Internal Control
Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment Gao ID: GAO-06-255R September 6, 2006The Department of Homeland Security (DHS) Financial Accountability Act, Public Law Number 108-330, requires DHS management to provide an assertion on the internal control that applies to financial reporting for fiscal year 2005 and to obtain an auditor's opinion on the department's internal control over its financial reporting for fiscal year 2006. The act also directs the Chief Financial Officers (CFO) Council and the President's Council on Integrity and Efficiency (PCIE) to conduct a joint study, and report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the Chief Financial Officers Act of 1990 to obtain audit opinions of their internal control over financial reporting. The DHS Financial Accountability Act also requires that the Comptroller General of the United States review the joint study and report the results of this analysis to the Congress. In December 2005, we briefed available committee staff on our preliminary analysis of the joint study. This report provides further details on our review and on our views regarding a requirement for federal agencies to obtain audit opinions on their internal control over financial reporting.
We recognize that assessing the costs and benefits of obtaining an auditor's opinion on internal control over financial reporting is difficult, and the joint study properly noted many challenges inherent in performing cost-benefit analyses on this issue. The CFO Council and the PCIE acknowledged in the joint study that estimating the costs to render an opinion on internal control over financial reporting was "challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate" and refer to their reported estimates as "not hard numbers." Of the total reported estimated costs of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover the Department of Defense (DOD). The CFO Council and the PCIE also stated that the benefits from obtaining an opinion on internal control over financial reporting are difficult to measure, and as a result, the joint study discussed some of the potential benefits only qualitatively. Consequently, the joint study did not identify all relevant costs and benefits, which may therefore limit the usefulness of the results and conclusions of the joint study. While the study identified categories of additional work that drive the cost estimates, we believe additional factors are relevant in considering the costs of a requirement for audit opinions on internal control over financial reporting in the federal government. Factors that would likely affect an estimate of the costs of a requirement in the federal government include (1) leveraging the resources already in place in areas of the financial statement audit; (2) using an audit approach that integrates the financial and internal control audits and includes reasoned risk and experience-based auditor judgments, similar to the approach in the GAO/PCIE Financial Audit Manual (FAM); (3) setting criteria for when an agency should initially be required to obtain an audit of internal control over financial reporting; and (4) establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control rather than an annual cycle. We also note that some of the reasons cited for higher-than-estimated costs in early implementation of the internal control provisions of Sarbanes-Oxley for publicly traded companies, should not, to nearly the same extent, be factors for incremental costs in the federal government environment. For example, auditors of federal agencies have been required for many years to test internal control to achieve a low level of assessed control risk. As a result, the FAM includes an integrated audit approach for testing internal control in connection with a financial statement audit. Similar internal control testing requirements were not in place for public companies prior to section 404 of Sarbanes-Oxley. It is important to note, however, that the standards that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone: