How Does EVERY Manager Get Involved?” “OMB Circular A-123 How Does EVERY Manager Get Involved?”

Philip J. Giza FMS Senior Accountant Financial Management Services Program Support Center Department of Health & Human Services

Association of Government Accountants Richmond Chapter Henrico Training Center, Richmond, VA OMB Circular A-123 - How Does EVERY Manager Get Involved? Wednesday, May 16th, 2007 8:45 am to 9:35 am Philip J. Giza phil.giza@psc.hhs.gov 301-443-3499

SOX SOX or Sarbanes-Oxley or Sarbanes-Oxley of 2002 or section 404 of the Sarbanes-Oxley Act of 2002 was enacted in response to corporate accountability failures of the past several years and contains a provision calling for management’s assessment of internal control over financial reporting similar to the long-standing requirements for executive branch agencies in 31 U.S.C. § 3512 (c),(d), commonly referred to as the Federal Managers’ Financial Integrity Act (FMFIA), to issue annual statements of assurance over internal control in the agency. Opinions on internal control over financial reporting as required by the Sarbanes-Oxley Act for publicly traded companies are important to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Regulators, public companies, audit firms, and investors generally agree that the Sarbanes-Oxley Act of 2002 has had a positive and significant impact on investor protection and confidence. At the same time, the costs associated with the Sarbanes-Oxley Act have been significant and additional steps should be taken to improve the efficiency and cost-effectiveness of its implementation.

SOX to A-123 In initiating the revisions to Circular No. A-123, OMB cited the new internal control requirements for publicly traded companies that are contained in section 404 of the Sarbanes-Oxley Act of 2002. Federal agencies also have a duty to attain and maintain the public’s trust and confidence. Specifically, federal agencies have a stewardship obligation to prevent fraud, waste, and abuse; to use tax dollars appropriately; and to ensure financial accountability to the President, the Congress, and the American people. In the broadest context, internal control represents an organization’s plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement.

Circular A-123: Background Federal Managers’ Financial Integrity Act (FMFIA) of 1982 and its implementing regulation, OMB Circular A-123 Rigorous Implementation of the 1980s - -> - - > Focus shifted to CFO Act Audits in 1990s Corporate Scandals led to Sarbanes-Oxley Act of 2002 (SOX) and Revised OMB Circular A-123 (December 2004) Revised Circular A-123 Requires Management to Assess, Test, Document, and Report on Internal Controls Over Financial Reporting (ICOFR) by using prescribed methodology included in Appendix A

A-123 New & Improved The Office of Management and Budget (OMB) revised its Circular Number A-123, in December 2004 (effective beginning with fiscal year 2006) to: strengthen the requirements for conducting management’s assessment of internal control over financial reporting. Major revisions contained in Appendix A of the circular: include requiring CFO Act agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide separate assurance on the agency’s internal control over financial reporting.

Federal Agencies = 15 Departments and ~ 86 Independent Agencies Federal Legislative History: Integration and Coordination with Other Control Activities Federal Agencies = 15 Departments and ~ 86 Independent Agencies are subject to numerous legislative and regulatory requirements that promote and support an effective internal control structure. Management should coordinate and integrate the Internal Control over Financial Reports (ICOFR) assessment with these reviews, including FMFIA and other existing internal reviews to leverage the benefit of work already being performed and avoid duplication of effort.

Examples of existing control-related activities include those listed below. Federal Managers’ Financial Integrity Act of 1982 (FMFIA); Federal Financial Management Improvement Act of 1996 (FFMIA); Chief Financial Officers Act of 1990, as amended (CFO Act); Improper Payments Information Act of 2002 (IPIA); Section 831 of the Defense Authorization Act of 2002 (Recovery Auditing); Single Audit Act, as amended; Inspector General Act of 1978 (IG Act); Federal Information Security Management Act of 2002 (FISMA); Information Technology Management Reform Act of 1996 (Clinger Cohen Act) Enterprise Architecture Documentation; and Financial Management Systems Documentation.

OMB A-123 Related Legislation & Regulatory Requirements Integration and Coordination with Other Control Activities (another view) Accounting and Auditing Act of 1950 The Grandfather of legislation for Internal Controls Federal Financial Management Improvement Act of 1996 (FFMIA) An Act to amend the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports on the adequacy of the systems of internal accounting and administrative control of each executive and others are: Chief Financial Officers Act of 1990, as amended (CFO Act); Improper Payments Information Act of 2002 (IPIA); Section 831 of the Defense Authorization Act of 2002 (Recovery Auditing); Single Audit Act, as amended; Inspector General Act of 1978 (IG Act); Federal Information Security Management Act of 2002 (FISMA); Information Technology Management Reform Act of 1996 (Clinger Cohen Act) Enterprise Architecture Documentation; and Financial Management Systems Documentation.

