Statement of John P. Higgins, Jr. Inspector General of the Department of Education and Chair of the Audit Committee President’s Council on Integrity and Efficiency Before the Subcommittee on Government Management, Finance and Accountability Committee on Government Reform United States House of Representatives February 16, 2005 Mr. Chairman and Members of the Subcommittee: On behalf of the President’s Council on Integrity and Efficiency (PCIE), thank you for the opportunity to discuss our perspectives on the changes made to the Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control (A-123). I would also like to thank the committee for its dedication to the goal of improving financial management government-wide. The Federal Manager’s Financial Integrity Act of 1982 (FMFIA) and OMB’s implementing guidance contained in A-123 define management's responsibility for internal control in Federal agencies, and are the center of the existing Federal requirements to improve internal control. Other significant laws since passage of FMFIA continued to highlight the importance of efficient and effective internal controls to improving financial management and programmatic performance. Examples of such laws include the Chief Financial Officers Act of 1990, the Government Performance and Results Act of 1993, the Federal Financial Management Improvement Act of 1996, and the Clinger-Cohen Act, to name a few. My testimony will focus on the importance of effective internal control, why A-123 was revised, how the audit community can coordinate its independent role with agency management’s requirement to assess the effectiveness of internal control, our perspective on how the recent changes to A-123 may affect Federal financial management in general, and our views on future legislative action on Federal financial management. Importance of Internal Control Effective internal control is a key factor in helping agencies to achieve the following objectives: Effectiveness and efficiency of operations and programs; Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for external and internal decision-makers; and Compliance with applicable laws and regulations. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. FMFIA required the Government Accountability Office (GAO) to issue standards for internal control in the Federal government. The latest version of the standards was issued in November 1999 and is based on the private sector internal control guidance known as Internal Control — Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). GAO discusses the fundamental objectives identified above and establishes five standards of internal control that define the minimum level of quality acceptable for internal control in the Federal government and provide the basis against which internal control is to be evaluated. The five standards for internal control are: Control Environment, Risk Assessment, Control Activities, Information and Communications, and Monitoring. It is a fundamental and statutory responsibility of management to institute effective controls, assess them periodically, and make course corrections as needed, to ensure accountability for resources and achievement of organizational objectives. Events of recent years have dispelled the myth that internal control is but a mere academic exercise or is of interest only to accountants or auditors. High profile fraud and mismanagement in the private sector, and the Federal government’s own financial reporting problems, have resulted in an increased focus on management’s responsibility for internal control. My own office’s audit and investigative efforts have shown weak or poorly executed internal controls to be at the heart of problems that led to poor management decisions, ineffective financial reporting, and outright theft and fraud. For example, in recent work, we have recommended that the Department of Education improve internal controls to ensure that the data used to identify the most at-risk schools is complete, accurate, and applicable to the schools being evaluated. Other work found a guaranty agency’s claim review process for defaulted loans was not adequate to ensure that it claimed reinsurance only when appropriate. Conversely, Education’s success as one of the first cabinet level agencies to earn an unqualified or clean opinion on its financial statements by the accelerated date of November 15, 2003, one year ahead of the requirement, is due primarily to a sustained commitment by management to improving controls in the area of financial reporting. As these and future financial reporting improvements take hold across government, agencies should have better information for external reporting and internal management decisions. As important as internal control is, I do want to point out that having effective internal control is not a guarantee that the previously mentioned objectives of internal control will be achieved. Effective internal control is designed to provide reasonable, not absolute, assurance of achieving those objectives. Also, the establishment of specific controls is subject to cost/benefit considerations, availability of resources, and any limitations or restrictions imposed by law. Effective internal controls also may be overridden by management and circumvented through collusion. Why OMB Circular A-123 was Revised The generally accepted importance of internal control, recent financial reporting problems in both the Federal government and private sector, and the resulting new internal control requirements for public companies under the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley), converged to lead OMB to convene a joint committee of the Chief Financial Officers Council (CFO Council) and PCIE to reassess internal control requirements in the Federal government. The new