Publication 9200.9-01
March 1992
Office of Emergency and Remedial Response
AEPA FMFIA
United States
Environmental Protection
Agency
A Managers'
Quick Reference
Guide to the
Federal Managers'
Financial Integrity
Act

-------
TABLE OF CONTENTS
What is FMFIA?	1
Legislation Pertaining to FMFIA	2
The Agency Takes FMFIA Seriously	3
General Responsibilities for Managers	4
Specific Responsibilities for Managers	5
Steps for Ensuring Effective Management Controls	6
Main Activities in the FMFIA Process	7
Documents Generated During the FMFIA Process	8
FMFIA Definitions	15
FMFIA Calendar	19

-------
FMFIA ACRONYMS
AAL
Annual Assurance Letter
AICR
Alternate Internal Control Review
AU
Assessable Unit
CATS
Corrective Action Tracking System
BCD
Event Cycle Documentation
FMFIA
Federal Managers' Financial Integrity Act
GAO
General Accounting Office
MCC
Management Control Coordinator
ICR
Internal Control Review
MCP
Management Control Plan
MTS
Milestone Tracking System
OC
Office of Comptroller (EPA)
OIG
Office of Inspector General
OMB
Office of Management and Budget
PO
Project Officer
WAM
Work Assignment Manager

-------
WHAT IS
FMFIA?
The FEDERAL MANAGERS' FINANCIAL INTEGRITY
ACT (FMFIA) was passed by Congress in 1982 and is de-
signed to prevent Government resources from being wasted,
abused, or misappropriated. FMFIA imposes requirements
on all Federal managers, including those in the ENVIRON-
MENTAL PROTECTION AGENCY (EPA), to strengthen
controls over the Government's limited resources.
The basic idea of FMFIA is to force a systematic SELF
EXAMINATION of controls on a regular basis.
Management Controls are actions taken by management to
enhance the likelihood that missions and goals will be carried out
effectively, efficiently, and economically and in accordance with
the intent of applicable laws and regulations.
Management Controls avoid or minimize mismanagement,
erroneous reports or data, unauthorized use of resources, illegal
or unethical acts, and adverse or unfavorable public opinion.
Examples of Management Controls are: paper trails; double
signatures; document numbering; documentation of financial
transactions; authorizations by persons with specific authority;
separation of key duties such as authorizing, processing, record-
ing, and reviewing transactions; and qualified and continuous
supervision of staffing to limit access to resources and records.
FMFIA HELPS YOU ACHIEVE
MANAGEMENT CONTROLS.
1

-------
LEGISLATION PERTAINING TO FMHA
ACCOUNTING AND
auditing ACT
OF 1950
Requires federal managers to
establish and maintain adequate
systems for managemunt controls.
OMB CIRULAR A-123 «	
AND OMB LETTER 1	
TT tntc *
I'rescibes policies arid standards
v>i"vji> LbiTER 1	y for evaluating, improving, and
J Nfc 4,1990	|/ reporting on management
controls.
FMFIA ACT OF 1982 I			\
Requires agency heads to report
^ annually on compliance with
management control standards
prescribed by CAO and
guidlcincs issyed by OMB.
OMB GUIDELINES
Provides detailed guidance on
evaluating, improving, and
reporting on management
controls.
GAO STANDARDS r -	l\ Establishes government-wide
1983			 \ standards for management
~Y controls that apply
to both program management
and financial management areas.
2

-------
THE AGENCY TAKES FMFIA SERIOUSLY
~	EPA wants to build confidence among OMB and Congres-
sional staff that EPA takes FMFIA seriously and does its
homework well.
~	EPA must build prevention into our processes, not waiting
to find problems after the fact. "Prevention is now more
important than ever."
~	Effective management controls are an integral part of Total
Quality Management (TQM) and both must be a part of
our daily work.
~	Management integrity is a critical component of quality
management.
~	Focus on "causes, not culprits."
~	Our goal is to strengthen the link between FMFIA and the
budget process.
Source: Hank Habicht
August 12,1991
3

-------
MANAGER'S GENERAL RESPONSIBILITIES
~	Assume responsibility far establishing and maintaining
internal controls.
~	Keep documentation current and accurate.
~	Ensure compliance with MCP.
~	Attend FMF1A training and other management control
training.
~	Conduct evaluations according to FMF1A criteria.
~	Assess current procedures for vulnerability to weaknesses.
~	Report corrective actions taken.
~	Be aware of other reviews.
~	Ensure all financial transactions are clearly, promptly, and
properly documented.
~	Ensure appropriate personnel are authorized to exchange,
transfer, use, or commit resources, and thai there is
adequate separation of duties.
~	Ensure qualified and continuous supervision of staff.
~	Ensure access to resources and records is limited to
authorized personnel.
4