An Agency’s FMFIA assessment should … Consider the work done to comply with these various statutes, as well as the laws and regulations identified in the ICOFR Process. Use that information to determine the extent to which such work contributes to the overall assessment and whether any deficiencies identified should be included in the FMFIA report.

Assessment of Internal Controls Administrative and Program Compliance The assessment of internal controls over operations (administrative and program) reports whether those controls are operating effectively. The assessment is based: on general management knowledge gained from daily operations of agency programs and systems, management reviews to assess internal controls, and other available sources.

General Management knowledge for a Federal Agency can and should include the following: Audits of financial statements under the Chief Financial Officers Act of 1990, as amended (CFO Act); IG and GAO reports; Reviews of financial systems under Federal Financial Management Improvement Act of 1996 (FFMIA) or OMB Circular A-127, Financial Systems; Annual evaluations under Federal Information Security Management Act of 2002 (FISMA) and OMB Circular A-130, Management of Federal Information Resources; Government Performance and Results Act (GPRA) annual performance plans and reports;

And also the following sources: Program Assessment Rating Tool (PART) Assessments; Improper Payments Information Act of 2002 (IPIA) risk assessments and reports; Single audit reports; Management reviews with internal control assessment as a by-product; Reports and other information provided by Congressional committees; Program evaluations; Other reviews or reports related to Federal Agency operations; and Results from tests of key controls performed as part of the ICOFR assessment under Appendix A. 

The content and source of survey tools, testing instruments, etc The content and source of survey tools, testing instruments, etc. used by the program manager should be coordinated through an Internal Control Officer. For FMFIA, A-123 requires that agency managers and employees identify deficiencies in internal controls from the sources listed above and the results of their internal control assessment process and report the control deficiencies. Management must document the findings/conclusions of all Internal Control Reviews and ensure that such evaluations/self-assessments are adequately planned and coordinated. All reports, work papers, correspondence, and related memoranda are to be maintained by the sub-organization and readily available for inspection by the Agency.

Congress recognized the importance of internal controls. 57 years ago, the Budget and Accounting Procedures Act of 1950 became the first major act to place primary responsibility for establishing and maintaining internal control squarely on the shoulders of MANAGEMENT.

And to put all of the related A-123 history into perspective, the first major Accounting Act occurred 57 years ago and …

… Jamestown, Virginia was settled 400 years ago, on Monday, May 14th, 1607.

Federal Government-Wide Results: FY 2006 Status of the Implementation of A-123, Appendix A = All 24 CFO Act agencies or 100% completed first year of A-123 implementation. 16 of the 24 CFO Act agencies or 66% implemented a full scope A-123 assessment (testing all key processes) 8 of the 24 CFO Act agencies or 33% implemented a multi-year phased-in assessment (testing a portion of the key processes) and provided plans for testing the remaining processes within three years. Government-wide internal control material (FMFIA) weaknesses increased by 12% from 2005.

Government-Wide Results: FMFIA Issues Identified by Agency Heads as of FY 2005 and FY 2006 = Section 2 Overall Internal Control Weaknesses Section 4 Systems Nonconformances 2005 2006 Beginning 83 68 15 16 New 20 36 6 Resolved 33 2 4 Consolidated 1 5 Reassessed 3 Ending 80 14

Why did the Federal material weaknesses increase in 2006? Transparency was achieved in many agencies? Federal Agencies successfully reached the non-accountant/financial managers who are provided more of the organization’s vulnerabilities or “hidden” issues? Amnesty was given in 2006; turn in your “findings” and no (or few) questions are asked in 2006? “Show us now or show others later” was explained well? Process/Cycle memos’ documented procedures in 2005 showed the discovered anomalies in managers’ processes?

Corrective Action Plan or CAP (guideline examples for your consideration) Year the issue was first identified Organization official to monitor progress Progress performance indicators Quantifiable target or milestone progress Original targeted corrective action date Revised targeted corrective action date Actual corrective action date

Why have we not solved ALL of the accounting IC issues since the first OMB A-123 in 1983? Did we have the right people with the right skills in the right positions? Did we listen to the “noise?.” Did we bring “bad” news out ASAP & “fix” the process and not the people? Could the “Feds” consolidate their A-123 related legislation, Acts, etc.? Are there too many? There are KEY legislations, acts, and circulars, and documents that have invented the financial wheel. There is some overlap, duplication, or redundancy that has occurred over the last 57 years. Could Revised OMB A-123 be the start of a consolidation process?

