4 S" «.«*. UNITED STATES ENVIRONMENTAL PROTECTION AGENCY (V K t (V GUIDANCE FOR PREPARING THE 1991 FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT ANNUAL REPORT Prepared by: RESOURCE MANAGEMENT DIVISION OFFICE OF THE COMPTROLLER OFFICE OF ADMINISTRATION AND RESOURCES MANAGEMENT August 1991 O-J CD CD HEADQUARTERS LIBRARY ENVIRONMENTAL PROTECTION AGENCY WASHINGTON, D.C. 20460 ------- ------- CONTENTS OF THE 1991 GUIDANCE PACKAGE Page Table of Contents of the 1991 Guidance Package 3 Executive Summary 5 Milestone Calendar 6 New Requirements for the 1991 FMFIA Report ' 7 General Information About Preparing and Submitting the Report 8 CONTENTS OF THE AA's and RA's 1991 REPORT 11 The Body of the AA's and RA's Memorandum 13 Outline of a Model Memorandum 13 The Attachments to the Memorandum 17 A, Statistical Summary of Performance 19 B. Review Process 21 C. Progress Report on High Risk Areas 24 D. .Material Weaknesses / Corrective Actions 27 E. Agency-Level Weaknesses / Corrective Actions 32 F. Quality Control Evaluation Report 34 APPENDIX TO THE GUIDANCE PACKAGE Options for Preparing Sub-Assurance Memoranda A Quality Control Evaluation Report by the Assessable Unit Manager B Blank Forms for the Attachments and Sub-Assurance Memoranda C Copy of OMB's 1991 Instructions for the FMFIA Report D 3 ------- ------- I EXECUTIVE SUMMARY This document is the Agency guidance for preparing the 1991 report required by the Federal Managers' Financial Integrity Act. The guidance document consists of the following main components: o The transmittal memorandum from the Deputy Administrator, expressing his expectations about how the process will be conducted and the importance of the personal involvement of the Assistant and Regional Administrators; o A milestone calendar for completing the 1991 report; o Highlights of new requirements; o General information about preparing and submitting reports; o The required contents of the 1991 report: What AAs and RAs must address in the body of their memoranda; What AAs and RAs must provide in the attachments to their memoranda; and o An appendix containing additional material to help you prepare your report. o The requirements for your 1991 report are little changed from 1990. The main changes are: AAs and RAs must identify resources needed for corrective actions; Subordinate organizations have the option of using a simplified report to speed up the sub-assurance report process and lessen paperwork; and Reporting requirements in the Statistical Summary of Performance have been reduced. The staff of the Resource Management Division of the Office of the Comptroller stands ready to assist you in all aspects of your management integrity program including your preparation of the 1991 FMFIA report. Please call them on FTS 260-4160. ------- CRITICAL MILESTONES IN THE 1991 FMFIA REPORT PROCESS 10-31-91: FMFiA reports for Fiscal Year 1991 are due to the Deputy Administrator from Assistant Administrators, the General Counsel, the Inspector General, and the Regional Administrators. 11-8-91: Resource Management Division completes first draft of Agency Report. 11-21-91: The Senior Council on Management Controls discusses with the Assistant and Regional Administrators: o Their personal involvement in the management control and audit follow-up programs; o The material weaknesses they declare in their respective 1991 FMFIA reports; o The reasons that they judge to be non-material any OIG or GAO candidate weakness proposed in the September 12 meeting of the Senior Council on Management Controls; o The quality and timeliness of Headquarters and Regional Office reports; o The material weaknesses that are under consideration for inclusion in the Agency report that the Administrator submits to the President and the Congress by December 31; 11-26-91: Resource Management Division submits draft Agency report to Internal Control Coordinators for their offices' review. 12-12-91: Resource Management Division completes revised draft Agency report. 12-19-91: Resource Management Division meets with the Deputy Administrator to review the draft report and the material weaknesses that will be declared in the report to the President and the Congress. 12-31-91: The 1991 FMFIA process concludes with the Administrator signing the Agency Report to the President and the Congress. ------- NEW REQUIREMENTS FOR THE 1991 FMFIA REPORT There are few changes in requirements from last year. OMB continues to emphasize "high-risk" reporting, priority setting for addressing material weaknesses, budget linkage, automated information systems, validation of corrective actions, description of training in management controls, and strengthened reporting on review processes. A complete copy of OMB's 1991 guidance for preparing the report is included in this document as Appendix D. Informally, OMB has requested information on resource estimates for dealing with high risk areas and correcting material weaknesses. This information is requested in Attachments C and D. ------- GENERAL INFORMATION ABOUT PREPARING AND SUBMITTING YOUR REPORT The original report is due to the Deputy Administrator by October 31, 1991. A double-sided copy and 5-1/4" diskette containing the report and all attachments in WordPerfect 5.0 must be sent by October 31, 1991, to: U.S. Environmental Protection Agency Resource Management Division Management Controls Branch Mail Code H-3304, NELC-0024 Washington, D.C. 20460 This guidance should be used in preparing your Office's 1991 report to the Deputy Administrator under the Federal Managers' Financial integrity Act (FMFIA). Your report should cover program, administrative, and financial controls. Detailed instructions on preparing the report and attachments are provided in the section on this document entitled: "Contents of the Report," which begins on page 11. The narrative portion must be substantive and highlight the major management control accomplishments and problems of the year ending September 30, 1991. It also should discuss activities impacting your ability to provide reasonable assurance of effective controls, such as reorganizations or new statutory requirements. Your attachments must include specific statistical and milestone information. The formats for the attachments ensure consistent and complete statistical information required by OMB, including budget information. If you have no information to report in an attachment, please state in the narrative section that your report does not include that attachment. Please do not enclose a blank attachment saying "Not Applicable". Label your attachments, however, as identified in this guidance so that when culling information from the various reports, we have a common frame of reference. Sub-assurance Letters Most offices require their divisions and laboratories to prepare their own FMFIA reports {known as "sub-assurance memos") to gather the information needed for the office annual report. 8 ------- We have included in Appendix A a simplified, optional approach for sub- assurance memoranda AAs and RAs prepare their reports based on the full guidance, while subordinate organization managers have two options for preparing their sub-assurance memoranda: either the same format as the office report or the abbreviated style. The simplified approach was pioneered by the Office of Water, and it is a good a approach for saving work, where applicable. ------- 10 ------- CONTENTS OF THE 1991 FMFIA REPORT 11 ------- 12 ------- THE BODY OF THE AA's & RA's REPORT An outline of a model FMFIA report memorandum is presented below. Information about the required contents of the memorandum is included within the outline. The model allows each office sufficient flexibility to reflect the actual character of its individual management integrity program. MEMORANDUM SUBJECT: 1991 Report on Management Controls FROM: [Primary Organization Head] TO: F. Henry Habicht II Deputy Administrator ASSURANCE STATEMENT: State whether the controls in your Office provide reasonable assurance that your Office, as a whole, complies with the requirements of FMFIA. ACCOMPLISHMENTS IN MANAGEMENT CONTROL PROGRAM: Describe any accomplishments your Office made in the area of management controls. Examples include a task force effort to strengthen particular controls or your Office's entire control process; overall changes in your Office's control procedures to enhance effectiveness; increased attention to audit follow-up; or conferences held or councils formed to discuss control issues. Be generous in sharing your success stories here, so that others may profit from them. PIG. GAP, and OMB CONCERNS: Auditors in both the Office of the Inspector General (OIG) and the General Accounting Office (GAO) review management controls as part of every audit they conduct. Be sure your memorandum addresses: o Any major concerns identified in OIG and GAO audits performed in your Office in 1991; 13 ------- Audit follow-up. Reviews by the OIG and the OARM are continuing to find that offices' audit follow-up is weak and that reporting is incomplete or inaccurate. These weaknesses may be material. AAs and RAs should carefully assess their audit follow-up programs. If their follow-up or their tracking information is weak, they should report the weaknesses in their FMFIA reports. Payroll/overtime administration; Contracts management and administration; 1991 activities to improve the integrity, availability, confidentiality of automated information systems. and You may address the OIG, GAO, and OMB issues in the narrative itself, in particular attachments, or in a crosswalk of both. The choice is yours depending on the degree of concern about them in your particular office. In accordance with the Computer Security Act of 1987, Federal agencies developed plans for assuring adequate security for sensitive systems last year. According to OMB, in some instances that process identified significant weaknesses in agency systems along with plans for correcting the weaknesses. Your memorandum should address weaknesses identified in your office through this process. Your letter should address these particular control issues and any others identified in OIG and GAO audits performed in your Office in 1991. Evaluate these activities carefully and report any weaknesses, along with corrective action plans to eliminate the weaknesses. When you report weaknesses identified by an OIG or GAO auditor, and correction of the weakness is being tracked in the Management Audit Tracking System (MATS), please note this. Internal Control Coordinators may have tc work closely with Audit Follow-up Coordinators to determine this information. HIGH-RISK AREAS FOR OMB'S GOVERNMENT-WIDE LIST: Identify and describe existing and new "high-risk areas" for OMB's high-risk list Give detailed information about these areas and the resources needed to address the high risk in Attachment C. We recognize that high risk areas may overlap with material weaknesses. High risk areas are broad issues of concern. They may 14 ------- be made up of discrete material weaknesses. For example, a high-risk area entitled "procurement" might consist of several discrete material weaknesses. If you believe that a high-risk area exists in the Agency but must be addressed by another office, you should notify the appropriate office in a separate memorandum, with a copy to the Resource Management Division. Work with the other office to raise and investigate the issue, so that the office can determine whether to report it in its FMFIA report. MATERIAL WEAKNESSES: Identify and briefly describe existing and newly reported "material weaknesses" in your FMFIA report. Give detailed information about these weaknesses, and the resources needed to cure them, in Attachment D. The OMB guidance in Appendix D offers criteria for materiality. Use these criteria to help determine which weaknesses are "material," that is, significant enough to report to the President and Congress. The September 12, 1991 meeting of the Senior Council on Management Controls (SCMC) will include briefings from EPA's Inspector General and GAO representatives on potential material weaknesses. The Resource Management Division will apprise you and your Internal Control Coordinator (ICC) of the results of this meeting. If you believe that a material weakness exists in the Agency but must be addressed by another office, you should notify the appropriate office in a separate memorandum, with a copy to the Resource Management Division. Work with the other office to raise and investigate the issue, so that the office can determine whether to report it in its FMFIA report. Attachments There are six standard "Attachments" to each FMFIA report. They are described on the pages which follow. 15 ------- 16 ------- STANDARD ATTACHMENTS FOR EACH FMFIA REPORT A, Statistical Summary of Performance B. Review Process C. Progress Report on High Risk Areas D. Material Weaknesses / Corrective Actions E. Agency-Level Weaknesses / Corrective Actions F. Quality Control Evaluation Report Guidance for completing the Attachments to the Memorandum is presented on the following pages. Blank forms for the Attachments are in the Appendix to this Guidance package. 17 ------- 18 ------- ATTACHMENT A STATISTICAL SUMMARY OF PERFORMANCE OVERALL COMPLIANCE: Overall, do your management control systems comply with the objectives of FMFIA (to reasonably assure that they protect Government assets from waste, fraud, and mismanagement)? Yes ,; year achieved No NUMBER OF MATERIAL WEAKNESSES: In year indicated, number reported for the first time. Prior Years: 1989 Report: 1990 Report: 1991 Report: TOTAL: X X X X XX For that year, number that have been corrected. X X X X XX For that year, number still pending. X X X X XX State the total number of material weaknesses corrected in 1991 PENDING MATERIAL WEAKNESSES: Category Number Program Management: —Program Execution X —Systems Development & Implementation X —Asset Disposition X —Environmental Impact X —Safety/Health-Related X —Other *( Specify) X -i Functional Management: —Procurement X —Grant Management X —Personnel & Organizational Management X —ADP Security X 19 ------- —Payment Systems & Cash Management —Loan Management & Debt Collection —Property & Inventory Management —Other (Specify). TOTAL X X X X XX 20 ------- ATTACHMENT B REVIEW PROCESS FMFIA .directs Federal agencies not only to establish management controls and report on their effectiveness, but to evaluate them regularly to ensure continued effectiveness. This attachment should describe your Office's FMFIA review process in the following format. Please use additional pages if necessary. DESCRIPTION OF OFFICE AND STRUCTURE OF REVIEW PROCESS: [This section should describe your office's segmentation structure. (Segmentation is the process in which we break the Agency into "assessable units." Each assessable unit must establish, evaluate, and report on its controls.) The Agency's policy is to segment by division because EPA divisional activities tend to have common characteristics. If your office complies with this policy, simply state this. If not, discuss your segmentation structure and explain why it is more appropriate for your office. If you determine that your segmentation structure is no longer appropriate for your office, discuss how and why you plan to re-segment it in 1992. Next, you should describe your office's procedure for determining what activities within your assessable units require testing of controls, how often you test controls, and what types of reviews are performed. EPA's 1990 Management Control Plan (MCP) guidance and your 1991 MCP have information to help you distinguish between types of reviews.] . V 1991 STATISTICAL DATA FOR REVIEW PROCESS: [To complete this section, you should use two other FMFIA documents your office prepared previously: your 1991 Management Control Plan (MCP) and your vulnerability assessments (high/medium/low ranges with numeric scores). Note that each Internal Control Review (ICR) or Alternative Internal Control Review (AICR) conducted must meet three specific criteria: 1. A written report must be on file outlining the review methodology used, the reviewer(s), and any findings and recommendations. 2. The review must have tested the controls described in the office's event cycle documentation. 21 ------- 3. The findings and recommendations indicate which control techniques must be updated in the documentation. OIG and GAO audits are considered either ICRs or AlCRs and may be counted below. However, the review criteria still apply. Weaknesses and corrective actions resulting from ICRs and AlCRs should be reported in Attachments D or E.] o Number of assessable units? • . o Number of vulnerability assessments? [A vulnerability assessment should have been completed for each assessable unit in 1989. Therefore, include all vulnerability assessments conducted in 1989, as well as any conducted in 1990 and 1991 for new assessable units.] Planned . Conducted . o Number of 1991 Internal Control Reviews? Planned . Conducted . o Number of 1991 Alternative Internal Control Reviews? Planned . Conducted . o Percentage of assessable units reviewed in 1991 . COMMENTS ON DISCREPANCY BETWEEN REVIEWS PLANNED VERSUS CONDUCTED: [This section should explain discrepancies in the numbers reported above in 1991 STATISTICAL DATA FOR REVIEW PROCESS (planned versus conducted). Also, if the numbers reported in the section above are not consistent with the number of reviews reported in your Management Control Plan, provide an overall explanation for those inconsistencies here as well.] DESCRIPTION OF THE OFFICE SYSTEM FOR TRACKING REVIEWS. WEAKNESSES. AND CORRECTIVE ACTIONS: [In this section, explain how your office uses management control "tools" to schedule and perform reviews and correct weaknesses in controls. Such tools include the MCP, the Corrective Action Tracking System (CATS), and tracking mechanisms specific to your office, such as the Administrator's tracking system for Superfund which has corrective action information far more detailed than CATS.] 22 ------- DESCRIPTION OF THE OFFICE'S PROCESS FOR VALIDATING CORRECTIVE ACTIONS: [Describe your overall process for ensuring that corrective actions are effective in eliminating weaknesses. In subsequent attachments, you should describe specific validation actions for particular weaknesses.] : DESCRIPTION OF THE OFFICE'S TRAINING IN MANAGEMENT CONTROLS: [In this section, describe your Office's training on management controls. Include specific information on: o Training available to and taken by program managers; o Anticipated changes to your training program in FY 1992.] 23 ------- ATTACHMENT C PROGRESS REPORT ON HIGH RISK AREAS The following report format should be used by offices having a high-risk area, j or reporting one for the first time. A high-risk area is a broad issue or activity whose controls may need < improvement. It is usually an area requiring continual monitoring and close i oversight. It may be made up of discrete weaknesses which clearly must be j corrected, or it may simply be an area which is weak overall. j The relationship between high-risk areas and material weaknesses varies. Some high-risk areas are broadly defined and have not been identified as : material weaknesses. Other high-risk areas have a direct relationship to one or more material weaknesses. For example, EPA's high-risk area entitled "enforcement" was comprised of three distinct material weaknesses. ! o High-risk areas broadly defined with no material weaknesses should be . reported in this Attachment (C). o Discrete material weaknesses should be reported in Attachment D. o For high-risk areas comprised of one or more specific material weaknesses, a crosswalk between Attachment C and Attachment D is acceptable. The name of the high risk area(s) and material weakness(es) should be noted in this attachment, but the detailed information about the weakness(es) should be included in Attachment D. NEW REQUIREMENT FOR THE 1991 FMFIA REPORT OMB has requested information on resource estimates for dealing with high risk areas. Therefore, please identify the FTE and associated resources for FY 1992 and FY 1993. PRINCIPAL STAFF CONTACT Name: Title: Agency/Office: Telephone Number: FTS 24 ------- HIGH RISK AREA: Describe the problem/weakness. If the area is already on OMB's high-risk list, use that description. If a new high risk area is reported, prior consultation with the Resource Management Division's Management Controls Branch (MCB) is advised. Call Peter B. Nobert, Chief, MCB, on FTS 260-4160. o Appropriation. o Year Identified. o How identified: [OIG/GAO audit, ICR or AICR, Management Assistance Review, A-130 Security Review, newspaper report, etc.] o . Targeted Correction Date in Last Year's Report. o Current Target Date. o Reason for Change in Date(s). STRATEGY: Briefly describe how your Office is correcting the problem/weakness. CRITICAL MILESTONES COMPLETION DATE- , ^ORIGINAL CURRENT ,,~'"~ PLAN PLAN ACTUAL CRITICAL MILESTONES. DATES AND RESOURCE REQUIREMENTS A; B. C. D. Completed Actions/Events: high risk report to OMB. Describe actions taken since the mid-year Planned Actions/Events (FY 1992): Identify critical milestones and dates for the next 12 months. If it is necessary to revise the original planned date, explain above the reason for the change, and identify actions to minimize slippage in the Assessment of Progress section of the report. Planned Actions/Events (FY 1993 and bevond): Identify critical longer-term milestones and dates through achievement of final corrective action. The milestones listed here should be consistent with the Management Integrity section of the Agency's 1993 budget submission to OMB. Resource Requirements: In the following table, please show the resources needed to address the high risk area. Please identify the appropriation for which the resources are needed. The resource information listed here should 25 ------- be drawn from the Management Integrity section of the Agency budget submission. FY 1992 President's Budget FY 1993 OMB Submission Additional Request . Need Appropriation S&E ($000) AC&C SF R&D TOTAL S&E FTE SF FTE TOTAL FTE Budget Implications: In addition to the resources listed above, you may want to provide a narrative description of the budgetary impact. RESULTS INDICATORS: Describe key results indicators. Results indicators are quantitative and/or qualitative measures to determine whether offices' actions have corrected the weakness or deficiency. For example, improved response times to requests for data and information and increased collections or decreased debt are results indicators. Project milestones are usually process-oriented. Their accomplishment does not, therefore, necessarily ensure that the intended result has been achieved. ASSESSMENT OF PROGRESS: progress. Highlight both significant achievements and 26 ------- ATTACHMENT P MATERIAL WEAKNESSES / CORRECTIVE ACTIONS Material weaknesses are those which are significant enough to be reported by the Administrator to the President and Congress. The OMB guidance, Appendix D, offers criteria to help you determine materiality. This attachment should consist of three parts: o A summary/table of uncorrected material weaknesses. o A description of each uncorrected material weakness in internal controls. o A description of each material weakness corrected in 1991. NEW REQUIREMENT FOR THE 1991 FMFIA REPORT To ensure that the Agency plans for resources to fix material weaknesses, please identify the FTE and associated resources for FY 1992 and FY 1993. PART ONE: SUMMARY/TABLE. Provide a summary of all uncorrected material weaknesses listed in part two (please provide a page number for easy reference.) The summary should list the titles in priority order and provide information on the correction schedule. The following format should be used: Title First Reported YEAR 1990 FMFIA Report Target for Correction Current Target for Correction PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES. Describe each uncorrected material weakness - in order of priority -- and provide a complete action plan to correct the weakness. Changes in previous corrective action schedules should be explained. Although you may cease reporting the material weakness when the corrective actions eliminate the materiality of the problem, you must continue to track the weakness, as Agency-level, until the problem is completely eliminated. 27 ------- ATTACHMENT D MATERIAL WEAKNESSES / CORRECTIVE ACTIONS Material weaknesses are those which are significant enough to be reported by the Administrator to the President and Congress. The OMB guidance, Appendix D, offers criteria to help you determine materiality. This attachment should consist of three parts: o A summary/table of uncorrected material weaknesses. o A description of each uncorrected material weakness in internal controls. o A description of each material weakness corrected in 1991. NEW REQUIREMENT FOR THE 1991 FMRA REPORT To ensure that the Agency plans for resources to fix material weaknesses, please identify the FTE and associated resources for FY 1992 and FY 1993. PART ONE: SUMMARY/TABLE. Provide a summary of all uncorrected material weaknesses. The summary should list the titles in priority order and provide information on the correction schedule. The following format should be used: YEAR Title First 1990 FMFIA Current Reported Report Target Target for for Correction Correction PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES. Describe each uncorrected material weakness - in order of priority -- and provide a complete action plan to correct the weakness. Changes in previous corrective action schedules should be explained. Although you may cease reporting the material weakness when the corrective actions eliminate the materiality of the problem, you must continue to track the weakness, as Agency-level, until the problem is completely eliminated. 27 ------- The following format must be followed for each uncorrected material weakness. All data elements are required. CATS Tracking Number: If this is a new weakness, leave this blank. Resource Management Division will assign the number. Title of Material Weakness: Description of Material Weakness and Its Impact on Agency Operations: Functional Category in Statistical Summary: From the following functions of management, list any areas where there are uncorrected weaknesses. -Procurement -Grant Management -Personnel & Organizational Management -ADP Security -Payment Systems & Cash Management -Loan Management & Debt Collection -Property & Inventory Management -Other (Specify) Appropriation/Program Element: Administrative Activity/Program Activity: Year Identified: Source of Discovery: Indicate how the material weakness was initially discovered (e.g., OIG audit or investigation; management review or evaluation.) Reference specific source document by title and report number or subject matter and date. When you report weaknesses identified by an OIG or GAO auditor, please note this. Internal Control Coordinators may have to work closely with Audit Follow-up Coordinators to determine this information. Original Target Correction Date: Targeted Correction Date in Last Year's Report: Current Target Date: Reason for Change.in Datefs): Critical Milestones in Corrective Action: Provide a complete action plan to correct/improve the material weakness in the format presented below. 28 ------- A. B. C. a Completed Actions/Events: Briefly describe actions taken since the last report to OMB, Planned Actions/Events (FY 1992): the next 12 months. Identify critical milestones and dates for Planned. Actions/Events (FY 1993 and beyond): Identify critical longer-term milestones and dates through achievement of final corrective action. Resource Requirements: In the following table, please show the resources needed to cure the material weakness. Please identify the appropriation for which the resources are needed. The resource information listed here should be drawn from the Management Integrity section of the Agency budget submission. Appropriation S&E ($000) AC&C SF R&D TOTAL S&E FTE SF FTE TOTAL FTE FY 1992 President' s Budget FY 1993 OMB Submission Additional Request Need Budget Implications: In addition to the resources listed above, you may want to provide a narrative description of the budgetary impact. Validation Process to be Used: Explain the validation process management will use to verify completion and effectiveness of the corrective actions. Describe the inspector General's role in validating corrective actions and identify other independent validation processes to be used. Corrective Action Plan Status Updates: o September 30. 1991. Status Update: [This block serves as the Fourth Quarter 1991 CATS Update. Address the progress being made on each milestone listed above.] s o December 31. 1991. Status Update: 29 ------- [Leave blank. This information will be requested as the 1992 First Quarter CATS Update.] o March 31. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Second Quarter CATS Update.] o June 30. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Third Quarter CATS Update.] o September 30. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Fourth Quarter CATS Update.j PART THREE: DESCRIPTION OF CORRECTED MATERIAL WEAKNESSES. For each material weakness corrected this year, please provide the following information. All data elements are required. CATS Tracking Number: Title of Material Weakness: Description of Material Weakness and Its Impact on Agency Operations: Functional Category in Statistical Summary: From the following functions, of management, list any areas where there are unconnected weaknesses. --Procurement -Grant Management -Personnel & Organizational Management -ADP Security -Payment Systems & Cash Management -Loan Management & Debt Collection -Property & Inventory Management -Other (Specify) Appropriation/Program Element: Administrative Activity/Program Activity: Year Identified: 30 ------- Source of Discovery: Indicate how the material weakness was initially discovered (e.g., OIG audit or investigation; management review or evaluation.) Reference specific source document by title and report number or subject matter and date. When the weakness was identified by. an OIG or GAO auditor, please note this. Internal Control Coordinators may have to work closely with Audit Follow-up Coordinators to determine this information. Original Target Correction Date: Targeted Correction Date in Last Year's Report: Actual Completion Date: Reason for Change in Datefs): Corrective Actions Taken: material weakness. Provide a complete list of actions which corrected the Results of Validation Actions: Explain the validation process management used to verify completion and effectiveness of the corrective actions. Describe the role the Inspector General performed, in validating corrective action and identify other independent validation processes used. 31 ------- ATTACHMENT E AGENCY-LEVEL WEAKNESSES/CORRECTIVE ACTIONS In this section, report new and previously reported weaknesses which do not require reporting to the President and Congress but which the office still must address. Include weaknesses identified in ICRs or AlCRs. Use the following format for each weakness. This format will serve as the 1992 Corrective Action Tracking System (CATS) format, and eliminate duplicative entry of data. It is not necessary to identify resource requirements for curing Agency-level weaknesses. CATS Tracking Number: Leave this blank for weaknesses being reported for the first time. The Resource Management Division will assign this tracking number. Otherwise, include the number assigned previously to the weakness. Assessable Unit Number: Title of Agency-level Weakness and Description: Year Identified and Source of Discovery: Indicate briefly how the weakness was initially discovered (e.g., AICR such as an OIG audit). Reference a specific source document by report number or subject matter and date. If you report weaknesses identified by an OIG or GAO auditor, and correction of the weakness is being tracked in MATS, please note this so it will not be tracked in CATS. Internal Control Coordinators may have to work closely with Audit Follow-up Coordinators to determine this information. Critical Milestones in Corrective Action: Provide the action plan to correct the weakness. Number each milestone in the plan and give dates for each milestone. Explain any changes in milestone dates reported in previous years. Validation Milestone: The final milestone should be a step to verify completion and effectiveness of the corrective actions. If this was not included in previously reported action plans, please include it now. Validation actions can include actions managers themselves take, actions others - such as auditors - take, and other independent processes. Budget Implications: If the corrective actions will impact your budget, please provide a narrative description here. 32 ------- Corrective Action Plan Status Updates: o September 30. 1991. Status Update: [this block serves as the Fourth Quarter 1991 CATS Update. Address the progress being made on each milestone listed above.] o December 31. 1991. Status Update: [Leave blank. This information will be requested as the 1992 First Quarter CATS Update.] o March 31. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Second Quarter CATS Update.] o June 30. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Third Quarter CATS Update.] o September 30. 1992. Status Update: [Leave blank. This information will be requested as the 1992 Fourth Quarter CATS Update.] 33 ------- ATTACHMENT F QUALITY CONTROL EVALUATION REPORT (Internal Control Coordinator and Assistant or Regional Administrator) . . The Assistant Administrator for Administration and Resources Management, as the Agency's Senior Internal Control Official, must report to the Administrator each year on whether the Agency's internal control process was performed in compliance with OMB Circular A-123 and the Federal Managers' Financial Integrity Act (FMFIA). The steps of the process were: 1. Organizing the process - Annual Work Plan; 2. Updating CATS Reports; 3. Training personnel; 4. Updating EPA's Segmentation; 5. Reviewing and revising Event Cycle Documentation; 6. Conducting Vulnerability/Risk Assessments; 7. Evaluating "highly vulnerable" assessable units; 8. Updating Management Control Plans; 9. Performing.Internal Control Evaluations (ICRs and AiCRs); 10. Resolving weaknesses and improving controls; 11. Reporting on the process and developing assurance letters; 12. Ensuring Quality Assurance This Quality Control Evaluation Report and your assurance letter helps you, the Resource Management Division, and the Office of Inspector General evaluate your organization's implementation of this process. The basic purpose for this form is to provide a quality control mechanism for your 1991 internal control program, ft is a quick reference form for seeing what parts of your internal control program need improvement. Any statement answered with a "NO" or "NOT SURE" must be accompanied by a narrative explanation and should be addressed in your 1992 FMFIA program. Please ensure that all statements are answered and this questionnaire accompanies your assurance letter, due October 31, 1991. 34 ------- FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT QUALITY CONTROL EVALUATION REPORT AA or Regional Office Primary Organization Head . Internal Control Coordinator Any statement answered with "NO" or "NOT SURE" requires a narrative statement describing the reasons for your response. I YES|NO|NOT | i_ I i SURE i ; ORGANIZATION/ORISNTATION/AWARENESS ] 1. All SES, GM supervisors, and others with j significant FMFIA responsibility have been trained or briefed on FMFIA and/or internal ' I| | | controls. 2. Copies of the FMFIA, the GAO Standards, OMB guidelines, and pertinent Agency internal control I I j I guidance are on file and accessible for review. 3. Managers in,your organization know where to find the copies of FMFIA, the GAO Standards, OMB guidelines, and perjtinent Agency internal control I I | I guidance. 4. FMFIA responsibilities have been included in the Performance Standards of all appropriate I managers/supervisors as defined in 1. above. SEGMENTATION 5. This organization is segmented into Assessable I | | Units (AUs) as required by Agency guidance. 6. All functions, operations, and organizations I | | are fully covered in the FMFIA process. 35 ------- I I 7. The AU managers in the organization have been informed of, or are fully aware of, their responsibilities, in internal control. EVENT CYCLE DOCUMENTATION 8. Event cycle documentation is on file and is complete, up-to-date, and accurate. 9; Event cycle documentation has all elements required by Agency guidance. Event cycles, control objectives, and control techniques are clearly identified. 10. Event cycle documentation has been certified by the organization's managers for accuracy, completeness, and current activities. .I_J I VULNERABILITY (RISK) ASSESSMENTS (VAs) 11. A VA was performed for all assessable units in 1990, or 1991 for new assessable units. 12. Offices rated "highly" vulnerable have com- pleted or planned a review to address their vul- nerability and determine if weaknesses in controls exist or if existing controls are adequate. I I .1 I 13. MANAGEMENT CONTROL PLANS (MCPs) This organization updated its 1991 MCP. 14. The MCP includes "1991 completed reviews" and ."1992 - 1996 planned reviews" based on VA ratings, priority arid resources. INTERNAL CONTROL EVALUATIONS (ICRs and AICRs) 15. Internal control reviews and/or alternative internal control reviews (ICRs/AICRs) have been conducted so that the organization's managers are aware of improvements needed in their controls. 36 ------- 16. Written reports for ICRs/AICRs are on file and are used to make necessary.improvements. 17. Supporting documentation for the ICRs/AICRs is on file verifying that weaknesses identified or recommendations made in these written reports have been corrected or implemented. 18. ICR/AICR-recommended corrective actions were evaluated to determine their effectiveness in eliminating the weakness. Supporting documentation I I | | is on file to substantiate this. 19. ICR/AICR's conducted tested controls. Those I | J | controls are listed in event cycle documentation. CORRECTIVE ACTION TRACKING SYSTEM (CATS) 20.. Corrective Action Plans, containing milestones and completion dates were developed for each weakness. Actions taken to correct the weaknesses I I I I are monitored routinely for quarterly CATS updates. 21. Every IG and GAO report was reviewed for internal control weaknesses. This effort has been . coordinated with the office's Audit Follow-Up I I I | Coordinator. 22. The managers have performed follow-up action to ensure that the corrective actions reported as "complete" in CATS have, indeed, corrected the weakness. Supporting documentation is on file to I I | | substantiate this. . SUMMARY EVALUATION STATEMENT Based on the manager's Quality Control Evaluation .Reports and the personal involvement of the key personnel in this organization, we have implemented the Internal Control process in a I I I | thorough and conscientious manner. 37 ------- REMARKS; ICC's Signature Date AA's or RA's Signature Date 38 ------- ------- APPENDIX TO THE GUIDANCE PACKAGE Optional Sub-Assurance Memoranda Quality Control Evaluation Report by the Assessable Unit Manager Blank Forms for the Attachments Copy of OMB's 1991 Instructions for the FMFIA Report A B C D ------- ------- ------- APPENDIX A THE BODY OF THE SUB-ASSURANCE MEMORANDUM We are providing a simplified, optional approach for sub-assurance memoranda. This means that while the AA and RA memoranda must be based on j the full guidance, subordinate managers have two options for preparing sub- { assurance memoranda: the same format as AAs and RAs, or the abbreviated one. To simplify the preparation of 1991 sub-assurance letters within offices, managers may want to use this optional checklist format and transmittal memo. With this approach, the transmittal memo contains the manager's assurance that a j system of management controls is in place and working, and describes the actions the manager has taken, or plans to take, to improve management controls. The Office of Water has used this streamlined approach and found that it lessens the paperwork burden of assurance letter reporting, saves time, and still . complies with the requirements of the Federal Managers' Financial Integrity Act. If your managers have any questions about using this streamlined approach, please have your ICC call the Resource Management Division's Management Controls Branch. An outline of a model sub-assurance FMFIA report memorandum is presented below. MEMORANDUM SUBJECT: Annual Report on Management Controls FROM: (Division) TO: Assistant Administrator or Regional Administrator I am submitting this annual report as required by Resource Management Directive 2560 - "Internal Controls", to help you comply with OMB Circulars A-123 • "Internal Controls" and A-130 - "Management of Federal Information Resources". ------- ASSURANCE STA TEMENT I have taken the necessary measures to assure that we have evaluated our management controls in accordance with guidance provided by the Office of Administration and Resources Management and OMB. Based on our evaluation process and the following information, it is our opinion that the system of management controls in effect in this office during the fiscal year ending September 30, 1991. provide reasonable assurance of compliance with the objectives of management control. ACTIONS TAKEN OR PLANNED TO IMPROVE MANAGEMENT CONTROLS I have implemented the following steps to improve management controls in my office: 1. 2. 3. and so on... DETAILED INFORMATION ON MANAGEMENT CONTROLS The attached forms provide detailed information on management control training, vulnerability assessments, management control evaluation(s), implementing corrective action(s), and plans for review(s) in the upcoming fiscal year. Attachment ------- Attachment FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT ANNUAL REPORT i OFFICE: (AA OFFICE or REGION) . ' • i ASSESSABLE UNIT: (DIVISION) j ASSESSABLE UNIT NUMBER: The attached forms support the actions taken to strengthen our management , controls. ! FORM TITLE APPLICABLE N/A | ' i i A Statistical Summary of Performance ; | B Review Process C Progress Report on High Risk Areas D Material Weaknesses/Corrective Actions E Agency-Level Weaknesses/ Corrective Actions Quality Control Evaluation Report ------- ------- APPENDIX B QUALITY CONTROL EVALUATION REPORT (Assessable Unit Manager) The Assistant Administrator for Administration and Resources Management, as the Agency's Senior Internal Control Official, must report to the Administrator each year on whether the Agency's internal control process was performed in compliance with OMB Circular A-123 and the Federal Managers' Financial Integrity Act (FMFIA). The steps of the process were: 1. Organizing the process - Annual Work Plan; 2. Updating CATS Reports; 3. Training personnel; 4. Updating EPA's Segmentation; 5. Reviewing and revising Event Cycle Documentation; 6. Conducting Vulnerability/Risk Assessments; 7. Evaluating "highly vulnerable" assessable units; 8. Updating Management Control Plans; 9. Performing Internal Control Evaluations (ICRs and AlCRs); 10. Resolving weaknesses and improving controls; 11. Reporting on the process and developing assurance fetters; 12. Ensuring Quality Assurance This Quality Control Evaluation Report and your assurance letter helps you, your Internal Control Coordinator, the Resource Management Division, and the Office of the Inspector General evaluate your organization's implementation of this process. The basic purpose for this form is to provide a quality control mechanism for your 1991 internal control program. It is a quick reference form for seeing what parts of your internal control program need improvement. Any statement answered with a "NO" or "NOT SURE" must be accompanied by a narrative explanation and should be addressed in your 1992 FMFIA program. Please ensure that all statements are answered and any other requested information is provided to your primary organization's Internal Control Coordinator. You will notice that statement number 2 has been marked "not applicable". Your organization's Internal Control Coordinator is responsible for responding to this one. ------- FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT QUALITY CONTROL EVALUATION REPORT AA or Regional Office Assessable Unit Assessable Unit Manager Any statement answered with "NO" or "NOT SURE" requires a narrative statement describing the reasons for your response. |YES|NO|NOT | I I | SURE| ORGANIZATION/ORIENTATION/AWARENESS 1. All SES, GM supervisors, and others with significant FMFIA responsibility have been trained or briefed on FMFIA and/or internal I I I I controls. 2. Copies of FMFIA, the GAO Standards, OMB guide lines, and pertinent EPA internal control guidance Not Applicable are on file and accessible .for review. 3. Managers in your organization know where to find the copies of FMFIA, the GAO Standards, OMB guidelines, and pertinent Agency internal control I | | | guidance. 4. FMFIA responsibilities have been included in the Performance Standards of all appropriate managers/supervisors as defined in 1. above. SEGMENTATION 5. My office is a segmented Assessable Unit in I | I I accordance with Agency FMFIA guidance. 6. All functions, operations, programs, and activities are fully covered in the FMFIA I | | | process. 7. I, as the manager of this designated Assessable Unit, have been informed of my responsibilities for internal control as outlined in FMFIA. 8 ------- : EVENT CYCLE DOCUMENTATION 8. Event cycle documentation is on file and I I I is complete, up-to-date, and accurate. 9. Event cycle documentation has all elements required by Agency guidance. Event cycles, ' control objectives and control techniques are _| | clearly defined techniques. 10. I have certified the event cycle documentation for accuracy, completeness, and current activities. I I My ICC has the certification. VULNERABILITY (RISK) ASSESSMENTS (VAs) I I I I 11. I completed a VA for my assessable unit in 1989, 1990, or 1991 if it is new. 12. If my organization is rated "highly" vulnerable I have completed or planned a review to determine if weaknesses in controls exist or existing controls I I I I are adequate. (Put N/A if rated "medium" or "low") . MANAGEMENT CONTROL PLANS (MCPs) I | | 13. I updated my assessable unit's 1991 MCP. 14. I included "1991 completed reviews" and __ "1992 - 1996 planned reviews" on my organization's '| I I 1991 MCP. INTERNAL CONTROL EVALUATIONS (ICRs and AICRs) 15. Internal control reviews and/or alternative internal control reviews (ICRs/AICRs) have been conducted so that I, as the AU Manager, am aware I | of improvements needed in my controls. 16. Written reports for ICRs/AICRs are on file and I | are used to make necessary improvements. ------- 17. Supporting documentation for the ICRs/AICRs is on file verifying that weaknesses identified or • recommendations made in these written reports have I I I I been corrected or implemented. 18. ICR/AICR-recommended corrective actions were evaluated to determine their effectiveness in • ' eliminating the weakness. Supporting documentation I I I I is on file to substantiate this. 19. ICRs/AICRs conducted tested controls, and those I I I I controls are listed in event cycle documentation. CORRECTIVE ACTION TRACKING SYSTEM (CATS) 20. Corrective Action Plans, containing milestones and completion dates were developed for each weakness. Actions taken to correct the weaknesses I I are monitored routinely for quarterly CATS updates. 21. Every IG and GAO report was reviewed for internal control weaknesses. I have coordinated this effort with the office's Audit Follow-Up I I Coordinator. 22. I have taken follow-up action to ensure that the corrective action reported as "complete" in CATS have, indeed, corrected the weakness. Supporting documentation is on file to .substantiate I I this. SUMMARY EVALUATION STATEMENT I am confident that my organization has implemented the Internal Control process in a thorough and conscientious manner. 