A-123 guidance resulted from that joint effort. The joint committee considered that at the heart of Sarbanes-Oxley is the new requirement that management of publicly traded companies assess the effectiveness of internal control over financial reporting and that the independent auditors provide an opinion on those controls. While FMFIA and A-123 had already required Federal government management to make an assertion about controls, the committee concluded that the guidance should be revisited in light of Sarbanes-Oxley. The result was an increased focus on management’s assessment and improvement of internal control over financial reporting, more stringent documentation requirements for all of management’s internal control assessment activities under FMFIA, and inclusion of a non-compliance clause that permits OMB to require an agency to obtain an audit opinion over the internal control over financial reporting if agreed upon deadlines for correcting material weaknesses are not met. Coordination Between the Audit Community and Agency Management on Internal Control Issues The type of cooperation that occurred between the CFO Council and PCIE on the revisions to A-123 is not uncommon. The Inspector General Act of 1978 (IG Act) has as one of its purposes “…to create independent and objective units…to provide leadership and coordination and recommend policies for activities designed (A) to promote economy, efficiency, and effectiveness in the administration of, and (B) to prevent and detect fraud and abuse in…programs and operations.” There is an ongoing coordination between agencies and their OIGs that can be helpful to the agencies as they work to implement the new guidance. However, we must guard against consulting type arrangements that might impair our independence for performing future audits. Coordination between the audit community and agency management on internal control matters is inherent in the OIG’s mission. The continuing assessment of controls surrounding an agency’s programmatic, financial and compliance efforts, and the subsequent public reporting of the results require this coordination. The requirements of A-123 are the responsibility of an agency’s management and not its auditors. Therefore, while OIG work can be a useful supplement to management’s own assessments of controls and plans for corrective actions, and can provide an independent validation of management’s assessments, OIG work does not replace management’s efforts. The resolution of audit findings provides a primary avenue for OIGs and agency management to discuss control assessments and corrective actions. The audit resolution process, where the auditors and agency management reach agreement on corrective actions for reported OIG findings, is a fundamental part of the PCIE community’s work. While the final decision about how to implement corrective actions is a management decision, there is still significant coordination and communication between the OIG and management on the course of action to be taken. Another avenue for coordination on internal control issues is in the requirements of the Reports Consolidation Act of 2000. This act requires each IG to summarize what the IG considers to be the most serious management and performance challenges facing the agency and briefly assess the agency’s progress in addressing those challenges. This is included in the agency’s annual Performance and Accountability Report, along with the audited financial statements and auditor’s reports. My office currently has two special efforts underway with Education’s management that address internal control issues. The first is a joint effort by my office and the Department of Education to develop a systematic process for identifying fraud types, both actual and potential, in the Student Financial Aid (SFA) programs. A second effort is an on-going campaign to alert students to the threat of identify theft by updating our website, www.ed.gov/misused, with information concerning recent scams against the SFA programs. This website was developed in conjunction with the Department’s Office of Federal Student Aid (FSA). At the government-wide level, the audit community under the PCIE periodically works with the CFO Council on internal control and management issues. An example is the Joint CFO Council and PCIE Working Group on Improper Payments. This collaborative Working Group’s mission is to facilitate the reduction of improper payments throughout the Federal government. The Working Group researched improper payments, critiqued potential methods of identifying and quantifying improper payments, developed improper payment indicators, and established benchmarks for measuring and preventing improper payments. In addition, the Working Group developed a common format for reporting improper payment results in agencies’ Performance and Accountability Reports. These ongoing efforts to address internal control issues are a natural outgrowth of the responsibilities and relationships OIGs have with their agencies. The work of the OIGs, while helpful to the agencies as they make their own assessments, cannot replace management’s assessment efforts contemplated under the new guidance. Significant Changes to A-123 and the Impact on Federal Financial Management I would like to turn our attention to the major changes to A-123 and their potential impact on Federal financial management. Across the government, the implementation of FMFIA has been inconsistent. GAO reports for several years have noted agency FMFIA reporting that does not accurately characterize or fully disclose the weaknesses in their controls. And in some cases, agencies have settled into a pattern of reporting what the OIG or GAO may find, with little or no emphasis on management performing its own risk assessments and control testing. The