Financial Management

Effective Internal Control Is Key to Accountability Gao ID: GAO-05-321T February 16, 2005

Internal control is at the heart of accountability for our nation's resources and how effectively government uses them. This testimony outlines the importance of internal control, summarizes the Congress's long-standing interest in internal control and the related statutory framework, discusses GAO's experiences and lessons learned from agency assessments since the early 1980s, and provides GAO's views on the Office of Management and Budget's (OMB) recent revisions to its Circular A- 123. GAO highlights six issues important to successful implementation of the revised Circular, specifically, the need for supplemental guidance and implementation tools; vigilance over the broader range of controls covering program objectives; strong support from managers throughout the agency, and at all levels; risk-based assessments and an appropriate balance between the costs and benefits of controls; management testing of controls in operation to assess if they are designed adequately and operating effectively; and management accountability for control breakdowns. Finally, GAO discusses its views on the importance of auditor opinions on internal control over financial reporting.

Internal control represents an organization's plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Internal control provides reasonable assurance that an organizations' objectives are achieved through (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations. The Congress has long recognized the importance of internal control, beginning with the Budget and Accounting Procedures Act of 1950, which placed primary responsibility for establishing and maintaining internal control squarely on the shoulders of management. In 1982, when faced with a number of highly publicized internal control breakdowns, the Congress passed the Federal Managers' Financial Integrity Act (FMFIA). FMFIA required agency heads to establish a continuous process for assessment and improvement of their agency's internal control and to annually report on the status of their efforts. In addition the act required the Comptroller General to issue internal control standards and OMB to issue guidelines for agencies to follow in assessing their internal controls. GAO monitored and reported on FMFIA implementation efforts across the government in a series of four reports from 1984 through 1989 as well as in numerous reports targeting specific agencies and programs. With each report, GAO noted the efforts under way, but also that more needed to be done. In 1989, GAO concluded that while internal control was improving, the efforts were clearly not producing the results intended. The assessment and reporting process itself appeared to have become the endgame, and many serious internal control and accounting systems weaknesses remain unresolved as evidenced by GAO's high risk report which highlights serious long-standing internal control problems. In 1995, OMB made a major revision to its guidance that provided a framework for integrating internal control assessments with other work performed and relaxed the assessment and reporting requirements, giving the agencies discretion to determine the tools to use in arriving at their annual FMFIA assurance statements. OMB's recent 2004 revisions to the internal control guidance are intended to strengthen the requirements for conducting management's assessment of control over financial reporting. GAO supports OMB's recent changes to Circular A-123 and in particular the principles-based approach for establishing and reporting on internal control. GAO also noted six specific issues that are important to successful implementation of OMB's revised guidance and discusses its views on the importance of auditor opinions on internal control over financial reporting.

GAO-05-321T, Financial Management: Effective Internal Control Is Key to Accountability This is the accessible text file for GAO report number GAO-05-321T entitled 'Financial Management: Effective Internal Control Is Key to Accountability' which was released on February 17, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on Government Management, Finance, and Accountability, Committee on Government Reform, House of Representatives: For Release on Delivery Expected at 2:00 p.m. EST Wednesday, February 16, 2005: FINANCIAL MANAGEMENT: Effective Internal Control Is Key to Accountability: Statement of Jeffrey C. Steinhoff, Managing Director, Financial Management and Assurance: GAO-05-321T: GAO Highlights: Highlights of GAO-05-321T, a report to the Subcommittee on Government Management, Finance, and Accountability, Committee on Government Reform, House of Representatives: Why GAO Did This Study: Internal control is at the heart of accountability for our nation‘s resources and how effectively government uses them. This testimony outlines the importance of internal control, summarizes the Congress‘s long-standing interest in internal control and the related statutory framework, discusses GAO‘s experiences and lessons learned from agency assessments since the early 1980s, and provides GAO‘s views on the Office of Management and Budget‘s (OMB) recent revisions to its Circular A-123. GAO highlights six issues important to successful implementation of the revised Circular, specifically, the need for 1. supplemental guidance and implementation tools; 2. vigilance over the broader range of controls covering program objectives; 3. strong support from managers throughout the agency, and at all levels; 4. risk-based assessments and an appropriate balance between the