. Agency-Level Weaknesses / Corrective
Actions
F. Optional Sub-Assurance Memorandum
13
-------�
14
-------�
. ATTACHMENT A .
STATISTICAL SUMMARY OF PERFORMANCE
OVERALL COMPLIANCE; Overall, do your management control systems
comply with the objectives of FMFIA (to reasonably assure that
they protect Government assets from waste, fraud, and
mismanagement)?
Yes ; year achieved . No .
NUMBER OF MATERIAL WEAKNESSES:
In year indicated, For that year, For that year,
number reported number that have number still
for the first time, been corrected. pending.
Prior Years:
1989 Report:
1990 Report:
1991 Report:
TOTAL:
PENDING MATERIAL WEAKNESSES:
Category Number
Program Management:
—Program Execution
—Systems Development & Implementation
—Asset Disposition
—Environmental Impact
—Safety/Health-Related
—Other (Specify)
Functional Management:
—Procurement
—Grant Management
—Personnel & Organizational Management
—ADP Security
—Payment Systems & Cash Management
—Loan Management & Debt Collection
—Property & Inventory Management
—Other (Specify)
TOTAL
-------�
ATTACHMENT B
REVIEW PROCESS
DESCRIPTION OF OFFICE AND STRUCTURE OF REVIEW PROCESS:
1991 STATISTICAL DATA FOR REVIEW PROCESS;
o Number of assessable units? .
o Number of vulnerability assessments?
Planned . Conducted .
o Number of 1991 Internal Control Reviews?
Planned . Conducted .
o Number of 1991 Alternative Internal Control Reviews?
Planned . Conducted .
o Percentage of assessable units reviewed in 1991
COMMENTS ON DISCREPANCY BETWEEN REVIEWS PLANNED VERSUS CONDUCTED:
DESCRIPTION OF THE OFFICE SYSTEM FOR TRACKING REVIEWS,
WEAKNESSES, AND CORRECTIVE ACTIONS;
DESCRIPTION OF THE OFFICE'S PROCESS FOR VALIDATING CORRECTIVE
ACTIONS:
DESCRIPTION OF THE OFFICE'S TRAINING IN MANAGEMENT CONTROLS:
-------�
ATTACHMENT C
PROGRESS REPORT ON HIGH RISK AREAS
PRINCIPAL STAFF CONTACT
Name:
Title:
Agency/Office:
Telephone Number: FTS
HIGH RISK AREA:
o Appropriation.
o Year Identified.
o How Identified.
o Targeted Correction Date in Last Year's Report,
o Current Target Date.
o Reason for Change in Date(s).
STRATEGY:
CRITICAL MILESTONES COMPLETION DATE
ORIGINAL CURRENT ACTUAL
PLAN PLAN
CRITICAL MILESTONES, DATES AND RESOURCE REQUIREMENTS
A. Completed Actions/Events;
B. Planned Actions/Events (FY 1992);
C. Planned Actions/Events (FY 1993 and beyond):
-------�
D. Resource Requirements:
FY 1992 FY 1993 OMB Submission
President's Additional
Appropria t ion Budget , Request Need
S&E ($000)
AC&C
SF
R&D '
TOTAL
S&E FTE
SF FTE
TOTAL FTE
Budget Implications;
RESULTS INDICATORS:
ASSESSMENT OF PROGRESS:
-------�
. . ATTACHMENT D
MATERIAL WEAKNESSES/CORRECTIVE ACTIONS
PART ONE; SUMMARY/TABLE.
_ YEAR
Title First 1990 FMFIA Current
Reported Report Target Target for
for Correction Correction
PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES.
