Internal Control

Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment

GAO ID: GAO-06-255R
September 6, 2006

The Department of Homeland Security (DHS) Financial Accountability Act, Public Law Number 108-330, requires DHS management to provide an assertion on the internal control that applies to financial reporting for fiscal year 2005 and to obtain an auditor's opinion on the department's internal control over its financial reporting for fiscal year 2006. The act also directs the Chief Financial Officers (CFO) Council and the President's Council on Integrity and Efficiency (PCIE) to conduct a joint study, and report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the Chief Financial Officers Act of 1990 to obtain audit opinions of their internal control over financial reporting. The DHS Financial Accountability Act also requires that the Comptroller General of the United States review the joint study and report the results of this analysis to the Congress. In December 2005, we briefed available committee staff on our preliminary analysis of the joint study. This report provides further details on our review and on our views regarding a requirement for federal agencies to obtain audit opinions on their internal control over financial reporting.

We recognize that assessing the costs and benefits of obtaining an auditor's opinion on internal control over financial reporting is difficult, and the joint study properly noted many challenges inherent in performing cost-benefit analyses on this issue. The CFO Council and the PCIE acknowledged in the joint study that estimating the costs to render an opinion on internal control over financial reporting was "challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate" and refer to their reported estimates as "not hard numbers." Of the total reported estimated costs of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover the Department of Defense (DOD). The CFO Council and the PCIE also stated that the benefits from obtaining an opinion on internal control over financial reporting are difficult to measure, and as a result, the joint study discussed some of the potential benefits only qualitatively. Consequently, the joint study did not identify all relevant costs and benefits, which may therefore limit the usefulness of the results and conclusions of the joint study. While the study identified categories of additional work that drive the cost estimates, we believe additional factors are relevant in considering the costs of a requirement for audit opinions on internal control over financial reporting in the federal government. 
Factors that would likely affect an estimate of the costs of a requirement in the federal government include (1) leveraging the resources already in place in areas of the financial statement audit; (2) using an audit approach that integrates the financial and internal control audits and includes reasoned risk and experience-based auditor judgments, similar to the approach in the GAO/PCIE Financial Audit Manual (FAM); (3) setting criteria for when an agency should initially be required to obtain an audit of internal control over financial reporting; and (4) establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control rather than an annual cycle. We also note that some of the reasons cited for higher-than-estimated costs in early implementation of the internal control provisions of Sarbanes-Oxley for publicly traded companies, should not, to nearly the same extent, be factors for incremental costs in the federal government environment. For example, auditors of federal agencies have been required for many years to test internal control to achieve a low level of assessed control risk. As a result, the FAM includes an integrated audit approach for testing internal control in connection with a financial statement audit. Similar internal control testing requirements were not in place for public companies prior to section 404 of Sarbanes-Oxley. It is important to note, however, that the standards that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards.



GAO-06-255R, Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment

This is the accessible text file for GAO report number GAO-06-255R entitled 'Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment' which was released on September 6, 2006.

September 6, 2006

The Honorable Susan M. Collins
Chairman
The Honorable Joseph I. Lieberman
Ranking Minority Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Thomas M. Davis
Chairman
The Honorable Henry A. Waxman
Ranking Minority Member
Committee on Government Reform
House of Representatives

Subject: Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment

The Department of Homeland Security (DHS) Financial Accountability Act, Public Law Number 108-330, requires DHS management to provide an assertion on the internal control that applies to financial reporting for fiscal year 2005 and to obtain an auditor's opinion on the department's internal control over its financial reporting for fiscal year 2006. The act also directs the Chief Financial Officers (CFO) Council[Footnote 1] and the President's Council on Integrity and Efficiency (PCIE)[Footnote 2] to conduct a joint study, and report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the Chief Financial Officers Act of 1990[Footnote 3] to obtain audit opinions of their internal control over financial reporting.[Footnote 4] The DHS Financial Accountability Act also requires that the Comptroller General of the United States review the joint study and report the results of this analysis to the Congress. In December 2005, we briefed available committee staff on our preliminary analysis of the joint study. This report provides further details on our review and on our views regarding a requirement for federal agencies to obtain audit opinions on their internal control over financial reporting.

The Office of Management and Budget (OMB) revised its Circular Number A-123[Footnote 5] in December 2004 (effective beginning with fiscal year 2006) to strengthen the requirements for conducting management's assessment of internal control over financial reporting.
Major revisions contained in Appendix A of the circular include requiring CFO Act agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide separate assurance on the agency's internal control over financial reporting. In initiating the revisions to Circular No. A-123, OMB cited the new internal control requirements for publicly traded companies that are contained in section 404 of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley).[Footnote 6] Sarbanes-Oxley was enacted in response to corporate accountability failures of the past several years and contains a provision calling for management's assessment of internal control over financial reporting similar to the long-standing requirements for executive branch agencies in 31 U.S.C. § 3512 (c),(d), commonly referred to as the Federal Managers' Financial Integrity Act (FMFIA), to issue annual statements of assurance over internal control in the agency.

Opinions on internal control over financial reporting as required by the Sarbanes-Oxley Act for publicly traded companies are important to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Regulators, public companies, audit firms, and investors generally agree that the Sarbanes-Oxley Act of 2002 has had a positive and significant impact on investor protection and confidence. At the same time, the costs associated with the Sarbanes-Oxley Act have been significant and additional steps should be taken to improve the efficiency and cost-effectiveness of its implementation.

Federal agencies also have a duty to attain and maintain the public's trust and confidence.
Specifically, federal agencies have a stewardship obligation to prevent fraud, waste, and abuse; to use tax dollars appropriately; and to ensure financial accountability to the President, the Congress, and the American people. In the broadest context, internal control represents an organization's plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Effective internal control should provide reasonable assurance that an organization achieves the following objectives: (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with applicable laws and regulations. Safeguarding of assets is a subset of these objectives. The scope of this report mainly deals with one objective of internal control, specifically that related to the reliability of financial reporting. Consistent with the DHS Financial Accountability Act's requirements, our objective was to review the joint study and provide our perspective on the important issues regarding a potential requirement for CFO Act agencies to obtain audit opinions on their internal control over financial reporting. Specifically, this report provides our analysis of (1) the joint study and key issues to consider in assessing the costs and benefits of obtaining an opinion on internal control over financial reporting and (2) factors to consider in establishing criteria for when such an internal control opinion is warranted. To address our objective, we reviewed and discussed the joint study's methodology, results, and conclusions with officials from OMB and members of the CFO Council and the PCIE. In conducting their joint study, the CFO Council and the PCIE obtained cost and benefit data from the CFO Act agency inspectors general (IG), but did not verify the cost data supporting the cost-benefit analysis. 
We reviewed the development and administration of the questionnaire, but because the scope of our work did not include independently validating the cost information reported by questionnaire respondents, we cannot comment on the reliability of its cost estimates. We reviewed numerous reports and other professional literature that contributed to the development of the joint study. These materials are referenced in Attachment A of the joint study. We obtained a copy of the questionnaire sent to the IGs of the 24 CFO Act agencies and the two additional questions that were subsequently asked of the CFOs and IGs. We also reviewed prior GAO reports; applicable federal laws and regulations; and private sector results after implementation of the Sarbanes-Oxley Act of 2002, including documents issued by the Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB).

We performed our work from September 2005 through July 2006 in accordance with U.S. generally accepted government auditing standards.

We requested comments on a draft of this report from OMB. Written comments from OMB's Deputy Director for Management are reprinted in enclosure IV. We also received several technical comments, which we have addressed as appropriate.

Results in Brief:

We recognize that assessing the costs and benefits of obtaining an auditor's opinion on internal control over financial reporting is difficult, and the joint study properly noted many challenges inherent in performing cost-benefit analyses on this issue. The CFO Council and the PCIE acknowledged in the joint study that estimating the costs to render an opinion on internal control over financial reporting was "challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate" and refer to their reported estimates as "not hard numbers."
Of the total reported estimated costs[Footnote 7] of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover the Department of Defense (DOD). The CFO Council and the PCIE also stated that the benefits from obtaining an opinion on internal control over financial reporting are difficult to measure, and as a result, the joint study discussed some of the potential benefits only qualitatively. Consequently, the joint study did not identify all relevant costs and benefits, which may therefore limit the usefulness of the results and conclusions of the joint study. While the study identified categories of additional work that drive the cost estimates, we believe additional factors are relevant in considering the costs of a requirement for audit opinions on internal control over financial reporting in the federal government. Factors that would likely affect an estimate of the costs of a requirement in the federal government include (1) leveraging the resources already in place in areas of the financial statement audit; (2) using an audit approach that integrates the financial and internal control audits and includes reasoned risk and experience-based auditor judgments, similar to the approach in the GAO/PCIE Financial Audit Manual (FAM); (3) setting criteria for when an agency should initially be required to obtain an audit of internal control over financial reporting; and (4) establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control rather than an annual cycle. We also note that some of the reasons cited for higher-than-estimated costs in early implementation of the internal control provisions of Sarbanes-Oxley for publicly traded companies, should not, to nearly the same extent, be factors for incremental costs in the federal government environment.
For example, auditors of federal agencies have been required for many years to test internal control to achieve a low level of assessed control risk. As a result, the FAM includes an integrated audit approach for testing internal control in connection with a financial statement audit. Similar internal control testing requirements were not in place for public companies prior to section 404 of Sarbanes-Oxley. It is important to note, however, that the standards[Footnote 8] that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards. Additionally, as reported by the joint study, a majority of the IGs and CFOs believe that benefits would be derived from an audit of internal control over financial reporting. A majority of the IGs and CFOs cited the following as benefits that may be derived from this type of audit: (1) improved internal control and reduced material weaknesses; (2) reduced errors and improved data integrity, documentation reliability, and reporting; and (3) improved agency focus and oversight. According to the study, the true benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is reliable. We agree with the benefits identified by the IGs and CFOs, and in turn, these benefits provide additional incentives for timely identifying and correcting internal control weakness over financial reporting. In addition, we have identified several other benefits that should be considered when concluding on the merits of establishing a requirement to obtain an opinion on internal control over financial reporting. 
We believe independent assessments and auditor reporting can also:

* strengthen the audit work done to support implementation of laws enacted to enhance internal control or reinforce the significance of effective internal control, such as FMFIA and the Government Performance and Results Act (GPRA);
* help to improve other efforts, such as cost analyses, budgeting, and performance metrics, through additional assurances over the reliability of financial and relevant nonfinancial data; and
* improve monitoring of the effectiveness of an entity's risk management and accountability systems.