costs and benefits of controls; 5. management testing of controls in operation to assess if they are designed adequately and operating effectively; and 6. management accountability for control breakdowns. Finally, GAO discusses its views on the importance of auditor opinions on internal control over financial reporting. What GAO Found: Internal control represents an organization‘s plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Internal control provides reasonable assurance that an organizations‘ objectives are achieved through (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations. The Congress has long recognized the importance of internal control, beginning with the Budget and Accounting Procedures Act of 1950, which placed primary responsibility for establishing and maintaining internal control squarely on the shoulders of management. In 1982, when faced with a number of highly publicized internal control breakdowns, the Congress passed the Federal Managers‘ Financial Integrity Act (FMFIA). FMFIA required agency heads to establish a continuous process for assessment and improvement of their agency‘s internal control and to annually report on the status of their efforts. In addition the act required the Comptroller General to issue internal control standards and OMB to issue guidelines for agencies to follow in assessing their internal controls. GAO monitored and reported on FMFIA implementation efforts across the government in a series of four reports from 1984 through 1989 as well as in numerous reports targeting specific agencies and programs. With each report, GAO noted the efforts under way, but also that more needed to be done. In 1989, GAO concluded that while internal control was improving, the efforts were clearly not producing the results intended. The assessment and reporting process itself appeared to have become the endgame, and many serious internal control and accounting systems weaknesses remain unresolved as evidenced by GAO‘s high risk report which highlights serious long-standing internal control problems. In 1995, OMB made a major revision to its guidance that provided a framework for integrating internal control assessments with other work performed and relaxed the assessment and reporting requirements, giving the agencies discretion to determine the tools to use in arriving at their annual FMFIA assurance statements. OMB‘s recent 2004 revisions to the internal control guidance are intended to strengthen the requirements for conducting management‘s assessment of control over financial reporting. GAO supports OMB‘s recent changes to Circular A-123 and in particular the principles-based approach for establishing and reporting on internal control. GAO also noted six specific issues that are important to successful implementation of OMB‘s revised guidance and discusses its views on the importance of auditor opinions on internal control over financial reporting. www.gao.gov/cgi-bin/getrpt?GAO-05-321T. To view the full product, including the scope and methodology, click on the link above. For more information, contact McCoy Williams at (202) 512-6906 or williamsm1@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss the importance of sound internal control as the foundation of accountability and the recent revisions by the Office of Management and Budget (OMB) to its Circular A-123, Management's Responsibility for Internal Control. Today, I would like to: * highlight the key concepts underlying internal control; * summarize the Congress's long-standing interest in internal control and the related statutory framework; * outline early experiences and lessons learned from implementation of 31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA); * provide our views on the recent revisions to Circular A-123 and the issues critical to effectively implementing these changes; and: * discuss our views on the auditor's role in reporting on internal control. The Key Concepts Underlying Internal Control: Internal control represents an organization's plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Internal control is to provide reasonable assurance that an organization's objectives are achieved through (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with laws and regulations. Safeguarding of assets is a subset of all these objectives. The term "reasonable assurance" is important because no matter how well-designed and operated, internal control cannot provide absolute assurance that agency objectives will be met. Cost-benefit is an important concept to internal control considerations. Internal control is very broad and encompasses all controls within an organization, covering the entire mission and operations, not just financial operations. One need only to look at GAO's January 2005 High-Risk Series: An Update,[Footnote 1] in which we identify 25 areas of high risk for fraud, waste, abuse, and mismanagement, to see the breadth of internal control. While these areas are very diverse in nature, ranging from weapon systems acquisition to contract management to the enforcement of tax laws to the Medicare and Medicaid programs, all share the common denominator of having serious internal control weaknesses. In addition, as the Comptroller General testified[Footnote 2] before the House Committee on Government Reform last week, certain material weaknesses in internal control have contributed to our inability to provide an opinion on whether the consolidated financial statements of the U.S. government are fairly stated in conformity with U.S. generally accepted accounting principles. Internal control weaknesses are also at the heart of the over $45 billion in