U.S. DEPARTMENT OF AGRICULTURE

WASHINGTON, D.C. 20250

 

 

DEPARTMENTAL MANUAL

Number: 1110-002

SUBJECT: USDA Management Control Manual

DATE: November 29, 2002

OPI: Office of the Chief Financial Officer

 

CHAPTER 1

 

  GENERAL POLICIES AND RESPONSIBILITIES

 

 

1          PURPOSE

 

This manual establishes department-wide policy and detailed guidelines and procedures for all agencies and staff offices to: (1) improve the accountability and effectiveness of USDA's programs and operations through the use of sound systems of internal/management controls, and (2) ensure compliance with laws and regulations.  Agencies have the discretion, where necessary, to supplement this policy guidance by developing additional agency-specific instructions.

 

2          SPECIAL INSTRUCTIONS

 

USDA agencies should use this manual to implement an effective management controls process in accordance with Departmental Regulation 1110-2, Management Accountability and Control, dated February 23, 1999. 

 

3          INTRODUCTION

 

Policy provided in this manual is intended to serve as a framework for the Department's Management Control Program.  The program recognizes that management controls are not a stand-alone effort, but are the underlying management mechanisms which ensure the Department's mission, policies and procedures are achieved efficiently and effectively.  The Department's overall objective is to implement a comprehensive and balanced program that encompasses agency operations, serves management's needs and complies with requirements of laws and regulations.  The Management Control Program includes two key initiatives:

 

a          implementing and maintaining effective management control processes, including  reviews and reports;

b          defining an effective process that emphasizes accountability for maintaining effective management controls, routinely evaluating those controls, resolving issues and reporting significant control deficiencies in the Annual Assurance Statement.

 

Agencies should use this manual to determine how well their internal control program is structured and performing, how the program may be refined and improved, and to assist them in identifying and addressing major risks for fraud, waste, abuse, and mismanagement.

 

4            BACKGROUND AND AUTHORITY

 

Background.  The Congress, Office of Management and Budget (OMB), and General Accounting Office (GAO) have directed attention to the need for agencies to establish and maintain sound management control systems as a primary means of providing greater accountability.  OMB Circular A-123, as amended, states that:

 

            "Management accountability is the expectation that managers are responsible for the quality and timeliness of program performance, increasing productivity, controlling cost, mitigating adverse aspects of agency operations, and assuring that programs are managed with integrity and in compliance with applicable law."

 

It further states that "managers should continuously monitor and improve the effectiveness of management controls in their respective areas."  This continuous monitoring, and other periodic evaluations, provide the basis for the Department's annual assessment and report on management controls.

 

Management controls are often misunderstood and incorrectly thought of solely as the responsibility of financial managers such as Chief Financial Officers (CFO) and Controllers.  To the contrary, management controls cover all aspects of an organization's operations (program, administrative, financial, and compliance).  Effective managers ensure that the following objectives are achieved:

 

a       efficiency and effectiveness in operations,

b       sound management decision-making,

c       protection of resources,

d       collection of reliable information, and

e       execution of operations consistent with management's plans and policies.

 

The term management controls (or controls) is synonymous with internal controls.  The goal is not to establish the greatest possible number of controls, but to develop the most cost effective controls.

 

Authority.  The basic authority for establishing and maintaining agency controls is the Federal Managers' Financial Integrity Act (FMFIA) of 1982 as codified in 31 U.S.C. 3512.  It requires the head of each agency to establish and maintain management controls for all agency programs, organizations, and functions.  The Act also stipulates that accounting systems should conform to Federal accounting standards and related requirements.  The Chief Financial Officer's Act of 1990 identifies management control related activities as a primary responsibility of the Department's Chief Financial Officer.  See Appendix D for a listing of sources for additional guidance in implementing effective internal controls.

 

5            DEPARTMENT POLICY

 

a       USDA agencies will establish, maintain, evaluate, improve, and report on systems of controls.  These systems of controls should constitute the full range of controls necessary to assist managers in attaining program objectives and in protecting and using Government resources efficiently and effectively.

 

b       Controls will be an integral part of the entire Departmental cycle of planning, budgeting, management, accounting, reporting, and auditing.

 

c       Systems of management controls will be evaluated on an ongoing basis, and deficiencies, when detected, will be promptly corrected.

 

d       Results of evaluations will be documented, maintained and made available upon request.

 

6            RESPONSIBILITIES

 

General.  All managers directing or controlling resources within the Department are responsible for establishing, maintaining, evaluating, improving, and reporting on controls for their assigned areas.

 

(1)        The Secretary of Agriculture is responsible for:

 

(a)     ensuring the effectiveness of management control systems throughout the Department; and

(2)         reporting annually to the President, Congress, and OMB on the status of systems, plans, and schedules for correcting any material weaknesses.

 

(2)        The Department's Subcabinet, the Chief Information Officer, the Inspector General, and the Director, Office of Budget and Program Analysis, under the leadership of the Chief Financial Officer will:

 

(1)      ensure department-wide coordination and accountability for the correction of identified material deficiencies;

(2)      ensure that adequate resources are sought through the budget process or realigned for the correction of material deficiencies;

(3)      review periodic status reports on department-wide progress in achieving corrective action on USDA material deficiencies and ensure appropriate follow-up is carried out as needed; and

(4)      establish priorities in the correction and reporting of material deficiencies.

