TREASURY DIRECTIVE 40-04

Date: January 4, 2001

Sunset Review: January 4, 2005

SUBJECT: Treasury Internal (Management) Control Program

1. PURPOSE. The purpose of this directive is to ensure that an appropriate internal control program is in place and operational for all bureaus [including Departmental Offices (DO)] in the Department of the Treasury (the Department). This directive is designed to implement applicable statutes, regulations, and other guidance related to internal controls, including the Federal Managers Financial Integrity Act of 1982 (FMFIA), and the revised General Accounting Office (GAO) Standards for Internal Control in the Federal Government. This directive also authorizes the issuance of Treasury Directive Publication (TDP) 40-04, "Treasury Internal (Management) Control Program Guidance for Conducting Internal Control Reviews."

2. SCOPE. This directive applies throughout the Department, and to the Office of the Inspector General (OIG) and the Office of the Treasury Inspector General for Tax Administration (TIGTA) to the extent the directive is not inconsistent with any provisions of the Inspector General Act of 1978, as amended, and the Internal Revenue Service Restructuring and Reform Act of 1998. As used in this directive, "bureau" includes all bureaus, and DO [including, but not limited to, the Office of D.C. Pensions, the Community Development Financial Institutions Fund (CDFI), the Executive Office of Asset Forfeiture, and the Financial Crimes Enforcement Network (FinCEN)].

3. DEFINITION. The GAO Standards for Internal Control in the federal government (November, 1999) state that internal (management) control comprises, "the plans, methods, and procedures used to meet Departmental missions, goals, and objectives and, in doing so, supports performance-based management." Internal control is the first line of defense in safeguarding assets, and preventing and detecting errors and fraud. Internal control, "helps government program managers achieve desired results through effective stewardship of public resources." Specifically, systems of internal control should provide reasonable assurance that the following objectives are being achieved:

a. effectiveness and efficiency of operations, including using agency resources in a manner consistent with the agency mission and objectives, and safeguarding agency assets from waste, fraud and mismanagement;

b. reliability of financial reporting, including reports on budget execution and financial statements; and

c. compliance with applicable laws and regulations.

A subset of these objectives is the safeguarding of assets. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency’s assets.

Internal control applies to all operations: programmatic, financial, and compliance. However, it is not intended to limit or interfere with duly granted authority related to developing legislation, rule making, or other discretionary policy-making.

4. BACKGROUND. The Congress, Office of Management and Budget (OMB) and GAO have directed attention to the need for agencies to establish and maintain sound management control systems as a primary means of providing greater accountability, effectiveness and efficiency in achieving program goals and objectives, and in preventing fraud, waste and mismanagement. Treasury promotes the continuous monitoring of management controls as part of daily program and operations management as a means of strengthening management accountability, and enhancing and improving program performance and operations.

The FMFIA and OMB Circular A-123 require the agency head to conduct an ongoing review of controls and to report annually on the adequacy of agency management and accounting control systems. Under the Federal Financial Management Improvement Act of 1996 (FFMIA), managers should increase the accountability and credibility of federal financial management and improve its performance, productivity and efficiency. The Chief Financial Officers Act (CFO Act) and the Government Performance and Results Act (GPRA) reinforce the need for effective management controls. These acts also call for the development of program performance indicators to monitor management's success in reaching program goals and desired outcomes. Department managers are to establish an environment in which management controls are understood, encouraged, practiced and implemented.

5. POLICY. This policy is designed to improve the accountability and effectiveness of management controls for all programs and operations within the Department, and ensure compliance with laws and regulations. Bureaus have the discretion, where necessary, to supplement this policy guidance by developing additional bureau-specific instructions. Further, policy provided in this directive is intended to serve as a general framework for the Department's Management Control Program. As needed, the Office of Accounting and Internal Control (AIC) issues supplemental guidance regarding the Department's Management Control Program.

Bureaus will establish, maintain, evaluate, improve and report on their systems of program and operations controls and assure their effectiveness and adequacy. These control systems should constitute the full range of controls necessary to assist managers in reaching program goals and objectives, and in using Government resources efficiently and effectively. These controls will be an integral part of the entire Departmental cycle of planning, budgeting, management, accounting, and auditing. Also, all systems of management and accounting controls will be evaluated on an ongoing basis, and deficiencies, when detected, will be corrected promptly. The results of evaluations should be documented, maintained and made available upon request to the OIG, TIGTA, GAO, or AIC.