improper payments reported by the federal government in fiscal year 2004 across a range of programs. Further, internal control includes things such as screening of air passengers and baggage to help address the risks associated with terrorism, network firewalls to keep out computer hackers, and credit checks to determine the creditworthiness of potential borrowers. The Congress Has Long Recognized the Importance of Internal Control: The Congress has long recognized the importance of internal control, beginning with the Budget and Accounting Procedures Act of 1950,[Footnote 3] over 50 years ago. The 1950 act placed primary responsibility for establishing and maintaining internal control[Footnote 4] squarely on the shoulders of agency management. As I will discuss later, the auditor can serve an important role by independently determining whether management's internal control is adequately designed and operating effectively and making recommendations to management to improve internal control where needed. However, the fundamental responsibility for establishing and maintaining effective internal control belongs to management. In 1982, when faced with a number of highly publicized internal control breakdowns, the Congress passed FMFIA[Footnote 5] with a goal of strengthening internal control and accounting systems. This two-page law, a copy of which is in appendix I, defined internal control[Footnote 6] broadly to include program, operational, and administrative controls as well as accounting and financial management, and reaffirmed that the primary responsibility for adequate systems of internal control rests with management. Under FMFIA, agency heads are required to establish a continuous process for assessment and improvement of their agency's internal control and to publicly report on the status of their efforts by signing annual statements of assurance as to whether internal control is designed adequately and operating effectively. Where there are material weaknesses, the agency heads are to disclose the nature of the problems and the status of corrective actions in an annual assurance statement. Today, agencies are generally meeting their FMFIA reporting requirement by including this information in their Performance and Accountability reports, which also include their audited financial statements. The act also required that the Comptroller General establish internal control standards and that OMB issue guidelines for agencies to follow in assessing their internal control against the Comptroller General's standards. OMB first issued Circular A-123, then entitled Internal Control Systems, in October 1981, in anticipation of FMFIA becoming law. In December 1982, following FMFIA enactment, OMB issued the assessment guidelines required by the act. OMB's Guidelines for the Evaluation and Improvement of and Reporting on Internal Control Systems in the Federal Government detailed a seven-step internal control assessment process targeted to an agency's mission and organizational structure. The Comptroller General issued Standards for Internal Control in the Federal Government in 1983.[Footnote 7] These standards apply equally to financial and nonfinancial controls.[Footnote 8] In August 1984, OMB issued a question and answer supplement to its assessment guidelines, intended to clarify the applicability of the Comptroller General's internal control standards and to assist agencies in assessing risk and correcting weaknesses. The 1990s brought additional legislation that reinforced the significance of effective internal control. The Chief Financial Officers (CFO) Act,[Footnote 9] which among other things provided for major transformation of financial management, including the establishment of CFOs, called for financial management systems to comply with the Comptroller General's internal control standards. The Government Performance and Results Act of 1993[Footnote 10] required agencies to clarify missions, set strategic and performance goals, and measure performance toward those goals. Internal control plays a significant role in helping managers achieve their goals. The Government Management Reform Act of 1994[Footnote 11] expanded the CFO Act by establishing requirements for the preparation and audit of agencywide financial statements and consolidated financial statements for the federal government as a whole. The 1996 Federal Financial Management Improvement Act[Footnote 12] identified internal control as an integral part of improving financial management systems. These are just a few of the legislative initiatives over the years aimed at improving government effectiveness and accountability. The Congress has been consistent over the years in demanding that agencies have effective internal control and accounting systems. Early Experiences and Lessons Learned from Agency FMFIA Implementation: From the outset, agencies faced major challenges in implementing FMFIA. The first annual assessment reports were due by December 31, 1983. This time frame gave agencies a little over a year to develop and implement an agencywide internal control assessment and reporting process to provide the information needed to support the first agency head assurance statement to the President and the Congress. OMB assembled an interagency task force called the Financial Integrity Task Force and visited all federal departments and the 10 largest agencies to foster implementation of its internal control assessment guidelines. Starting in 1983, GAO monitored and reported on FMFIA implementation efforts across the government in a series of four reports from 1984 through 1989 as well as in numerous reports targeting