 

(3)            The Chief Financial Officer has primary responsibility for managing Departmental compliance with the CFO Act, Government Performance and Results Act, and the laws and guidance related to management controls.  The CFO will:

 

(1)      coordinate, monitor, manage, direct, evaluate, and report on internal control efforts within the Department, including department-wide efforts under FMFIA, Federal Financial Management Integrity Act, and OMB Circulars A-123 and A-127;

(2)      ensure that each agency establishes an internal control-conscious environment that provides a disciplined atmosphere in which managers are aware of the need to establish systematic controls, monitor their application, and periodically review their effectiveness; and

(3)      recommend management control policies and procedures, and provide oversight and guidance to the agencies concerning the maintenance of effective controls.

 

   (4)      The Office of Inspector General (OIG) is responsible for performing routine evaluations of internal controls within the scope of their audits, as part of the OIG overall program of audits and investigations, and reporting the results in audit reports.  In conducting reviews, OIG will identify specific weaknesses and provide advice on materiality for possible inclusion in the Performance and Accountability Report.  Any weaknesses identified must be discussed with the agency and clearly disclosed in the audit report. 


 

(5)      Under/Assistant Secretaries, Agency Heads, and Heads of Staff Offices are responsible for establishing and maintaining a system of management control in accordance with GAO's Standards for Internal Control in the Federal Government within their agencies.  This responsibility includes:

 

(a)   establishing a quality assurance process that permits the responsible official to provide reasonable assurance to the Secretary of Agriculture that the objectives of control, as described in OMB Circular A-123 and the FMFIA, are being achieved;

(b)   institutionalizing the management control process within their organizations;

(c)   establishing priorities in identifying, correcting, and reporting management control material weaknesses and financial management system nonconformances;

(d)   establishing quantitative criteria that reflect the relative risk and significance of potential deficiencies, where appropriate, e.g., grant, loan, and purchase card programs, etc;

(e)   ensuring that adequate funding is requested in the budget process or realigned to correct identified deficiencies;

(f)    ensuring timely correction of all agency identified program and operational material deficiencies;

(g)   designating a Management Control Officer to coordinate the agency's management control program; and

(h)   ensuring management control guidelines issued by the CFO are implemented.

 

(6)      Management Control Officers (MCO) are those line management officials charged by agency senior-level management with the establishment and evaluation of and reporting on management controls within assigned agencies in addition to their general control responsibilities as managers.  MCOs are responsible for:

 

(a)   coordinating the process to determine, on an annual basis, which programs or functions should be subject to a formal review in order to supplement management's judgment as to the adequacy of management controls;


(b)   coordinating the evaluation of all systems of internal control on an ongoing basis and ensuring that audits, internal control reviews, risk assessments, and other evaluations are coordinated to complement one another with a minimum of duplication of effort.

 

(c)   planning, directing, and evaluating implementation of the provisions in this manual and DR 1110-2 "Management Accountability and Control" for Section 2 and Section 4 of FMFIA in their respective organizations;

(d)   working within your agency's structure with the OIG to resolve potential material weaknesses disclosed in audit reports and monitor timely correction and validation of all agency-identified deficiencies;

(e)   reporting to the CFO (in consultation with the appropriate agency head) on management control deficiencies identified in audit reports, internal reviews, and from other sources that have the potential of meeting the Departmental material weakness or system nonconformance criteria;  and

(f)    maintaining a tracking system with specific data including milestones for correction of deficiencies.


 

 

 

 

CHAPTER 2

 

STANDARDS AND GUIDELINES

 

 

1          PURPOSE

 

This chapter provides policy and guidance to agencies on: (a) the management control standards to be employed, (b) the development of management control plans (MCP), (c) the performance of alternative management control reviews and management control reviews, (d) the follow-through process involving corrective actions, and (e) the reporting system to be used in complying with OMB Circular A-123 and A-127, and FMFIA.  This Chapter also incorporates, by reference, other relevant guidance issued by OMB, GAO, and the Department.

 

2          DEFINITIONS

 

a       Component - encompasses all of the agency head's mission responsibilities, wherever they may be performed.  The component divides an agency head's area of responsibility into programs, or functional subdivisions so that the level of risk can be assessed and controls can be readily reviewed.  A specific component groups together similar activities which have similar inherent risks.  Components are agency-wide in nature and may exist in many locations, with each location using the controls prescribed by the agency head.

 

b       Management Controls -  the organization, policies, and procedures used to reasonably ensure that:

 

(1) programs achieve their intended results;

(2) resources are used consistently with agency mission;

(3) programs and resources are protected from waste, fraud, and mismanagement;

(4)        laws and regulations are followed; and

(5) reliable and timely information is obtained, maintained, reported and used for decision making. 

 

In other words, management controls are not separate systems and processes, they are the tools used by managers to achieve desired results.  Some examples are: separation of duties, reconciliation of records from two sources, reconciliation of records with physical inventories, limiting access (e.g., authorizations on data systems), providing supervision, documentation of processes and procedures, and written delegations of authority.