impact on Federal financial management of the recent changes to A-123 depends on how aggressively an agency assessed its controls under the old guidance, and how it implements the new requirements. The most significant change is the new requirement for management to assess and document internal control over financial reporting, and provide a corresponding assurance statement annually that asserts to the effectiveness of internal control over financial reporting as of June 30th. A separate appendix addressing this area was added to A-123 and provides specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting. This emphasizes that management, and not the financial statement auditor, is responsible for implementing and assessing controls over financial reporting. Having an annual assessment by management will help ensure that once an agency has effective internal control, it will not deteriorate over time as personnel change and financial systems are replaced or changed. This renewed emphasis is critical to ensuring that agencies have good financial management information for managing their operations and should assist the Federal government in eventually receiving an unqualified opinion on its financial statements. Another significant change is the more specific and strengthened requirement for management to “have a clear, organized strategy with well-defined documentation processes that contain an audit trail, verifiable results, and specify document retention periods so that someone not connected with the procedures can understand the assessment process.” This documentation standard pertains to all the internal control assessments management performs, not just those related to controls over financial reporting. Updating the language and definitions in A-123 to align with the language in the COSO framework, the GAO internal control standards and the auditing literature should help eliminate confusion over what internal control really is, and promote a common understanding of materiality when assessing and reporting on internal control over financial reporting. It will be interesting to see if the new definition of reportable condition results in the reporting of more internal control deficiencies, which could provide the impetus for additional improvements in agencies’ financial management. We also agree with OMB’s inclusion of the provision requiring an opinion on internal controls over financial reporting, if an agency continually misses agreed-upon deadlines for correcting material financial control weaknesses. This was a prudent, cost effective way to provide flexibility to address serious, longstanding problems, without forcing a one size fits all approach government-wide. The argument could be made that in the government arena, FMFIA and A-123 requirements have been around for a long time and the incremental costs should not be significant. However, the two documentation requirements described above could have significant resource impacts on the agencies implementing them. Both requirements provide greater specificity regarding what an agency should document and retain in support of its assessment of internal control. Similar type changes in the private sector suggest that, if aggressively implemented, the A-123 requirements could have significant costs associated with them. For example, much has been written about the impact of implementing the Sarbanes-Oxley requirement for a management assertion on the effectiveness of internal control over financial reporting of public companies, including the costs of enabling management to make the required assessments and assertions. There has also been discussion about the impact on accountants and auditors as companies compete for a limited pool of resources to help them meet their new responsibilities, and on CPA firms as they pare back smaller clients and reassign staff to the large public companies that must address the new requirements. This gives us an indication of increased costs associated with implementing the required assessments in A-123. In the end, the effectiveness of FMFIA depends on management’s commitment to the intent of the law and implementing guidance. If aggressively implemented in a cost effective manner, the resulting improvements to internal control should assist government program managers in achieving desired results through effective stewardship of public resources. Future Legislative Action on Federal Financial Management Effective internal control and financial management are core concerns of the PCIE community, and we appreciate the opportunity to communicate with you on these issues today. As your subcommittee moves forward to address the patchwork of laws affecting these areas, we in the IG community welcome the opportunity to continue the dialogue and provide assistance. Our accumulated experience in reviewing Federal operations since passage of the Inspector General Act over 25 years ago could provide valuable insight for a reassessment of the existing financial management laws. Finally, the reassessment of financial management requirements of Federal agencies should be conducted in a cautious and deliberate manner, carefully considering the costs and anticipated benefits of any changes. This concludes my statement. I would be happy to answer any questions you may have. 7
Statement of Inspector General John P. Higgins, Jr. on the changes made to the Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control (A-123), Before the Subcommittee on Government Management, Finance and Accountability Committee on Government Reform United States House of Representatives, February 16, 2005 MS Word, PDF [109k]
Published by the Department of Education, Office of Inspector General on 2005-02-16.
Below is a raw (and likely hideous) rendition of the original report.