specific agencies and programs. In our first governmentwide report,[Footnote 13] issued in 1984, we noted that although early efforts were primarily learning experiences, agencies had demonstrated a commitment to implementing FMFIA with a good start at assessing their internal control and accounting systems. We found agencies had established systematic processes to assess, improve, and report on their internal control and accounting systems, and we observed that federal managers had become more aware of the need for good internal control and improved accounting systems. OMB played an active role, providing guidance and central direction to the program. Though the nature and extent of participation varied, most inspectors general also played a major role in the first year. Our 1984 report outlined key steps to improve implementation, including adequate training and guidance, the importance of a positive attitude and a mind- set to hold managers accountable for results, and the need for more internal control testing. Our second governmentwide report in 1985[Footnote 14] noted that FMFIA had provided a significant impetus to the government's attempts to improve internal control and accounting systems by focusing attention on the problems. Agencies continued to identify material internal control and accounting system weaknesses with a number of major improvement initiatives under way. We identified needed improvements to FMFIA implementation similar to those in our 1984 report, but also identified the need to reduce the paperwork associated with agency assessment efforts. In particular, vulnerability assessments aimed at identifying the areas of highest risk in order to prioritize more detailed internal control reviews were widely criticized by agencies as paperwork exercises. It was widely thought that while agencies had devoted considerable resources assessing the vulnerability of thousands of operations and functions, these efforts did not provide management with a whole lot of reliable and useful information. Our third governmentwide report was issued in 1987.[Footnote 15] We noted that an important step in strengthening internal control is verifying that planned corrective actions have been implemented as envisioned and that the completed corrective actions have been effective. We found instances where (1) corrective measures taken had not completely corrected the identified weaknesses and (2) actions to resolve weaknesses had been delayed, in some cases for years. Our fourth governmentwide report,[Footnote 16] issued in 1989 for which the title, Ineffective Internal Controls Result in Ineffective Federal Programs and Billion in Losses, is still appropriate in today's environment, concluded that while internal control was improving, the efforts were clearly not producing the results intended. We noted continuing widespread internal control and accounting system problems and the need for greater top-level leadership. We reported that what started off as a well-intended program to foster the continual assessment and improvement of internal control unfortunately had become mired in extensive process and paperwork. Significant attention was focused on creating a paper trail to prove that agencies had adhered to the OMB assessment process and on crafting voluminous annual reports that could exceed several hundred pages. It seemed that the assessment and reporting processes had, at least to some, become the endgame. At the same time, there were some important accomplishments coming from FMFIA. Thousands of problems were identified and fixed along the way, especially at the lower levels where internal control assessments were performed and managers could take focused actions to fix relatively simple problems. Unfortunately, many of the more serious and complex internal control and accounting system weaknesses remained largely unchanged and agencies were drowning in paper. In March 1989, GAO, along with representatives of seven agencies, OMB, and the President's Council on Integrity and Efficiency (PCIE),[Footnote 17] reviewed aspects of FMFIA implementation as part of a subcommittee of the Internal Control Interagency Coordination Council. The subcommittee's report highlighted the following seven issues as requiring action: * Link the internal control assessment and reporting process with the budget to assist the Congress and OMB in analyzing the impact of corrective actions on agency resources. * Emphasize the early warning capabilities of the internal control process to ensure timely actions to correct weaknesses identified. * Consolidate the review processes of various OMB circulars to eliminate overlapping assessment requirements, improve staff utilization, and reduce the paper being generated. * Provide for and promote senior management involvement in the internal control process to ensure more effective and lasting oversight and accountability for FMFIA activities. * Highlight the most critical internal control weaknesses in the FMFIA assurance statements to increase the usefulness of the report to the President and the Congress. * Report on agency processes to validate actions taken to correct material weaknesses, ascertain that desired results were achieved, and reduce the likelihood of repeated occurrences of the same weaknesses. * Improve management awareness and understanding of FMFIA to provide for more consistent program manager interpretation and acceptance of the act. Too much process and paper continued to be a problem, and in 1995 OMB made a major revision to Circular A-123 that relaxed the assessment and reporting requirements. The 1995 revision integrated many policy issuances on internal control into a single document and provided a framework for integrating internal control assessments with other reviews being performed by agency managers, auditors, and evaluators. In addition, it gave agencies the discretion to determine which tools to use in arriving at the annual assurance statement to the President and the Congress, with the stated aim of achieving a streamlined management control program that incorporated the then administration's reinvention principles. Revised OMB Circular A-123 Marks an Important Step toward Achieving FMFIA Objectives: And this brings us to the present. The recent December 2004 update to Circular A-123 reflects policy recommendations developed by a joint committee of representatives from the CFO Council (CFOC)[Footnote 18] and PCIE.