We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. We agree in part with the study's overall conclusion that federal agencies should first be given the opportunity to implement revised Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. However, we also believe that having set criteria as to when an agency should initially be required to obtain an opinion, instead of agency or OMB discretion, would be useful. We recognize that not all agencies have the same maturity level of internal control over financial reporting and that an initial determination of an agency's readiness to undergo an audit may be appropriate. Such an approach should consider specific criteria to ascertain when an agency should initially obtain an opinion on internal control, such as whether management has properly assessed its internal control and has a reasonable basis for its statement of assurance.
We also believe that criteria can be established to achieve a balance between value, risk, and cost, whereby once agency management has demonstrated a stabilized effective system of internal control over financial reporting, subsequent audits could be performed on a multiyear cycle, for instance, every 3 years. Important to this consideration is that during the years not subject to an internal control audit, agency management would still have to comply with the revised Circular No. A-123, which requires agency management to annually assess the adequacy of internal control over financial reporting by providing a report on identified material weaknesses and corrective actions and providing a separate assurance statement on the agency's internal control over financial reporting. The overarching goal of obtaining an audit opinion on internal control is to provide reasonable independent assurance that management's assessment of internal control is adequate, which significantly contributes to ongoing improvement in federal agency internal control and accountability. Any criteria used to determine when an agency should undergo initial and continual implementation of the requirement for an audit opinion on internal control audit should consider at what point the audit will contribute to this goal. To reasonably ensure that audit opinions on agency internal control over financial reporting are obtained at the proper time and for a reasonable cost, we are making two recommendations to the Director, Office of Management and Budget, as a function of OMB's financial management leadership role: (1) develop specific criteria as to when agencies should initially be required to obtain opinions on internal control over financial reporting and (2) develop criteria as to when agencies have demonstrated a stabilized, effective system of internal control over financial reporting in order to move to a multiyear cycle for obtaining subsequent opinions on internal control. 
During the years not subject to an internal control audit, agency management would still adhere to a comprehensive ongoing management assessment and reporting process for internal control over financial reporting, as required by the revised Circular No. A-123.

In written comments on a draft of this report, OMB agreed with the ultimate goal of improving internal control in the federal government. OMB's comments also highlighted the continued cooperation of GAO and the PCIE and the CFO Council on important issues and stated that OMB looked forward to working together to achieve the joint goal of effective internal control in the federal government. (OMB's comments are reprinted in enc. IV.)

Background:

Federal agencies have a significant responsibility for accurate and timely accounting, controlling, and reporting of the receipts, disbursements, and applications of public moneys. The Congress has long recognized the importance of internal control, beginning with the Budget and Accounting Procedures Act of 1950,[Footnote 9] which placed primary responsibility for establishing and maintaining internal control squarely on the shoulders of agency management.

In 1982, the Congress passed FMFIA, requiring agency heads to establish a continuous process for assessment and improvement of their agencies' internal control and to annually report on the adequacy of internal control. In addition, FMFIA required the Comptroller General to establish internal control standards and OMB to issue guidelines for agencies to follow in assessing their internal control. In December 1982, following FMFIA enactment, OMB issued Circular No. A-123, which included the assessment guidelines required by the act.
The Comptroller General issued Standards for Internal Control in the Federal Government in 1983, which was last revised in November 1999.[Footnote 10] We monitored and reported on FMFIA implementation efforts across the government in a series of four reports[Footnote 11] from 1984 through 1989, as well as in numerous reports targeting specific agencies and programs. With each report, we noted the efforts under way, but also emphasized that more needed to be done. In 1989, we concluded that while internal control was improving, the efforts were clearly not producing the results intended. The management assessment and reporting process itself appeared to have become the objective of the annual efforts rather than actually improving internal control, and many serious internal control and accounting systems weaknesses remain unresolved. We have highlighted these long-standing weaknesses in our series of high-risk reports starting in 1990, the most recent of which we issued in January 2005.[Footnote 12] In 1995, OMB made a major revision to its Circular No. A-123 guidance that provided a framework for integrating internal control assessments with other work performed and relaxed the management assessment and reporting requirements, giving the agencies discretion to determine the tools to use in arriving at their annual FMFIA assurance statements. OMB's December 2004 revisions (effective beginning with fiscal year 2006) to Circular No. A-123 are intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting at CFO Act agencies. Major revisions include requiring CFO Act agency management to annually provide a separate assurance statement on internal control over financial reporting in its performance and accountability report, along with a report on identified material weaknesses and corrective actions. 
The revision also establishes that OMB may, at its discretion, require a CFO Act agency to obtain an opinion on internal control over financial reporting if the agency is not meeting its deadlines as outlined in its corrective action plans. In general, we supported the revisions to Circular No. A-123 as they recognize that effective internal control is critical to improving federal agencies' effectiveness and accountability and to achieving the goals that the Congress established for them.[Footnote 13]

The recent revisions to Circular No. A-123 were initiated in response to the new internal control requirements for publicly traded companies that are contained in Sarbanes-Oxley. Under section 404 of Sarbanes-Oxley, management of a publicly traded company is required to (1) annually assess internal control over financial reporting at the company and (2) issue an annual statement on the effectiveness of internal control over financial reporting. The company's auditors are then required to attest to management's assessment as to the effectiveness of its internal control over financial reporting and issue an auditor's opinion as to the effectiveness of internal control over financial reporting.

The Joint Study and Key Issues to Consider in Assessing Costs and Benefits:

The CFO Council and the PCIE joint study transmits the results obtained from a questionnaire of the IGs for the 24 CFO Act agencies with additional input from the CFO Council's Policies and Practice Committee. A copy of the joint study report is reprinted in enclosure I. The CFO Council and the PCIE acknowledged inherent limitations in conducting the joint study and noted that "performing any sort of meaningful cost/benefit analysis has proven elusive." Specifically, the joint study faced numerous challenges, including (1) identifying and estimating all relevant costs and benefits and (2) a lack of historical data from the agencies on the costs and benefits of implementing the requirement.
Because only a few agencies have experience with obtaining audit opinions on internal control over financial reporting, there is limited specific information about the trade-offs between the costs of obtaining an opinion and the benefits provided. The joint study identified general categories of the additional work that it stated drive the cost estimates, along with a qualitative discussion of some benefits. We believe additional factors related to both costs and benefits are also relevant and should be included in considering the cost-benefit of the audit requirement.

Methodology, Results, and Conclusion of the Joint Study:

To accomplish their objective, the CFO Council and the PCIE, under the leadership of OMB, which chairs both councils, gathered information from the IGs and the CFOs about the costs and benefits of the proposed requirement. The PCIE Audit Committee coordinated the collection of cost and benefit information from the IGs. The Audit Committee Chair sent a questionnaire to the IGs at the 24 CFO Act agencies to gather data on the estimated audit costs and the benefits of performing an examination under the standards of AT§501, Reporting on an Entity's Internal Control Over Financial Reporting,[Footnote 14] which are issued by the American Institute of Certified Public Accountants and incorporated by reference as part of U.S. generally accepted government auditing standards. Enclosure II contains a copy of the PCIE questionnaire used to gather estimated costs and benefits of opining on internal control over financial reporting.

The CFO Council and the PCIE acknowledged some limitations in the joint study. For example, they acknowledged that they did not validate the cost estimates submitted by the 24 CFO Act agency IGs.
In addition, the study noted that the estimates are "not hard numbers," meaning that they were only overall estimates that were not necessarily based, for example, on the potential number of hours and labor rates that would be included by a contracted auditor in a formal contract proposal. The PCIE Audit Committee summarized the responses from each of the IGs at the 24 CFO Act agencies, and then shared the summary with the respondents to ensure they had accurately captured their comments. The PCIE Audit Committee also shared the results with the CFO Council's Financial Management Policies and Practices Committee[Footnote 15] and incorporated its comments. The draft study was then shared with both the full CFO Council and the PCIE, whose comments were also incorporated. During the final comment period, two additional questions were asked of the CFOs and IGs about the expected benefits of the revised Circular No. A-123 and on obtaining opinions on internal control over financial reporting. Enclosure III contains the two additional questions that were asked of the CFOs and IGs. The CFO Council and PCIE also considered the experiences of publicly traded companies by reviewing numerous articles, surveys, and statements made before regulatory bodies relating to the implementation of section 404 of the Sarbanes-Oxley Act. Of the total reported estimated costs of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover DOD. The joint study notes that driving the cost estimates are the additional work that the auditor would need to perform beyond the requirements of OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements,[Footnote 16] and the GAO/PCIE FAM in order to render an opinion on an agency's internal control over financial reporting. 
The joint study also noted that the benefits of obtaining an opinion on internal control are difficult to measure. The joint study stated that "benefits can only be described in general terms, making a cost/benefit analysis difficult." Some of the benefits cited were (1) improved internal control and reduced material weaknesses; (2) reduced errors and improved data integrity, documentation reliability, and reporting; and (3) improved agency focus and oversight. The joint study did not quantify these benefits, but noted that these benefits should largely be achieved when agencies effectively implement the revisions to Circular No. A-123.

The joint study concluded that (1) most industry experts agree that there are significant incremental costs to obtaining an opinion on internal control over financial reporting; (2) before incurring the additional costs, it would be prudent to see how federal managers implement the revised Circular No. A-123 and to evaluate the private sector's implementation of the internal control provisions of Sarbanes-Oxley when additional information becomes available; and (3) the decision on whether to obtain an opinion needs to be decided on an agency-by-agency basis, depending on the condition of an agency's financial management program. The CFOs and the IGs recommended that all CFO Act agencies should not be required to conduct such an audit at this time. Rather, agencies should be given the opportunity to implement the revised Circular No. A-123, and obtain an internal control audit only where particular circumstances warrant such an audit.

Certain Factors That Could Influence Costs and Benefits Not Included in the Joint Study:

We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems.
We agree in part with the study's overall conclusion that agencies should first be given the opportunity to implement the revised Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. Internal control is a fundamental management responsibility. Management, not the auditor, should be the first line of defense and be held accountable for establishing a continuous evaluation process to ensure the adequacy of internal control. However, as discussed later, we also believe that there should be specific criteria for ascertaining when an agency should initially be required to obtain an opinion on internal control. We also recognize that assessing the costs and benefits of obtaining an opinion is difficult and agree there are many challenges inherent to performing cost-benefit analyses on this issue. While the joint study identified categories of additional work that drive the cost estimates along with key benefits, we believe additional factors that could influence costs and benefits are relevant in considering a requirement for audit opinions on internal control.