-------
MANAGER'S SPECIFIC RESPONSIBILITIES
IDENTIFYING AND TRACKING WEAKNESSES
~	Create a workplan for each weakness.
~	Keep workpians updated every quarter.
~	Ensure all information on a workplan is correct and
accurate.
~	Check FMFIA calendar to determine upcoming schedule.
~	Keep in contact with the other divisions and the FMFIA
coordinator.
~	Understand criteria for proper verification of time cards
and leave slips.
~	Ensure an element for FMFIA exists in all managers'
performance standards as well as those of applicable
staff.
~	Ensure all WAMs and POs have been properly trained.
~	Perform audit follow-up in accordance with OMB Circu-
lar A-50 as requested.
5

-------
SEVEN STEPS FOR ENSURING EFFECTIVE
MANAGEMENT CONTROLS
STEP	DESCRIPTION	ACTIVITY
1.
Document the routine activities that you manage.
EVENT CYCLES
2.
State the operational objectives of the activity you
are documenting, including the statutes, mandates,
or directives that reflect the event cycle to be
performed.
State how you know you achieve your objectives
in the most efficient and effective manner.
CONTROL
OBJECTIVES
CONTOOL
TECHNIQUES
3.
Determine which event cycles may be most at
risk for waste, fraud, or abuse.
RISK
ASSESSMENT
4.
Schedule which event cycles need reviewing based
on the vulnerability (risk) assessment.
MANAGEMENT
CONTROL PLAN
5.
Conduct an alternate internal control review or
an internal control review for "high risk" event
cycles.
AICR/ICR
6.
Disclose in the Annual Assurance Letter the needed
improvements identified in your ICRs and AICRs,
and outline the corrective action plan for each area
identified as "needs improvement."
MATERIAL/
AGENCY-LEVEL
WEAKNESS
7.
Report on weaknesses, milestones, and progress
each quarter.
CATS REPORT
6

-------
MAIN ACTIVITIES IN THE FMFIA PROCESS
REPORT ON
WEAKNESSES
TRACK
CORRECTIVE
ACTIONS
IDENTIFY
WEAKNESSES
DEVELOP
CORRECTIVE
ACTION
DOCUMENT
FUNCTIONS
7

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
ECO AND RISK
ASSESSMENT
AICR/LCR
MANAGEMENT
CONTROL PLAN
ANNUAL
ASSURANCE
LETTER
CATS
REPORT
8

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
EVENT CYCLE
DOCUMENTATION
Purpose: Identifies repetitive duties (event cycles), objectives of
event cycles, and controls for achieving objectives. Describes
internal control methods and measures applicable events. Com-
municates responsibilities for implementing these methods and
measures. Provides a basis for A ICR/ICR. This is basically the
"what, why, and how of our duties."
Timing/Accountability: Event cycles are documented and up-
dated annually to comply with G AO standards for implementing
FMFIA. This report is done in March.
Helpful Hints:
~	Assign a manager accountable for each event cycle.
~	Be sure to list all event cycles.
~	Include the title of the directive, statute, or mandate that
requires the event cycles to be performed in the control
objective.
~	Be sure to include all control technique steps for each event
cycle.
~	State the intent/desired goal of the event cycle in the
control objective.
9

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
RISK
ASSESSMENT
DO]
N1
Purpose: Calculates potential for vulnerability of a program or
function to the occurrence of waste, loss, or misappropriation.
Also helps to determine the focus of reviews.
Timing/Accountability: This report is updated every 3 years, in
April, by the AU manager.
Helpful Hints:
~	Document event cycles.
~	Keep accurate records of all AICRs/ICRs.
10

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
AICR/ICR
OOCUI
Purpose: A detailed examination of a system of internal controls
to determine whether adequate control measures exist, and if
controls to prevent or detect the occurrence of potential risks are
implemented in a cost-effective manner. Makes recommendations
of controls needing correction and indicates documentation
needing refinement. Provides managers with assessment of
effectiveness and efficiency of management controls.
Timing/Accountability: Conducted according to the MCP sched-
ule signed by AU managers. Performed any time throughout the
year.
Helpful Hints:
~	Analyze general control environment to determine the
degree of overall risk.
~	Review event cycles.
~	Identify and document potential risks in and control
objectives for each event cycle.
~	Test internal control techniques.
11

