Circular No. A-123
Revised
June 21, 1995
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS
FROM: Alice M. Rivlin, Director
SUBJECT: Management Accountability and Control
1. Purpose and Authority. As Federal employees develop and
implement strategies for reengineering agency programs and
operations, they should design management structures that help
ensure accountability for results, and include appropriate,
cost-effective controls. This Circular provides guidance to
Federal managers on improving the accountability and effectiveness of
Federal programs and operations by establishing, assessing,
correcting, and reporting on management controls.
The Circular is issued under the authority of the Federal
Managers' Financial Integrity Act of 1982 as codified in 31
U.S.C. 3512.
The Circular replaces Circular No. A-123, "Internal Control
Systems," revised, dated August 4, 1986, and OMB's 1982 "Internal
Controls Guidelines" and associated "Questions and Answers"
document, which are hereby rescinded.
2. Policy. Management accountability is the expectation that
managers are responsible for the quality and timeliness of
program performance, increasing productivity, controlling costs and
mitigating adverse aspects of agency operations, and assuring
that programs are managed with integrity and in compliance with
applicable law.
Management controls are the organization, policies, and
procedures used to reasonably ensure that (i) programs achieve
their intended results; (ii) resources are used consistent with
agency mission; (iii) programs and resources are protected from
waste, fraud, and mismanagement; (iv) laws and regulations are
followed; and (v) reliable and timely information is obtained,
maintained, reported and used for decision making.
3. Actions Required. Agencies and individual Federal managers
must take systematic and proactive measures to (i) develop and
implement appropriate, cost-effective management controls for
results-oriented management; (ii) assess the adequacy of
management controls in Federal programs and operations; (iii) identify
needed improvements; (iv) take corresponding corrective action; and (v)
report annually on management controls.
4. Effective Date. This Circular is effective upon issuance.
5. Inquiries. Further information concerning this Circular may
be obtained from the Management Integrity Branch, Office of
Federal Financial Management, Office of Management and Budget,
Washington, DC 20503, 202/395-6911.
6. Copies. Copies of this Circular may be obtained by
telephoning the Executive Office of the President, Publication
Services, at 202/395-7332.
7. Electronic Access. This document is also accessible on the
U.S. Department of Commerce's FedWorld Network under the OMB
Library of Files.
- The Telnet address for FedWorld via Internet is "fedworld.gov".
- The World Wide Web address is "http://www.fedworld.gov/ftp.htm#omb".
- For file transfer protocol (FTP) access, the address is "ftp://fwux.fedworld.gov/pub/omb/omb.htm".
The telephone number for the FedWorld help desk is 703/487-4608.
Attachment
Note to Internet Users: This document, with associated
explanatory material, was published in the Federal Register on
June 29, 1995, Volume 60, Number 125, pages 33876-33872. This
can be accessed from the Federal Register Online via GPO Access
[wais.access.gpo.gov].
Attachment
I. Introduction
II.
Establishing Management Controls
III.
Assessing and Improving Management Controls
IV.
Correcting Management Control Deficiencies
V.
Reporting on Management Controls
I. INTRODUCTION
The proper stewardship of Federal resources is a fundamental
responsibility of agency managers and staff. Federal employees
must ensure that government resources are used efficiently and
effectively to achieve intended program results. Resources must
be used consistent with agency mission, in compliance with law and
regulation, and with minimal potential for waste, fraud, and
mismanagement.
To support results-oriented management, the Government
Performance and Results Act (GPRA, P.L. 103-62) requires agencies to develop
strategic plans, set performance goals, and report annually on
actual performance compared to goals. As the Federal government
implements this legislation, these plans and goals should be
integrated into (i) the budget process, (ii) the operational
management of agencies and programs, and (iii) accountability
reporting to the public on performance results, and on the
integrity, efficiency, and effectiveness with which they are
achieved.
Management accountability is the expectation that managers are
responsible for the quality and timeliness of program
performance, increasing productivity, controlling costs and mitigating adverse
aspects of agency operations, and assuring that programs are
managed with integrity and in compliance with applicable law.
