Publication 9200.9-01 March 1992 Office of Emergency and Remedial Response AEPA FMFIA United States Environmental Protection Agency A Managers' Quick Reference Guide to the Federal Managers' Financial Integrity Act ------- TABLE OF CONTENTS What is FMFIA? 1 Legislation Pertaining to FMFIA 2 The Agency Takes FMFIA Seriously 3 General Responsibilities for Managers 4 Specific Responsibilities for Managers 5 Steps for Ensuring Effective Management Controls 6 Main Activities in the FMFIA Process 7 Documents Generated During the FMFIA Process 8 FMFIA Definitions 15 FMFIA Calendar 19 ------- FMFIA ACRONYMS AAL Annual Assurance Letter AICR Alternate Internal Control Review AU Assessable Unit CATS Corrective Action Tracking System BCD Event Cycle Documentation FMFIA Federal Managers' Financial Integrity Act GAO General Accounting Office MCC Management Control Coordinator ICR Internal Control Review MCP Management Control Plan MTS Milestone Tracking System OC Office of Comptroller (EPA) OIG Office of Inspector General OMB Office of Management and Budget PO Project Officer WAM Work Assignment Manager ------- WHAT IS FMFIA? The FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT (FMFIA) was passed by Congress in 1982 and is de- signed to prevent Government resources from being wasted, abused, or misappropriated. FMFIA imposes requirements on all Federal managers, including those in the ENVIRON- MENTAL PROTECTION AGENCY (EPA), to strengthen controls over the Government's limited resources. The basic idea of FMFIA is to force a systematic SELF EXAMINATION of controls on a regular basis. Management Controls are actions taken by management to enhance the likelihood that missions and goals will be carried out effectively, efficiently, and economically and in accordance with the intent of applicable laws and regulations. Management Controls avoid or minimize mismanagement, erroneous reports or data, unauthorized use of resources, illegal or unethical acts, and adverse or unfavorable public opinion. Examples of Management Controls are: paper trails; double signatures; document numbering; documentation of financial transactions; authorizations by persons with specific authority; separation of key duties such as authorizing, processing, record- ing, and reviewing transactions; and qualified and continuous supervision of staffing to limit access to resources and records. FMFIA HELPS YOU ACHIEVE MANAGEMENT CONTROLS. 1 ------- LEGISLATION PERTAINING TO FMHA ACCOUNTING AND auditing ACT OF 1950 Requires federal managers to establish and maintain adequate systems for managemunt controls. OMB CIRULAR A-123 « AND OMB LETTER 1 TT tntc * I'rescibes policies arid standards v>i"vji> LbiTER 1 y for evaluating, improving, and J Nfc 4,1990 |/ reporting on management controls. FMFIA ACT OF 1982 I \ Requires agency heads to report ^ annually on compliance with management control standards prescribed by CAO and guidlcincs issyed by OMB. OMB GUIDELINES Provides detailed guidance on evaluating, improving, and reporting on management controls. GAO STANDARDS r - l\ Establishes government-wide 1983 \ standards for management ~Y controls that apply to both program management and financial management areas. 2 ------- THE AGENCY TAKES FMFIA SERIOUSLY ~ EPA wants to build confidence among OMB and Congres- sional staff that EPA takes FMFIA seriously and does its homework well. ~ EPA must build prevention into our processes, not waiting to find problems after the fact. "Prevention is now more important than ever." ~ Effective management controls are an integral part of Total Quality Management (TQM) and both must be a part of our daily work. ~ Management integrity is a critical component of quality management. ~ Focus on "causes, not culprits." ~ Our goal is to strengthen the link between FMFIA and the budget process. Source: Hank Habicht August 12,1991 3 ------- MANAGER'S GENERAL RESPONSIBILITIES ~ Assume responsibility far establishing and maintaining internal controls. ~ Keep documentation current and accurate. ~ Ensure compliance with MCP. ~ Attend FMF1A training and other management control training. ~ Conduct evaluations according to FMF1A criteria. ~ Assess current procedures for vulnerability to weaknesses. ~ Report corrective actions taken. ~ Be aware of other reviews. ~ Ensure all financial transactions are clearly, promptly, and properly documented. ~ Ensure appropriate personnel are authorized to exchange, transfer, use, or commit resources, and thai there is adequate separation of duties. ~ Ensure qualified and continuous supervision of staff. ~ Ensure access to resources and records is limited to authorized personnel. 