Additional Factors That Could Influence Costs:

We identified five additional factors that could influence costs and should be considered: (1) leveraging resources, (2) using an efficient auditor approach, (3) using a staggered implementation approach, (4) implementing a multiyear cycle for an audit opinion on internal control over financial reporting, and (5) applying Sarbanes-Oxley lessons learned.

Leveraging resources. In developing cost estimates to obtain an opinion on internal control over financial reporting, consideration needs to be given to fully leveraging the resources already deployed as part of the financial statement audits.
For example, it may be possible to leverage the resources deployed to determine compliance with laws and regulatory requirements that were enacted to strengthen internal control or reinforce the significance of effective internal control, such as the following:

* OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, which requires auditors of federal financial statements to test and report on agencies' internal control over financial reporting in connection with the audit of the financial statements;
* FMFIA, which since its passage in 1982 has called for a continuous process for assessment and improvement of internal control, including control over financial reporting, and an annual assessment and statement of assurance by agency heads;
* revised Circular No. A-123, which is intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting; and
* revised Circular No. A-127, which is intended to highlight internal control requirements unique to financial management systems.

Leveraging the resources already deployed in other areas of the financial statement audit would help reduce the additional work needed to opine on internal control over financial reporting and therefore decrease the incremental cost. For example, OMB Bulletin 01-02 requires auditors to (1) gain an understanding of internal control over financial reporting, (2) obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA, (3) determine if internal control has been properly designed and placed in operation, (4) assess control risk, (5) perform tests of internal control to determine whether it is effective, and (6) report any identified deficiencies. In meeting the requirements of OMB's Bulletin No. 01-02, auditors are already performing steps that could be leveraged for opining on internal control over financial reporting.
As noted in the FAM, audit work performed in connection with OMB Circular No. 01-02 may be sufficient to provide an opinion on internal control over financial reporting. The CFO Council and the PCIE requested and received from the IG community cost estimates to obtain an opinion on internal control over financial reporting. The guidance given to the IG community was to exclude management's cost to support the audit effort or to implement the new requirements of Appendix A to Circular No. A-123.[Footnote 17] Costs incurred to comply with Circular No. A-123 will be incurred irrespective of a requirement to obtain an opinion on internal control over financial reporting. We agree that these costs do not add to the incremental cost of obtaining an opinion on internal control over financial reporting and should not be included in the estimate to perform the opinion-level work. Instead, these activities can be leveraged by the auditors to reduce internal control audit costs. The activities that must be performed for agency compliance with the revised Circular No. A-123 include identifying, documenting, and testing internal control over financial reporting. These are the same types of activities that would have to be performed in conducting an audit of internal control over financial reporting and would offer the auditor the ability to consider the work of management in evaluating the effectiveness of internal control over financial reporting and deciding on the level of audit evidence needed to support an opinion. Specifically, the auditor might decide to consider the work of management as part of the process of gaining an understanding of internal control over financial reporting and in determining the nature, timing, and extent of the auditor's tests. Preparation of such information by management reduces the costs for the auditor to gather the information. 
This requires close coordination and up-front planning so that the auditor is in a position to leverage management's work.

Efficient auditor approach. An audit approach that uses reasoned risk and experience-based auditor judgments in areas such as designing efficient internal control testing and additional flexibility in using the work of others, similar to the approach in the FAM, would provide an efficient and cost-effective means to accomplish audits of internal control. These flexibilities in audit approaches would also help reduce the additional audit work needed to opine on internal control and thus decrease the incremental cost. It is important to note, however, that the standards[Footnote 18] that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards.

Staggered implementation approach. Having set criteria as to when an agency should initially be required to obtain an opinion on internal control over financial reporting would be an important cost consideration. As discussed later, not all agencies will be in a position to have efficient internal control audits at this time. For example, in our view, under most circumstances, it would not be prudent for agencies with extensive known internal control weaknesses to pay for opinions on internal control over financial reporting, assuming that an agency acknowledges the seriousness of its problems and is working to remediate those weaknesses.
However, in the case of DHS, where the Congress has particular oversight concerns because it is a new agency comprising numerous entities, auditor involvement in overseeing management's efforts to evaluate and report on internal control should be beneficial to both management and congressional oversight. In addition, if management of an agency, such as DHS, which has a significant number of material weaknesses,[Footnote 19] either decides to or is required to report on internal control over financial reporting and is willing to acknowledge the agency's weaknesses in its assurance statement, then there should be very minimal costs for the auditor to issue an adverse opinion on internal control.

Multiyear audit cycle. Once agency management has demonstrated effective internal control over financial reporting as evidenced by unqualified opinions issued by an independent external auditor, we believe establishing a multiyear audit cycle could be appropriate. Important to this consideration is that during the years not subject to audit, agency management would still have to comply with the revised Circular No. A-123, which requires agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide separate assurance on the agency's internal control over financial reporting. On a multiyear cycle, the audit of internal control over financial reporting would provide independent assurance that management's assessment of its internal control is reliable. This would be a similar quality control practice much like that used in the peer review requirements for audit organizations, which occur every 3 years.

Sarbanes-Oxley lessons learned.
According to the joint study report, some of the agencies pointed to the higher-than-estimated cost of implementing section 404 of Sarbanes-Oxley as a deterrent to requiring an opinion on internal control over financial reporting in the federal government. However, the private sector internal control environment differs from that of federal agencies. Although many companies in the private sector have been required to maintain effective internal control under the Foreign Corrupt Practices Act of 1977,[Footnote 20] there was no management assessment or reporting requirement until passage of Sarbanes-Oxley. On the other hand, federal managers have been subject to statutory internal control assessment and reporting similar to the requirements of Sarbanes-Oxley since 1982, as well as other numerous legislative and regulatory requirements that promote and support effective internal control. Although these laws and regulatory requirements have not proven fully effective in establishing a strong system of internal control by themselves, taken as a whole, they have long created an environment that has demanded and promoted effective control and management accountability. In November 2005, PCAOB, which, among other things, is charged by Sarbanes-Oxley to issue auditing, quality control, and ethics standards for public company audits, issued a report on the first-year implementation of Sarbanes-Oxley requirement for an audit of internal control over financial reporting performed in conjunction with an audit of financial statements.[Footnote 21] The board's monitoring focused on whether public accounting firms' audit methodologies, as well as firms' execution of those methodologies, have resulted in audits of internal control that are effective and efficient. 
PCAOB found that both public accounting firms and public companies faced enormous challenges in the first year of implementation, arising from the limited time frame that firms and public companies had to implement the new requirements; a shortage of staff with prior training and experience in designing, evaluating, and testing control; and related strains on available resources. These challenges were compounded in those companies that needed to make significant improvements in their internal control systems to make up for deferred maintenance of those systems.

In our review of the lessons learned from the private sector first-year implementation of section 404 of Sarbanes-Oxley, we noted that some of the issues identified that affected the efficiency of the audit and, therefore, the cost of the audit, should not affect CFO Act agencies to the same extent. Proper implementation of the FAM integrated audit approach, which uses reasoned risk, efficient internal control testing, additional flexibilities in using the work of others, as well as other measures, would to a large extent mitigate the inefficiencies noted in the lessons learned for first-year section 404 implementation.

Based on the PCAOB report, the following is a summary of the audit lessons learned as a result of the implementation of section 404 of Sarbanes-Oxley.

* Some independent public accountants (IPA) did not integrate their audits of internal control with their audits of financial statements. In an integrated audit of the financial statements and internal control, the auditor designs and simultaneously executes procedures that accomplish the objectives of both audits. These objectives are not identical but are interrelated. By not integrating both audits, the auditors may perform additional audit work than would otherwise be necessary, therefore increasing the costs of the audits.
* Some IPAs did not effectively apply a preferred top-down approach.
To varying degrees, auditors often approached the audit of internal control from the bottom up. Using a top-down approach, the auditor would instead begin by evaluating company-level control and significant accounts at the financial statement level and then work down to relevant individual control at the process, transaction, or application levels. The results of the auditors' testing at each level help the auditor tailor the remainder of the work. Therefore, auditors may be able to reduce tests of internal control, which should result in reduced audit costs.
* Some IPAs performed inefficient, and sometimes ineffective, walk-throughs of major classes of transactions because they used different transactions to test each control separately rather than walking a single transaction through the entire process.
* Some IPAs did not use the work of others to the extent permitted by PCAOB Auditing Standard No. 2.[Footnote 22] Auditors that more effectively use the work of others as permitted will likely be able to make more efficient use of their own time in performing the audits of internal control.

Additionally, in the report, PCAOB noted that the most common reasons why audits were not as effective as expected include the following:

* In the face of identified control deficiencies, often discovered late in the audit process, some auditors failed to sufficiently evaluate the adequacy of compensating controls. For example, in some cases, auditors relied on management assertions about compensating controls without testing those controls in operation.
* Some IPAs did not perform sufficient testing of the controls over preparing financial statement disclosures. The controls in this area are among the most important in the financial reporting process because of the relatively high risk of material misstatement or omission due to fraud or error.
Sufficient testing of controls in this area also can make the auditors' substantive testing of financial statement disclosures more efficient.

Further, implementing the requirements of section 404 of Sarbanes-Oxley has put tremendous pressure on the availability of resources in the accounting and auditing profession. For instance, the four largest accounting firms have reported that they have significantly increased their assurance staff in the past 5 years and are expected to continue to experience a significant strain on resources to supply their need for assurance staff in the next 5 years.

Additional Benefits:

The CFO Council and PCIE joint study identified several important benefits of obtaining an opinion on internal control over financial reporting, such as independent assurance, improved internal control, reduced material weaknesses, reduced errors and improved data integrity, improved documentation reliability and reporting, and improved agency focus and oversight, with which we agree. We believe that there are additional benefits that should also be considered when concluding on the merits of such a requirement. Some of the benefits we identified are not direct benefits of having an opinion on internal control, but they are important indirect benefits that should be considered in concluding on the merits of this requirement. We believe annual independent assessments and audit reporting can also:

* Strengthen the work done to support implementation of other laws enacted to enhance internal control or reinforce the significance of effective internal control. Examples include (1) FMFIA, which calls for a continuous process for assessment of internal control, and (2) GPRA, which requires agencies to set strategic and performance goals and measure performance toward those goals. Internal control plays a significant role in helping managers achieve their goals.
* Help to improve other efforts, such as cost analyses, budgeting, and performance metrics, through assurances over the reliability of financial and relevant nonfinancial data. For example, the internal control audit would provide additional assurances about internal control over the accuracy of management's estimates of improper payments (over $38 billion reported by the federal government for fiscal year 2005) across federal programs. Identifying improper payments and accurately measuring them over time is an important factor in eventually addressing and reducing them.
* Improve monitoring of the effectiveness of an entity's risk management and accountability systems. An audit requirement would not only provide assurance, but would also provide a mechanism for reporting on the extent to which management is carrying out its fundamental responsibilities in establishing and maintaining internal control.