Highlights of GAO-05-321T, a report to the Subcommittee on Government Management, Finance, and Accountability, Committee on Government Reform, House of Representatives Internal control is at the heart of accountability for our nation’s resources and how effectively government uses them. The testimony – outlined the importance of internal control, summarized the Congress’s long-standing interest in internal control and the related statutory framework, discussed GAO’s experiences and lessons learned from agency assessments since the early 1980s, and provided GAO’s views on the Office of Management and Budget’s (OMB) recent revisions to its 2004 Circular A-123.

GAO highlighted six issues important to successful implementation of the revised Circular, specifically, the need for: supplemental guidance and implementation tools; 2. vigilance over the broader range of controls covering program objectives; 3. strong support from MANAGERS through out the agency, and at all levels; 4. risk-based assessments and an appropriate balance between the costs and benefits of controls; 5. management testing of controls in operation to assess if they are designed adequately and operating effectively; and 6. MANAGEMENT accountability for control breakdowns.

What GAO said and found: Internal control represents an organization’s plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Internal control provides reasonable assurance that an organizations’ objectives are achieved through (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations.

Polling Question for you ! My organization has a comprehensive and coordinated approach to internal control management? Possible Answers: Yes No I do not know - I am just waiting for Joe K., Ester H., Mike B., Joe D., Mike W., and Valerie T. to speak after you.

Circular A-123, Appendix A Evaluate Internal Control at the entity level using COSO Framework (GAO Checklist) Assess Tone at the Top Perform Risk Assessments Evaluate Internal Control at the Process, Transaction, or Application Level (Agency Guidance Manual) Identify and gain an understanding of Major Business Cycles Identify and test significant cycles This work could also provide support for overall FMFIA assurance statement relating to operations and compliance objectives

2004 Revised A-123 Short Answer Who makes up your Organization’s “Board of Directors” (OMB-123 or Accounting Style)? Or Who was and is responsible under the Evolution of the A-123? 1983 Original OMB A-123 Answer = CFO, Senior Accountant, or anyone who was not wearing green eye shades and using columnar pads of paper (as PCs only started to became popular.) 2004 Revised A-123 Current Possible Answers = CFO Council, Oversight board, Governance Board, County Executives, and Financial and Program Stakeholders 2004 Revised A-123 Short Answer Every MANAGER in the entire organization Future Answer for most agencies + Present Answer for a Select few Everyone in the organization

A COSO internal control framework for your ideas

What is the Environment of your Organization? Tone at the top? Positive; process and results oriented; and “attack” the processes, not the messenger or the people? Documentation? Would we rather shred it or document it? Communication? Is there collaboration on financial, administrative, AND program issues? Are our employees and managers able to speak up when the find problems and situations? Is there a history of dialogue and honest communication Do you get out of our cubicles, offices, and buildings, to meet face-to-face? Transparency? Your policy/themes or just your windows? Transitions? How did Jennifer Cavedo transition AGA Richmond Chapter to Joy Yeh?

Marketing OMB A-123 and Internal Controls: Understanding your non-accounting audience Simplifying the Accounting jargon … KISS (Keep it simple and short)

Marketing OMB A-123 and Internal Controls: (continued) Legalese (noun) or Law Jargon = language that is typically used in legal documents, and is generally considered by lay people to be difficult to understand. Accounting Speak, Accountingese, or Accounting Jargon = language that is typically used in accounting documents, and is universally considered by lay people to be impossible to understand and boring to read.

One example of the Marketing of A-123: The first draft of a letter I wrote to introduce the OMB A-123 to an Agency’s executives and sub-organizations’ executives, did NOT use these two words - “Internal Controls.” Why? (Their eyes would have …) The draft letter was not written “DOWN to the audience”, instead it was written “TO the audience.” Understanding our audience, brings us closer to successfully marketing to the managers we want to reach. In most of the Federal 13 Departments and 86 agencies, the focus is Program related and not Administrative. As accountants and finance types, we should, we must understand our customers to be able to relate and translate our “Accountingease” to their professional perspectives.

How heavy is this bottle of water? What is your answer and how do you interpret what I am really asking and communicating in my question?

Answers to questions depend on … How our customer interprets our communications. How comfortable he or she is with Accounting, Auditing Financial, and internal control terms. And hundreds of factors …

The text book answer is … It depends on how long … This is how difficult it is for most of our customers to understand what we are attempting to accomplish when we ask our “A-123 questions.” Many of our customer managers are focused and involved with their own professions and not as much on “administrative support” functions and professions such as accounting, finance, etc.