Management controls -- organization, policies, and procedures --
are tools to help program and financial managers achieve results
and safeguard the integrity of their programs. This Circular
provides guidance on using the range of tools at the disposal of
agency managers to achieve desired program results and meet the
requirements of the Federal Managers' Financial Integrity Act
(FMFIA, referred to as the Integrity Act throughout this
document).
Framework. The importance of management controls is addressed,
both explicitly and implicitly, in many statutes and executive
documents. The Federal Managers' Financial Integrity Act (P.L.
97-255) establishes specific requirements with regard to
management controls. The agency head must establish controls that
reasonably ensure that: (i) obligations and costs comply with applicable
law; (ii) assets are safeguarded against waste, loss, unauthorized use
or misappropriation; and (iii) revenues and expenditures are
properly recorded and accounted for. 31 U.S.C. 3512(c)(1). In
addition, the agency head annually must evaluate and report on
the control and financial systems that protect the integrity of
Federal programs. 31 U.S.C. 3512(d)(2). The Act encompasses program,
operational, and administrative areas as well as accounting and
financial management.
Instead of considering controls as an isolated management tool,
agencies should integrate their efforts to meet the requirements
of the Integrity Act with other efforts to improve effectiveness and
accountability. Thus, management controls should be an integral
part of the entire cycle of planning, budgeting, management,
accounting, and auditing. They should support the effectiveness
and the integrity of every step of the process and provide
continual feedback to management.
For instance, good management controls can assure that
performance measures are complete and accurate. As another example, the
management control standard of organization would align staff and
authority with the program responsibilities to be carried out,
improving both effectiveness and accountability. Similarly,
accountability for resources could be improved by more closely
aligning budget accounts with programs and charging them with all
significant resources used to produce the program's outputs and
outcomes.
Meeting the requirements of the Chief Financial Officers Act (P.L.
101-576, as amended) should help agencies both establish and
evaluate management controls. The Act requires the preparation
and audit of financial statements for 24 Federal agencies. 31 U.S.C.
901(b), 3515. In this process, auditors report on internal
controls and compliance with laws and regulations. Therefore,
the agencies covered by the Act have a clear opportunity both to
improve controls over their financial activities, and to evaluate
the controls that are in place.
The Inspector General Act (P.L. 95-452, as amended) provides for
independent reviews of agency programs and operations. Offices
of Inspectors General (OIGs) and other external audit organizations
frequently cite specific deficiencies in management controls and
recommend opportunities for improvements. Agency managers, who
are required by the Act to follow up on audit recommendations, should
use these reviews to identify and correct problems resulting from
inadequate, excessive, or poorly designed controls, and to build
appropriate controls into new programs.
Federal managers must carefully consider the appropriate balance
of controls in their programs and operations. Fulfilling
requirements to eliminate regulations ("Elimination of One-Half of
Executive Branch Internal Regulations," Executive Order 12861) should
reinforce to agency managers that too many controls can result in
inefficient and ineffective government, and therefore that they
must ensure an appropriate balance between too many controls and
too few controls. Managers should benefit from controls, not be
encumbered by them.
Agency Implementation. Appropriate management controls should be
integrated into each system established by agency management to
direct and guide its operations. A separate management control
process need not be instituted, particularly if its sole purpose
is to satisfy the Integrity Act's reporting requirements.
Agencies need to plan for how the requirements of this Circular
will be implemented. Developing a written strategy for internal
agency use may help ensure that appropriate action is taken
throughout the year to meet the objectives of the Integrity Act.
The absence of such a strategy may itself be a serious management
control deficiency.
Identifying and implementing the specific procedures necessary to
ensure good management controls, and determining how to evaluate
the effectiveness of those controls, is left to the discretion of
the agency head. However, agencies should implement and evaluate
controls without creating unnecessary processes, consistent with
recommendations made by the National Performance Review.