Factors to Consider in Establishing Criteria for an Internal Control Audit Requirement:

We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. In putting this concept into practice at GAO, we not only issue an opinion on internal control over financial reporting at the federal entities where we perform the financial statement audit,[Footnote 23] including the consolidated financial statements of the U.S. government, but since the early 1990s, we have also obtained an auditor's opinion on internal control over financial reporting in conjunction with the audit of our own annual financial statements. Other agencies have also exhibited such initiative. For example, the Social Security Administration (SSA) and the Nuclear Regulatory Commission received opinions (unqualified and qualified, respectively) on their internal control over financial reporting for fiscal year 2005 from their respective independent auditors.
We agree in part with the study's conclusion that CFO Act agencies should first be given the opportunity to implement the revised OMB Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. At the same time, we also believe that specific criteria should be established as to when such an audit initially would be warranted and, therefore, required. Establishing specific criteria will help ensure that current efforts are sustained over time and with changes in administrations. As discussed previously, while management already has the fundamental responsibility to maintain and assess internal control as a key element of properly managing a federal agency, history has shown that sustained financial management progress requires ongoing, active congressional oversight. A requirement for an auditor's opinion on internal control over financial reporting would help ensure that the intended benefits of management's assertion are fully realized and that the Congress, through an independent set of eyes, has an important tool for oversight. Additionally, once effective internal control over financial reporting has been established, as evidenced by an unqualified opinion, the cost of the requirement may be mitigated by implementing a multiyear cycle for the audit opinion on internal control over financial reporting, as noted previously. As we stressed in our February 2005 testimony,[Footnote 24] the auditor's role, similar to its opinion on the financial statements issued by management, would be to state whether the auditor agrees with management's assertion about the effectiveness of its internal control so that the reader has independent assurances about management's assertion. This is especially important when management asserts its internal control is adequate. 
The following are some key factors to consider when establishing criteria for when to require an auditor opinion on internal control over financial reporting at each entity.

* Is management providing an unqualified assurance statement? If so, an auditor opinion can be cost effective and would serve as an independent validation of the reliability of management's conclusions.
* What is the effectiveness of management's process for assessing internal control? Even though internal control weaknesses may be reported, an opinion can add value to the reliability of management's process. Further, if there are indications that management's process for assessing internal control is not effective, a targeted, limited scope review of the process could be performed to identify deficiencies in management's process.
* What is the current condition of internal control over financial reporting? The condition can be assessed by a number of factors, including:
  - recent audit opinion findings;
  - nature of material weaknesses over financial reporting, if any;
  - reported weaknesses or noncompliance under FMFIA and the Federal Financial Management Improvement Act;
  - results of OMB Circular No. A-123 assessments;
  - the President's Management Agenda "Report card" status; and
  - percentage or amount of improper payments reported under the Improper Payments Information Act.
* Is the agency demonstrating measurable improvements in its internal control? If not, OMB may encourage progress by requiring an audit on internal control over financial reporting, as it may assist agencies to identify and prioritize solutions to long-standing internal control weaknesses.

As stated previously, set criteria for when an agency should initially require audits of internal control over financial reporting would be more cost effective and efficient in many cases. For example, DOD has many known material internal control weaknesses.
Of the 25 areas on GAO's high-risk list, 14 relate to DOD, including DOD financial management. DOD management is currently working on a long-term plan to remediate its weaknesses, and today it is clearly not even close to being in a position to state that the department has effective internal control over financial reporting. Therefore, little, if any, additional work would be needed for an auditor to render an opinion that internal control over financial reporting was not effective. Thus, the joint study's reported estimate of about $84 million for a DOD internal control opinion does not appear to reflect a reasonable approach to DOD's current situation, and the DOD Inspector General would likely not even contemplate undertaking such an effort at this time. On the other hand, for fiscal year 2005, SSA management reported that SSA had adequate internal control over financial reporting. The auditor's unqualified opinion on internal control over financial reporting at SSA for fiscal year 2005 provided an independent assessment of management's assertion about internal control, which we believe by its nature adds value and credibility similar to the auditor's opinion on the financial statements and provides an external check on the effectiveness of internal control and accountability at SSA. As noted in the joint study, in deciding when to require an opinion on internal control over financial reporting, the facts and circumstances of individual agencies should be considered on a case-by-case basis. For example, as in the case of the recently enacted internal control audit requirement at DHS, the Congress may have particular oversight concerns that could be addressed by an internal control audit. As discussed earlier, because DHS is a new agency comprising numerous entities, the requirement for an internal control audit at this time should be beneficial to both management and congressional oversight. 
Similar to DOD, DHS has many documented internal control weaknesses, the number and nature of which are so serious they should minimize any additional work and incremental cost necessary to issue an adverse opinion on internal control over financial reporting. On the other hand, it is likely that the requirement for an internal control audit has expedited DHS management's development of remediation plans to correct DHS's internal control weaknesses. In any event, while DHS continues toward remediation of its internal control weaknesses, the current incremental cost to render an opinion on DHS's internal control over financial reporting should be minimal.

Conclusions:

As the Congress and the American public have increased demands for accountability, the federal government must respond by having a high standard of accountability for its programs and activities. We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. OMB's efforts to enhance Circular No. A-123 through the December 2004 revision and its continued efforts to improve the quality of internal control in the federal government financial management environment reflect substantial progress in both the criteria and expectations for this issue. History, though, has proven that the execution of laws and regulations needs to be monitored to effectively implement and maintain financial management improvement in the federal government. To that end, specific criteria to ascertain when an agency should initially be required to obtain an audit opinion on its internal control over financial reporting are critical to ensuring that the internal control audits fully contribute to the overarching goal of ongoing improvement in federal agency internal control and accountability.
Additionally, implementing a multiyear cycle for an opinion on internal control over financial reporting could assist in mitigating the cost of the requirement while still providing an effective quality control mechanism for ascertaining that management's assessment of its internal control is reliable. The benefits identified in the joint study along with the additional benefits we identified, although not quantifiable in monetary terms, clearly indicate that having set criteria as to when an agency should initially be required to obtain an auditor opinion on internal control over financial reporting would be a key oversight mechanism for the Congress and ultimately the American taxpayer.

Recommendations for Executive Action:

To ensure that audit opinions on agency internal control over financial reporting are obtained at the proper time and for a reasonable cost, we recommend that the Director, Office of Management and Budget, as a function of OMB's financial management leadership role, (1) develop specific criteria related to when an agency should initially be required to obtain an opinion on internal control over financial reporting and (2) consider establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control over financial reporting, rather than an annual cycle. Such criteria should address the overarching goal of ongoing improvements in federal agency internal control and also consider the facts and circumstances of individual agencies and oversight needs.

Agency Comments and Our Evaluation:

In comments on a draft of this report, reprinted in enclosure IV, OMB's Deputy Director for Management agreed with the ultimate goal of improving internal control in the federal government.
While not specifically addressing our two recommendations, OMB indicated that the most effective and efficient path toward the goal is to give agencies reasonable time to fully implement the requirements of the revised OMB Circular No. A-123 before considering additional requirements. As noted in our report, we agree that agencies should be given the opportunity to implement the revised Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. OMB also provided technical comments, which we reviewed and incorporated as appropriate.

We are sending copies of this report to other interested congressional committees and to the Deputy Director of the Office of Management and Budget, who chairs both the CFO Council and the PCIE. Copies will be made available to others upon request. In addition, this report will also be available at no charge on GAO's home page at http://www.gao.gov.

If you or your staffs have any questions regarding this report, please contact me at (202) 512-9095 or at williamsm1@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report include Casey Keplinger, Assistant Director; Cherry Clipper; Francine DelVecchio; Gabrielle Fagan; and Tim Guinane.
Signed by: McCoy Williams, Director, Financial Management and Assurance

Enclosures - 4

Enclosure I: Joint Study by the Chief Financial Officers Council and the President's Council on Integrity and Efficiency on Estimating the Costs and Benefits of Rendering an Opinion on Internal Control over Financial Reporting:

Estimating the Costs and Benefits of Rendering an Opinion on Internal Control over Financial Reporting: A Joint Study by the Chief Financial Officers' Council and the President's Council on Integrity and Efficiency:

Table of Contents:

* Reason for Survey and Recommendations
* Executive Summary
* Introduction
* Where We Are Today
* The Federal Environment
* New Efforts to Improve Internal Control
* Survey Results
* Estimating the Cost to Render an Opinion on Internal Control
* Identifying the Benefits of Rendering an Opinion on Internal Control
* Experiences of Publicly-Traded Companies
* Experience Estimating the Cost
* First Year Benefits Realized
* Conclusion
* Objectives, Scope, and Methodology
* Attachment A
* Table A: Estimated Audit Costs of Opining on Internal Control over Financial Reporting
* Table B: Additional Work Required to Render an Opinion on Internal Control over Financial Reporting
* Table C: Disadvantages of Opinion on Internal Control over Financial Reporting
* Table D: Benefits of Opining on Internal Control over Financial Reporting

Reason for Survey and Recommendations:

The Department of Homeland Security Financial Accountability Act, P.L. 108-330, directs the Chief Financial Officers Council (CFOC) and the President's Council on Integrity and Efficiency (PCIE) to conduct a joint study on the potential costs and benefits of requiring the Chief Financial Officers (CFOs) Act agencies to obtain audit opinions on internal control over financial reporting. This report contains the results of that joint study.
Because the estimates to render an opinion on internal control are so substantial, both CFOs and Inspectors General (IGs) recommend that all CFO Act agencies should not be required to conduct such an audit at this time. Rather, agencies should be given the opportunity to implement the revised Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, (A-123) and obtain an internal control audit only where particular circumstances warrant such an audit.

Executive Summary:

Much of the debate on the internal control provisions of Section 404 of the Sarbanes-Oxley Act (Section 404) (which requires management to provide an assessment on the effectiveness of internal control and the auditor to attest to, and report on, the assessment made by management) centers around the costs and related benefits of the additional audit assurance. The value and benefit of rendering a separate opinion on internal control over financial reporting must be balanced against the added costs. Estimating these added costs, however, is challenging given the lack of hard data and the number of factors that go into developing a reliable estimate. Similarly, measuring the benefits of the independent audit assurance is equally difficult since ongoing and new management initiatives and existing audit coverage also contribute to strengthening internal control in the Federal Government. Chief among the management initiatives expected to significantly contribute to improved internal control are the recent revisions to A-123.

The cost information provided in this report was developed using estimates and should not be considered "hard" numbers. Moreover, quantifying the incremental benefits of obtaining an audit opinion on the internal control over financial reporting, and hence performing any sort of meaningful cost/benefit analysis, has proven elusive.
How does one, for example, assign a dollar value to preventing a misstatement or fraud of an unknown amount that may or may not occur, or may occur with unknown frequency? Federal IGs estimate that the incremental costs of the audit work needed to render an opinion on internal control for all 24 CFO Act agencies would be more than $140.6 million. Approximately 60 percent of this total, or $84.4 million, is the estimate to render an opinion on internal control for the Department of Defense (DoD). For the 24 CFO Act agencies, the average estimated incremental audit cost is approximately 51 percent of the financial statement audit costs, or more than $5.8 million per reporting entity. Excluding the costs to audit DoD's internal control, the average estimated incremental audit cost is reduced to $2.4 million per reporting entity. Although these estimates are not hard numbers and could be less over time as auditors gain more experience developing a fully integrated audit approach, these costs are significant. These numbers also represent only the increased costs directly attributable to the requirement to render an opinion on internal controls. Several Offices of the Chief Financial Officers (OCFOs) believe they also will incur additional costs to support the audit effort. The additional costs that management must incur to support this effort are not part of this report. A majority of the OIGs and OCFOs believe that some benefits may be derived from this type of audit. They cited (1) improved internal control and reduced material weaknesses, (2) reduced errors and improved data integrity, documentation reliability and reporting, and (3) improved agency focus and oversight as the top three potential benefits that may be gained from an opinion on internal control. They also believe that identifying new material weaknesses and reportable conditions are possible benefits. 
Both groups, however, believe that these benefits should largely be achieved when agencies effectively implement the revisions to A-123. The revisions strengthened the requirements for management's assessment of internal control over financial reporting. Because the IGs assisted OMB in revising A-123, along with the CFOs, there is a level of confidence that, if agencies properly implement A-123, the result should be an effective internal control review and testing program. Therefore, except for the additional assurance provided by an opinion on internal control, the benefits can already be realized from an internal control review program implemented by management (similar to Section 404). An effective and meaningful cost/benefit analysis should not compare the incremental audit costs to all of the benefits that could be achieved through a process similar to that under Section 404. The true benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is fairly presented. It is difficult, if not impossible, to determine the incremental benefit of the auditor's opinion without first knowing how well management does in performing its assessment under the revised A-123. That knowledge will come, at least in part, through the financial statement audit process, as auditors are required to report on an agency's compliance with laws and regulations. While not a formal opinion, it will be a useful tool in helping OMB and other stakeholders assess the implementation effort on the part of federal managers. Based on cost data currently available from the private sector (which is significantly higher than originally projected) and the estimates that are beginning to be developed for the public sector, most industry experts agree that there are significant incremental costs associated with obtaining an opinion on internal control over financial reporting. 
In addition, there is a general consensus that, at least in the early stages of implementing Section 404, it is difficult to determine the incremental benefits that might be gained from the additional work. Before incurring these additional costs in the Federal sector, the OIGs and OCFOs believe that it would be prudent to take a less costly approach and allow Federal managers to first implement the revised A-123, and then evaluate that effort, along with the private sector's implementation of Sarbanes-Oxley, as additional information becomes available. And even then, given the inherent differences between agencies, it might be judicious to follow the same logic that forms the basis for A-123, and implement any incremental work on a case-by-case basis. The decision to obtain an audit opinion must be made initially by each agency, and other knowledgeable parties, based on the condition of its financial management program. Agencies that already have problems obtaining a clean opinion on their financial statements do not need to obtain an opinion on internal control to tell them they have material weaknesses. On the other hand, some agencies may want the added assurance that is achieved by obtaining an opinion on internal control. Introduction: The Department of Homeland Security Financial Accountability Act, P.L. 108-330, directs the CFOC and the PCIE to conduct a joint study, and to report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the CFO Act to obtain audit opinions of their internal control over financial reporting. This report contains the results of that joint effort. Working under the leadership of OMB, which chairs both councils, we surveyed the IGs for their estimate of the costs of the incremental audit work and asked the IGs and the CFOs for their input on the challenges and benefits of obtaining an opinion on internal control. 
In addition, we looked at the experiences of publicly-traded companies which, at this point, have had a year of experience implementing Section 404 of the Sarbanes-Oxley Act. We also considered the environment in which the Federal Government operates which differs considerably from the one in which publicly-traded companies operate. Finally, we considered the anticipated benefits that are expected to be achieved through the revisions to A-123 which become effective in fiscal year 2006. Where We Are Today: The Federal Environment: Unlike the private sector, the Federal Government operates in an environment that is subject to more legislative and regulatory requirements designed to promote and support effective internal control. Although these laws and regulatory requirements have not proven fully effective in establishing a strong system of internal control by themselves, taken as a whole, they have created an environment in which accuracy, timeliness, and accountability have become a maxim for many Federal agencies. Also contributing to this robust control environment are the rigorous existing auditing requirements relating to internal control and the many initiatives implemented by the Administration through the President's Management Agenda (PMA). While the Sarbanes-Oxley Act created a new requirement for managers of publicly-traded companies to report on internal controls over financial reporting, Federal managers have been subject to similar internal control reporting requirements for many years as well as other numerous legislative and regulatory requirements that promote and support effective internal control. The Federal Managers' Financial Integrity Act (FMFIA) of 1982 provides the statutory basis for management's responsibility for and assessment of internal control. 
In addition, the CFO Act, which was passed in 1990, requires agency CFOs to, "develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls, which ... complies with applicable ... internal control standards." The Federal Financial Management Improvement Act (FFMIA) of 1996 and OMB Circular No. A-127, Financial Management Systems, instructed agencies to maintain an integrated financial management system that complies with Federal system requirements, Federal accounting standards, and the U.S. Standard General Ledger at the transaction level. The Federal Information Security Management Act of 2002 requires agencies to provide information security controls proportionate with the risk and potential harm of not having those controls in place. The Improper Payments Information Act of 2002 requires agencies to review and "...identify programs and activities that may be susceptible to significant improper payments." The Inspector General Act (IG Act) of 1978, as amended, requires that IGs submit semiannual reports to the Congress on significant abuses and deficiencies identified in their audits, and to recommend actions to correct those deficiencies. Just as Federal agency management has been subject to more stringent internal control requirements than private sector entities, auditors of Federal entity financial statements have traditionally been subject to more rigorous auditing requirements relating to internal control than their counterparts in the private sector. Before the passage of the Sarbanes-Oxley Act and its increased audit requirements, auditing standards in the private sector did not require auditors to test internal control if they did not plan to rely on the internal control in performing their audit. These standards also did not require auditors to publicly report, in writing, internal control deficiencies found during the audit. 
In contrast, the auditing requirements issued by OMB for audits of agency-wide financial statements under the CFO Act have always required the auditor to perform sufficient tests of internal control to support a low assessed level of control risk for those internal controls that have been properly designed and placed in operation. And since 1981, Government Auditing Standards have required auditors to publicly report, in writing, deficiencies in internal control found during financial statement audits. In addition to legislative and regulatory requirements, initiatives implemented by the Administration have also strongly impacted the Federal control environment. Under the PMA, OMB monitors internal control weaknesses regularly. To receive green, or a successful rating, on the PMA scorecard, agencies must eliminate all internal control weaknesses. Quarterly, OMB monitors agency performance in meeting corrective action plan targets established under the PMA scorecard. Agencies are required to submit corrective action plans to OMB to resolve internal control weaknesses reported. Quarterly, agencies are graded on their progress in achieving the corrective action milestones contained in their plans. Across the government, a total of 13 new weaknesses were reported in FY 2004 - a net increase of two new weaknesses from FY 2003. This increase, albeit small, may be attributed to the accelerated reporting requirement mandated by OMB, which placed greater emphasis on the need for effective financial reporting controls. However, as internal control is strengthened at agencies to routinely meet accelerated reporting dates, internal control weaknesses should be reduced. Total FMFIA material weaknesses and nonconformances decreased by nearly 11 percent. New Efforts to Improve Internal Control: In light of the new requirements for publicly-traded companies contained in the Sarbanes-Oxley Act, OMB re-examined the existing internal control requirements for Federal agencies. 
As a result, A-123, which implements FMFIA, has been revised to strengthen the requirements for conducting management's assessment of internal control over financial reporting. The circular is effective beginning in fiscal year 2006. A-123 recognizes that there is an appropriate balance between controls and risk in an agency's programs and operations. Too many controls can result in inefficient and ineffective government. The benefit should outweigh the cost. Under A-123, agencies are required to integrate their internal control efforts to meet the requirements of FMFIA with other efforts to improve effectiveness and accountability. Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. Thus the revisions to A-123 require management to strategically evaluate internal control risks and directly test, document, and report on the effectiveness of financial controls. Additionally, existing audit requirements in OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements, require the auditor to obtain an understanding of the process by which the agency identifies and evaluates weaknesses reported under FMFIA, and to report instances where the agency's FMFIA process failed to detect and report material weaknesses. In keeping with the balance between controls and risk, under A-123 agencies may, at their discretion, elect to receive an audit opinion on internal control over financial reporting. Also, if an agency cannot meet the deadlines outlined in its approved corrective action plan, OMB may, at its discretion, require the agency to obtain an independent audit opinion of the agency's internal control over financial reporting as part of its financial statement audit. 
Today, three[Footnote 25] of the 24 CFO Act agencies have subjected their internal control over financial reporting to examination. In the most recent report on internal control over financial reporting, one agency received an unqualified opinion, and the other two received qualified opinions because of material weaknesses. The agency that received an unqualified opinion identified reportable conditions. Survey Results: Estimating the Cost to Render an Opinion on Internal Control: Given the IGs' responsibility to audit the financial statements, or to determine the independent external auditor, we asked them to provide an estimate of the cost to render an opinion on internal control over financial reporting. It is important to recognize, however, that estimating the cost to render an internal control opinion is challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate. While we provide estimated cost information in this report, these estimates should not be considered hard numbers. In a number of responses, the OIGs reported a range for the cost estimate rather than a single dollar amount. In these cases, the cost estimate that we included in our totals and averages reflects the middle of the range provided by the OIGs. These estimates are only for the incremental cost of the additional internal control work required to render an opinion on internal control. They exclude management's cost to support the audit effort, or to implement the new requirements in A-123, Appendix A. Although we did not collect cost estimates for management's activities, some CFOs believe that additional costs would be incurred. See Table A for information on the estimated incremental audit costs. In addition, to avoid skewing the overall and agency totals, we also provide estimates that exclude the audit costs for DoD. 
These alternative numbers are useful since there may be limited utility in obtaining an opinion on internal control given the material weaknesses at DoD, and the great uncertainty in developing a cost estimate for a department that has not yet established a baseline cost to audit its financial statements. The estimated cost to render an audit opinion on internal control for all 24 CFO Act agencies is more than $140.6 million, of which $56.2 million, or 40%, is for the 23 civilian CFO Act agencies. The average incremental audit costs are estimated to be approximately 51 percent of the financial statement audit costs, or more than $5.8 million per reporting entity. Excluding DoD, the cost per reporting entity is $2.4 million. The incremental cost estimates ranged from as low as 6.5 percent to more than 100 percent of the cost of the financial statement audit. In dollar terms, these costs ranged from $38,000[Footnote 26] to $84.4 million. The wide range of costs reflects the relative size and complexity of the entity being audited. Driving these costs is the additional work that the auditor would need to perform, beyond the requirements of OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements, and the PCIE/Government Accountability Office Financial Audit Manual, in order to render an opinion on an agency's internal control. In general, OIGs believe a substantial amount of additional work would need to be performed in order to render an opinion on internal control, but noted that the extent of additional testing necessary is subject to auditor judgment. Additional or different controls would have to be tested based on management's assessment of those controls and risk factors associated with the entity. 
In this regard, the auditor would need to evaluate management's own testing and documentation of the controls, assess the criteria used, review the internal control documentation, identify missing controls, test the identified controls, and report on the effectiveness of those controls. See Table B for OIG responses on the additional work needed to render an opinion on internal control. Observation: A number of OIGs and CFOs believe that significant audit costs are a major deterrent to requiring an opinion on internal control. This is especially true when one considers A-123 since the benefits realized by the Federal sector after implementing the revised circular may not be as dramatic as in the private sector, where companies have gone from virtually no internal control reporting to the requirements of Section 404. See Table C for disadvantages reported by the OIGs. Many OIGs and OCFOs commented that the costs associated with obtaining the audit opinion may exceed the benefit that would be derived from the process. As reported above, the OIGs estimated that the additional work could increase the audit fees by more than 50 percent. Although the costs in the later years may drop, the incremental audit costs are expected to be substantial, costing an estimated average of more than $2.4 million. It is questionable whether the benefits from obtaining an audit opinion are substantial enough, beyond those derived from implementing the revised A-123, to justify the incremental audit cost and the costs to support the audit. The OIGs also identified budget constraints as another disadvantage to requiring an opinion on internal control. OIGs commented that some agencies may not be able to obtain the resources, both staff and funding, needed to prepare for a successful audit, let alone the resources needed to perform the audit. 
One OIG noted that strong performance measures, such as a reduction in financial management costs and improved reporting, should be in place to ensure the efficient use of resources before an opinion on internal control is required. Some OIGs commented that their budgets barely cover their costs to meet existing audit requirements. These OIGs felt that if an opinion on internal control is mandated, it must also be funded. They noted that unfunded mandates would be difficult to absorb and would require them to divert resources and funds from other audit areas that could provide far greater benefits than what an opinion on internal control over financial reporting would provide. Some OIGs and OCFOs also questioned the need to obtain an opinion on internal control in certain circumstances. For example, if an agency is reporting material weaknesses through its financial statement audit process, there is a high likelihood that the auditors would issue a qualified, or disclaimer of, opinion on internal control, adding little benefit for an opinion. Also, if an agency effectively implements the revised requirements of A-123, there may be little value in requiring an opinion on internal control. Several OIGs commented that any new requirements to obtain an opinion on internal control over financial reporting should be implemented gradually, if at all. It should not be a "one size fits all." Any requirement to obtain an opinion on internal control should strike a reasonable balance between the costs and benefits, recognizing the strengthened controls and oversight that already exist in the Federal Government. Identifying the Benefits of Rendering an Opinion on Internal Control: Unlike costs, which to some degree can be estimated, benefits can only be described in general terms, making a cost/benefit analysis difficult. The most easily identifiable benefit is the further independent assurance. 
Specific OIG responses on the benefits of obtaining an opinion varied, and not all benefits identified are captured in this report. For purposes of effectively analyzing and reporting on the OIG responses, we summarized their responses into seven categories. The seven categories and OIG responses are included in Table D. The OIGs for the three agencies that already provide an opinion on internal control over financial reporting identified several benefits to obtaining an opinion on internal control over financial reporting. Specifically, all three reported (1) improved internal control and reduced material weaknesses, and (2) reduced errors and improved data integrity, documentation reliability and reporting as benefits of the additional work. Two of the OIGs also reported identifying new material weaknesses and reportable conditions as benefits from this process. One OIG reported improved agency focus and oversight as an additional benefit. None of the three OIGs could quantify the benefits realized. Most of the OIGs of agencies that do not provide an opinion on internal control over financial reporting believe that benefits may be derived from this type of audit. Their answers were similar to answers provided by their counterparts at agencies that do provide an opinion on internal control. They also cited a third benefit: improved agency focus and oversight. Six OIGs also reported the detection of new material weaknesses and reportable conditions as possible benefits. Four OIGs reported that there is little or minimal benefit in obtaining an opinion on internal control over financial reporting. For example, if an agency receives a clean opinion, has no material weaknesses or reportable conditions, and actively corrects the identified internal control deficiencies, new material weaknesses may not be identified. 
Conversely, in situations where an agency has existing material weaknesses, it may not be an efficient use of resources to require an opinion on internal control over financial reporting until the material weaknesses are resolved. Observation: The benefits identified above should largely be achieved by a number of management and audit initiatives that are currently underway, and cannot be attributed solely to an opinion on internal control. Specifically, many of these benefits should be achieved when agencies effectively implement the revisions to A-123[Footnote 27] which strengthened the requirements for management's assessment of internal control over financial reporting. Because the IGs assisted OMB in revising A-123, along with the CFOs, there is a level of confidence that, if agencies properly implement A-123, the result should be an effective internal control review and testing program. Therefore, except for the additional assurance provided by an opinion on internal control, the benefits can already be realized from an internal control review program implemented by management (similar to Section 404). In addition, the financial statement audits as currently conducted include tests of compliance with laws and regulations, which will provide an independent check on agencies' A-123 implementation efforts. In addition, as part of the financial statement audit, the auditor must already (1) obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA and related agency implementing procedures, and (2) compare material weaknesses disclosed during the audit with those material weaknesses reported in the agency's FMFIA report that relate to the financial statements and document material weaknesses disclosed by the audit that were not reported in the agency's FMFIA report. 
The auditor must also consider whether the failure to detect and report material weaknesses constitutes a reportable condition or material weakness in the entity's internal control. Other initiatives currently underway that contribute to the achievement of the above benefits include the process and control improvements resulting from accelerated reporting, and the focus on internal control in the Executive Scorecard that rates agencies' performance in meeting the PMA initiative on improving financial management. An effective and meaningful cost/benefit analysis should not compare the incremental audit costs reported above to all of the benefits that could be achieved through a process similar to that done under Section 404. The real benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is fairly presented. It is difficult, if not impossible, to determine the incremental benefit of the auditor's opinion without first knowing how effectively management performs on its assessment under the revised A-123. To some extent, this assessment will be done under the current requirements for Federal financial statements since the auditor must obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA and to report instances where the reporting entity's FMFIA process failed to detect and report material weaknesses. Beginning in fiscal year 2006, this process will be done using the revised A-123 which strengthened management's assurance statements process. Experiences of Publicly-Traded Companies: In addition to surveying the OIGs and OCFOs, we also reviewed information about the private sector to provide additional insight on the costs, benefits, and challenges of obtaining an opinion on internal control over financial reporting. 
The information is drawn from articles on the costs, and associated benefits, of complying with the Sarbanes-Oxley Act and statements made by representatives of public companies, members of audit committees, and auditors who testified before the Securities and Exchange Commission on their experiences implementing the Act. We did not corroborate this information. Experience Estimating the Cost: Initial cost estimates to comply with the Sarbanes-Oxley Act were low. Studies conducted by an association for financial executives[Footnote 28] found that total costs, including the costs of management's assurance assessment, averaged $4.36 million. These costs were up 39 percent from the $3.14 million they expected to pay initially. Total cost of compliance averaged $1.34 million for internal control, $1.72 million for external costs, and $1.30 million for auditor fees. The auditor fees are in addition to companies' financial statement audit fees, on average 57 percent higher. Data in another study[Footnote 29] from 90 Fortune 1000 companies[Footnote 30] who are audited by the nation's four largest accounting firms[Footnote 31] shows that issuers spent substantial sums to comply with the new reporting requirements. On average, the companies in the sample each spent $7.8 million to implement Section 404 overall. Audit fees accounted for approximately one quarter of the total compliance costs, or an average of $1.9 million. Some have suggested that Section 404 compliance costs will decline over time, pointing to one-time start-up expenditures and "learning curve" costs that typically occur with any new reporting requirement. Others have suggested that first year costs include deferred maintenance of internal control systems that have been allowed to degrade. If these views are correct, compliance costs would be expected to decline over time. Survey responses by audit firms support this hypothesis. 
On average, audit firm respondents believe that the total 2005 compliance costs of the clients in the sample, including Section 404 audit fees, will average $4.2 million - 46 percent less than the estimated 2004 costs. First Year Benefits Realized: A primary benefit cited by many observers is that the heightened attention to internal control will enhance the reliability of financial statements by helping companies to identify internal control deficiencies and remediate these deficiencies in a timely manner. To assess the full effects of the new reporting requirement, Charles River Associates[Footnote 32], a consulting firm, sampled 90 Fortune 1000 companies to gather information about the total number of deficiencies identified by the issuer or the auditor in the Section 404 process regardless of whether the deficiency was remediated prior to the year-end assessment date.[Footnote 33] On average, for year-end 2004, management and the independent auditor identified 348 deficiencies per company. Of these, management remediated an average of 271 deficiencies prior to their year-end assessment date. The remaining 77 deficiencies are expected to be remediated in the future. Of the unremediated deficiencies, almost 96 percent were classified as control deficiencies not rising to the level of a significant deficiency or material weakness. The data showed an average of 74 control deficiencies and three significant deficiencies per company still existed at year-end. A total of five material weaknesses were unremediated as of the year-end assessment date across the 90 companies for which data was available.[Footnote 34] Observation: Recognizing that the number of the findings per company is quite substantial, the number of material weaknesses for 90 companies was low, with only five unremediated material weaknesses at the end of the assessment period. 
The cost for 90 companies to identify these material weaknesses, however, was significant, totaling $702 million.[Footnote 35] Also, on the whole, it is difficult to imagine that Federal agencies would identify the same number of deficiencies that publicly-traded companies identified in their first year of implementing Section 404. Although companies in the private sector have been required to maintain effective internal controls under the Foreign Corrupt Practices Act of 1977, many behavioral changes did not occur until the Sarbanes-Oxley Act. The same cannot be said of the Federal Government, which has seen tremendous improvements in financial management practices in the past 15 years. Passage of key legislation, more congressional oversight on financial management matters, hiring highly recognized CFOs from the corporate world, and the PMA have all contributed toward creating an environment that supports strong internal control. Many of the articles and links that we used in conducting this study are included in Attachment A. Conclusion: Based on data currently available from the private sector and the estimates that are beginning to be developed for the public sector, most industry experts agree that there are significant incremental costs to obtaining an opinion on internal control over financial reporting. In addition, there is a general consensus that, at least in the early stages of implementing Section 404, it is difficult to determine the incremental benefits that might be gained from the additional work. The critical question which needs to be addressed in assessing the benefits of obtaining an audit opinion on internal controls is whether the benefits derived significantly exceed the results of agencies' implementation of the revised A-123. 
Before incurring these additional costs, it would be prudent to see how Federal managers implement the revised A-123 and evaluate the private sector's implementation of Sarbanes-Oxley when additional information becomes available. And even then, given the inherent differences between agencies, it would be judicious to implement the incremental work on a case-by-case basis. The decision on whether to obtain an opinion needs to be decided by each agency, and other knowledgeable parties, depending on the condition of its financial management program. Agencies that already have problems obtaining a clean opinion on their financial statements do not need to obtain an opinion on internal control to tell them they have material weaknesses. On the other hand, agencies that believe they are leading organizations may want the added assurance that can be achieved by obtaining an opinion on internal control.