 

c       Reasonable assurance - a concept that recognizes that no system of management control is perfect and that the cost of a control should not exceed the benefits likely to be derived.

 

d       Risk - the degree of exposure to an entity of not achieving the goals intended by establishing effective management controls.

 

e       Risk Assessment - A systematic analysis by management of a program's or function's susceptibility of failing to: (1) achieve its missions or goals, (2) produce accurate reports or data, (3) allow only authorized use of resources, (4) operate according to laws or ethical rules, and (5) receive an unqualified audit opinion.

 

f        Financial System Non-conformance - A situation in which the design,  procedures, and/or the degree of operational compliance does not provide reasonable assurance that the financial management system conforms to accounting principles, standards, and related requirements.

 

g       Control Deficiency - a condition in which the specific management control procedure or the degree of compliance with the procedure does not reduce to a relatively low level the risk that errors or irregularities may occur and not be detected by employees in the normal course of performing their assigned functions.

 

h       Nominal Control Deficiency - a control deficiency where standards may not be met and when the risk of loss, waste, abuse, or deviation from standards is relatively small (e.g., risk occurs infrequently or there is need for minor changes in management control procedures).  These deficiencies should be brought to the responsible manager's attention, but are not included in the Department's Performance and Accountability Report.

 

i        Significant Control Deficiency - a control deficiency that has a moderate or high inherent risk that is not mitigated by adequate controls and warrants reporting to the next level of management and merits the attention of the Secretary.  These deficiencies may be included in the Department's Performance and Accountability Report.


 

j       Material Weakness/System Nonconformance - a deficiency that the Department's leadership determines to be significant enough to be reported outside of USDA (i.e., included in the Performance and Accountability Report to the President, OMB, and the Congress).  A material weakness/nonconformance results in a failure to meet one or more of the objectives of Section 2 or 4 of FMFIA.

 

3            MANAGEMENT CONTROL STANDARDS 

 

GAO's "Standards for Internal Control in the Federal Government" provides standards for use in establishing and maintaining systems of management control.  These control standards define the minimum level of quality acceptable for control systems in a program, system, or operation and constitute the criteria against which systems are to be evaluated.  When properly applied in conducting reviews of controls, these standards will assist managers in determining the adequacy of management controls in place.

 

a      GAO Standards for Internal Controls

 

(1)     Control Environment.  Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

 

(2)     Risk Assessment.  A precondition to risk assessment is the establishment of clear, consistent agency goals and objectives at both the entity level and at the activity (program or mission) level.  Risk assessment includes risk identification and analysis.

 

(3)     Control Activities.  Internal control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's directives are carried out to mitigate risks identified during the risk assessment process.

 

(4)         Information and Communication.  Agencies must have relevant, reliable information, both financial and nonfinancial, relating to external and internal events.

 

(5)         Monitoring.  Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are resolved promptly.


 

b         GAO further describes these standards as general and specific standards for internal control in programs and information systems. 

 

(1)   Program Control Standards:

 

(a)     The general standards refer to the overall aspects of management control considered essential to successful application of the specific controls.  The general standards include such items as: (1) establishing reasonable assurance that the objectives of the control system are accomplished, (2) maintaining a supportive attitude toward controls, (3) using competent personnel, (4) identifying or developing control objectives, and (5) specifying effective management control techniques.

 

(2)     The specific standards refer to the essential techniques necessary to provide reasonable assurance that the control objectives will be achieved.  The specific standards relate to: (1) documentation, (2) records of transactions and events, (3) execution of transactions and events, (4) separation of duties, (5) qualified supervision, and (6) access to and accountability for resources.

 

(2)   Information Systems Control Standards:

 

(1)      The general control standards apply to all information systems - mainframe, mini-computer servers, personal computers, network, and end-user environments.  This category includes department-wide security program and disaster recovery and contingency planning, management, control over data center, system software, hardware, firmware and telecommunications, access security, and application system development and maintenance.

 

(b)   The application controls are designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing.  Controls should be installed at an application's interfaces with other systems to ensure that all inputs are received and are valid, and outputs are correct and properly distributed.


 

 

4            ESTABLISHING A MANAGEMENT CONTROL SYSTEM

 

Each agency is to establish an ongoing process to evaluate controls in accordance with the policies, standards and procedures prescribed by this Manual.  Each agency also is responsible for developing and implementing any supplemental procedures required to evaluate, on an ongoing basis, the effectiveness of agency control systems.

 

 

5            GUIDELINES FOR DEVELOPING A MANAGEMENT CONTROL PROCESS (MCP) 

 

a       General.  The MCP is an integrated set of actions to develop risk assessments, planned actions, and internal control evaluations to provide reasonable assurance that controls are in place and working.  It is used to manage FMFIA implementation.

 

b       Identify and maintain an accurate inventory of all components.

 

Component Inventory.  The first step of the MCP process is to review and adjust the current inventory of components to reflect changes in agency missions, programs, organization or resources.

 

c       Assess the risk of each component and assign a component priority rating.