[Footnote 19] The changes are intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting. The December 2004 revision to the Circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities. We support OMB's efforts to revitalize FMFIA through the December 2004 revisions to Circular A-123. These revisions recognize that effective internal control is critical to improving federal agencies' effectiveness and accountability and to achieving the goals that the Congress established in 1950 and reaffirmed in 1982. The Circular correctly recognizes that instead of considering internal control an isolated management tool, agencies should integrate their efforts to meet the requirements of FMFIA with other efforts to improve effectiveness and accountability. Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. In particular, we support the principles-based approach in the revised Circular for establishing and reporting on internal control that should increase accountability. This type of approach provides a floor for expected behavior, rather than a ceiling, and by its nature, greater judgment on the part of those applying these principles will be necessary. Accordingly, clear articulation of objectives, the criteria for measuring whether the objectives have been successfully achieved, and the rigor with which these criteria are applied will be critical. Providing agencies with supplemental guidance and implementation tools is particularly important, in light of the varying levels of internal control maturity that exist across government as well as the expected divergence in implementation that is typically found when a range of entities with varying capabilities apply a principles-based approach. I would now like to highlight what I think will be the six issues critical to effectively implementing the changes to Circular A-123 based on the lessons learned over the past 20 years under FMFIA. First, OMB indicated that it plans to work with the CFOC and PCIE to provide further implementation guidance. For the reasons I just highlighted, we support the development of supplemental guidance and implementation tools, which will be particularly important to help ensure that agency efforts are properly focused and meaningful. These materials should demand an appropriate rigor to whatever assessment and reporting process management adopts as well as set the bar at a level to ensure that the objectives of FMFIA are being met in substance, with a caution to guard against excessive focus on process and paperwork. Supplemental guidance and implementation tools should be aimed at helping agency management achieve the bottom-line goal of getting results from effective internal control. Second, while the revised Circular A-123 emphasizes internal control over financial reporting, it will be important that proper attention also be paid to the other two internal control objectives covered by FMFIA and discussed in the Circular, which are (1) achieving effective and efficient operations and (2) complying with laws and regulations. Also, as I mentioned earlier, safeguarding assets is a subset of all three objectives. Third, managers throughout an agency and at all levels will need to provide strong support for internal control. As I discussed earlier, the responsibility for internal control does not reside solely with the CFO. A case in point is internal control over improper payments, which is the responsibility of a range of agency officials outside of the CFO operation. Also, with respect to financial reporting, which the revised OMB Circular A-123 specifically refers to as a priority area, the CFO generally does not control all of the needed information and often depends on other business systems for much of the financial data. For example, at the Department of Defense (DOD), about 80 percent of the information needed to prepare annual financial statements comes from other business systems, such as logistics, procurement, and personnel information systems, that are not under the CFO. Fourth, agencies must strike an appropriate balance between costs and benefits, while at the same time achieving an appropriate level of internal control. Internal controls need to be designed and implemented only after properly identifying and analyzing the risks associated with achieving control objectives. Agencies need to have the right controls, in the right place, at the right time, with an appropriate balance between related costs and benefits. In this regard, the revisions to Circular A-123 outline the concept of risk assessment for internal control over financial reporting by laying out an assessment approach at the process, transaction, and application levels. A similar approach needs to be applied as well to the other business areas and the range of programs and operations as envisioned in FMFIA. Fifth, management testing of controls in operation to determine their soundness and whether they are being adhered to and to assist in the formulation of corrective actions where problems arise will be essential. This is another area covered by the revised Circular A-123. Testing can show whether internal controls are in place and operating effectively to minimize the risk of fraud, waste, abuse, and mismanagement and whether accounting systems are producing accurate, timely, and useful information. Through adequate testing, agency managers should know what is working well and what is not. Management will then be able to focus on corrective actions as needed and on streamlining controls if testing shows that existing controls are not cost-effective. Sixth, personal accountability for results will be essential, starting with top agency management and cascading down through the organization. Regular oversight hearings, such as this one, will be critical to keeping agencies accountable and expressing the continual interest and expectations of the Congress. Independent verification and validation through the audit process, which I will talk about next, is another means of providing additional accountability. There should be clear rewards (incentives) for doing the right things and consequences (disincentives) for doing the wrong things. If a serious problem occurs because of a breakdown in internal control and it is found that management did not do its part to establish a proper internal control environment, or did not act expeditiously to fix a known problem, those responsible need to be held accountable and face the consequences of inaction. The revised Circular A-123 encourages the involvement of senior management councils in internal control assessment and monitoring, which can be an excellent means of establishing accountability and ownership for the program. The Auditor's Role in Evaluating Management's Internal Control Efforts: In initiating the revisions to Circular A-123, OMB cited the new internal control requirements for publicly traded companies that are contained in the Sarbanes-Oxley Act of 2002.[Footnote 20] Sarbanes- Oxley was born out of the corporate accountability failures of the past several years. Sarbanes-Oxley is similar in concept to the long- standing requirements for federal agencies in FMFIA and Circular A-123. Under Sarbanes-Oxley, management of a publicly-traded company is required to (1) annually assess the internal control over financial reporting at the company and (2) issue an annual statement on the effectiveness of internal control over financial reporting.[Footnote 21] The company's auditors are then required to attest to and report on management's assessment as to the effectiveness of its internal control. This is where Sarbanes-Oxley differs from FMFIA. FMFIA does not call for an auditor opinion on management's assessment of internal control over financial reporting nor does it call for an auditor opinion on the effectiveness of internal control. Likewise, Circular A- 123 does not adopt these requirements, although the Circular does recognize that some agencies are voluntarily getting an audit opinion on internal control over financial reporting. Our position is that an auditor's opinion on internal control over financial reporting is similarly important in the government environment. We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. In practicing what we preach, we not only issue an opinion on internal control over financial reporting at the federal entities where we perform the financial statement audit,[Footnote 22] including the consolidated financial statements of the U.S. government, but we also obtain an auditor's opinion on internal control on our own annual financial statements. On their own initiative, the Social Security Administration (SSA) and Nuclear Regulatory Commission also received opinions on internal control over financial reporting for fiscal year 2004 from their respective independent auditors. In considering when to require an auditor opinion on internal control, the following four questions can be used to frame the issue. 1. Is this a major federal entity, such as the 24 departments and agencies covered by the CFO Act? There would be different consideration for small simple entities versus large complex entities. 2. What is the maturity level of internal control over financial reporting? 3. Is the agency currently in a position to attest to the effectiveness of internal control over financial reporting and subject that conclusion to independent audit? 4. What are the benefits and costs of obtaining an opinion? What underlies these questions is whether management has done its job of assessing its internal control and has a firm basis for its assertion statement before the auditor is tasked with performing work to support an opinion on internal control over financial reporting. As I have stressed throughout my testimony today, internal control is a fundamental responsibility of management, including ongoing oversight. The auditor's role, similar to its opinion on the financial statements issued by management, would be to state whether the auditor agrees [Footnote 23] with management's assertion that its internal control is adequate so that the reader has an independent view. As an example, consider DOD which has many known material internal control weaknesses. Of the 25 areas on GAO's high-risk list, 14 relate to DOD, including DOD financial management. Given that DOD management is clearly not in a position to state that the department has effective internal control over financial reporting, there would be no need for the auditor to do additional audit work to render an opinion that internal control was not effective. On the other hand, as I just mentioned for fiscal year 2004, SSA management reported that it does not have any material internal control weaknesses over financial reporting. The auditor's unqualified opinion over financial reporting at SSA provided an independent assessment of management's assertion about internal control, which we believe by its nature adds value and creditability similar to the auditor's opinion on the financial statements. As you know, Mr. Chairman, recent legislation[Footnote 24] making the Department of Homeland Security (DHS) subject to the provisions of the CFO Act, which this Subcommittee spearheaded, requires DHS management to provide an assertion on the effectiveness of internal control over financial reporting for fiscal year 2005 and to obtain an auditor's opinion on its internal control over financial reporting for fiscal year 2006. In addition, the CFO Council and PCIE are required by the DHS legislation to jointly study the potential costs and benefits of requiring CFO Act agencies to obtain audit opinions on their internal control over financial reporting, and GAO is to perform an analysis of the information provided in the report and provide any findings to the House Committee on Government Reform and the Senate Committee on Homeland Security and Governmental Affairs.[Footnote 25] We believe that the study and related analysis are important steps in resolving the issues associated with the current reporting on the adequacy of internal control. In addition, this issue is being discussed by the Principals of the Joint Financial Management Improvement Program--the Comptroller General, the Director of OMB, the Secretary of the Treasury, and the Director of the Office of Personnel Management. In closing, as the Congress and the American public have increased demands for accountability, the federal government must respond by having a high standard of accountability for its programs and activities. Areas vulnerable to fraud, waste, abuse, and mismanagement must be continually evaluated to ensure that scarce resources reach their intended beneficiaries; are used properly; and are not diverted for inappropriate, illegal, inefficient, or ineffective purposes. I want to emphasize our commitment to continuing our work with the Congress, the administration, the federal agencies, and the audit community to continually improve the quality of internal control governmentwide, and to help ensure that action is taken to address the internal control vulnerabilities that exist today. To that end, as I said earlier, the leadership of this Subcommittee will continue to be an important catalyst for change, and I again thank you for the opportunity to participate in this hearing. Mr. Chairman, this completes my prepared statement. I would be happy to respond to any questions you or other Members of the Subcommittee may have at this time. Contacts and Acknowledgments: For information about this statement, please contact Jeffrey C. Steinhoff at (202) 512-2600 or McCoy Williams, Director, Financial Management and Assurance, at (202) 512-6906 or at [Hyperlink, williamsm1@gao.gov]. Individuals who made key contributions to this testimony include Mary Arnold Mohiyuddin, Abe Dymond, and Paul Caban. Numerous other individuals made contributions to the GAO reports cited in this testimony. [End of section] Appendix I: Federal Managers' Financial Integrity Act of 1982: Federal Managers' Financial Integrity Act of 1982: Public Law 97-255: (96 Stat. 814): AN ACT To amend the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports on the adequacy of the systems of internal accounting and administrative control of each executive agency, and for other purposes: Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, Section 1. This Act may be cited as the "Federal Managers' Financial Integrity Act of 1982". (31 U.S.C. 65 note). SEC. 2. Section 113 of the Accounting and Auditing Act of 1950 (31 U.S.C. 66a) is amended by adding at the end thereof the following new subsection: "(d)(1)(A) To ensure compliance with the requirements of sub-section (a)(3) of this section, internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that: "0) obligations and costs are in compliance with applicable law; "(ii) funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and "(iii) revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets. "(B) The standards prescribed by the Comptroller General under this paragraph shall include standards to en-sure the prompt resolution of all audit findings. "(2) By December 31, 1982, the Director of the Office of Management and Budget, in consultation with the Comptroller General, shall establish guidelines for the evaluation by agencies of their systems of internal ac-counting and administrative control to determine such systems' compliance with the requirements of paragraph (1) of this subsection. The Director, in consultation with the Comptroller General, may modify such guidelines from time to time as deemed necessary. "(3) By December 31, 1983, and by December 31 of each succeeding year, the head of each executive agency shall, on the basis of an evaluation conducted in accordance with guidelines prescribed under paragraph (2) of this subsection, prepare a statement: "(A) that the agency's systems of internal accounting and administrative control fully comply with the requirements of paragraph (1); or: "(B) that such systems do not fully comply with such requirements. "(4) In the event that the head of an agency pre-pares a statement described in paragraph (3)(B), the head of such agency shall include with