CIRCULAR A-123 Internal Control Systems

TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

SUBJECT: Internal Control Systems

1. Purpose. This circular prescribes policies and procedures to be followed by executive departments and agencies in establishing, maintaining, evaluating, improving, and reporting on internal controls in their program and administrative activities.

2. Rescission. This circular replaces Circular A-123, Revised, "Internal Control Systems," dated August 16, 1983.

3. Background. The Budget and Accounting Act of 1950 requires the head of each department and agency to establish and maintain adequate systems of internal control.

The Federal Managers Financial Integrity Act, P.L. 97-255, (hereafter referred to as the Integrity Act), amended the

Budget and Accounting and Procedures Act of 1950 and requires that internal accounting and administrative control standards be developed by the General Accounting Office, annual evaluations be conducted by each executive agency of its system of

internal accounting and administrative control in accordance

with guidelines established by the Director of the office of Management and Budget; and annual statements be submitted by the heads of each executive agency to the President and the Congress on the status of the agency's system of internal controls.

4. Policy. Agencies shall establish and maintain a costeffective system of internal controls to provide reasonable assurance that Government resources are protected against fraud, waste, mismanagement or misappropriation and that both existing and new program and administrative activities are effectively and efficiently managed to achieve the goals of the agency. The system shall comply with the Integrity Act and the internal control standards developed by the General Accounting Office and implemented by this circular. All levels of management shall be involved in ensuring the adequacy of controls. Internal control does not encompass such matters as statutory development or interpretation, determination of program need, resource allocation, rulemaking, or other discretionary policymaking processes in as agency.

5. Definitions. For the purpose of this circular, the following terms are defined.

a. Agency -- any department or independent establishment in the executive branch.

b. Agency Component -- a major program, administrative activity, organization, or functional subdivision of an agency.

c. Internal Control Objective -- specific end to be achieved by control techniques used in a component. Each objective is to take into consideration the nature of the component and the requirements of this circular. Limiting factors such as budget constraints, statutory and regulatory restrictions, staff limitations, and the cost-benefits of each control technique are to be considered in determining desired internal control objectives.

d. Internal Control Documentation -- written materials of two types.

(1) System documentation includes policies and procedures, organization charts, manuals, memoranda, flow charts, and related written materials necessary to describe organizational structure, operating procedures, and administrative practices; and to communicate responsibilities and authorities for accomplishing programs and activities. Such documentation should be present to the extent required by management to effectively control their operations.

(2) Review documentation shows the type and scope of review, the responsible official, the pertinent dates and facts, the key findings, and the recommended corrective actions. Documentation is adequate if the information is under standable to a reasonably knowledgeable reviewer.

e. Internal Control Guidelines -- the guidelines issued by the Office of Management and Budget (OMB) in December 1982, entitled "Guidelines for the Evaluation and Improvement of and Reporting on Internal Control Systems in the Federal Government," or as they may be modified subsequently. These guidelines, present a suggested approach, and should adapted to meet the needs of the individual agencies provided that any such adaptation remains in compliance with this circular.

t. Internal Control Evaluation -- a detailed evaluation of a program or administrative activity to determine whether adequate control techniques exist and are implemented to achieve cost-effective compliance with the Integrity Act.' Control evaluations are of two types.

(1) Internal Control Review is a detailed examination of a system of internal controls using the methodology specified in the Internal Control Guidelines. All reviews should produce written materials documenting what was done and what was found. See 5(d), Internal Control Documentation.

(2) Alternative Internal Control Review is a process such as Circular A-l30 computer security reviews, Circular A-127 financial system reviews, Inspector General audits, and other management and consulting reviews to determine that the control techniques in an agency component are operating in compliance with this circular. Such alternative reviews must determine overall compliance and include. testing of controls and the development of required documentation.

g. Internal Control Standards -- the standards. developed by the General Accounting Office, and published in "Standards for Internal Controls in the Federal Government," October 31, 1984. Implementation of the standards should be in accordance with this circular, consistent with agency needs for sound cost-effective internal control systems.

h. Internal Control system -- the organization structure, operating procedures, and administrative practices adopted by all levels of management to provide reasonable assurance that programs and administrative activities are effectively carried out in accordance with the objectives of the Integrity Act and this circular.

i. Internal Control Techniques -- the management processes and documents necessary to accomplish an internal control objective.