10 \ ------- REMARKS: AU Manager's Signature Date 11 ------- 12 ------- APPENDIX C BLANK FORMS FOR THE AA AND RA REPORT AND SUB-ASSURANCE REPORT ATTACHMENTS A. Statistical Summary of Performance B. Review Process C. Progress Report on High Risk Areas D. Material Weaknesses / Corrective Actions E. Agency-Level Weaknesses / Corrective Actions F. Optional Sub-Assurance Memorandum 13 ------- 14 ------- . ATTACHMENT A . STATISTICAL SUMMARY OF PERFORMANCE OVERALL COMPLIANCE; Overall, do your management control systems comply with the objectives of FMFIA (to reasonably assure that they protect Government assets from waste, fraud, and mismanagement)? Yes ; year achieved . No . NUMBER OF MATERIAL WEAKNESSES: In year indicated, For that year, For that year, number reported number that have number still for the first time, been corrected. pending. Prior Years: 1989 Report: 1990 Report: 1991 Report: TOTAL: PENDING MATERIAL WEAKNESSES: Category Number Program Management: —Program Execution —Systems Development & Implementation —Asset Disposition —Environmental Impact —Safety/Health-Related —Other (Specify) Functional Management: —Procurement —Grant Management —Personnel & Organizational Management —ADP Security —Payment Systems & Cash Management —Loan Management & Debt Collection —Property & Inventory Management —Other (Specify) TOTAL ------- ATTACHMENT B REVIEW PROCESS DESCRIPTION OF OFFICE AND STRUCTURE OF REVIEW PROCESS: 1991 STATISTICAL DATA FOR REVIEW PROCESS; o Number of assessable units? . o Number of vulnerability assessments? Planned . Conducted . o Number of 1991 Internal Control Reviews? Planned . Conducted . o Number of 1991 Alternative Internal Control Reviews? Planned . Conducted . o Percentage of assessable units reviewed in 1991 COMMENTS ON DISCREPANCY BETWEEN REVIEWS PLANNED VERSUS CONDUCTED: DESCRIPTION OF THE OFFICE SYSTEM FOR TRACKING REVIEWS, WEAKNESSES, AND CORRECTIVE ACTIONS; DESCRIPTION OF THE OFFICE'S PROCESS FOR VALIDATING CORRECTIVE ACTIONS: DESCRIPTION OF THE OFFICE'S TRAINING IN MANAGEMENT CONTROLS: ------- ATTACHMENT C PROGRESS REPORT ON HIGH RISK AREAS PRINCIPAL STAFF CONTACT Name: Title: Agency/Office: Telephone Number: FTS HIGH RISK AREA: o Appropriation. o Year Identified. o How Identified. o Targeted Correction Date in Last Year's Report, o Current Target Date. o Reason for Change in Date(s). STRATEGY: CRITICAL MILESTONES COMPLETION DATE ORIGINAL CURRENT ACTUAL PLAN PLAN CRITICAL MILESTONES, DATES AND RESOURCE REQUIREMENTS A. Completed Actions/Events; B. Planned Actions/Events (FY 1992); C. Planned Actions/Events (FY 1993 and beyond): ------- D. Resource Requirements: FY 1992 FY 1993 OMB Submission President's Additional Appropria t ion Budget , Request Need S&E ($000) AC&C SF R&D ' TOTAL S&E FTE SF FTE TOTAL FTE Budget Implications; RESULTS INDICATORS: ASSESSMENT OF PROGRESS: ------- . . ATTACHMENT D MATERIAL WEAKNESSES/CORRECTIVE ACTIONS PART ONE; SUMMARY/TABLE. _ YEAR Title First 1990 FMFIA Current Reported Report Target Target for for Correction Correction PART TWO: DESCRIPTION OF UNCORRECTED MATERIAL WEAKNESSES. CATS Tracking Number; Title of Material Weakness: Description of Material Weakness and Its Impact on Agency Operations: Functional Category in Statistical Summary; Appropriation/Program Element; Administrative Activity/Program Activity: Year Identified; Source of Discovery; Original Target Correction Date; Targeted Correction Date in Last Year's Report: Current Target Date: Reason for Change in Date(s); ------- Critical Milestones in Corrective Action; A. Completed Actions/Events; B. Planned Actions/Events (FY 1992): c-. Planned Actions/Events (FY 1993 and beyond); D. Resource Requirements; FY 1992 FY 1993 OMB Submission President's Additional Appropriation Budget Request Need S&E ($000) AC&C SF R&D TOTAL S&E FTE SF FTE ' TOTAL FTE Budget Implications; Validation Process to be Used; Corrective Action Plan Status Updates; o September 30, 1991, Status Update; o December 31, 1991, Status Update; o March 31, 1992, Status Update; o June 30, 1992, Status Update: o September 30, 1992, Status Update; PART THREE; DESCRIPTION OF CORRECTED MATERIAL WEAKNESSES. CATS Tracking Number; ------- Title of Material Weakness: Description of Material Weakness and Its Impact on Agency Operations; • . • Functional Category in Statistical Summary; Appropriation/Program Element: Administrative Activity/Program Activity; Year Identified; Source of Discovery: Original Target Correction Date; Targeted Correction Date in Last Year7s Report; Actual Completion Date; Reason for Change irt Date(s): Corrective Actions Taken; Results of Validation Actions; ------- . •:.••• . ATTACHMENT E AGENCY-LEVEL WEAKNESSES/CORRECTIVE ACTIONS CATS Tracking Number: Assessable Unit/AU #; Title of Agency-level Weakness and Description: Year Identified and Source of Discovery; Critical Milestones in Corrective Action: Validation Milestone: Budget Implications, If Any; Corrective Action Plan Status Updates: o September 30, 1991, Status Update; o December 31, 1991, Status Update: o March 31, 1992, Status Update; '• - o June 30, 1992, Status Update: o September 30, 1992, Status Update; ------- ATTACHMENT F MEMORANDUM SUBJECT: Annual Report on Management Controls FROM: TO: I am submitting this annual report as required by Resource Management Directive 2560 - "Internal Controls", to help you comply with OMB Circulars A-123 - "Internal Controls" and A-130 - "Management of Federal Information Resources". ASSURANCE STATEMENT I have taken the necessary measures to assure that we have evaluated our management controls in accordance with guidance provided by the Office of Administration and Resources Management and OMB. Based on our evaluation process and the following information, it is our opinion that the system of management controls in effect in this office during the fiscal year ending September 30, 1991, provide reasonable assurance of compliance with the objectivesof management control. ACTIONS TAKEN OR PLANNED TO IMPROVE MANAGEMENT CONTROLS I have implemented the following steps to improve management controls in my office: 1. 2. 3. . . DETAILED INFORMATION ON MANAGEMENT CONTROLS The attached forms provide detailed information on management control training, vulnerability assessments, management control evaluation(s), implementing corrective action(s), and plans for review(s) in the upcoming fiscal year. Attachment ------- Attachment FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT ANNUAL REPORT . OFFICE: ASSESSABLE UNIT: ASSESSABLE UNIT NUMBER: The attached forms support the actions taken to strengthen our management controls. FORM TITLE APPLICABLE N/A A Statistical Summary of Performance B Review Process C Progress Report on High Risk Areas Material Weaknesses/Corrective Actions Agency-Level Weaknesses/ Corrective Actions Quality Control Evaluation Report ------- ------- APPENDIX D OMB'S 1991 INSTRUCTIONS FOR THE FMFIA REPORT 15 ------- EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON. D.C. 20503 August 3, 1991 MEMORANDUM FOR THE DEPUTY SECRETARIES OF EXECUTIVE DEPARTMENTS DEPUTY ADMINISTRATOR OF THE ENVIRONMENTAL PROTECTION AGENCY DEPUTY ADMINISTRATOR OF THE NATIONAL AERONAUTICS AND SPACE ADMINISTRATION SELECTED HEADS OF INDEPENDENT AGENCIES / FROM: Frank Hodsoll Executive Associate Director SUBJECT: 1991 Federal Managers' Financial Integrity Act (FMFIA) Reporting Requirements Attached is the guidance to be used in preparing your agency's 1991 FMFIA report to the President and the congress. This guidance should be followed by the agencies listed in Attachment A. Smaller independent agencies will receive modified guidelines. The report is due to the President and the Congress on December 31, 1991. However, agencies are encouraged to submit the report early, so that OMB can use agency FMFIA findings during the budget formulation process. I ask your personal attention in assuring that the 1991 FMFIA report reflects the true state of your agency's management controls. Please ask your staff to direct any questions to your agency's OMB Management Examiner or to the Management Integrity Branch on 395-6911. Attachments ------- . Attachment A The following agencies are subject to the Federal Managers' Financial Integrity Act (FMFIA) and the attached guidance: Department of Agriculture . Department of Commerce Department of Defense Department of Education Department of Energy Department of Health and Human Services Department of Housing and Urban Development Department of the Interior Department of Justice Department of Labor Department of State Department of Transportation Department of the Treasury Department of Veterans Affairs ACTION Agency for International Development Appalachian Regional Commission Arms Control and Disarmament Agency Central Intelligence Agency Commission.on Civil Rights Commodity Futures Trading Commission Consumer Product Safety Commission Equal Employment Opportunity Commission Environmental Protection Agency Executive Office of the President Farm Credit Administration Federal Communications Commission Federal Election Commission Federal Emergency Management Agency Federal Energy Regulatory Commission Federal Labor Relations Authority Federal Maritime Commission Federal Mediation and Conciliation Service Federal Retirement Thrift Investment Board Federal Trade Commission General Services Administration International Trade Commission Interstate Commerce Commission Merit Systems Protection Board National Aeronautics and Space Administration National Archives and.Records Administration National Credit Union Administration National Endowment for the Arts National Endowment for the Humanities National Gallery of Art National Labor Relations Board • National Science Foundation ------- National Transportation Safety Board Nuclear Regulatory Commission Office of Personnel Management . Panama Canal Commission Peace Corps Railroad Retirement Board Resolution Trust Corporation Oversight Board Securities and Exchange Commission Selective Service System Small Business Administration U.S. Information Agency U.S. Soldiers' and Airmen's Home The following agencies are exempt from the provisions of FMFIA