such statement a report in which any material weaknesses in the agency's systems of internal accounting and administrative control are identified and the plans and schedule for correcting any such weakness are described. "(5) The statements and reports required by this subsection shall be signed by the head of each executive agency and transmitted to the President and the Congress. Such statements and reports shall also be made available to the public, except that, in the case of any such statement or report containing information which is: "(A) specifically prohibited from disclosure by any provision of law; or: "(B) specifically required by Executive order to be kept secret in the interest of national defense or the conduct of foreign affairs, such information shall be deleted prior to the report or statement being made available to the public.". SEC. 3. Section 201 of the Budget and Accounting Act, 1921 (31 U.S.C. 11), is amended by adding at the end thereof the following new subsection: "(k)(1) The President shall include in the supporting detail accompanying each Budget submitted on or after January 1, 1983, a separate statement, with respect to each department and establishment, of the amounts of appropriations requested by the President for the Office of Inspector General, if any, of each such establishment or department. "(2) At the request of 8 committee of the Congress, additional information concerning the amount of appropriations originally requested by any office of Inspector General, shall be submitted to such committee.". SEC. 4. Section 113(b) of the Accounting and Auditing Act of 1950 (31 U.S.C. 66a(b)), is amended by adding at the end thereof the following new sentence: "Each annual statement prepared pursuant to subsection (d) of this section shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General under section 112 of this Act.". (31 U.S.C. 66a). Approved September 8, 1982. This Act has not been amended as of December 31, 1995. [End of section] (195064): FOOTNOTES [1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [2] GAO, Fiscal Year 2004 U.S. Government Financial Statements: Sustained Improvement in Federal Financial Management Is Crucial to Addressing Our Nation's Future Fiscal Challenges, GAO-05-284T (Washington, D.C.: Feb. 9, 2005). [3] Budget and Accounting Procedures Act of 1950, ch. 946, 64 Stat. 832 (1950). [4] The act used the phrase "systems of accounting and internal control." [5] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982). FMFIA was repealed as part of the general revisions to title 31, U.S. Code. The key provisions of FMFIA were codified at 31 U.S.C. � 3512 (c), (d). [6] FMFIA used the term "internal accounting and administrative controls." OMB initially used the term "management control." In revising Circular A-123 in 2004, OMB replaced the term management control with internal control, to better align with the Comptroller General's internal control standards. Management control and internal control are synonymous. [7] The Comptroller General revised the standards in 1999, based on developments in internal control theory, the effects of information technology, and the passage of a series of landmark reforms. GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00- 21.3.1 (Washington, D.C.: November 1999). [8] The five standards for internal control are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communications, and (5) monitoring. [9] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990). [10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). [11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994). [12] Pub. L. No. 104-208, div. A �101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996). [13] GAO, Implementation of the Federal Managers' Financial Integrity Act: First Year, GAO/OCG-84-3 (Washington, D.C.: Aug. 24, 1984). [14] GAO, Financial Integrity Act: The Government Faces Serious Internal Control and Accounting Systems Problems, GAO/AFMD-86-14 (Washington, D.C.: Dec. 23, 1985). [15] GAO, Financial Integrity Act: Continuing Efforts Needed to Improve Internal Control and Accounting Systems, GAO/AFMD-88-10 (Washington, D.C.: Dec. 30, 1987). [16] GAO, Financial Integrity Act: Inadequate Controls Result in Ineffective Federal Programs and Billions in Losses, GAO/AFMD-90-10 (Washington, D.C.: Nov. 28, 1989). [17] PCIE was established to address integrity, economy, and effectiveness issues that transcend individual government agencies. [18] CFOC is an organization of the CFOs and deputy CFOs of the largest federal agencies, and senior officials of OMB and the Department of the Treasury who work collaboratively to improve financial management in the U.S. government. [19] Both PCIE and CFOC are chaired by OMB's Deputy Director for Management. [20] Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002). [21] See Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, 68 Fed. Reg. 36635 (June 18, 2003) (codified at scattered sections of title 17, Code of Federal Regulations). [22] Currently, we perform financial statement audits at the Federal Deposit Insurance Corporation, the Internal Revenue Service, the Bureau of the Public Debt, and the Securities and Exchange Commission. [23] If the auditor follows the joint GAO/PCIE Financial Audit Manual (FAM), as is expected for federal financial statement audits, the work performed should be adequate to render an opinion on internal control. [24] Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004). [25] Since passing the legislation, the Senate Committee on Governmental Affairs changed its name to the Senate Committee on Homeland Security and Governmental Affairs.