CATS Tracking Number;
Title of Material Weakness:
Description of Material Weakness and Its Impact on Agency
Operations:
Functional Category in Statistical Summary;
Appropriation/Program Element;
Administrative Activity/Program Activity:
Year Identified;
Source of Discovery;
Original Target Correction Date;
Targeted Correction Date in Last Year's Report:
Current Target Date:
Reason for Change in Date(s);
-------�
Critical Milestones in Corrective Action;
A. Completed Actions/Events;
B. Planned Actions/Events (FY 1992):
c-. Planned Actions/Events (FY 1993 and beyond);
D. Resource Requirements;
FY 1992 FY 1993 OMB Submission
President's Additional
Appropriation Budget Request Need
S&E ($000)
AC&C
SF
R&D
TOTAL
S&E FTE
SF FTE '
TOTAL FTE
Budget Implications;
Validation Process to be Used;
Corrective Action Plan Status Updates;
o September 30, 1991, Status Update;
o December 31, 1991, Status Update;
o March 31, 1992, Status Update;
o June 30, 1992, Status Update:
o September 30, 1992, Status Update;
PART THREE; DESCRIPTION OF CORRECTED MATERIAL WEAKNESSES.
CATS Tracking Number;
-------�
Title of Material Weakness:
Description of Material Weakness and Its Impact on Agency
Operations; • . •
Functional Category in Statistical Summary;
Appropriation/Program Element:
Administrative Activity/Program Activity;
Year Identified;
Source of Discovery:
Original Target Correction Date;
Targeted Correction Date in Last Year7s Report;
Actual Completion Date;
Reason for Change irt Date(s):
Corrective Actions Taken;
Results of Validation Actions;
-------�
. •:.••• . ATTACHMENT E
AGENCY-LEVEL WEAKNESSES/CORRECTIVE ACTIONS
CATS Tracking Number:
Assessable Unit/AU #;
Title of Agency-level Weakness and Description:
Year Identified and Source of Discovery;
Critical Milestones in Corrective Action:
Validation Milestone:
Budget Implications, If Any;
Corrective Action Plan Status Updates:
o September 30, 1991, Status Update;
o December 31, 1991, Status Update:
o March 31, 1992, Status Update; '• -
o June 30, 1992, Status Update:
o September 30, 1992, Status Update;
-------�
ATTACHMENT F
MEMORANDUM
SUBJECT: Annual Report on Management Controls
FROM:
TO:
I am submitting this annual report as required by Resource
Management Directive 2560 - "Internal Controls", to help you
comply with OMB Circulars A-123 - "Internal Controls" and A-130 -
"Management of Federal Information Resources".
ASSURANCE STATEMENT
I have taken the necessary measures to assure that we have
evaluated our management controls in accordance with guidance
provided by the Office of Administration and Resources Management
and OMB. Based on our evaluation process and the following
information, it is our opinion that the system of management
controls in effect in this office during the fiscal year ending
September 30, 1991, provide reasonable assurance of compliance
with the objectivesof management control.
ACTIONS TAKEN OR PLANNED TO IMPROVE MANAGEMENT CONTROLS
I have implemented the following steps to improve management
controls in my office:
1.
2.
3. . .
DETAILED INFORMATION ON MANAGEMENT CONTROLS
The attached forms provide detailed information on
management control training, vulnerability assessments,
management control evaluation(s), implementing corrective
action(s), and plans for review(s) in the upcoming fiscal year.
Attachment
-------�
Attachment
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT
ANNUAL REPORT .
OFFICE:
ASSESSABLE UNIT:
ASSESSABLE UNIT NUMBER:
The attached forms support the actions taken to strengthen
our management controls.