Objectives, Scope, and Methodology: The objective of our study was to gather information on the potential costs and benefits of requiring the CFO Act agencies to obtain audit opinions on internal control over financial reporting. To accomplish this objective, the CFOC and the PCIE, under the leadership of OMB, who chairs each council, canvassed the Federal community for their input. OMB requested that the PCIE Audit Committee coordinate the collection of cost and benefit information from the IG community. The Audit Committee Chair sent a questionnaire to the IG community to gather data on the estimated audit costs and the benefits of performing an examination under the standards of AT § 501, Reporting on an Entity's Internal Control Over Financial Reporting. The Audit Committee received responses from each of the IGs at the 24 CFO Act agencies and then summarized the information. We shared the summary with the respondents to ensure that we had accurately captured their comments. 
To gather input from the CFOs on the challenges and benefits of obtaining an opinion on internal control, we shared the results of the IG survey with the CFOC's Policies and Practices Committee and incorporated their comments. We then shared the draft study with the full PCIE and CFOC whose comments and insights were also subsequently incorporated. During this final comment period, we also asked the members to respond to two questions about the expected benefits of A-123 and obtaining an opinion on internal control. Because publicly-traded companies had one year of experience implementing Section 404, we also looked at their experiences. We considered these experiences in light of the different environments in which the Federal Government and publicly-traded companies operate. We also considered the revisions to A-123, effective beginning in fiscal year 2006, which has many similarities to Sarbanes-Oxley. We did not ask for supporting documentation on how the OIGs developed the cost estimates and we made some interpretation in analyzing the results. We reviewed numerous articles, surveys, and statements made before regulatory bodies relating to the implementation of Section 404 of the Sarbanes-Oxley Act. We did not, however, review all statements made before regulatory bodies.