 

(1)     Priority Ratings.   The second step of the MCP process is to assess the risk associated with individual components and objectively assign each component an appropriate priority rating. (See Appendix B for specific guidance for completing a risk assessment.)

 

(2)     Risk Assessment.  The purpose of a risk assessment is to appropriately identify, measure, and prioritize risks so that primary focus is placed on the areas of greatest significance.  It also ensures that proper internal controls are in place to manage identified risks.  The process can assist management in identifying problems or weaknesses and, with proper follow-through, result in improvements.  Risk assessments should generally be conducted at least every five years, but more frequently in components where changes are taking place in the mission, service, organization structure, policies and procedures or leadership staffing. 


 

(3)     Risk Identification.  Agencies must be comprehensive in their identification of risks and should consider all significant interactions between it, other USDA agencies, and other stakeholders as well as internal, external, and inherent factors. 

 

(a)   Methods of risk identification (agency can consider any combination of these methods in identifying risk).

 

1    Qualitative approach  -  identify and rank high-risk program/activities by defining risk in a subjective and general term such as high, medium, and low with reliance on expertise, experience and judgment of those conducting the assessment

 

2    Quantitative approach - generally estimates the monetary cost of risk and risk reduction techniques based on: (a) the likelihood that a damaging event will occur, (b) the costs of potential losses, and (c) the costs of mitigating actions that could be taken

 

3    senior management planning conferences

 

4    short and long-range forecasting and strategic planning

 

(b)   Internal factors for risk identification

 

1    downsizing agency operations

 

2    reengineering agency operating processes

 

3    disruption of information systems processing

 

4    highly decentralized program operations

 

5    the skills and abilities of personnel hired and training provided

 

6    heavy reliance on contractors or other related parties to perform critical agency functions

 

7    changes in management responsibilities


 

8    the nature of the agency's activities and employee access to assets

 

(c)   External factors for  risk identification

 

1    technological developments

 

2    changing needs or expectations of the Congress, agency officials, and the public

 

3    new legislation and/or regulations

 

4    natural catastrophes

 

5    business, political, and economic changes

 

(d)   Inherent factors for risk identification

 

1    size of budget

 

2    life of component (age and life expectancy of the component)

 

3    nature of component's activities

 

4    component's impact outside the Department

 

5    special concerns

 

d       Establish Control Objectives.

 

Management control objectives are the positive outcomes agency managers or legislators want to happen or the negative outcomes managers or the legislators want to prevent from happening.  The occurrence of waste, loss, and misuse can be significantly reduced if management control objectives are adequately achieved.  Management control objectives must be observable and measurable.

 

e       Perform the Risk Analysis.

 

The risk analysis methodology can vary because levels of risk are difficult to quantify.  However, the process of analysis would generally include the following:

 

(1)     estimating the risk significance;

(2)     assessing frequency/likelihood of occurrence; and

(3)     considering how to manage the risk and the actions to be taken.

 

All of these must be considered together.  A risk that has little significance and low probability of occurring may require no action at all.  Yet, one with high significance and high frequency will usually require much attention.           

 

f        Analyzing and Reporting on Risk.

 

However risk is determined and whatever the outcome of the risk analyses, the assessing manager should ensure all moderate and high risk elements have cost-effective controls or that "subsequent actions" are scheduled to implement needed controls; and/or review the element to understand how well controls are functioning to mitigate inherent risks.  Chapter 3 describes the process for conducting a management control review.

 

A number of different outcomes can occur in analyzing the results of the risk assessments:

 

(1)     The inherent risk may be extraordinarily high.  However, because the manager deems that effective controls are in place to mitigate this risk, this element is rated as an overall low risk and no further action is required.

 

(2)     The inherent risk may be moderate; however, the assessment determines that effective controls are not in place.  The manager rates this element as an overall moderate risk, defines specific controls procedures to be implemented, and reports the deficiency in the assurance process.

 

(3)     The inherent risk may be low risk.  The control mechanisms are satisfactory.   The element is rated low and no further action is required.

 

(4)     The inherent risk may be low risk.  Control mechanisms are not satisfactory.  However, the manager makes a judgment that the cost of new/additional controls would outweigh the benefits of lowering risk.  The element is rated low risk and no further action is required.

 

g       Document the risk assessments, by components, to include planned corrective actions and the official responsible for the corrective actions.

 

h       Provide to the OCFO a summary of the agency/staff office assessment which identifies its primary risks and planned and completed actions. The summary must be submitted to the OCFO annually by October 31.  (See Appendix C for Summary)

 

 

6            SCHEDULING EVALUATIONS/REVIEWS 

 

a       The final step in the Management Control Process is to schedule components for control evaluations.  Each agency should schedule and perform a sufficient number of control evaluations in order to make a determination for the Annual Assurance Statement.  Agencies should not rely solely upon audits of controls performed by GAO, the OIG or other control evaluations performed by independent parties, to identify internal control problems.  The results of internal evaluations/reviews should be the primary source used for preparing an organization's annual statement of assurance.  High Risk activities and significant GPRA-related activities should be given priority in scheduling evaluations/reviews.  Emphasis should also be placed upon using the type of evaluation which is most efficient and cost effective in reviewing a component's system of control.