but are subject to OMB Circulars No. A-123, Internal Control Systems. and No. A-127, Financial Management Systems, and to the attached guidance: Commodity Credit Corporation Export-Import Bank of the United States Federal Crop Insurance Corporation Federal Housing Finance Board Federal Housing Administration Fund Federal Prison Industries, Inc. Government National Mortgage Association Overseas Private Investment Corporation Pension Benefit Guaranty corporation Rural Telephone Bank Saint Lawrence Seaway Development Corporation Smithsonian Institution ------- • ;-..' Attachment B GUIDANCE FOR PREPARING 1991 INTEGRITY ACT REPORT This guidance should be used in preparing your agency's 1991 report to the President and the Congress under the Federal Managers' Financial Integrity Act (FMFIA). This . guidance applies to the Cabinet departments and major independent agencies, as listed in Attachment A. Separate instructions will be issued for smaller agencies. The report is due to the President and Congress on December 31, 1991. However, agencies are encouraged to submit the report early. This will allow OMB to make maximum use of the report during the budget formulation process. The report should highlight the major management control and financial systems accomplishments and problems of the year ending September 30, 1991, as well as your commitment to future improvements. The report should cover both Section 2, and Section 4 of the FMFIA. Section 2 addresses improving management controls over program and administrative areas — as well as financial activities — to protect against fraud, waste or mismanagement. Section 4 requires that financial management systems comply with standards applicable to Executive Branch agencies. Your submission should include those material weaknesses in management controls, and material non-conformances in financial systems, significant enough to be of interest to the President and the Congress. Special consideration should be given to whether nbncompliance with commonly accepted security practices in a sensitive system constitutes a material weakness. Questions may be directed to your agency's OMB Management Examiner or to OMB's Management Integrity Branch on 395-6911. ------- Overall Requirements The 1991 year-end management integrity report should consist of a single letter from the agency head to the President and the Congress, with five Enclosures: A. Statistical Summary of Performance; B. Summary of Agency's Management Control Review Process; C. Progress Report on High Risk Areas; D. Description of Material Weaknesses and Critical Milestones for Corrective Actions; and E. Description of Material Non-conformances and Critical Milestones for Corrective Actions. Assessing Materiality of Weaknesses - Section 2 Internal Controls For purposes of determining what constitutes a material weakness in internal control systems (Section 2), the criteria set forth in OMB Circular A-123 should be used. The criteria require reporting weaknesses that: o significantly impair the fulfillment of an agency or component's mission; o deprive the public of needed services; o violate statutory or regulatory requirements; o significantly weaken safeguards against waste, loss, unauthorized use or misappropriation of funds, property, or other assets; or o result in a conflict of interest. Since the above factors are judgmental and can be widely interpreted, the following additional factors should be used to determine whether weaknesses are to be reported to the President and the Congress. Each material weakness should meet one or more of the following additional criteria: o merits the attention of the agency head/senior management, the Executive Office of the President, or the relevant Congressional oversight committee; o exists in a major program or activity; o could result in the loss of $10 million or more, or 5 percent or more of the resources of a budget line item; or o its omission from the report could reflect adversely on the management integrity of the agency. Assessing Materiality of Weaknesses - Section 4 Each material non-conformance (Section 4) should meet one or more of the following criteria: o merits the attention of the agency head/senior management, the Executive Office of the President, or the relevant Congressional oversight committee; o prevents the agency primary accounting system from achieving central control over agency financial transactions and ------- resource balances;.. o prevents compliance of the primary accounting system, subsidiary system or program system with OMB Circular A-127 (Financial Management Systems), the Standard General Ledger. and the Core Financial Systems Requirements: or o results in an actual material misstatement (either 5 percent or more of a budget line item or $10 million or more) in reports required by .the OMB, the Treasury Department, or the Congress. Assessing Overall Compliance with Section 4 To report compliance with Section 4, agencies must provide reasonable assurance that the quality of both agency budget and accounting information and agency financial systems meets the requirements described below. Agencies may report overall compliance even with a number of material non-conformances, as long as the non-conformances when considered together are not sufficiently serious to prevent compliance. As a general rule, agencies with systems on the OMB high risk list must report non- compliance, or compliance with specific exceptions. until corrective action is completed. Compliance with information standards requires: (crosswalks o implementation of the Standard General Ledger acceptable); and o accurate, timely, comparable, useful budget and accounting information for the current and past fiscal years. Compliance with systems functional standards requires: o for the agency (bureau level acceptable): a primary financial system featuring general ledger control (including fund control) over agency resources, obligations and spending; single entry of data (or adequate reconciliation) between primary and subsidiary systems; and appropriate accounting capability for cost and for production units. o for individual systems or subsystems: adequate systems documentation and audit trails; and — adequate overall performance of assigned mission. ------- FORMAT FOR THE 1991 FMFIA REPORT Letter From the Agency Head Your letter . to the President substantive. It should: and the Congress should be o state whether there is reasonable assurance that the agency, as a whole, complies with both Sections 2 and 4 of the FMFIA (such assurance may be provided even though limited exceptions are cited); o state high risk areas in priority order; o state critical material weaknesses and non-conformances other than those identified as high risk areas; o describe concisely the impact or potential impact of these problems on agency programs; and o summarize corrective actions being taken or planned to address these problems. Enclosures Detailed requirements for Enclosures A - E follow. Transmission of Report The letter and enclosures, addressed to the following persons, must be signed by the agency head and transmitted to the recipients no later than December 31 (Agencies are encouraged to make early submissions.} : Addressee The President The President of the Senate Speaker of the House of Representatives Address on letter The President The White House Washington, D.C. 20500 Honorable J. Danforth Quayle President of the Senate Washington, D.C. 20510 Honorable Thomas S. Foley Speaker of the House of Representatives Washington, D.C. 20515 Salut Dear Mr. President: Dear Mr. President: Dear Mr. Speaker: In addition, fifteen copies of the report to the President should be sent to: Ms. Susan Gaffney Acting Assistant Director for Financial Management Office of Management and Budget New Executive Office Building, room 10235 Washington, D.C. 20503 ------- ENCLOSURE A — STATISTICAL SUMMARY OF PERFORMANCE Enclosure A to the agency letter should present a statistical summary of the agency's performance under Section 2 (internal controls} and Section 4 (financial systems) using the format on the following pages. . The enclosure should, where necessary, describe changes in the definition of material weakness and non-conformance, and any other action that would affect the statistical summary. STATISTICAL SUMMARY OF PERFORMANCE SECTION 2, INTERNAL CONTROL SYSTEMS Overall compliance Yes No Year achieved Number of Material Weaknesses In year indicated, For that year For that year, number reported number that have number still for the first time been corrected pending Prior years 1989 report 1990 report 1991 report Total : Of the total number corrected, how many were corrected in 1991? Pending Materia1 Weaknesses Category Number Program management: Program execution Systems development and implementation Asset disposition Environmental impact Safety, health-related . • Other (specify) Functional management: Procurement Grant management Personnel and organizational management ADP security Payment systems and cash management Loan management and debt collection Property and inventory management Other (specify) Total ------- SECTION 4. FINANCIAL MANAGEMENT SYSTEMS Compliance assurance Yes Overall compliance with Section 4 o Compliance with financial information standards o Compliance with systems functional standards Number of Material Non-conformances In year indicated, For that year, number reported number that have for first time been corrected Year No Achieved For that . year, number still pending Prior years 1989 report 1990 report 1991 report Total Of the total number corrected, how many were corrected in 1991? Pending Non-conformances Name of System Type of Non-conformance Title of Non-conformance Non-conformance types are as follows: o Financial information standards Compliance with SGL Data quality o Systems functional standards Primary financial system Effective interfaces — Cost accounting Documentation/audit trails — Mission performance ------- ENCLOSURE B — REVIEW PROCESS This enclosure should describe the agency's FMFIA review process. 