Attachment A: Below are some of the links to articles or studies that we used that provide cost/benefit information related to implementation of Sarbanes-Oxley or similar requirements related to reporting on internal control over financial reporting.

1. http://www.nysscpa.org/cpajournal/2004/1104/perspectives/p6.htm
2. http://www.404institute.com/docs/SOXSurveyJuly.pdf
3. http://www.managementconsultancy.co.uk/news/1137963
4. http://www.usatoday.com/money/companies/regulation/2003-10-19-sarbanes_x.htm
5. http://www.auditnet.org/articles/Sarbanes-Oxley_Implementation_Costs.pdf
6. http://www.cfo.com/index.cfm/1_emailauthor/3661477/c_3661527/2984986
7. http://www.cfo.com/article.cfm/3010299/l/c_3046597?f=TIFarticle021105
8. http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci1031357,00.html
9. http://www.404institute.com/archived_results.aspx
10. Word document: Sarbanes-Oxley for Feds.doc; PDF: SO Act Section 404 Practical Guide July 2; PDF: Federal Agencies - Will Sarbanes-Oxley; Word document: SOX 404.doc; Word document: Audit Fees Double Due to Sarbox.doc
11. http://accounting.smartpros.com/x46291.xml
12. http://accounting.smartpros.com/x42491.xml
13. http://www.eweek.com/article2/0,4149,1238790,00.asp
14. http://techupdate.zdnet.com/techupdate/stories/main/Sarbanes_Oxley_Compliance_Spending.html?tag=tu.fd.css.link
15. http://www.cfodirect.com/
16. http://www.amrresearch.com/content/resourcecenter.asp?id=429#
17. http://www.fei.org (numerous Sarbanes-Oxley articles and resources)
18. http://www.sec.gov/spotlight/soxcomp.htm

Supporting Tables:

Table A: Estimated Audit Costs of Opining on Internal Control Over Financial Reporting:

[See PDF for Image]

Total Cost for 24 CFO Act Agencies: $140,637,980
Total Cost for 23 Civilian CFO Act Agencies: $56,287,980
Average Cost per Agency to Render an Opinion on Internal Control:
24 CFO Act Agencies: $5,859,916
23 Civilian CFO Act Agencies: $2,447,303

* = Agency previously has obtained an opinion on internal controls.
** = Audit Costs include significant OIG and/or independent Public Accountant costs to conduct the financial statement audit but exclude CFO preparation costs related to the audits.
*** = When an agency provided a range of the cost estimate or percent, the mid-level range was used to calculate the cost or the percent amounts. 
[End of Table] Table B: Additional Work Required to Render an Opinion on Internal Control Over Financial Reporting: Agency: AID; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: DHS; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: DOC; Test 
Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: X. Agency: DOD; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOE; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal 
Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOI; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOJ; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause 
Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: X; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOL; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOT; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 
Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: ED; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: X; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: EPA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems 
Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: GSA*; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: HHS; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra 
Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: HUD; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: NASA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: NRC*; Test 
Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: NSF; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: X. 
Agency: OPM; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: SBA; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: SSA*; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, 
Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: State; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: Treasury; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; 
Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: USDA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: VA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control 
Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Sum Totals; Test Additional/Different Controls Based On Management's Assessments: 18; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 13; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 6; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 2; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 9; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 5; Minimal additional testing/or no answer: 2. 
Opinion; Test Additional/Different Controls Based On Management's Assessments: 2; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 2; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 0; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 1; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 0; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 2; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 0; Minimal additional testing/or no answer: No Opinion; Test Additional/Different Controls Based On Management's Assessments: 16; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 11; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 6; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 1; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 2; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 7; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 5; Minimal additional testing/or no answer: 2. 
All 24; Test Additional/Different Controls Based On Management's Assessments: 75%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 54.2%; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 25%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 8.3%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 8.3%; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 37.5%; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 20.8%; Minimal additional testing/or no answer: 8.3%. Opinion; Test Additional/Different Controls Based On Management's Assessments: 8.3%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 8.3%; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 0.0%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 4.2%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 0%; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 8.3%; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 0%; Minimal additional testing/or no answer: 0%. 
No Opinion; Test Additional/Different Controls Based On Management's Assessments: 66.7%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 45.8%; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 25%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 4.2%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 8.3%; New or Modified systems Processes; Controls can increase the scope of work; Will have to document/test IT/ General and Application Controls Testing Increase: 29.2%; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 20.8%; Minimal additional testing/or no answer: 8.3%.

* Agency previously has obtained an opinion on internal control.

[End of Table]

Table C: Disadvantages of Opining on Internal Control Over Financial Reporting:

[See PDF for Image]

[End of Table]

Table D: Benefits of Opining on Internal Control Over Financial Reporting:

[See PDF for Image]

[End of Table]

To access the Joint Study, see www.ignet.gov/randp/rpts1.html#2005.

[End of Section]

Enclosure II: PCIE Survey - "Estimated Audit Costs of Opining on Your Agency's Internal Control over Financial Reporting in Accordance with AT§501 of the Professional Standards and Related Information"

Estimated Audit Costs of Opining on Your Agency's Internal Control over Financial Reporting In Accordance with AT §501 of the Professional Standards And Related Information:

Costs:

1. Have you been providing an opinion on your agency's internal control over financial reporting? If so, for how long. What opinion(s) was rendered?

2.
For agencies already engaged in opining on internal control over financial reporting, what was the estimated total dollar cost of performing the work to obtain the opinion? Include only the cost to the OIG, not management's costs to support the audit effort or to implement the new requirements of Appendix A to Circular A-123. Please provide only the incremental costs of the additional internal control work required to render an opinion over the internal control work required by OMB Bulletin 01-02, for the first year the opinion was rendered. If the costs are inseparable from the overall financial statement audit costs, please provide an estimate of the incremental cost.

3. For those agencies that have not previously performed opinion level work, please provide the best estimate of cost that you can. Include only the estimated cost to the OIG, not management's estimated costs to support the audit effort or to implement the new requirements of Appendix A to Circular A-123. For those agencies contracting for the financial statement audits, you probably need to seek the input of your engagement partner. You may provide a range of the estimated cost or state it as a percentage of the financial statement audit costs, if that is more reasonable. Also, please provide any assumptions made and any other contextual basis for your estimate.

4. What is the total cost of the annual financial statement audit for the years for which you provided an estimate of the cost of an opinion on internal control over financial reporting? This will help provide context for the cost of the additional internal control work.

Additional Work Required:

For those agencies that already render opinions on their agencies' internal control, please answer questions 5 and 6 based on your actual experience. For those agencies that do not render opinions on their agencies' internal control, please provide your thoughts on the additional work you believe would be needed for your agency.