The President's Management Council, composed of the major
agencies' chief operating officers, has been established to foster
governmentwide management changes ("Implementing Management
Reform in the Executive Branch," October 1, 1993). Many agencies are
establishing their own senior management council, often chaired
by the agency's chief operating officer, to address management
accountability and related issues within the broader context of
agency operations. Relevant issues for such a council include
ensuring the agency's commitment to an appropriate system of
management controls; recommending to the agency head which
control deficiencies are sufficiently serious to report in the annual
Integrity Act report; and providing input for the level and
priority of resource needs to correct these deficiencies. (See
also Section III of this Circular.)
II. ESTABLISHING MANAGEMENT CONTROLS
Definition of Management Controls. Management controls are the
organization, policies, and procedures used by agencies to
reasonably ensure that (i) programs achieve their intended
results; (ii) resources are used consistent with agency mission; (iii)
programs and resources are protected from waste, fraud, and
mismanagement; (iv) laws and regulations are followed; and (v)
reliable and timely information is obtained, maintained, reported
and used for decision making.
Management controls, in the broadest sense, include the plan of
organization, methods and procedures adopted by management to
ensure that its goals are met. Management controls include
processes for planning, organizing, directing, and controlling
program operations. A subset of management controls are the
internal controls used to assure that there is prevention or
timely detection of unauthorized acquisition, use, or disposition of the
entity's assets.
Developing Management Controls. As Federal employees develop and
execute strategies for implementing or reengineering agency
programs and operations, they should design management structures
that help ensure accountability for results. As part of this
process, agencies and individual Federal managers must take
systematic and proactive measures to develop and implement
appropriate, cost-effective management controls. The expertise
of the agency CFO and IG can be valuable in developing appropriate
controls.
Management controls guarantee neither the success of agency
programs, nor the absence of waste, fraud, and mismanagement, but
they are a means of managing the risk associated with Federal
programs and operations. To help ensure that controls are
appropriate and cost-effective, agencies should consider the
extent and cost of controls relative to the importance and risk
associated with a given program.
Standards. Agency managers shall incorporate basic management
controls in the strategies, plans, guidance and procedures that
govern their programs and operations. Controls shall be
consistent with the following standards, which are drawn in large part from
the "Standards for Internal Control in the Federal Government,"
issued by the General Accounting Office (GAO).
General management control standards are:
- Compliance With Law. All program operations, obligations and
costs must comply with applicable law and regulation. Resources should be
efficiently and effectively allocated for duly authorized purposes.
- Reasonable Assurance and Safeguards. Management controls
must provide reasonable assurance that assets are safeguarded
against waste, loss, unauthorized use, and misappropriation.
Management controls developed for agency programs should be logical,
applicable, reasonably complete, and effective and efficient in
accomplishing management objectives.
- Integrity, Competence, and Attitude. Managers and employees
must have personal integrity and are obligated to support the ethics
programs in their agencies. The spirit of the Standards of Ethical
Conduct requires that they develop and implement effective management
controls and maintain a level of competence that allows them to
accomplish their assigned duties. Effective communication within and
between offices should be encouraged.
Specific management control standards are:
- Delegation of Authority and Organization. Managers should
ensure that appropriate authority, responsibility and accountability are
defined and delegated to accomplish the mission of the organization, and
that an appropriate organizational structure is established to
effectively carry out program responsibilities. To the extent
possible, controls and related decision-making authority should be in
the hands of line managers and staff.
- Separation of Duties and Supervision. Key duties and
responsibilities in authorizing, processing, recording, and reviewing
official agency transactions should be separated among individuals.
Managers should exercise appropriate oversight to ensure individuals do
not exceed or abuse their assigned authorities.
- Access to and Accountability for Resources. Access to
resources and records should be limited to authorized individuals, and
accountability for the custody and use of resources should be assigned
and maintained.
- Recording and Documentation. Transactions should be promptly
recorded, properly classified and accounted for in order to prepare
timely accounts and reliable financial and other reports. The
documentation for transactions, management controls, and other
significant events must be clear and readily available for ex amination.
- Resolution of Audit Findings and Other Deficiencies. Managers
should promptly evaluate and determine proper actions in response to
known deficiencies, reported audit and other findings, and related
recommendations. Managers should complete, within established
timeframes, all actions that correct or otherwise resolve the
appropriate matters brought to management's attention.
