OMB A-123 What is it, where did it come from, and what is happening now? Marty Conger, CPA CFO & Director of Business Support Services
What is A-123?
OMB Circular A-123 Management’s Responsibility for Internal Controls
Provides guidance to Federal managers
on improving the accountability and effectiveness of Federal programs and operations
by establishing, assessing, correcting, and reporting on internal control…
All Federal agencies covered by the CFO Act
DOE is flowing requirements to major and integrated contractors
A-123 Internal Controls Timeline 1970 1975 1980 1985 1990 1995 2000 2005 1972-75 Bribes to foreign governmental officials 1989 Thrift & bank failures 1992 Continuing bank problems 1997 Corporate corruption scandals 2003 Corporate corruption scandals (Enron, WorldCom) 1980 Thrift & bank failures 1977 Audit GAAP SASs Foreign Corrupt Practices Act (FCPA) 1982 Federal Manager’s Financial Integrity Act (FMFIA) 1982 OMB’s Internal Control Guidelines 1987 National commission on fraudulent financial reporting (Treadway Commission) 1986 OMB A-123 Internal Controls Systems 1992 & 1994 Internal Control-Integrated Framework (COSO) 2004 Enterprise Risk management – Integrated Framework (COSO ERM) 2002 Sarbanes-Oxley Act 1995 OMB A-123 Management Accountability and Controls 2004 OMB A-123 Management’s Responsibility for Internal Controls Evolution of OMB Circular A-123
Why A-123 Changed
“ Circular A-123 and the statute it implements, the Federal Managers’ Financial Integrity Act of 1982, are at the center of the existing Federal requirements to improve internal control.”
“ To ensure Congress and the public that the Federal Government is committed to safeguarding its assets and providing reliable financial information .” “ A re-examination of the existing internal control requirements for Federal agencies was initiated in light of the new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002 .”
What Actions does A-123 Require ?
“ Agencies and individual Federal managers must take systematic and proactive measures to:
(i) develop and implement appropriate, cost-effective internal control for results-oriented management
(ii) assess the adequacy of internal control in Federal programs and operations
(iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A
(iv) identify needed improvements
(v) take corresponding corrective action
(vi) report annually on internal control through management assurance statements. “
End in Mind – Management Assertions
Responsibility for Internal Controls
Assessment of Internal Controls was done
Based on assessment can provide assurance
Internal Controls operating effectively
No material weaknesses were found in design or operations
August 29, 2006 Manager Department of Energy Fiscal Year 2xxx Annual Assurance Statement on Internal Control over Financial Reporting The [Agency’s] management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The [Agency] conducted its assessment of the effectiveness of the [Agency’s] internal control over financial reporting in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the [Agency] can provide reasonable assurance that internal control over financial reporting as of June 30, 2xxx was operating effectively and no material weaknesses were found in the design or operation of the internal controls over financial reporting. Sincerely, Head of Agency
Similarities of SOX and Circular A-123 Appendix A An audit is required for DHS and the U.S. Postal Service is electing to include an audit Audit opinion on internal controls over financial reporting Management assertion on internal control effectiveness Testing of control design and operating effectiveness Documentation of internal controls “ Top Down” approach Materiality criteria COSO internal control standard Management responsibility for effectiveness of internal controls over financial reporting A-123 App A SOX Sec 404 Area
What are Internal Controls?
“ Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:
effectiveness and efficiency of operations,
reliability of financial reporting, and
compliance with applicable laws and regulations."
Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, “Green Book.”
Committee of Sponsoring Organizations (COSO) Framework
Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people
Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level.
Control Activities These policies and procedures help ensure management directives are carried out.
Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components.
Monitoring Internal control systems need to be monitored – that assesses the quality of the system’s performance over time.
Treadway Commission established Internal Control Integrated Framework published in 1992 Image courtesy of sox-online.com
Financial Statement Assertion Framework from A-123 P E R C V The financial report is presented in the proper form and any required disclosures are present resentation and Disclosure All assets and liabilities have been properly valued, and where applicable, all costs have been properly allocated aluation All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date xistence and Occurrence All assets are legally owned by the agency and all liabilities are legal obligations of the agency ights and Obligations All assets, liabilities, and transactions that should be reported have been included and no unauthorized transactions or balances are included ompleteness
Two Types of Internal Controls per A-123
Higher leverage, usually lower cost
Example: Prevent unauthorized use – Password access to systems
More costly to maintain because of the number of steps: identify, assess and correct errors, etc.
Example: Monthly review of P-card transactions to detect errors, sensitive transactions, etc.
Examples of Control Techniques
Each agency must negotiate an implementation plan with OMB
DOE has negotiated a general implementation schedule of 3 years
2-year implementation schedule for contractors
Year 1, test high-risk processes
Year 2, test the remaining processes
A-123 parallels SOX by requiring agency executives to validate the effectiveness of internal controls with the agency head making assurances to the taxpayers that internal controls are working effectively.