5.
What additional work beyond what is currently performed to meet the requirements of OMB Bulletin 01-02 and the PCIE/GAO Financial Audit Manual (FAM) do you believe would need to be performed, in order to render an opinion on your agency's internal control? For example, would you need to consider additional or different control activities? Would you need to increase the extent of your testing of internal control? Other?

6. How would you characterize the extent of additional work required to render an opinion on internal control over what is currently required by Circular 01-02 and the FAM? (Please select from the following choices: Substantial, Moderate or Minimal/None.)

Benefits:

7. For those agencies that have already provided an opinion on internal control over financial reporting, what benefits to your agency have you observed from the process? Have you observed any disadvantages? If so, please describe. This should be based on your observations and experiences. For example, did you identify additional material weaknesses and / or reportable conditions not previously identified? Are there other benefits to you or your agency in doing this work? Please provide some context concerning the state of internal controls prior to performing work to render an opinion on controls over financial reporting.

8. For those agencies that have not been performing the work for an opinion on internal control over financial reporting, what do you believe would be the perceived benefits to your agency of obtaining an opinion on internal control? For example, do you believe additional material weaknesses or reportable conditions would be identified? Other benefits? Please provide some context concerning the current state of internal controls over financial reporting.

9. What would be the disadvantages to obtaining an opinion on internal control in your agency?

10.
Please provide copies of any articles / studies or links to web sites that you are aware of that provide cost / benefit type information related to implementation of Sarbanes Oxley or similar requirements related to reporting on internal control over financial reporting.

11. Please feel free to provide any other input or comment regarding the cost and benefits of obtaining an opinion on internal control over financial reporting:

[End of Section]

Enclosure III: Two Additional Questions Asked of the CFOs and IGs about the Expected Benefits of Circular A-123 and Obtaining an Opinion on Internal Control:

1. The study observes that many of the identified benefits of an audit opinion on internal control will be achieved if agencies effectively implement the revisions to Circular A-123. In addition to the revised A-123, many existing management and audit activities contribute to these same benefits. The real benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment is fairly presented. Do you agree with these statements?

2. Do you believe that the additional costs associated with going beyond the requirements of the revised Circular A-123 to render an opinion on internal control are commensurate with the added benefits that would be gained?

[End of Section]

Enclosure IV: Comments from the Office of Management and Budget:

Executive Office Of The President:
Office Of Management And Budget:
Washington, D.C. 20503:

Deputy Director For Management:

August 23, 2006:

Mr. McCoy Williams:
Director, Financial Management and Assurance:
United States Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr.
Williams:

Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report GAO-06-2558, Cost and Benefit Review of Internal Control Audits. Overall, the Office of Management and Budget (OMB) agrees that our ultimate goal is to improve the internal control within the Federal government. We continue to believe the most effective and efficient path toward this goal is to give agencies a reasonable time to fully implement the requirements of the OMB Circular No. A-123, Management's Responsibility for Internal Control. We also believe it is prudent to further observe the implementation of the Sarbanes-Oxley Act in the private sector. This will allow time for the auditing standards surrounding an opinion on internal control over financial reporting to stabilize before considering additional requirements within the Federal government.

We appreciate the continued cooperation between GAO, the President's Council on Integrity and Efficiency (PCIE) and the Chief Financial Officers Council (CFOC) on important issues such as the topic of this report and the related cost/benefit study conducted by the PCIE and CFOC. We look forward to working together to achieve our joint goal of maintaining effective internal control within the Federal government.

If you have any additional questions or comments, please feel free to contact Danny Werfel in the Office of Federal Financial Management at 202-395-3993.

Signed by:

Clay Johnson III:
Deputy Director for Management:

[End of Section]

(195089):

FOOTNOTES

[1] The CFO Council is an organization comprised of the CFOs and Deputy CFOs of the 24 CFO Act agencies, senior officials in the Office of Management and Budget (OMB), and the Department of the Treasury who work collaboratively to improve financial management in the U.S. government.
[2] The PCIE was established in May 1992 to (1) address integrity, economy, and effectiveness issues that transcend individual government agencies and (2) increase the professionalism and effectiveness of inspector general personnel throughout the government. The PCIE is composed primarily of the presidentially appointed inspectors general. Officials from OMB and the Federal Bureau of Investigation, Office of Government Ethics, Office of Special Counsel, and Office of Personnel Management serve on the PCIE as well.

[3] See 31 U.S.C. § 901(b)(1) for a list of agencies.

[4] Both the PCIE and the CFO Council are chaired by OMB's Deputy Director for Management.

[5] OMB Circular No. A-123, Management's Responsibility for Internal Control (revised December 2004).

[6] Pub. L. No. 107-204, § 404, 116 Stat. 745, 789 (July 30, 2002).

[7] In conducting the joint study, the CFO Council and the PCIE did not verify the cost data included in the report and our scope of work did not include independent validation of the cost information.

[8] "Reporting on an Entity's Internal Control over Financial Reporting," AT Section 501, Codification of Statements on Auditing Standards, American Institute of Certified Public Accountants.

[9] Pub. L. No. 81-784, 64 Stat. 832 (Sept. 12, 1950).

[10] The Comptroller General revised the standards in 1999, based on developments in internal control theory, including the internal control framework recommended in the report of the Committee on Sponsoring Organization of the Treadway Commission, the effects of information technology, and the passage of a series of landmark reforms. GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[11] See (1) GAO, Implementation of the Federal Managers' Financial Integrity Act: First Year, GAO/OCG-84-3 (Washington, D.C.: Aug.
24, 1984); (2) GAO, Financial Integrity Act: The Government Faces Serious Internal Control and Accounting Systems Problems, GAO/AFMD-86-14 (Washington, D.C.: Dec. 23, 1985); (3) GAO, Financial Integrity Act: Continuing Efforts Needed to Improve Internal Control and Accounting Systems, GAO/AFMD-88-10 (Washington, D.C.: Dec. 30, 1987); and (4) GAO, Financial Integrity Act: Inadequate Controls Result in Ineffective Federal Programs and Billions in Losses, GAO/AFMD-90-10 (Washington, D.C.: Nov. 28, 1989).

[12] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005).

[13] GAO, Financial Management: Effective Internal Control Is Key to Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005).

[14] This section of the Attestation Standards, issued by the American Institute of Certified Public Accountants, provides the standards for the practitioner who is engaged to issue or does issue an examination report on the effectiveness of an entity's internal control over financial reporting. This section is currently under revision.

[15] The CFO Council's Financial Management Policies and Practices Committee is comprised of representatives from federal agencies who work collaboratively to identify and address emerging issues.

[16] OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, was recently superseded by the updated audit requirements included in OMB Bulletin No. 06-03, Audit Requirements for Federal Financial Statements (Aug. 23, 2006).

[17] Appendix A to Circular No. A-123 provides a methodology for agency management to assess, document, and report on internal control over financial reporting.

[18] See footnote 14.

[19] In the case of DHS, as part of the audit of its fiscal year 2005 financial statements, the auditor in disclaiming its opinion on the financial statements reported 10 material weaknesses and 2 reportable conditions. Individually and collectively, these problems are very serious.

[20] Pub. L. No.
95-213, 91 Stat. 1494 (Dec. 19, 1977).

[21] Public Company Accounting Oversight Board, Report of the Initial Implementation of Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," PCAOB Release No. 2005-023 (Washington, D.C.: Nov. 30, 2005).

[22] Pursuant to 15 U.S.C. §7213, PCAOB issued Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit on Financial Statements, PCAOB Release No. 2003-017 (Washington, D.C.: Oct. 7, 2003). PCAOB has recently announced that it is considering amending this standard.

[23] Currently, we perform financial statement audits at the Federal Deposit Insurance Corporation, the Internal Revenue Service, the Securities and Exchange Commission, and the American Battle Monuments Commission.

[24] GAO, Financial Management: Effective Internal Control Is Key to Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005).

[25] The General Services Administration (GSA), the Nuclear Regulatory Commission, and the Social Security Administration have obtained an opinion on internal control over financial reporting for 12 years, 10 years, and 8 years, respectively. GSA, however, has not subjected its internal control over financial reporting to an audit since fiscal year 2003.

[26] The actual costs, however, could be higher than the estimates which were reported. One agency reported a cost of $38,000 but they qualified the amount, noting that it was the amount bid five years ago before the Sarbanes-Oxley Act was implemented. The agency believes that these costs would be significantly higher in the outgoing years.

[27] The revised A-123 now requires Federal managers, as a subset of FMFIA Section 2 reporting, to provide an assurance statement on internal control over financial reporting.
To make this assurance statement, the agency must establish a senior assessment team to ensure that staff or contractors carry out the assessment in a thorough, effective, and timely manner. If A-123 is effectively implemented, the assessment team will be able to conclude whether the design and operation of the internal controls over financial reporting were effective or whether material weaknesses exist in the design or operation of internal control over financial reporting. To evaluate internal control at the process, transaction or application level, the assessment team must: (1) determine significant accounts; (2) identify and evaluate major classes of transactions; (3) understand the financial reporting process; (4) gain an understanding of control design to achieve management's assertions; and (5) test controls and assess compliance to support management's assertions.

[28] Financial Executives International (FEI) Survey: Section 404 Costs Exceed Estimates. Copyright 2005 FEI. http://www.fei.org/404_survey_3_21_05.cfm.

[29] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://www.sec.gov/spotlight/soxcomp/soxcom-all-attach.pdf.

[30] The average company revenues were $8.1 billion.

[31] Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, and PricewaterhouseCoopers LLP.

[32] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://www.sec.gov/spotlight/soxcomp/soxcom-all-attach.pdf.

[33] For Section 404 purposes, management and the independent auditor are required to disclose in their public reports only material weaknesses that exist as of the year-end assessment date.
Whether deficiencies are identified by management or the auditor, management may implement new controls or strengthen existing procedures to correct deficiencies before the company's year-end assessment date, in effect remediating these potential problems. By identifying and remediating control deficiencies during the year, fewer material weaknesses are likely to be reported.

[34] If a deficiency was remediated prior to the year-end assessment date, management and the auditors would not necessarily have evaluated whether it would have been a significant deficiency or a material weakness as defined by the Public Company Accounting Oversight Board Auditing Standard No. 2. Therefore, the number of deficiencies remediated prior to the year-end assessment date was collected in the aggregate without determination as to whether some would have been classified as significant deficiencies or material weaknesses.

[35] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://sec.gov/spotlight/soxcomp/soxcom-all-attach.pdf.