6. STANDARDS. The following standards define the minimum acceptable level of quality for internal control and provide the basis against which internal control is to be evaluated. These standards apply to all operations - programmatic, financial, and compliance - and shall be used in establishing and maintaining effective internal controls:

a. Control environment. Officials throughout will foster a positive and supportive attitude toward internal control and conscientious management, as well as make and encourage a commitment to competence, integrity, and ethical values by all employees. The Department's overall organizational structure, as well as the structure for each bureau, will clearly define the key areas of employee authority and responsibility and will establish appropriate lines of reporting. The control environment should encourage employee awareness of the existence of controls and their individual responsibilities in the development and implementation of controls;

b. Risk assessment and analysis. Officials will have an adequate process to identify, analyze, and reduce exposure to risks from both external and internal sources. This process should assess and analyze both ongoing and new programs to identify associated risks and determine how they should be managed;

c. Control activities. Officials will develop and implement policies, procedures, techniques, and mechanisms ensuring that management directives are carried out. At a minimum, control activities should be established and maintained in the following categories:

(1) Top level reviews of actual performance - senior Department officials and bureau management should track major achievements and compare them to the plans, goals, and objectives detailed in GPRA;

(2) Reviews by management at the program activity level - program managers should compare actual performance to planned or expected results and analyze significant differences;

(3) Management of human capital - effective management of Treasury's workforce focuses on hiring the right personnel for the job and then providing them with the right training, tools, structures, incentives and responsibilities;

(4) Controls over information processing - examples of these control activities include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control accounts and controlling access to data, files, and programs;

(5) Physical control over vulnerable assets - bureau and program managers must establish physical control to secure and safeguard vulnerable assets such as cash, securities, inventories and equipment which might be vulnerable to risk or loss or unauthorized use;

(6) Establishment and review of performance measures and indicators - these controls should be established to monitor performance measures and indicators by comparing and assessing actual performance data with performance goals and analyzing significant differences between the two;

(7) Segregation of duties - key duties and responsibilities should be divided or segregated among different people to reduce the risk of error or fraud. This should include timely, independent reconciliations of transaction activity, as necessary;

(8) Proper execution of transactions and events - transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. Authorizations should be clearly communicated to managers and employees;

(9) Accurate and timely recording of transactions and events - transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions;

(10) Access restrictions to and accountability for resources and records - access to resources and records should be limited to authorized individuals and accountability for their custody and use should be assigned and maintained; and

(11) Appropriate documentation of transactions and internal controls - internal controls, all transactions, and other significant events should be clearly documented. The documentation should be readily available for examination.

d. Information and communications. Departmental management and staff will ensure that each bureau has relevant, reliable, and timely communications relating to internal as well as external events. Pertinent information should be identified, captured and distributed in a form and time frame that permits people to perform their duties efficiently;

e. Monitoring. Officials will perform monitoring activities to assess the quality of Departmental performance over time and the effectiveness of internal controls, and to ensure that the findings of audits and other reviews are resolved promptly. (See TD 40-03, "Treasury Audit Resolution, Follow-Up, and Closure.") Monitoring activities should include:

(1) Continuous monitoring to include routine management and supervisory activities, transaction comparisons and reconciliations, and other actions taken by Departmental staff in the course of normal operations; and

(2) Separate and discrete control evaluations, including internal self-assessments and external reviews.

7. RESPONSIBILITIES.

a. The Assistant Secretary for Management & Chief Financial Officer (ASM&CFO) oversees all activities related to the internal control systems of the Department and ensures the proper and timely completion of reporting requirements related to internal controls. Primary responsibility for managing the Department's compliance with OMB Circulars A-123 (Management Accountability and Control), A-127 (Financial Management Systems), and A-130 (Management of Federal Information Resources), the FMFIA, the CFO Act, FFMIA and GPRA rests with the ASM&CFO.

b. The Deputy Chief Financial Officer (DCFO) will:

(1) Coordinate, monitor, manage, direct, and evaluate internal control efforts within the Department, including department-wide efforts under FMFIA, FFMIA, GAO Standards for Internal Control, and OMB Circular A-123 and A-127;

(2) Ensure that each bureau establishes a control-conscious environment that provides a disciplined atmosphere in which managers are aware of the need to establish systematic controls, monitor their application, and periodically review their effectiveness;

(3) Recommend management control policies and procedures, and provide oversight and guidance to the bureaus concerning the maintenance of effective controls;