4 ------- MANAGER'S SPECIFIC RESPONSIBILITIES IDENTIFYING AND TRACKING WEAKNESSES ~ Create a workplan for each weakness. ~ Keep workpians updated every quarter. ~ Ensure all information on a workplan is correct and accurate. ~ Check FMFIA calendar to determine upcoming schedule. ~ Keep in contact with the other divisions and the FMFIA coordinator. ~ Understand criteria for proper verification of time cards and leave slips. ~ Ensure an element for FMFIA exists in all managers' performance standards as well as those of applicable staff. ~ Ensure all WAMs and POs have been properly trained. ~ Perform audit follow-up in accordance with OMB Circu- lar A-50 as requested. 5 ------- SEVEN STEPS FOR ENSURING EFFECTIVE MANAGEMENT CONTROLS STEP DESCRIPTION ACTIVITY 1. Document the routine activities that you manage. EVENT CYCLES 2. State the operational objectives of the activity you are documenting, including the statutes, mandates, or directives that reflect the event cycle to be performed. State how you know you achieve your objectives in the most efficient and effective manner. CONTROL OBJECTIVES CONTOOL TECHNIQUES 3. Determine which event cycles may be most at risk for waste, fraud, or abuse. RISK ASSESSMENT 4. Schedule which event cycles need reviewing based on the vulnerability (risk) assessment. MANAGEMENT CONTROL PLAN 5. Conduct an alternate internal control review or an internal control review for "high risk" event cycles. AICR/ICR 6. Disclose in the Annual Assurance Letter the needed improvements identified in your ICRs and AICRs, and outline the corrective action plan for each area identified as "needs improvement." MATERIAL/ AGENCY-LEVEL WEAKNESS 7. Report on weaknesses, milestones, and progress each quarter. CATS REPORT 6 ------- MAIN ACTIVITIES IN THE FMFIA PROCESS REPORT ON WEAKNESSES TRACK CORRECTIVE ACTIONS IDENTIFY WEAKNESSES DEVELOP CORRECTIVE ACTION DOCUMENT FUNCTIONS 7 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS ECO AND RISK ASSESSMENT AICR/LCR MANAGEMENT CONTROL PLAN ANNUAL ASSURANCE LETTER CATS REPORT 8 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS EVENT CYCLE DOCUMENTATION Purpose: Identifies repetitive duties (event cycles), objectives of event cycles, and controls for achieving objectives. Describes internal control methods and measures applicable events. Com- municates responsibilities for implementing these methods and measures. Provides a basis for A ICR/ICR. This is basically the "what, why, and how of our duties." Timing/Accountability: Event cycles are documented and up- dated annually to comply with G AO standards for implementing FMFIA. This report is done in March. Helpful Hints: ~ Assign a manager accountable for each event cycle. ~ Be sure to list all event cycles. ~ Include the title of the directive, statute, or mandate that requires the event cycles to be performed in the control objective. ~ Be sure to include all control technique steps for each event cycle. ~ State the intent/desired goal of the event cycle in the control objective. 9 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS RISK ASSESSMENT DO] N1 Purpose: Calculates potential for vulnerability of a program or function to the occurrence of waste, loss, or misappropriation. Also helps to determine the focus of reviews. Timing/Accountability: This report is updated every 3 years, in April, by the AU manager. Helpful Hints: ~ Document event cycles. ~ Keep accurate records of all AICRs/ICRs. 10 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS AICR/ICR OOCUI Purpose: A detailed examination of a system of internal controls to determine whether adequate control measures exist, and if controls to prevent or detect the occurrence of potential risks are implemented in a cost-effective manner. Makes recommendations of controls needing correction and indicates documentation needing refinement. Provides managers with assessment of effectiveness and efficiency of management controls. Timing/Accountability: Conducted according to the MCP sched- ule signed by AU managers. Performed any time throughout the year. Helpful Hints: ~ Analyze general control environment to determine the degree of overall risk. ~ Review event cycles. ~ Identify and document potential risks in and control objectives for each event cycle. ~ Test internal control techniques. 11 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS Purpose: Facilitates the implementation of FMFIA by summariz- ing the risk assessments, planned actions, and internal control evaluations which have been undertaken during the current year and which will be undertaken in the coming 5-year period. Iden- tifies high risk areas deemed by management to require an inter- nal control evaluation. Timing/Accountability; Covers a five year period and is updated annually by the AU manager. This report is done in August of every year. Helpful Hints: ~ All AICRs must be listed in your MCP. ~ You must report in the AAL what is listed in the MCP. MANAGEMENT CONTROL PLAN 12 ------- !)