j. Management Control Plan (MCP) -- a brief written plan which summarizes the agencies risk assessments, planned actions, and internal control evaluations to be undertaken to provide reasonable assurance that controls are in place and working and is used to manage Integrity Act implementation.

k. Material Weakness -- a specific instance of non-compliance with the Integrity Act of sufficient importance to be reported to the President and congress. Such weakness would significantly impair the fulfillment of an agency component's mission; deprive the public of needed services; violate statutory or regulatory requirements; significantly weaken safeguards against waste, loss, unauthorized use or misappropriation of funds, property, or other assets; or result in a conflict of interest.

l. Reasonable Assurance -- a judgment by an agency head based upon all available information that the systems of internal control are operating as intended by the Integrity Act.

m. Risk Assessment -- a documented review by management of a component's susceptibility to waste, loss, unauthorized use, or misappropriation. Risk assessments are of two types:

(1) vulnerability assessments as provided in the guidelines, and

(2) alternative procedures tailored to agency circumstances.

n. Testing -- procedures to determine whether internal control systems are working in accordance with management internal control objectives.

6. Responsibility. The head of each agency is responsible for ensuring that the design, installation, documentation, evaluation, and improvement of internal controls, and issuance of reports on the agency's internal controls are in accordance with the requirements of the Integrity Act and this circular.

a. A senior official shall be designated in each agency who shall be responsible for coordinating the overall agency-wide effort to comply and evaluate compliance with the Integrity Act and this circular.

b. Heads of agency components are responsible for developing and administering the systems of internal controls in their units. This responsibility includes reporting to the agency head each year on the compliance of the' internal control systems in their component with the requirements of the Integrity Act and this circular. Quality controls are to be established to assure the accuracy of reports to the agency head.

c. The Inspector General (IG) or the senior audit official where there is no IG, through a program of audits and investigations, is an integral part of the agency's internal control process. Routine evaluations of internal controls should be included within the scope of internal audits and reflected in the resultant reports. The reports are to be included within the sum of all information available to managers for their consideration in making the reasonable assurance determination to use in the annual internal control statement.

d. In addition, the IG or senior audit official should be consulted in the internal control process. The IG should provide technical assistance in the agency efforts to evaluate and improve systems affected by this circular, and may advise the agency head whether the agency's review and evaluation process has been conducted cons is tent with this circular. Consultation and the provision of technical advice by the IG during agency planning efforts should not preclude the IG from independently making any reviews or audits or otherwise limit the authority of the IG.

7. Objectives of Internal Control. The objectives of internal control apply to all program and administrative activities. Internal control systems are to provide management with reasonable assurance that:

a. Obligations and costs comply with applicable law.

b. Assets are safeguarded against waste, loss, unauthorized use and misappropriation.

c. Revenues and expenditures applicable to agency operations are recorded and accounted for properly so that accounts and reliable financial and statistical reports may `be prepared and accountability of the assets may be maintained.

d. Programs are efficiently and effectively carried out in accordance with applicable law and management policy.

8. Required Agency Actions. Each agency shall meet the following requirements in a cost-effective manner.

a. Maintain a current internal control directive assigning management responsibility for internal controls in accordance with this circular and the Internal Control Guidelines with the following provisions. Provide for coordination on internal control matters among the designated internal control official, heads of agency components, program managers and staffs, and the IG office or its equivalent. Establish administrative procedures to enforce the intended functioning of internal controls: Require performance agreements, for each Senior Executive Service and Merit Pay or equivalent employee with significant responsibility for internal controls, which result in recognition for positive internal control accomplishments such as timely correction of internal control weaknesses and appropriate action for violations of internal controls.

b. Develop a Management Control Plan (MCP) or plans to be updated annually. The primary purpose of an MCP is to identify component inventory, to show risk rating of component (high, medium, low), and to provide for necessary evaluations over a five-year period. Material weaknesses and other areas of management concern may also be monitored through the plan. High risk components and material weaknesses must be acted upon during the first year of the plan. The plan should be based upon the schedule of actions in each major component, and identify the senior managers responsible. Management should utilize the plan for monitoring progress and ensuring that planned actions are in fact taken. MCP's are intended to be part of each agency's overall planning process and at a minimum should be linked to activities under A-l27 and A-l30. The first MCP should be issued and in effect by December 31, 1987.