(4) Coordinate reporting responsibilities as required by Section 5 of the Inspector General Act of 1978, as amended;

(5) Make recommendations to the ASM&CFO regarding the adoption, revision, and implementation of new and revised principles and standards governing internal control systems and accounting systems (with the assistance and technical expertise of the Office of the Fiscal Assistant Secretary for matters related to government-wide accounting and reporting) within the Department;

(6) Issue TDP 40-04, "Treasury Internal (Management) Control Program Guidance for Conducting Internal Control Reviews," which includes samples of risk assessments for accountability units; and

(7) With respect to the DO:

(a) Ensure that DO's offices and programs conduct management control program activities;

(b) Designate the DO officials that are responsible for these activities in their organizations; and

(c) Provide oversight and guidance to DO organizations concerning the adequacy of these activities.

c. The Deputy Assistant Secretary (Information Systems) and Chief Information Officer will:

(1) Coordinate and monitor Departmental efforts related to information systems and technology, including electronic commerce, under OMB Circular A-130, the Paperwork Reduction Act, as amended, and other applicable statutes and regulations, including the development and issuance of policies, procedures, and guidance;

(2) Develop and issue control evaluation guidelines for conducting reviews of information technology, general support systems, and major applications; assess the results of bureau control evaluations in these areas; and provide a summary assessment of the adequacy of bureau controls in these areas to the ASM&CFO annually;

(3) Ensure that the following specific control activities for information systems are established and carried out in each bureau in accordance with GAO's internal control standards on general control and application controls:

(a) General control applies to all information systems (mainframe, minicomputer, network, and end-user environments) and, for data center and client-server operations, includes backup and recovery procedures, IT, and contingency and disaster planning;

(b) Application control covers the processing of data within the application software; and includes entity-wide systems security program planning, management, control over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. Application control is designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. Control should be installed at an application's interfaces with other systems to ensure that all inputs are received and are valid, and that all outputs are correct and properly distributed;
 
 

(4) Devise and carry out periodic testing of the adequacy of non-information systems security programs within the Department (via technical assistance visits and/or compliance reviews) and ensure that safeguarding practices and procedures are continuously reviewed, evaluated, and remain effective; and

(5) Ensure adherence to internal controls concerning security programs as established pursuant to TD 71-08.

e. Bureau Heads, the Inspector General, the Treasury Inspector General for Tax Administration, and officials designated pursuant to section 7.b.(7) will:

(1) Take all necessary steps to create a positive control environment within their respective organizations to ensure operational efficiency and adherence to all applicable statutory and regulatory standards related to internal controls, including those standards found in the FMFIA and the GAO Standards for Internal Controls in the Federal Government, and will be responsible for:

(a) institutionalizing the management control process within their organizations;

(b) establishing priorities in identifying, correcting, and reporting management control material weaknesses and accounting non-conformances;

(c) ensuring that adequate funding is requested in the budget process to correct identified deficiencies; and

(d) establishing a quality assurance process that permits the responsible official to provide reasonable assurance to the Secretary of the Treasury (Secretary) that the objectives of the FMFIA are being achieved;

(2) Provide information, data, reports, and assurances, as necessary, to the DCFO that all internal controls and financial management systems within their respective organizations adhere to applicable statutory and regulatory standards;

(3) Ensure that the performance plans for each Senior Executive Service (SES) member or equivalent employee having significant responsibilities for internal control contain appropriate performance requirements and expectations for such responsibilities;

(4) Ensure that all other employees are aware of expectations and are subject to appropriate performance standards related to internal controls. Ensure that a commitment to competence is maintained by taking steps to provide staff with necessary guidance and training, and by appropriately rewarding outstanding performance; and

(5) Designate an Internal Control Officer to administer the internal control processes for their respective organization.

f. Internal Control Officers (ICO) will:

(1) Evaluate all systems of internal control on an ongoing basis and be responsible for ensuring that audits, internal control reviews, risk assessments, and other evaluations are coordinated to complement one another with a minimum duplication of effort (see section 8 below);

(2) Plan, direct, and evaluate implementation of the provisions in this directive and in the Treasury Guidelines for Section 2 and Section 4 of FMFIA in their respective organization;

(3) Determine on an annual basis which programs or administrative functions should be subject to a formal review in order to supplement management's judgment as to the adequacy of management controls, and allocate adequate resources to evaluate their systems of control;

(4) Develop detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve, and report on control systems within their bureau programs and operations;

(5) Report to the DCFO (in consultation with the appropriate Assistant Secretary, if applicable), management control deficiencies identified in audit reports, internal reviews, and from other sources that have the potential of meeting the Departmental material weakness criteria;

(6) Ensure timely correction and validation of all identified program and operations deficiencies whether material and/or nonmaterial;

(7) Ensure management control guidelines issued are implemented and specify employee accountability; and

(8) Maintain, correct and/or update the Inventory Tracking and Closure (ITC) System with specific data on bureau FMFIA deficiencies and audit findings (and related items) contained in audit reports of the OIG, TIGTA, GAO, internal, and independent auditors.