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
Purpose: Facilitates the implementation of FMFIA by summariz-
ing the risk assessments, planned actions, and internal control
evaluations which have been undertaken during the current year
and which will be undertaken in the coming 5-year period. Iden-
tifies high risk areas deemed by management to require an inter-
nal control evaluation.
Timing/Accountability; Covers a five year period and is updated
annually by the AU manager. This report is done in August of
every year.
Helpful Hints:
~	All AICRs must be listed in your MCP.
~	You must report in the AAL what is listed in the MCP.
MANAGEMENT
CONTROL
PLAN

12

-------
!)(>( I MK\ I S <;i NKRM11) 1)1 KIMi THK
FMKIA PROCUSS
ANNUAL
ASSURANCE
LETTER
Purpose: Certifies that internal control systems are working
effectively, recognizes internal controls as important management
tools, and evaluates and improves continually existing material
weaknesses. Identifies improvements made and the need to
ensure a reasonable program of internal controls. Provides the
Administrator with personal assurance that controls are in place,
tested, effective, updated, and documented.
Timing/Accountability: Produced each year by AA/RA to be
included in EPA's Annual Assurance Letter to the President and
Congress. Done in September/October every year.
Helpful Hints:
*	Keep updated workplans as the year progresses.
*	Comply with audit follow-up procedures throughout the
year.
*	Use last year's AAL and this year's MCP to ensure all
studies/workplans are included.
13

-------
DOCUMENTS GENERATED DURING THE
FMFIA PROCESS
Purpose: Tracks correction of weaknesses identified in the An-
nual Assurance Letter via OIG audits, GAO studies, and internal
studies. Informs management of progress for improving controls.
Timing/Accountability: Provided quarterly by MCC via manag-
ers to OARM and/or Senior Council. Due 2-6 weeks after the
end of every quarter.
Helpful Hints:
~	Update all FMFIA workplans at the end of the quarter in
theMTS.
~	Be sure all workplans in MTS have a verification of
completion milestone and methodology for follow-up
(validation process).
~	Revise current plan dates in the workplan if the milestone
was not accomplished or on schedule and explain any
delays.
~	Use the status box on the workplan to summarize the
activi ty which occurred during tba t quarter.
CATS
REPORT
14

-------
FMFIA DEFINITIONS
Assessable Unit
In OERR, each division is an AU and the program as a whole is
also an AU. An AU is a program operation, administrative func-
tion, or a subdivision which is subject to a risk assessment and
internal control evaluation. An AU is comprised of related event
cycles and is usually a division or a branch of an office. The
ultimate decision rests with the Assistant Administrator or
Regional Administrator.
Alternate Internal Control Review
Any review of internal controls which does not examine the entire
event cycle. OIG audits, computer security reviews, management
studies, and reviews conducted in accordance with other OMB
Circulars are examples of AICRs. Such reviews usually focus on
high risk areas/activities and determine whether the control
techniques in an agency component are operating in compliance
with OMB Circular A-123. These reviews must determine overall
compliance and include testing of controls and a written report of
the review detailing the activity reviewed, the findings, and the
recommended corrective action(s).
Control Objective
A desired goal or standard for a specific event cycle that ensures
that the component's mission and objectives are accomplished
efficiently and effectively.
Control Techniques I
The management process or documents designed, implemented,
monitored, and changed as necessary to achieve the control
objectives or to reduce risks to acceptable levels. Examples of
control techniques include passwords to limit access to data bases,
internal procedures for delegating programs to states, planning
calendars with specific milestones, and segregating sensitive
duties among several personnel. (Also see "Examples of Manage-
ment Controls" on Page 1.)

-------
FMFIA DEFINITIONS (continued)
Event Cycles
A series of related steps that constitutes a distinct and separate
process or activity within each office (Division in OERR). An event
cycle refers to the related processes or actions that carry out a
recurring responsibility, create the necessary documentation, and
gather and report related data. The number of event cycles within
an assessable unit depends upon the size and complexity of the
unit.
General Control Environment
Various factors that may influence the effectiveness of internal
controls over programs and administrative functions such as
budget cuts, changes in personnel, reorganization, and new man-
agement policies.
Internal Control I
The plan of organization, methods, and procedures adopted by
management to provide reasonable assurance that obligations and
costs comply with applicable law; safeguards exist to protect funds,
property, and other assets against waste, loss, unauthorized use, or
misappropriation; and personnel properly record and account for
revenues and expenditures applicable to agency operations.
Internal Control Documentation
Any written material (including software) that describes internal
control methods and measures, communicates responsibilities and
authorities for internal control methods and measures, or serves
as a reference for persons reviewing internal controls and their
functions.
16