FORM TITLE APPLICABLE N/A
A Statistical Summary of Performance
B Review Process
C Progress Report on High Risk Areas
Material Weaknesses/Corrective Actions
Agency-Level Weaknesses/
Corrective Actions
Quality Control Evaluation Report
-------�
-------�
APPENDIX D
OMB'S 1991 INSTRUCTIONS
FOR THE FMFIA REPORT
15
-------�
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON. D.C. 20503
August 3, 1991
MEMORANDUM FOR THE DEPUTY SECRETARIES OF EXECUTIVE DEPARTMENTS
DEPUTY ADMINISTRATOR OF THE ENVIRONMENTAL
PROTECTION AGENCY
DEPUTY ADMINISTRATOR OF THE NATIONAL
AERONAUTICS AND SPACE ADMINISTRATION
SELECTED HEADS OF INDEPENDENT AGENCIES
/
FROM: Frank Hodsoll
Executive Associate Director
SUBJECT: 1991 Federal Managers' Financial Integrity Act
(FMFIA) Reporting Requirements
Attached is the guidance to be used in preparing your
agency's 1991 FMFIA report to the President and the congress.
This guidance should be followed by the agencies listed in
Attachment A. Smaller independent agencies will receive modified
guidelines.
The report is due to the President and the Congress on
December 31, 1991. However, agencies are encouraged to submit
the report early, so that OMB can use agency FMFIA findings
during the budget formulation process.
I ask your personal attention in assuring that the 1991
FMFIA report reflects the true state of your agency's management
controls.
Please ask your staff to direct any questions to your
agency's OMB Management Examiner or to the Management Integrity
Branch on 395-6911.
Attachments
-------�
. Attachment A
The following agencies are subject to the Federal Managers'
Financial Integrity Act (FMFIA) and the attached guidance:
Department of Agriculture .
Department of Commerce
Department of Defense
Department of Education
Department of Energy
Department of Health and Human Services
Department of Housing and Urban Development
Department of the Interior
Department of Justice
Department of Labor
Department of State
Department of Transportation
Department of the Treasury
Department of Veterans Affairs
ACTION
Agency for International Development
Appalachian Regional Commission
Arms Control and Disarmament Agency
Central Intelligence Agency
Commission.on Civil Rights
Commodity Futures Trading Commission
Consumer Product Safety Commission
Equal Employment Opportunity Commission
Environmental Protection Agency
Executive Office of the President
Farm Credit Administration
Federal Communications Commission
Federal Election Commission
Federal Emergency Management Agency
Federal Energy Regulatory Commission
Federal Labor Relations Authority
Federal Maritime Commission
Federal Mediation and Conciliation Service
Federal Retirement Thrift Investment Board
Federal Trade Commission
General Services Administration
International Trade Commission
Interstate Commerce Commission
Merit Systems Protection Board
National Aeronautics and Space Administration
National Archives and.Records Administration
National Credit Union Administration
National Endowment for the Arts
National Endowment for the Humanities
National Gallery of Art
National Labor Relations Board •
National Science Foundation
-------�
National Transportation Safety Board
Nuclear Regulatory Commission
Office of Personnel Management .
Panama Canal Commission
Peace Corps
Railroad Retirement Board
Resolution Trust Corporation Oversight Board
Securities and Exchange Commission
Selective Service System
Small Business Administration
U.S. Information Agency
U.S. Soldiers' and Airmen's Home
The following agencies are exempt from the provisions of FMFIA but
are subject to OMB Circulars No. A-123, Internal Control Systems.
and No. A-127, Financial Management Systems, and to the attached
guidance:
Commodity Credit Corporation
Export-Import Bank of the United States
Federal Crop Insurance Corporation
Federal Housing Finance Board
Federal Housing Administration Fund
Federal Prison Industries, Inc.
Government National Mortgage Association
Overseas Private Investment Corporation
Pension Benefit Guaranty corporation
Rural Telephone Bank
Saint Lawrence Seaway Development Corporation
Smithsonian Institution
-------�
• ;-..' Attachment B
GUIDANCE FOR PREPARING 1991 INTEGRITY ACT REPORT
This guidance should be used in preparing your agency's 1991 report
to the President and the Congress under the Federal Managers'
Financial Integrity Act (FMFIA).
This . guidance applies to the Cabinet departments and major
independent agencies, as listed in Attachment A. Separate
instructions will be issued for smaller agencies.