8. INTERNAL CONTROL REVIEW PROCESS AND FMFIA REPORTING.

a. Internal Control Review Considerations. Each bureau should establish an ongoing internal control review (ICR) process to evaluate controls in accordance with the policies, standards, and procedures issued by GAO, OMB, and the DCFO. This ICR process should be conducted with consideration to other reviews occurring in the organization, such as those conducted by OIG, TIGTA, and GAO. The criteria used to determine areas of review within an organization should be based on risk factors in various program areas, e.g. the size or volatility of transactions or the visibility of a program. TDP 40-04 provides guidelines for performing ICRs and includes a short form risk assessment questionnaire, a worksheet and a scoring card for completing a risk assessment.

An effective ICR process should at least include:

(1) Developing and maintaining an ICR plan and monitoring the progress of control evaluations;

(2) Conducting a sufficient number of evaluations to provide a basis for reasonable assurance conclusions on bureau control systems;

(3) Providing the necessary training to conduct evaluations;

(4) Reviewing the quality of evaluations conducted;

(5) Monitoring and validating actions taken to address deficiencies; and

(6) Managing the bureau management control reporting process.

b. FMFIA Reporting. The Secretary, under FMFIA, reports to the President annually through OMB on: (1) the results of evaluations made on the Department's systems of management controls including any Section 2 FMFIA material management control weakness identified; and, (2) whether the Department's accounting systems conform to accounting principles, standards, and related requirements (Section 4 FMFIA and FFMIA).

Bureau heads are required to submit an annual assurance statement (through their Assistant Secretary if applicable) to the Secretary. The bureaus' assurance statements form the basis for the Department's annual assurance statement, which is submitted by the Secretary to the President. (For DO, the DCFO prepares the annual assurance statement for signature by the ASM&CFO.) Section 2 FMFIA material weaknesses and Section 4 FMFIA material system non-conformances should be reported in the format specified by DCFO. DCFO issues specific guidance annually to assist bureaus in the preparation of their assurance statements. Draft assurance statements should be sent to the DCFO and OIG/TIGTA for review; the final statements should be addressed to the Secretary and signed by the bureau head, but sent to the DCFO to provide validation for the Secretary's statement of assurance to the President.

9. REFERENCES.

a. Chapter 35 of title 44, U.S.C., known as the Paperwork Reduction Act;

b. Federal Managers Financial Integrity Act of 1982 (P.L. 97-255), codified at 31 U.S.C. 3512;

c. Chief Financial Officers Act of 1990 (P.L. 101-576);

d. Government Performance and Results Act of 1993 (P.L. 103-62);

e. Federal Financial Management Improvement Act of 1996, Title VIII of Section 101(f) of Title I, Division A of P.L. 104-208, as codified at 31 U.S.C. 3512 note;

f. OMB Circular A-123, Revised, "Management Accountability and Control" (June 21, 1995);

g. OMB Circular A-127, "Financial Management Systems" (July 30, 1993);

h. OMB Circular A-130, "Management of Federal Information Resources" (February 8, 1996);

i. "GAO Standards for Internal Control in the Federal Government" (November 1999);

j. Treasury Directive 71-08, Delegation of Authority for Physical Security Programs.

10. CANCELLATIONS. Treasury Directive 40-04, "Treasury Internal (Management) Control Program," dated December 14, 1992, is superseded.

11. OFFICE OF PRIMARY INTEREST. Office of Accounting and Internal Control, Office of the Deputy CFO, Office of the Assistant Secretary for Management and CFO.
 
 

/s/ Lisa Ross
Assistant Secretary for Management
and Chief Financial Officer
 
 

Attachments: Guidance for Conducting Internal Control Review

Guidance for Completing a Risk Assessment for an Accountability Unit

Short Form-Risk Assessment Questionnaire