1. Section 2 o Description of organization and structure of review process: o 1991 statistical data for review process: Number of assessable units . Number of vulnerability assessments , planned . Conducted . Number of .internal control reviews planned . Conducted . Number of alternative reviews planned . Conducted . — Percentage of assessable units reviewed . o Comment on results versus plan: 2. Section 4 o Description of organization and structure of review process: o Provide an inventory of agency's financial management systems, and indicate the total number of systems *: o 1991 statistical data for review process: Number of annual reviews . Number of detailed cyclical reviews . o Comments on results versus plan: 3. Overall o Describe the agency system for tracking reviews, material weaknesses, material non-conformances, and corrective actions; o Describe process for validating corrective actions; o Briefly describe how the agency provides training in management controls; o Describe actions taken or planned to ensure accountability for results in identifying and correcting material weaknesses and non-conformances. * Use agency response to OMB Memorandum 91-05 (April 15, 1991) if available. ------- ENCLOSURE C --- PROGRESS REPORT ON HIGH RISK AREAS This enclosure should be used by agencies that have a high risk area. The relationship between high risk areas and material weaknesses varies. Some high risk areas have a direct relationship to one or more material weaknesses. For example, a high risk area entitled 11 procurement" might be comprised of five discrete material weaknesses. Other high risk areas are broadly defined and have not been identified as material weaknesses. High risk areas in the latter category should be reported in this enclosure. For high risk areas made up of one or more material weaknesses, a crosswalk between this enclosure and Enclosure D or .E is acceptable. The name of the high risk area and material weakness(es) should be noted in this enclosure, but detailed information should be included in Enclosure D or E. High Risk Area; . Describe problem/weakness. If the area is on the OMB high risk list, that description should be used or updated. If a new high risk area is reported here, prior consultation with OMB on the description is advised. Bureau/Appropriation; Pace of Corrective Action Year Identified: Original Targeted Correction Date; Targeted Correction Date in Last Year's Report: Current Target Date; Reason for Change in Datefs): Strategy; Briefly describe how the agency is correcting the problem/weakness. Completion Date Critical Milestones Original Plan Current Plan Actual Provide a complete plan of action for correcting the high risk. A. Completed Actions/Events B. Planned Actions/Events (short term - next 12 months) C. Planned Actions/Events (longer termV Results Indicators Describe key results indicators. Results indicators are quantitative and/or qualitative measures to determine whether agency actions have corrected the weakness or deficiency. Assessment of Progress Highlight both significant achievements and problems. ------- ENCLOSURE D — MATERIAL WEAKNESSES/CORRECTIVE ACTIONS This enclosure consists of three parts: (1) a summary/table of contents of material weaknesses; (2) a description of each pending material weakness in internal controls (Section 2); and, (3) a description of each material weakness that was corrected in 1991. The summary/table of contents section includes material on correction targets which is also requested in the description sections. This is done to facilitate analysis of the agency's overall performance on pace of corrective actions. Part 1.. Provide a summary of all pending material weaknesses. The summary should: list the . titles of the weaknesses in priority order; provide information on the correction schedule; and indicate the page number of the more detailed description to follow. The following format should be used: Title Year First Reported Target for Correction in 1990 FMFIA Report Current Target for Correction Page Part 2. Describe each pending material weakness and provide a complete plan of action to correct the weakness. Changes in previous corrective action schedules should be explained. Correction is accomplished when the weakness is no longer material. Material weaknesses may be consolidated, so long as the identity and character of the weaknesses are not lost. The following format shall be followed for each uncorrected weakness. All data elements are required. Title of Material Weakness; Functional Category in Statistical Summary; Sureau/Appropriation/Account Number: Administrative Activity/Program Activity; Pace of Corrective Action Year Identified; Original Targeted Correction Date; Targeted Correction Date in LastYear's Report; CurrentTarget Date: Reason for Change in Datefs); Description of Material Weakness and Its Impact on Agency Operations; ------- Source of Discovery of Material Weakness; Indicate how material weakness was initially discovered, e.g., IG audit or investigation, management review, evaluation. Provide a reference to a specific source document by report number .or subject matter and date. Critical Milestones inCorrective Action; Provide a complete plan of action to correct/improve the material weakness in the format presented below. Critical Milestones Completion Date Original Plan Current Plan Actual A. B. C. Completed actions/events Planned actions/events (short term - next 12 months! Planned actions/events (longer term) Validation Process to be Used; Explain the validation process to be used by management to verify the completion of the corrective action.. Describe the role the Inspector General can perform in validating corrective action and identify any other independent validation processes to be used. Part 3. For each material weakness corrected this year, please provide the following information: Title of Material Weakness: Bureau/Appropriation/Account Number; Year Identified: Corrective Actions Taken; Results of Validation Actions Taken; 10 ------- ENCLOSURE E — MATERIAL NON-CONFORMANCES/CORRECTIVE ACTIONS . This enclosure consists of three .parts: (l) a summary/table of contents of material non-conformances; (2) a description of each pending material non-conformance (Section 4); and (3) a description of each material non-conformance that was corrected in 1991. The summary\table of contents section includes material on correction targets which is also requested in the description, sections. This is done to facilitate analysis of the agency's overall performance on pace of corrective actions. Fart 1. Provide a summary of all pending material non- conformances. The titles of the non-conformances should be listed in priority order. Information on the correction schedule can be broken down either by system or by individual non-conformance. The following format may be used as a model: Year Name of system/ Title(s) of non-conforraance f s) First Reported Target for Correction in 1990 FMFIA Report Current Target for Correction Page Part 2. Describe each pending material non-conformance and provide a plan of action to correct the non-conformance. . Changes in previous corrective action schedules should be explained. Correction is accomplished when the non-conformance is no longer material. Material non-conformances may be grouped (e.g., by system or organizational unit), so long as the identity and character of the deficiencies are not lost. The following format may be used as a model for uncorrected material non-conformances. Under any .circumstances, all data elements are required. Name of System for Organizational Unit, if appropriate); Title of Material Non-conformance: System Type: Core Financial . Subsidiary Functional Category in-Statistical Summary: Bureau/Appropriation/Account Number; Administrative Activity/Program Activity: Program :\ \ \ ------- A Pace of Corrective Action Year Identified; .. ' Original Targeted Correction Date: Targeted Correction Date in Las_t Year's Report: Current Target Date; Reason for Change in Date(si; Description of Material Non-conformance and Its Impact' on Agency Operations: Source of Discovery of Material Non-conformance; Indicate how material non-conformance was initially discovered, -e.g., IG audit or investigation, management review, evaluation. Provide a reference to a specific source document by report number or subject matter and date. Critical Milestones in Corrective Action: Provide a complete plan of action to correct/improve material non-conformance in the format presented below. Completion Date Critical Milestones Original Plan Current Plan Actual A. Completed actions/events B. Planned actions/events (short term - next 12 months) C. Planned actions /events (longer j-erm) Validation Process to beUsed; Explain the validation process to be used by management to verify the completion of the corrective action. Describe the role the Inspector General can perform in validating corrective action and identify any other independent validation processes to be used. Part 3. Please provide the following information for any material non-conformances corrected this year: Name of System or Organizational Unit (if appropriate): Title of Material Non-conformancefs): System JType^ Core Financial Subsidiary Program Bureau/Appropriation/Account Number; Year Identified: * Corrective Actions Taken: Results of Validation Actions Taken; 12 ------- |