The report is due to the President and Congress on December 31,
1991. However, agencies are encouraged to submit the report early.
This will allow OMB to make maximum use of the report during the
budget formulation process.
The report should highlight the major management control and
financial systems accomplishments and problems of the year ending
September 30, 1991, as well as your commitment to future
improvements. The report should cover both Section 2, and Section
4 of the FMFIA. Section 2 addresses improving management controls
over program and administrative areas — as well as financial
activities — to protect against fraud, waste or mismanagement.
Section 4 requires that financial management systems comply with
standards applicable to Executive Branch agencies.
Your submission should include those material weaknesses in
management controls, and material non-conformances in financial
systems, significant enough to be of interest to the President and
the Congress. Special consideration should be given to whether
nbncompliance with commonly accepted security practices in a
sensitive system constitutes a material weakness.
Questions may be directed to your agency's OMB Management Examiner
or to OMB's Management Integrity Branch on 395-6911.
-------�
Overall Requirements
The 1991 year-end management integrity report should consist of a
single letter from the agency head to the President and the
Congress, with five Enclosures:
A. Statistical Summary of Performance;
B. Summary of Agency's Management Control Review Process;
C. Progress Report on High Risk Areas;
D. Description of Material Weaknesses and Critical
Milestones for Corrective Actions; and
E. Description of Material Non-conformances and Critical
Milestones for Corrective Actions.
Assessing Materiality of Weaknesses - Section 2 Internal Controls
For purposes of determining what constitutes a material weakness in
internal control systems (Section 2), the criteria set forth in OMB
Circular A-123 should be used. The criteria require reporting
weaknesses that:
o significantly impair the fulfillment of an agency or
component's mission;
o deprive the public of needed services;
o violate statutory or regulatory requirements;
o significantly weaken safeguards against waste, loss,
unauthorized use or misappropriation of funds, property, or
other assets; or
o result in a conflict of interest.
Since the above factors are judgmental and can be widely
interpreted, the following additional factors should be used to
determine whether weaknesses are to be reported to the President
and the Congress. Each material weakness should meet one or more
of the following additional criteria:
o merits the attention of the agency head/senior management, the
Executive Office of the President, or the relevant
Congressional oversight committee;
o exists in a major program or activity;
o could result in the loss of $10 million or more, or 5 percent
or more of the resources of a budget line item; or
o its omission from the report could reflect adversely on the
management integrity of the agency.
Assessing Materiality of Weaknesses - Section 4
Each material non-conformance (Section 4) should meet one or more
of the following criteria:
o merits the attention of the agency head/senior management, the
Executive Office of the President, or the relevant
Congressional oversight committee;
o prevents the agency primary accounting system from achieving
central control over agency financial transactions and
-------�
resource balances;..
o prevents compliance of the primary accounting system,
subsidiary system or program system with OMB Circular A-127
(Financial Management Systems), the Standard General Ledger.
and the Core Financial Systems Requirements: or
o results in an actual material misstatement (either 5 percent
or more of a budget line item or $10 million or more) in
reports required by .the OMB, the Treasury Department, or the
Congress.
Assessing Overall Compliance with Section 4
To report compliance with Section 4, agencies must provide
reasonable assurance that the quality of both agency budget and
accounting information and agency financial systems meets the
requirements described below. Agencies may report overall
compliance even with a number of material non-conformances, as long
as the non-conformances when considered together are not
sufficiently serious to prevent compliance. As a general rule,
agencies with systems on the OMB high risk list must report non-
compliance, or compliance with specific exceptions. until
corrective action is completed.
Compliance with information standards requires:
(crosswalks
o implementation of the Standard General Ledger
acceptable); and
o accurate, timely, comparable, useful budget and accounting
information for the current and past fiscal years.
Compliance with systems functional standards requires:
o for the agency (bureau level acceptable):
a primary financial system featuring general ledger
control (including fund control) over agency resources,
obligations and spending;
single entry of data (or adequate reconciliation) between
primary and subsidiary systems; and
appropriate accounting capability for cost and for
production units.
o for individual systems or subsystems:
adequate systems documentation and audit trails; and
— adequate overall performance of assigned mission.