-------
FMFIA DEFINITIONS (continued)
Internal Control Evaluation
A detailed evaluation of program or administrative activity to
determine whether adequate control techniques exist and are
implemented to achieve cost-effective compliance with FMFIA.
There are two types of control evaluations, Internal Control
Reviews and Alternate Internal Control Reviews.
Internal Control Review
A detailed examination of a system of internal control in accor-
dance with Agency internal control review guidance dated
October 1983. The purpose is to determine whether adequate
control measures exist and are implemented to prevent or detect
potential risks cost-effectively. The entire event cycle is reviewed
when conducting an ICR.
Internal Control System I
All methods and measures used to achieve the objectives of
internal control for all or part of an organizational component,
program, or administrative function.
Management Control Plan I
A structured process for planning agency efforts to develop,
maintain, evaluate, improve, and report on internal controls to
ensure that the objectives of FMFIA are achieved cost-effectively.
The plan is based on management's judgement regarding the
potential risks associated with each agency component and the
steps required to review and improve internal controls. It is a 5-
year rolling plan to be updated annually. Based upon the
Administrator's review and approval, EPA submits the plan to
OMB at the end of each calendar year. It is basically a list of all
OIG and GAO audits and other internal studies planned by
management within the program.
17

-------
FMFIA DEFINITIONS (continued)
Material Weakness
A situation in which the designed procedures or degree of opera-
tional compliance do not provide reasonable assurance that the
objectives of internal control are being accomplished. The assur-
ance letter process identifies material weaknesses annually. Such
a weakness would significantly impair the fulfillment of a
component's mission, deprive the public of needed services,
violate statutory or regulatory requirements, significantly weaken
safeguards against waste loss, promotes the unauthorized use of
funds, property or other assets, results in a conflict of interest, or
cause adverse public opinion.
Reasonable Assurance
A satisfactory level of confidence in achieving program objectives
effectively and efficiently under given considerations of costs,
benefits, and risks. This concept recognizes that the cost of inter-
nal control should not exceed the benefit derived.
Risk Assessment
A review of the susceptibility of a program or function to the
occurrence of waste, loss, unauthorized use, or misappropriation.
The assessment usually identifies the relative risks of each compo-
nent as high, medium, or low in a 2-page questionnaire form. The
questionnaire is completed every three years.
Weakness
A weakness is a breakdown in an internal control system that may
prevent control objectives from being met. A weakness exists
when existing internal controls fail to provide reasonable assur-
ance that fraud, waste, and abuse of Government resources will
not occur, or when policies and procedures that detect and pre-
vent misuse of federal resources are not effectively implemented.
18

-------
FMFIA CALENDAR FOR FY 1992
Q1CATS Report;
Update Workplans
Division Workgroup Meets
Managers' Working Session/Training
Draft Report Completed
Division Approval/Comments
Final Report Completed
Senior Management Briefing
Report Due to OSWER
January 2
January 9
January 16
January 23
January 30
February 6
February 13
February 14
Q2 CATS Report:
Update Workplans
Division Workgroup Meets
Managers' Working Session/Training
Draft Report Completed
Division Approval/Comments
Final Report Completed
Senior Management Briefing
Report Due to OSWER
March 2
March 9
March 16
March 23
March 30
April 6
April 9
April 10
Event Cycle Documentation;
Division Workgroup Meets
Managers' Working Session/Training
All Materials Due to OPM
Report Due to OSWER
February 12
February 23
February 23
March 13
Risk Assessment;
Report Due to OSWER
April 27
19

-------
FMFIA CALENDAR FOR FY 1992
(continued)
Q3 CATS Report:
Update Workplans	June 1
Division Workgroup Meets	June 8
Managers' Working Session/Training	June 15
Draft Report Completed	June 22
Division Approval/Comments	June 29
Final Report Completed	July 6
Senior Management Briefing	July 9
Report Due to OSWER	July 10
Management Control Plan:
Division Workgroup Meets	June 25
Managers' Working Session/Training	July 2
All Materials Due to Division Coordinator	July 16
Draft Report Completed	July 23
Division Approval/Comments Due	August 6
Final Report Completed	August 13
Report Due to OSWER	August 24
Annual Assurance Letter:
Workgroup Meets	July 28
Managers' Working Session/Training	August 4
Submit Audit/New Workplans to OPM	August 18
Update All Workplans to OPM	September 1
Update Workplans with Late Sept. Dates	September 15
Draft Report Completed	September 22
Division Approval/Comments to OPM	September 29
Final Report Completed	October 6
Senior Management Briefing	October 13
Letter Due to OSWER	October 16
20

-------
NOTES:

-------
NOTES:

-------