 

b       Alternative Management Control Reviews (AMCR).  An AMCR is sometimes the preferred method of reviewing controls since it is generally more cost effective and efficient than a management control review.  AMCRs permit more economical use of resources since they concentrate on controls over the highest component risks or use existing control review processes such as management studies, consulting studies, OMB Circular reviews, and similar control evaluations.  GAO and OIG audits are also acceptable as AMCRs provided that component controls are within the scope of the audit.  AMCRs can be used when verifying the correction of a previously reported material management control weakness, and the component priority rating is high, medium or low.

 

c       Management Control Reviews (MCR).  MCRs are comprehensive reviews of component control systems conducted in accordance with OMB guidelines.  MCRs divide component activities into event cycles, and identify the high risks and control objectives associated with each event cycle.  Controls over the high risks in each cycle are then tested and evaluated.  MCRs are to be considered for components that have: (a) high risks throughout the component, (b) a crucial agency mission, and (c) complex relationships requiring an integrated approach to conduct appropriate reviews.

                                                              

 

 

 

 

CHAPTER 3

 

PERFORMING MANAGEMENT CONTROL REVIEWS

 

1            PROCEDURES FOR CONDUCTING REVIEWS AND TESTING CONTROLS                           

 

a       General.  Agencies have the discretion to determine the methodology used to conduct a management control review.  An effective review of management controls begins with the recognition of the responsibilities and characteristics of each agency component.  The performance of control reviews will be a continuing process requiring quarterly progress reports to OCFO on deficiencies identified.  The focus must, therefore, be on management's responsibility to provide reasonable assurance that:

 

(1)     programs are efficiently and effectively carried out in accordance with applicable law and management policy;

(2)     obligations and costs are in compliance with applicable law;

(3)     funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and

(4)            revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.               

 

b       Test of Controls.  Management control reviews require appropriate tests of existing control procedures. Control techniques are the procedures managers use to provide reasonable assurance that controls are operating as intended and that the control objectives are achieved.  Test results should be considered in conjunction with other sources of information to form a final conclusion about the adequacy of controls. Methods used to test controls may include:

 

(1)     reviewing records;

(2)         observing performance of control procedures;

(3)         tracing transactions through the system of control; and

(4)         interviewing individuals responsible for operation of the control.

 

 

 

 


 

 

CHAPTER 4

 

MONITORING AND REPORTING

 

1            Monitoring and FMFIA Reporting.

 

a       General.  The following three standards address management and reporting of internal controls.  In particular, the first standard provides a basis for determining whether an agency's internal controls are effective.  The second standard cites the requirements of FMFIA for reporting on internal control.  The final standard requires the prompt resolution of audit findings and recommendations related to internal control.

 

(1)     Effectiveness of Internal Control

 

(a)   Agencies must ensure that operational objectives are being met.

(b)   Published financial statements and reports prepared for internal and external use (such as budget execution reports) must be prepared reliably.

(c)   Agency programs must comply with applicable laws and regulations.

 

(2)         Reporting to External Parties

 

Management shall provide an annual public report about the effectiveness of its internal controls, identifying any material weaknesses and plans for correcting them.

 

(3)     Audit Resolution

 

Audit findings shall be resolved promptly.  Managers are to evaluate findings promptly, determine proper actions in response to audit findings and recommendations, and complete, within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention.

 

b       The Secretary, under the FMFIA, has the following annual reporting responsibilities to the President, Congress, and OMB: 

 

(1)         results of evaluations made on the Department's systems of management controls including any material management control weakness identified (Section 2 FMFIA), and

 

(2)         conformance of the Department's accounting systems to accounting principles, standards, and related requirements (Section 4 FMFIA).

 

USDA and its agencies are required to record and track planned corrective actions and to monitor related progress against planned completion dates.  Appendix A provides guidance to assist agencies in determining materiality for FMFIA reporting.

 

c       Agency heads are required to submit an annual statement of assurance/Assurance Statement (through their Under/Assistant Secretary) to the CFO.  This statement of reasonable assurance represents the agency head's informed judgment as to the overall adequacy and effectiveness of management controls within the agency and whether the agency's financial management systems conform with government-wide requirements.  The statement must take one of the following forms: statement of assurance; qualified statement of assurance, considering the exceptions explicitly noted; or statement of no assurance.

 

In deciding on the type of assurance to provide, the agency head should consider information from internal reviews, program evaluations, OIG or GAO audit reports, reviews of systems and applications, and other types of reviews, with input from senior program and administrative officials and the OIG.  The agency head must describe the analytical basis for the type of assurance being provided, and the extent to which agency activities were assessed.  The statement of assurance must be signed by the agency head.

 

The Assurance Statement shall accompany the Report on Material Deficiencies which includes the agency's plans to correct the material deficiencies and progress against those plans. The agencies' statement of assurance forms the basis for the Department's Annual Assurance Statement, which is submitted by the Secretary to the President.  OCFO issues specific guidance annually to agencies for preparation of assurance statements.