(>( I MK\ I S <;i NKRM11) 1)1 KIMi THK FMKIA PROCUSS ANNUAL ASSURANCE LETTER Purpose: Certifies that internal control systems are working effectively, recognizes internal controls as important management tools, and evaluates and improves continually existing material weaknesses. Identifies improvements made and the need to ensure a reasonable program of internal controls. Provides the Administrator with personal assurance that controls are in place, tested, effective, updated, and documented. Timing/Accountability: Produced each year by AA/RA to be included in EPA's Annual Assurance Letter to the President and Congress. Done in September/October every year. Helpful Hints: * Keep updated workplans as the year progresses. * Comply with audit follow-up procedures throughout the year. * Use last year's AAL and this year's MCP to ensure all studies/workplans are included. 13 ------- DOCUMENTS GENERATED DURING THE FMFIA PROCESS Purpose: Tracks correction of weaknesses identified in the An- nual Assurance Letter via OIG audits, GAO studies, and internal studies. Informs management of progress for improving controls. Timing/Accountability: Provided quarterly by MCC via manag- ers to OARM and/or Senior Council. Due 2-6 weeks after the end of every quarter. Helpful Hints: ~ Update all FMFIA workplans at the end of the quarter in theMTS. ~ Be sure all workplans in MTS have a verification of completion milestone and methodology for follow-up (validation process). ~ Revise current plan dates in the workplan if the milestone was not accomplished or on schedule and explain any delays. ~ Use the status box on the workplan to summarize the activi ty which occurred during tba t quarter. CATS REPORT 14 ------- FMFIA DEFINITIONS Assessable Unit In OERR, each division is an AU and the program as a whole is also an AU. An AU is a program operation, administrative func- tion, or a subdivision which is subject to a risk assessment and internal control evaluation. An AU is comprised of related event cycles and is usually a division or a branch of an office. The ultimate decision rests with the Assistant Administrator or Regional Administrator. Alternate Internal Control Review Any review of internal controls which does not examine the entire event cycle. OIG audits, computer security reviews, management studies, and reviews conducted in accordance with other OMB Circulars are examples of AICRs. Such reviews usually focus on high risk areas/activities and determine whether the control techniques in an agency component are operating in compliance with OMB Circular A-123. These reviews must determine overall compliance and include testing of controls and a written report of the review detailing the activity reviewed, the findings, and the recommended corrective action(s). Control Objective A desired goal or standard for a specific event cycle that ensures that the component's mission and objectives are accomplished efficiently and effectively. Control Techniques I The management process or documents designed, implemented, monitored, and changed as necessary to achieve the control objectives or to reduce risks to acceptable levels. Examples of control techniques include passwords to limit access to data bases, internal procedures for delegating programs to states, planning calendars with specific milestones, and segregating sensitive duties among several personnel. (Also see "Examples of Manage- ment Controls" on Page 1.) ------- FMFIA DEFINITIONS (continued) Event Cycles A series of related steps that constitutes a distinct and separate process or activity within each office (Division in OERR). An event cycle refers to the related processes or actions that carry out a recurring responsibility, create the necessary documentation, and gather and report related data. The number of event cycles within an assessable unit depends upon the size and complexity of the unit. General Control Environment Various factors that may influence the effectiveness of internal controls over programs and administrative functions such as budget cuts, changes in personnel, reorganization, and new man- agement policies. Internal Control I The plan of organization, methods, and procedures adopted by management to provide reasonable assurance that obligations and costs comply with applicable law; safeguards exist to protect funds, property, and other assets against waste, loss, unauthorized use, or misappropriation; and personnel properly record and account for revenues and expenditures applicable to agency operations. Internal Control Documentation Any written material (including software) that describes internal control methods and measures, communicates responsibilities and authorities for internal control methods and measures, or serves as a reference for persons reviewing internal controls and their functions. 