c. Make risk assessments to identify potential risks in agency operations which require corrective action or further investigation through internal control evaluations or other actions. These may follow the vulnerability assessment procedures in the Internal Control Guidelines or may be based on a systematic review building on management's knowledge, information obtained from management reporting systems, previous risk assessments, audits, etc. Management should update its risk assessment of agency components at least once every 5 years and as major changes occur. Risk assessment on new or substantially revised programs should occur as part of planning for implementation and the results reflected in the MCP. Risk assessments are to be considered as part of developing the MCP.

d. Make internal control evaluations using the procedures in the Internal Control Guidelines or alternative reviews to determine whether the internal control system is effective and is operating in compliance with the' Integrity Act and this circular. These reviews should identify internal controls that need to be strengthened or streamlined. The composite of all information that management relies upon to judge their systems effectiveness must include information on the results of tests of their operating internal control systems.

e. Implement corrective actions identified by agency internal control evaluation efforts on a timely basis. A formal follow-up system should be established that records and tracks recommendations and projected action dates, and monitors whether the changes are made as scheduled. The tracking system should be made part of broader agency management reporting systems whenever feasible.

9. Reporting. By December 31 of each year, the head of an agency subject to P.L. 97-255 (31 U.S.C. 3512) shall submit a statement to the President and to Congress as of the close of the fiscal year: stating whether the evaluation of internal controls was conducted in accordance with this circular, and whether the agency's system of internal controls taken as a whole complies with the standards developed by the General Accounting Office and implemented through this circular and provides reasonable assurance that programs are effectively carried out in accordance with applicable law; reporting the material weaknesses, if any, in the agency's system of internal controls, however identified; and containing a plan for correcting material weaknesses.

Instructions to be followed in preparing this report will be published in supplemental guidance provided by OMB.

10. Effective Date. This circular is effective upon publication.

11. Inquiries. All questions or inquiries should be addressed to the Financial Management Division, Office of Management and Budget, telephone number 202/395-3993.

12. Sunset Review Date. This circular shall have an independent policy review to ascertain its effectiveness three years from the date of issuance.

Internal Control Guidelines

This supplement to the 1982 Internal Control Guidelines is intended to clarify their applicability and to assist agencies in determining risk of fraud, waste, and loss; and rapidly identifying and correcting material weaknesses in management controls.

Compliance with the Internal Control Guidelines is not mandatory, provided agencies adopt alternative procedures of equivalent efficacy. These agency procedures must determine relative risk of fraud, abuse, and other losses in agency programs and administrative activities; and also identify and correct material weaknesses in agency internal-control-systems.

Since agency managers have the responsibility for improving controls, Circular A-123 requires the use of a management control plan to ensure efficient procedures, integration with other management processes, and compliance with the circular.

Management Control Plans (MCPs)

Each agency is required by Circular A-123 to develop a five-year MCP to plan and direct the process for reviewing risk, and identifying and correcting material weaknesses in internal control systems. Because the MCP is primarily a document to manage overall agency efforts under the circular, superfluous detail should be avoided. MCPs must involve senior managers. MCPs should fully utilize managerial knowledge and judgment within a simple, structured process featuring clear, reasonably complete documentation.

Items to be included in the MCP include all components in the inventory, the name of the official responsible for Circular A-123 compliance within the component, management's assessment of the relative risk of the component, year reviews of component internal control systems are planned to be completed. Material weaknesses identified, year identified, and year corrected or scheduled for correction may also be included.

Though the MCP should be updated annually, a complete new MCP

is not required. An example of an MCP is attached.

Alternative Internal Control Reviews

In order to streamline the process of reviewing internal control systems and to better involve program and administrative managers, Circular A-123 encourages agencies to use alternatives to the internal control review process specified in the Internal Control Guidelines.

The requirements that AICRs must meet include compliance with Circular A-123, and sample testing of controls in operation. In responding to these requirements, agencies may use questionnaires, checklists, model control systems, and so on. In part these requirements may be met by using existing agency management reporting and review processes -- including reviews made under OMB Circulars A-76, A-127, and A-130; as well as reviews, audits, management studies, and consultant studies.

S A M P L E

United States Department of the Interior BUREAU OF MINES

2401 C. STREET, NW.

WASHINGTON, D.C. 20241

OFFICE OF THE DIRECTOR

February 14, 1986 Memorandum

To: Assistant Secretary

From: Director, Bureau of Mines

Subject: Management Evaluation Plan 1986

The attached Management Evaluation Plan for 1986 has been prepared in accordance with instructions provided in your memorandum of January 10, 1986.

The process used at the Bureau of Mines complies with recommendations made by the Office of the Inspector General (OIG) in Memorandum Audit Report E-MO-MOA-10-85-B, "Comments on Statements and Reports Prepared by the U.S. Geological Survey and Bureau of Mines for Fiscal Year 1985 Under the Federal Managers Financial Integrity Act of 1982"; and commitments made in the Bureau response of December 18, 1985, to the audit report.

The procedure used in the assignment of risk and the development of the Management Evaluation Plan are described in Attachment II to this memorandum. Several changes have been made in the Inventory. They include:

1. Addition of three components that were recommended in the OIG report-

Division of State Activities, the adjudication process of the Office of Equal Employment Opportunity, and Mineral Institute's Program. The State Activities Program was a component prior to 1984 when the organization was called Office of State Liaison. The Office of Equal Employment Opportunity adjudication process, and the Mineral Institutes Program are new programs.

2. Deletion of the Grants and Cooperative Agreements component because

the grants activity is part of the Mineral Institutes Program and will be reviewed with that component, and the Bureau does not have any cooperative agreements.

The OIG report also recommended component status for the Office of Technical Information, the Office of Congressional Liaison, the Senior Advisory Staff, and the Special Projects Staff. The functions of these organizations were analyzed to determine whether they qualify for component status. The OMB

2

guidelines specifically exclude from component status statutory development or interpretation, determination of program need, and other discretionary policymaking processes in an agency. The organizations proposed for component status by the OIG perform staff functions that qualify for exemption and therefore were not included in the inventory.

We will be pleased to provide any additional information that you may require.

Director

Attachments

Attachment II

Procedure Used in Developing the 1986 Management Evaluation Plan

During the period January 15-24, 1986, the Internal Control Coordinator reviewed past Internal Control Reviews, Vulnerability Assessments,

Audits, reports, and the Component Inventory within the framework of the 1986 Management Evaluation Plan (MEP) Instructions provided by the DOI Office of Financial Management (PFM). The criteria provided by PFM were reviewed for applicability to the various components and modified as appropriate. Recommendations in the Office of the Inspector General (OIG) report on the 1985 process were built into the process for developing the 1986 MEP.

On January 27, 1986, a meeting was held with the Director, Deputy Director, Assistant Director--Finance and Management, and internal Control Coordinator to discuss: changes in the 1986 process for internal control reviews; how the streamlining would affect the Bureau; the most effective way of conducting the risk assessment; developing the plan; and scheduling of the 1986 reviews and training. For the seven organizational entities proposed for component status by the Inspector General, it was decided that a meeting should be held with each manager to review the organization against the PFM criteria for risk and to assess whether there are operational activities that meet the criteria for component status.

On January 28 - February 13, 1986, meetings and conferences were held with the Internal Control Coordinator, each Assistant Director, each Division Chief and, where appropriate, staff persons responsible for the conduct of internal control reviews.

Components in the previous inventory were given a risk assessment and scheduled for review as appropriate. The seven proposed components were examined, and it was determined that the Division of State Activities, Office of Equal Employment Opportunity, and Office of Mineral Institutes have operational functions that should be subject to an internal control review. The Office of Technical Information, Office of Congressional Liaison, Director's Senior Advisory Staff, and the Special Projects Staff of the Assistant Director-Mineral Data Analysis all perform mostly staff and/or policy analysis functions that exclude them from component status, according to definitions provided by OMB.

In assigning level of risk, the following additional criteria were used: (1) interactions with other organizations in such a way that the ability of either organization to accomplish its mission would be adversely affected by actions of the other, (2) degree of impact the program might have on resources of the Bureau as a whole, (3) size and scope of the program, and (4) congressional interest in the program.

Although no component material control weaknesses were identified as a result

of this process, it should be noted that the risk assessment ratings appear to be more realistic than those assigned in the past. Managers judged the risk

Page 2 of Attachment II

potential using weighting factors in making their risk assessments that were tailored to their program. Some components that had received a LOW rating under the old system were given a MEDIUM rating under the new system. Also, some of the functional components that had received a HIGH rating under the old system were given either MEDIUM or LOW ratings this time.

Details of the risk assessments for each of the components are available from the Bureau's Internal Control Coordinator.

The Director will present the final ratings and the schedule for internal control reviews over the next three years to the Assistant Directors and Division and Office Chiefs at a staff meeting Tuesday, February 18, 1986. The Director of the Office of Financial Management is expected to attend the meeting and discuss the revised and streamlined procedures.