 

 

 

 

 


APPENDIX A

GUIDANCE FOR DETERMINING A MATERIAL WEAKNESS AND SYSTEM NON-CONFORMANCE

 

a             General.  All material weaknesses identified in audit reports are to be considered for inclusion in the Annual Report on Internal Controls.  However, OMB's definition of "material weakness" should not be confused with use of the same term by government auditors to identify management control weaknesses which, in their opinion, pose a risk or a threat to the internal control systems of a program or operation.  Auditors are required to identify and report those types of weaknesses at any level of operation or organization, even if the management of the audited entity would not report the weaknesses outside the agency.

 

The Department's Subcabinet, the CIO, the IG, and the Director, OBPA will evaluate agencies' submissions of significant control deficiencies and determine the material weaknesses to be reported to the President, Congress, and OMB.  By performing the materiality considerations contained below, agencies can ensure that the Secretary accurately reports on Section 2 FMFIA material management control weaknesses and Section 4 FMFIA conformance and FFMIA.

 

b             Materiality Considerations.  The following questions should be considered by organizational personnel in making a decision to report identified deficiencies through management levels:

 

1.                     Could this problem lead to a serious injury or loss of life?

2.                     If the problem is fixed in one part of the organization, is there a good possibility that the same problem may exist in other parts of the organization (the office, the area, the region, the agency, or the Department)?

3.                     Is there a likelihood that higher levels of management may be questioned by Congress or the media about the problem?

4.                     Is it going to take more than a year to correct the deficiency? (Deficiencies that take longer to correct should be reported to the next management level.)

5.                     Was there a significant loss of government resources?  Is there a potential for significant resource loss?

6.                     Was there a significant financial loss either through misuse of appropriated funds or undercollection of revenues?  Is there a potential for a significant financial loss?

7.                     Were laws broken or regulations violated?

8.                     Could the Department have any potential liability to employees or to third parties as a result of the deficiency?

9.                     Were there ethical violations by organizational personnel?

10.                 Was inaccurate information reported upon which management or third parties based decisions?

11.                 Could this problem lead to an audit qualification or disclaimer of opinion on financial statements?


 

 

 

 


 

c             Classification of deficiencies as material weaknesses.  The following describes criteria used by the Department in determining identified deficiencies deemed material weaknesses that should be reported to OMB and Congress:

 

1.                     Merit the attention of the Executive Office of the President and the relevant Congressional oversight committees;

2.                     Violate statutory or regulatory requirements;

3.                     Deprive the public of needed services;

4.                     Significantly weaken safeguards against waste, loss, unauthorized use or misappropriation of funds, property or other assets;

5.                     Significantly impair the fulfillment of the Department or organization mission;

6.                     Result in a conflict of interest;

7.                     Are of a nature such that omission from the annual FMFIA report could reflect adversely on the actual or perceived management integrity of the Department;

8.                     Exist in a major program or activity; or

9.                     Meet or exceed agencies' established quantitative thresholds.

 

A material nonconformance under Section 4 generally falls into one or more of the categories below:

 

1.           Merits the attention of the Executive Office of the President and the relevant Congressional oversight committees.

 

2.           Prevents USDA primary accounting systems from achieving central control over agency financial transactions and resource balances. Indicates systemic deficiencies across agencies or in the Department's central support systems.

 

3.           Prevents compliance of the primary accounting system with standards published by GAO, which include the availability of timely, consistent, and relevant financial information for decision-making purposes.  Could lead to inaccurate or incomplete information being provided in areas of major importance to operations or policy and/or result in an audit qualification on a financial statement.                                                     

 

 

 

 


APPENDIX B

GUIDANCE FOR COMPLETING A RISK ASSESSMENT

 

a             Definition

 

Risk Assessment - a systematic analysis by management of a program's or function's susceptibility to failing to achieve its missions or goals; to producing erroneous reports or data; to allowing unauthorized use of resources, or permitting illegal or unethical acts; and to receiving an adverse or unfavorable opinion.

 

b             Purpose

 

A risk assessment is conducted in order to appropriately identify, measure, and prioritize risks so that primary focus is placed on the areas of greatest significance.  It also ensures that proper internal controls are in place to manage identified risks.  The process can assist management in identifying problems or weaknesses and, with proper follow-through, result in improvements.  The assessment reflects the perception, understanding and opinion of the evaluator (ideally someone with a solid working knowledge of the component) and, when performed objectively, is a very good indicator of risk.  Keep in mind that the existence of risk is not detrimental as long as it is recognized and properly controlled.

 

c             Approach

 

The following form is recommended for use by agency managers in conjunction with their knowledge of the risks, controls in place and associated circumstances of a program or function.  This form is not all-inclusive and should be customized to meet the needs of each agency's operations/programs.  It should be used in conjunction with other risk assessment resources such as the ones listed below.

 

Other Risk Assessment Resources include:

 

-   the program/function managers' knowledge of the program's operations;

-   the rationale for changes occurring in a program, function, or procedure;

-   the results of recent reviews or evaluations by OIG, GAO, or management evaluations.