Marketing of OMB A-123’s concepts to our customers Who is our target audience in the Federal universe? What are the HR classifications of these managers or types of functions they manage? What are your organization’s major transaction cycles and sub-cycles.

Next few slides will show = Major transaction cycles and their sub-cycles. This is similar to the “Old” JFMIP circle flowcharts. Examples of how sub-organizations could ensure that all significant financial statement accounts are covered and the key controls at the sub-cycle level are addressed.

Examples of Sub-Cycles Major Transaction Cycle Examples of Sub-Cycles Funds Management Fund Balance with Treasury Investments Financial Reporting General Ledger Maintenance Account Analysis & Reconciliation Notes & Supplementary Information External Financial Reporting Contingencies Financial Closeout Budget Execution and Monitoring Execution Monitoring Human Resources Management Payroll Time and Attendance Personnel (Hiring/Terminating) Benefits Purchasing and Procurement Requests and Awards Receipt of Goods/Services Contracts Monitoring Contract Closeouts Cash Disbursements / Payments Revenue Billing Interagency Agreements Non-Exchange Revenue Cash Receipts Disaster Relief Program Eligibility and Coverage Obligations and Billings Claims Processing Reporting Inventory Control Acquisition Distribution Disposals Inventory Count Property Management Capital Acquisition Requests Depreciation Capitalization Leases (Operating or Capital) Grants Management Closeouts Medicaid SCHIP Payments Entitlement Benefits Due and Payable Medicare Medicaid/SCHIP Medicare Advantage and Part D Benefits Payments Medicare Fee for Service Medicare Advantage Part D Social Insurance Trust Fund A Trust Fund B Trust Fund D

Human Resources, Human Capital, or Personnel Management - Examples Newly hired accountants and auditors must be able to identify, understand, and resolve legal and regulatory compliance issues. Develop tomorrow's stakeholders – identifying candidates with skills and backgrounds to work in the current environment. Pre-employment screening for all managers (and employees) Efficient Interview processes Employment Investigation Requirements Position Descriptions that include financial responsibilities.

Federal Grants In my previous position as the HHS director, my division paid out the grants for HHS and 12 other Federal Agencies.  These grant funds (a $1 billion a work day) for 12 Federal Agencies continue to flow down through 32,000 accounts to the states and local areas, and to 127 other countries. To what degree do you believe I promoted internal control to my worldwide customers and stakeholders?

Grant Payment And Cycle Memo - Examples (OPDIV = an operating division)

RISK – Are our we or our managers ignoring A-123 issues? If so … What is the probability that the Washington Post or the Richmond Time-Dispatch will find out about this before you do as the CFO, accountant, auditor, or financial guru? Do you know your Newspaper/Internet factors and rating?

My interpretations & presentations … of the numerous acts, circulars, legislation, documents and examples presented today are for teaching purposes. Use the tools presented to go back and read the intent and richness of the original documents. Present and market A-123 and its 57 years of historical support in a way that is meaningful and useful to each of your managers in the organizations you serve.

Latest news on the non-governmental SOX & A-123. Will they be strengthened or diluted in 2007 and 2008? What is your opinion? Some people say, ‘Where SOX and private industry goes, so shall the government.’ What do you believe?

Try one of these A-123 Sites: CFO Council’s “Implementation Guide for OMB Circular A-123.” The Audit Process (2nd Edition – January 3, 2005) by the HHS OIG’s Office of Audit Services (http://oig.hhs.gov/organization/OAS/OIGAuditProcess.pdf OMB Circular No. A-123, Management’s Responsibility for Internal Control, (http://www.whitehouse.gov/omb/circulars/a123/a123_rev.pdf)

More Sites: CFO Council Implementation Guide for OMB Circular No. A-123, Management’s Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting (http://www.cfoc.gov/documents/Implementation_Guide_for_OMB_Circular_A-123.pdf) GAO: Standards for Internal Control in the Federal Government, November 1999, GAO/AIMD-00-21.3.1 (http://www.gao.gov/special.pubs/ai00021p.pdf) GAO: Internal Control Management and Evaluation Tool, August 2001, GAO-01-1008G (http://www.gao.gov/new.items/d011008g.pdf

Contact these Organizations’ sites for their OMB A-123 perspectives: U.S. Government Federal Departments & Agencies Federal Office of Inspector Generals (OIGs) State & Local Governments Accounting, Auditing, Consulting Corporations

Thank You for your time and your input. Philip J. Giza phil.giza@psc.hhs.gov Direct = 301-443-3499 Address: Department of HHS Philip Giza, FMS 5600 Fishers Lane, Suite 18B-45 Rockville, MD 20852-1750

OMB A-123 & Its Rich History … just the end of the Beginning.