16 ------- FMFIA DEFINITIONS (continued) Internal Control Evaluation A detailed evaluation of program or administrative activity to determine whether adequate control techniques exist and are implemented to achieve cost-effective compliance with FMFIA. There are two types of control evaluations, Internal Control Reviews and Alternate Internal Control Reviews. Internal Control Review A detailed examination of a system of internal control in accor- dance with Agency internal control review guidance dated October 1983. The purpose is to determine whether adequate control measures exist and are implemented to prevent or detect potential risks cost-effectively. The entire event cycle is reviewed when conducting an ICR. Internal Control System I All methods and measures used to achieve the objectives of internal control for all or part of an organizational component, program, or administrative function. Management Control Plan I A structured process for planning agency efforts to develop, maintain, evaluate, improve, and report on internal controls to ensure that the objectives of FMFIA are achieved cost-effectively. The plan is based on management's judgement regarding the potential risks associated with each agency component and the steps required to review and improve internal controls. It is a 5- year rolling plan to be updated annually. Based upon the Administrator's review and approval, EPA submits the plan to OMB at the end of each calendar year. It is basically a list of all OIG and GAO audits and other internal studies planned by management within the program. 17 ------- FMFIA DEFINITIONS (continued) Material Weakness A situation in which the designed procedures or degree of opera- tional compliance do not provide reasonable assurance that the objectives of internal control are being accomplished. The assur- ance letter process identifies material weaknesses annually. Such a weakness would significantly impair the fulfillment of a component's mission, deprive the public of needed services, violate statutory or regulatory requirements, significantly weaken safeguards against waste loss, promotes the unauthorized use of funds, property or other assets, results in a conflict of interest, or cause adverse public opinion. Reasonable Assurance A satisfactory level of confidence in achieving program objectives effectively and efficiently under given considerations of costs, benefits, and risks. This concept recognizes that the cost of inter- nal control should not exceed the benefit derived. Risk Assessment A review of the susceptibility of a program or function to the occurrence of waste, loss, unauthorized use, or misappropriation. The assessment usually identifies the relative risks of each compo- nent as high, medium, or low in a 2-page questionnaire form. The questionnaire is completed every three years. Weakness A weakness is a breakdown in an internal control system that may prevent control objectives from being met. A weakness exists when existing internal controls fail to provide reasonable assur- ance that fraud, waste, and abuse of Government resources will not occur, or when policies and procedures that detect and pre- vent misuse of federal resources are not effectively implemented. 18 ------- FMFIA CALENDAR FOR FY 1992 Q1CATS Report; Update Workplans Division Workgroup Meets Managers' Working Session/Training Draft Report Completed Division Approval/Comments Final Report Completed Senior Management Briefing Report Due to OSWER January 2 January 9 January 16 January 23 January 30 February 6 February 13 February 14 Q2 CATS Report: Update Workplans Division Workgroup Meets Managers' Working Session/Training Draft Report Completed Division Approval/Comments Final Report Completed Senior Management Briefing Report Due to OSWER March 2 March 9 March 16 March 23 March 30 April 6 April 9 April 10 Event Cycle Documentation; Division Workgroup Meets Managers' Working Session/Training All Materials Due to OPM Report Due to OSWER February 12 February 23 February 23 March 13 Risk Assessment; Report Due to OSWER April 27 19 ------- FMFIA CALENDAR FOR FY 1992 (continued) Q3 CATS Report: Update Workplans June 1 Division Workgroup Meets June 8 Managers' Working Session/Training June 15 Draft Report Completed June 22 Division Approval/Comments June 29 Final Report Completed July 6 Senior Management Briefing July 9 Report Due to OSWER July 10 Management Control Plan: Division Workgroup Meets June 25 Managers' Working Session/Training July 2 All Materials Due to Division Coordinator July 16 Draft Report Completed July 23 Division Approval/Comments Due August 6 Final Report Completed August 13 Report Due to OSWER August 24 Annual Assurance Letter: Workgroup Meets July 28 Managers' Working Session/Training August 4 Submit Audit/New Workplans to OPM August 18 Update All Workplans to OPM September 1 Update Workplans with Late Sept. Dates September 15 Draft Report Completed September 22 Division Approval/Comments to OPM September 29 Final Report Completed October 6 Senior Management Briefing October 13 Letter Due to OSWER October 16 20 ------- NOTES: ------- NOTES: ------- |