 

The risk assessment form consists of the following sections:

 

-   Section A - Control Environment

-   Section B - Risk

-   Section C - Evaluation of Safeguards

-   Section D - Overall Vulnerability

                                                              

 

 

 

 

 

 



 

PROGRAM/FUNCTION RISK ASSESSMENT WORKSHEET

 

 

Office/Division:

Component/Function:

 

 

Component/Function Manager:

 

 

Component Description:

 

 

 

 

 

 

 

 

 

Overall Risk Assessment: (High, Moderate, Low)

 

 

Significant issues (if any):

 

 

 

 

 

 

 

 

 

 

Status of corrective actions:

 

 

 

 

 

 

 

                                                                             

 

 



COMPONENT/FUNCTION

 

 

RISK ASSESSMENT INSTRUCTIONS:  Read each question and check the number in the SCORE column that best describes your assessment

 

LEGEND: 1- Always Agree; 2-Usually Agree; 3-Sometimes Agree; 4-Rarely Agree; 5-Disagree

 

SECTION A - CONTROL ENVIRONMENT

 

SCORE: 1 | 2 | 3 | 4 | 5

(1) There are written policies and procedures for the establishment and maintenance of a system of internal controls.  These policies are complete, accurate, current and clearly documented.

 

 

 

 

 

 

 

 

 

 

 

(2) There are clearly defined and established organizational units to perform the necessary functions and reporting relationships.  Organizational charts are current and distributed to all employees.

 

 

 

 

 

 

 

 

 

 

 

(3) Employees have appropriate knowledge and training about the mission, program, tasks, and vulnerabilities that enables them to achieve program/function goals.  Cross-training is provided and policies and procedures are in place to facilitate reassignment of staff with minimal loss of efficiency or work product quality.

 

 

 

 

 

 

 

 

 

 

 

(4) Management decisions, program direction and management action plans are in place.  Organizational components regularly and effectively communicate requirements, issues and concerns and resolve problems in a timely manner.

 

 

 

 

 

 

 

 

 

 

 

(5) Appropriate delegations or limitations of authority are current, written, well defined, and communicated in a manner that provides assurance that responsibilities are effectively discharged.  Authorities are promptly revoked when no longer required.

 

 

 

 

 

 

 

 

 

 

 

(6) Policies and procedures as to how the agency component is intended to perform in all situations are clearly defined, documented, and disseminated to all employees in a timely manner.

 

 

 

 

 

 

 

 

 

 

 

(7) Program/function goals are specific, documented, and communicated and their accomplishment is continually monitored.

 

 

 

 

 

 

 

 

 

 

 

(8) An appropriate level of financial and management controls have been established and are maintained.

 

 

 

 

 

 

 

 

 

 

 

(9) Management is aware of the strengths and exposures inherent in automated information systems and ensures the existence of appropriate controls.

 

 

 

 

 

 

 

 

 

 

 

(10) Resource levels (budget and staff) are adequate to support achievement of program/function goals.

 

 

 

 

 

 

 

 

 

 

 

(11)  Internal control activities are sufficient to control recognized risks.

 

 

 

 

 

 

 

 

 

 

 

SECTION TOTAL

 

 

 

 

 

 

 

 

 

 

 

                                                                             

 

 



 

SECTION B - RISK

 

SCORE: 1 | 2 | 3 | 4 | 5

(1) Program/function mission, goals, and objectives are clear and documented.  Applicable legislative mandates and regulations are clearly communicated by management to employees.

 

 

 

 

 

 

 

 

 

 

 

(2) Controlled properties are safeguarded and access is limited to authorized personnel.

 

 

 

 

 

 

 

 

 

 

 

(3) There is no impact on outside persons or organizations, in terms of economic status or health and safety, which might make the agency susceptible to external pressures and cause internal controls to be circumvented.

 

 

 

 

 

 

 

 

 

 

 

(4) The program/function is stable, and is expected to remain so for the near term.  Changes are not likely to cause major revisions to policies or procedures, loss of experienced managers, lowering of personnel interest and motivation, or weakening of controls.

 

 

 

 

 

 

 

 

 

 

 

(5) The degree of management oversight and control is consistent with the needs of the program/function.

 

 

 

 

 

 

 

 

 

 

 

(6) The program/function is not subject to special interest in the form of Congressional or other high-level inquiries, media attention, or litigation.

 

 

 

 

 

 

 

 

 

 

 

(7) The program/function has been the subject of periodic audits, reviews, and inspections that have not disclosed significant or repeated findings.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

SECTION C - EVALUATION OF SAFEGUARDS

 

SCORE: 1 | 2 | 3 | 4 | 5

(1) Established internal control systems are cost-effective and provide reasonable assurance that risk has been reduced to the extent practicable.

 

 

 

 

 

 

 

 

 

 

 

(2) Managers and employees demonstrate a positive attitude and supportive behavior toward internal controls. Internal control reviews are completed in a timely manner.

 

 

 

 

 

 

 

 

 

 

 

(3) Managers and employees maintain and demonstrate personal and professional integrity.  For example, mandatory ethics training is completed as required.

 

 

 

 

 

 

 

 

 

 

 

(4) Specific internal control objectives are established and documented to address the particular risks associated with this program/function or activity.  The objectives are documented in the internal control review process.

 

 

 

 

 

 

 

 

 

 

 

(5) Established internal control mechanisms are effective and efficient in meeting control objectives and are documented in program/function internal control reviews.