-------�
FORMAT FOR THE 1991 FMFIA REPORT
Letter From the Agency Head
Your letter . to the President
substantive. It should:
and the Congress should be
o state whether there is reasonable assurance that the agency,
as a whole, complies with both Sections 2 and 4 of the FMFIA
(such assurance may be provided even though limited exceptions
are cited);
o state high risk areas in priority order;
o state critical material weaknesses and non-conformances other
than those identified as high risk areas;
o describe concisely the impact or potential impact of these
problems on agency programs; and
o summarize corrective actions being taken or planned to address
these problems.
Enclosures
Detailed requirements for Enclosures A - E follow.
Transmission of Report
The letter and enclosures, addressed to the following persons,
must be signed by the agency head and transmitted to the recipients
no later than December 31 (Agencies are encouraged to make early
submissions.} :
Addressee
The President
The President
of the Senate
Speaker of the
House of
Representatives
Address on letter
The President
The White House
Washington, D.C.
20500
Honorable J. Danforth Quayle
President of the Senate
Washington, D.C. 20510
Honorable Thomas S. Foley
Speaker of the House
of Representatives
Washington, D.C. 20515
Salut
Dear Mr.
President:
Dear Mr.
President:
Dear Mr.
Speaker:
In addition, fifteen copies of the report to the President
should be sent to:
Ms. Susan Gaffney
Acting Assistant Director for
Financial Management
Office of Management and Budget
New Executive Office Building, room 10235
Washington, D.C. 20503
-------�
ENCLOSURE A — STATISTICAL SUMMARY OF PERFORMANCE
Enclosure A to the agency letter should present a statistical
summary of the agency's performance under Section 2 (internal
controls} and Section 4 (financial systems) using the format on the
following pages. . The enclosure should, where necessary, describe
changes in the definition of material weakness and non-conformance,
and any other action that would affect the statistical summary.
STATISTICAL SUMMARY OF PERFORMANCE
SECTION 2, INTERNAL CONTROL SYSTEMS
Overall compliance Yes No Year achieved
Number of Material Weaknesses
In year indicated, For that year For that year,
number reported number that have number still
for the first time been corrected pending
Prior years
1989 report
1990 report
1991 report
Total :
Of the total number corrected, how many were corrected in 1991?
Pending Materia1 Weaknesses
Category Number
Program management:
Program execution
Systems development
and implementation
Asset disposition
Environmental impact
Safety, health-related . •
Other (specify)
Functional management:
Procurement
Grant management
Personnel and
organizational management
ADP security
Payment systems
and cash management
Loan management
and debt collection
Property and
inventory management
Other (specify)
Total
-------�
SECTION 4. FINANCIAL MANAGEMENT SYSTEMS
Compliance assurance
Yes
Overall compliance with Section 4
o Compliance with financial information
standards
o Compliance with systems functional
standards
Number of Material Non-conformances
In year indicated, For that year,
number reported number that have
for first time been corrected
Year
No Achieved
For that .
year, number
still pending
Prior years
1989 report
1990 report
1991 report
Total
Of the total number corrected, how many were corrected in 1991?
Pending Non-conformances
Name of
System
Type of
Non-conformance
Title of
Non-conformance
Non-conformance types are as follows:
o Financial information standards
Compliance with SGL
Data quality
o Systems functional standards
Primary financial system
Effective interfaces
— Cost accounting
Documentation/audit trails
— Mission performance
-------�
ENCLOSURE B — REVIEW PROCESS
This enclosure should describe the agency's FMFIA review process.
1. Section 2
o Description of organization and structure of review process:
o 1991 statistical data for review process:
Number of assessable units .
Number of vulnerability assessments ,
planned . Conducted .
Number of .internal control reviews
planned . Conducted .