 

 

 

 

 

 

 

 

 

 

 

(6) Internal control objectives and techniques, work flow, operational procedures, and other significant control activities are clearly documented in program/function internal control reviews, and the documentation is readily available for examination.  Documentation is the written description of what should be, not what actually happened, and is a required part of internal control reviews.

 

 

 

 

 

 

 

 

 

 

 

(7) Transactions (i.e., invoices, tracking/suspense items) and other significant activities are properly classified and recorded.

 

 

 

 

 

 

 

 

 

 

 

(8) The organizational structure ensures that key duties and responsibilities in authorizing, processing, recording and reviewing transactions are separated among individuals to prevent financial loss or conflict of interest.  Transactions include items such as invoices, complaints or service requests.

 

 

 

 

 

 

 

 

 

 

 

 

SECTION TOTAL

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

                                                                             



 

(9) Work is assigned, reviewed, and approved by supervisors to ensure that internal control objectives are achieved.  Program/function managers review the results of internal control reviews.

 


 

 

 

 

 

 

 

 

 

 

 

(10) Access to resources and sensitive records is limited to authorized individuals, and accountability for the custody and use of resources is assigned and maintained.  Access privileges are revoked when no longer required.  The pre-exit clearance process for departing employees is strictly utilized.  Periodic checks are made to ensure compliance.

 

 

 

 

 

 

 

 

 

 

 

(11) Managers in this program/function promptly review findings and recommendations reported by auditors and reviewers, determine proper action to be taken in response to findings and recommendations, and ensure that corrective actions are completed within established time-frames.

 

 

 

 

 

 

 

 

 

 

 

(12) Contract oversight is appropriate to ensure that work is performed according to the agreement, claims receive prompt action, and invoices are reviewed and paid within established time-frames.

 

 

 

 

 

 

 

 

 

 

 

(13) Safeguards are established to protect personnel, their work environment and property.  Periodic checks are made to ensure safety and compliance.

 

 

 

 

 

 

 

 

 

 

 

SECTION TOTAL

 

 

 

 

 

 

 

 

 

 

 

 

 

                                              

 



 

 

Section D.  Overall Vulnerability

 

 

Check the risk ranking below that corresponds to the TOTAL SCORE computed.

 

____ HIGH RISK (TOTAL SCORE is 101 or greater)

____ MEDIUM RISK (TOTAL SCORE is 51-100)

____ LOW RISK (TOTAL SCORE is 50 or less)

 

(Note: In assigning risk ranking, the evaluator should consider qualitative factors in addition to the total ranking score)

 

 

COMPONENT/FUNCTION: Manager Signature:                                           DATE:

 

 

COMPONENT/FUNCTION: Manager Title:

 

 

 

AGENCY HEAD COMMENTS:

 

 

 

 

 

 

 

 

 

FINAL COMPONENT/FUNCTION RANKING:          _________________

 

 

AGENCY HEAD SIGNATURE:                                                                   DATE:

 

 

 

 

 

 

 

 


APPENDIX C

AGENCY/STAFF OFFICE

RISK ASSESSMENT SUMMARY

 

 

Agency/Staff Office:

 

Agency/Staff Office Head:

 

Primary Risk(s) Identified: (List) | Responsible Manager/Owner

(1) | (1)

(2) | (2)

(3) | (3)

 

Planned actions to address risk: (List)

(Note: Planned actions should correspond to risk identified above. If a management control review is planned, provide estimated start and end date.)

 

(1)

 

(2)

 

(3)

 

 

Actions already taken to address risk identified above, if any: (List)

 

(1)

 

(2)

 

(3)

 

Agency/Staff Office Head Comments:

 

 

 

 

 

Agency/Staff Office Head Signature:

 

Date:

 

 

 

 

 


APPENDIX D

REFERENCE GUIDE

                                                                             

LISTING OF SOURCES FOR ADDITIONAL GUIDANCE

IN IMPLEMENTING EFFECTIVE INTERNAL CONTROLS

 

 

USDA Departmental Regulation 1110-2, Management Accountability and Control, dated February 23, 1999

Committee of Sponsoring Organizations of the Treadway Commission, "Internal Control - Integrated Framework," dated September 1992

OMB Circular A-123 Revised, "Management Accountability and Control," dated June 21, 1995

USDA Departmental Regulation 2100-001, dated February 14, 1996

GAO, "Framework for Federal Financial Management System Checklist, Systems Reviewed Under the Federal Financial Management Improvement Act of 1996," GAO/AIMD-98-21-2.1, dated May 1998

GAO, "Federal Information System Controls Audit Manual," GAO/AIMD-12.19.6, dated January 1999

JFMIP, "Core Financial Systems Requirements," JFMIP-SR-99-4, dated February 1999

GAO, "Standards for Internal Control in the Federal Government," GAO/AIMD-00-21.3.1, dated November 1999

GAO, "Internal Control Management and Evaluation Tool," GAO-01-1008G, dated August 2001

GAO, "Information Security Risk Assessment," GAO/AIMD-00-33, dated January 1999

 

Federal Financial Management Improvement Act of 1996 (FFMIA), 31 U.S.C. 3512