Number of alternative reviews
planned . Conducted .
— Percentage of assessable units reviewed .
o Comment on results versus plan:
2. Section 4
o Description of organization and structure of review process:
o Provide an inventory of agency's financial management systems,
and indicate the total number of systems *:
o 1991 statistical data for review process:
Number of annual reviews .
Number of detailed cyclical reviews .
o Comments on results versus plan:
3. Overall
o Describe the agency system for tracking reviews, material
weaknesses, material non-conformances, and corrective actions;
o Describe process for validating corrective actions;
o Briefly describe how the agency provides training in
management controls;
o Describe actions taken or planned to ensure accountability for
results in identifying and correcting material weaknesses and
non-conformances.
* Use agency response to OMB Memorandum 91-05 (April 15, 1991) if
available.
-------�
ENCLOSURE C --- PROGRESS REPORT ON HIGH RISK AREAS
This enclosure should be used by agencies that have a high risk
area.
The relationship between high risk areas and material weaknesses
varies. Some high risk areas have a direct relationship to one or
more material weaknesses. For example, a high risk area entitled
11 procurement" might be comprised of five discrete material
weaknesses. Other high risk areas are broadly defined and have not
been identified as material weaknesses. High risk areas in the
latter category should be reported in this enclosure.
For high risk areas made up of one or more material weaknesses, a
crosswalk between this enclosure and Enclosure D or .E is
acceptable. The name of the high risk area and material
weakness(es) should be noted in this enclosure, but detailed
information should be included in Enclosure D or E.
High Risk Area; .
Describe problem/weakness. If the area is on the OMB high risk
list, that description should be used or updated. If a new high
risk area is reported here, prior consultation with OMB on the
description is advised.
Bureau/Appropriation;
Pace of Corrective Action
Year Identified:
Original Targeted Correction Date;
Targeted Correction Date in Last Year's Report:
Current Target Date;
Reason for Change in Datefs):
Strategy;
Briefly describe how the agency is correcting the problem/weakness.
Completion Date
Critical Milestones Original Plan Current Plan Actual
Provide a complete plan of action for correcting the high risk.
A. Completed Actions/Events
B. Planned Actions/Events (short term - next 12 months)
C. Planned Actions/Events (longer termV
Results Indicators
Describe key results indicators. Results indicators are
quantitative and/or qualitative measures to determine whether
agency actions have corrected the weakness or deficiency.
Assessment of Progress
Highlight both significant achievements and problems.
-------�
ENCLOSURE D — MATERIAL WEAKNESSES/CORRECTIVE ACTIONS
This enclosure consists of three parts: (1) a summary/table of
contents of material weaknesses; (2) a description of each pending
material weakness in internal controls (Section 2); and, (3) a
description of each material weakness that was corrected in 1991.
The summary/table of contents section includes material on
correction targets which is also requested in the description
sections. This is done to facilitate analysis of the agency's
overall performance on pace of corrective actions.
Part 1.. Provide a summary of all pending material weaknesses. The
summary should: list the . titles of the weaknesses in priority
order; provide information on the correction schedule; and indicate
the page number of the more detailed description to follow. The
following format should be used:
Title
Year
First
Reported
Target for
Correction
in 1990
FMFIA Report
Current
Target
for
Correction
Page
Part 2. Describe each pending material weakness and provide a
complete plan of action to correct the weakness. Changes in
previous corrective action schedules should be explained.
Correction is accomplished when the weakness is no longer material.
Material weaknesses may be consolidated, so long as the identity
and character of the weaknesses are not lost.
The following format shall be followed for each uncorrected
weakness. All data elements are required.
Title of Material Weakness;
Functional Category in Statistical Summary;
Sureau/Appropriation/Account Number:
Administrative Activity/Program Activity;
Pace of Corrective Action
Year Identified;
Original Targeted Correction Date;
Targeted Correction Date in LastYear's Report;
CurrentTarget Date:
Reason for Change in Datefs);
Description of Material Weakness and Its Impact on Agency
Operations;
-------�
Source of Discovery of Material Weakness;
Indicate how material weakness was initially discovered, e.g.,
IG audit or investigation, management review, evaluation.
Provide a reference to a specific source document by report
number .or subject matter and date.
Critical Milestones inCorrective Action;
Provide a complete plan of action to correct/improve the
material weakness in the format presented below.
Critical Milestones
Completion Date
Original Plan Current Plan Actual
A.
B.
C.
Completed actions/events
Planned actions/events
(short term - next 12
months!
Planned actions/events (longer term)
Validation Process to be Used;
Explain the validation process to be used by management to
verify the completion of the corrective action.. Describe the
role the Inspector General can perform in validating
corrective action and identify any other independent
validation processes to be used.
Part 3. For each material weakness corrected this year, please
provide the following information:
Title of Material Weakness:
Bureau/Appropriation/Account Number;
Year Identified:
Corrective Actions Taken;
Results of Validation Actions Taken;
10
-------�
ENCLOSURE E — MATERIAL NON-CONFORMANCES/CORRECTIVE ACTIONS .
This enclosure consists of three .parts: (l) a summary/table of
contents of material non-conformances; (2) a description of each
pending material non-conformance (Section 4); and (3) a description
of each material non-conformance that was corrected in 1991. The
summary\table of contents section includes material on correction
targets which is also requested in the description, sections. This
is done to facilitate analysis of the agency's overall performance
on pace of corrective actions.
Fart 1. Provide a summary of all pending material non-
conformances. The titles of the non-conformances should be listed
in priority order. Information on the correction schedule can be
broken down either by system or by individual non-conformance. The
following format may be used as a model:
Year
Name of system/
Title(s) of
non-conforraance f s)
First
Reported
Target for
Correction
in 1990
FMFIA Report
Current
Target
for
Correction
Page
Part 2. Describe each pending material non-conformance and provide
a plan of action to correct the non-conformance. . Changes in
previous corrective action schedules should be explained.
Correction is accomplished when the non-conformance is no longer
material. Material non-conformances may be grouped (e.g., by
system or organizational unit), so long as the identity and
character of the deficiencies are not lost.
The following format may be used as a model for uncorrected
material non-conformances. Under any .circumstances, all data
elements are required.
Name of System for Organizational Unit, if appropriate);
Title of Material Non-conformance:
System Type: Core Financial . Subsidiary
Functional Category in-Statistical Summary:
Bureau/Appropriation/Account Number;
Administrative Activity/Program Activity:
Program
:\
\
\
-------�
A
Pace of Corrective Action
Year Identified; .. '
Original Targeted Correction Date:
Targeted Correction Date in Las_t Year's Report:
Current Target Date;
Reason for Change in Date(si;
Description of Material Non-conformance and Its Impact' on
Agency Operations:
Source of Discovery of Material Non-conformance;
Indicate how material non-conformance was initially
discovered, -e.g., IG audit or investigation, management
review, evaluation. Provide a reference to a specific source
document by report number or subject matter and date.
Critical Milestones in Corrective Action:
Provide a complete plan of action to correct/improve material
non-conformance in the format presented below.
Completion Date
Critical Milestones Original Plan Current Plan Actual
A. Completed actions/events
B. Planned actions/events (short term - next 12
months)
C. Planned actions /events (longer j-erm)
Validation Process to beUsed;
Explain the validation process to be used by management to
verify the completion of the corrective action. Describe the
role the Inspector General can perform in validating
corrective action and identify any other independent
validation processes to be used.
Part 3. Please provide the following information for any material
non-conformances corrected this year:
Name of System or Organizational Unit (if appropriate):
Title of Material Non-conformancefs):
System JType^ Core Financial Subsidiary Program
Bureau/Appropriation/Account Number;
Year Identified: *
Corrective Actions Taken:
Results of Validation Actions Taken;
12
-------� |