Other policy documents may describe additional specific standards
for particular functional or program activities. For example,
OMB Circular No. A-127, "Financial Management Systems," describes
government-wide requirements for financial systems. The Federal
Acquisition Regulations define requirements for agency
procurement activities.
III. ASSESSING AND IMPROVING MANAGEMENT
CONTROLS
Agency managers should continuously monitor and improve the
effectiveness of management controls associated with their
programs. This continuous monitoring, and other periodic
evaluations, should provide the basis for the agency head's
annual assessment of and report on management controls, as required by
the Integrity Act. Agency management should determine the
appropriate level of documentation needed to support this assessment.
Sources of Information. The agency head's assessment of management
controls can be performed using a variety of information sources.
Management has primary responsibility for monitoring and assessing
controls, and should use other sources as a supplement to -- not a
replacement for -- its own judgment. Sources of information include:
- Management knowledge gained from the daily operation of agency
programs and systems.
- Management reviews conducted (i) expressly for the purpose of
assessing management controls, or (ii) for other purposes with an
assessment of management controls as a by-product of the review.
- IG and GAO reports, including audits, inspections, reviews,
investigations, outcome of hotline complaints, or other products.
- Program evaluations.
- Audits of financial statements conducted pursuant to the Chief
Financial Officers Act, as amended, including: information revealed in
preparing the financial statements; the auditor's reports on the
financial statements, internal controls, and compliance with laws and
regulations; and any other materials prepared relating to the statements.
- Reviews of financial systems which consider whether the requirements
of OMB Circular No. A-127 are being met.
- Reviews of systems and applications conducted pursuant to the
Computer Security Act of 1987 (40 U.S.C. 759 note) and OMB Circular No.
A-130, "Management of Federal Information Resources."
- Annual performance plans and reports pursuant to the Government
Performance and Results Act.
- Reports and other information provided by the Congressional
committees of jurisdiction.
- Other reviews or reports relating to agency operations, e.g. for the
Department of Health and Human Services, quality control reviews of the
Medicaid and Aid to Families with Dependent Children programs.
Use of a source of information should take into consideration whether
the process included an evaluation of management controls. Agency
management should avoid duplicating reviews which assess management
controls, and should coordinate their efforts with other evaluations to
the extent practicable.
If a Federal manager determines that there is insufficient information
available upon which to base an assessment of management controls, then
appropriate reviews should be conducted which will provide such a basis.
Identification of Deficiencies. Agency managers and employees
should identify deficiencies in management controls from the sources of
information described above. A deficiency should be reported if it is
or should be of interest to the next level of management. Agency
employees and managers generally report deficiencies to the next
supervisory level, which allows the chain of command structure to
determine the relative importance of each deficiency.
A deficiency that the agency head determines to be significant enough to
be reported outside the agency (i.e. included in the annual Integrity
Act report to the President and the Congress) shall be considered a
"material weakness."
[1] This designation requires a judgment by agency managers as to
the relative risk and significance of deficiencies. Agencies may wish
to use a different term to describe less significant deficiencies,
which are reported only internally in an agency. In identifying and
assessing the relative importance of deficiencies, particular attention
should be paid to the views of the agency's IG.
Agencies should carefully consider whether systemic problems exist that
adversely affect management controls across organizational or program
lines. The Chief Financial Officer, the Senior Procurement Executive,
the Senior IRM Official, and the managers of other functional offices
should be involved in identifying and ensuring correction of systemic
deficiencies relating to their respective functions.
Agency managers and staff should be encouraged to identify and report
deficiencies, as this reflects positively on the agency's commitment to
recognizing and addressing management problems. Failing to report a
known deficiency would reflect adversely on the agency.
Role of A Senior Management Council. Many agencies have found
that a senior management council is a useful forum for assessing and
monitoring deficiencies in management controls. The membership of such
councils generally includes both line and staff management;
consideration should be given to involving the IG. Such councils
generally recommend to the agency head which deficiencies are deemed to
be material to the agency as a whole, and should therefore be included
in the annual Integrity Act report to the President and the Congress.
(Such a council need not be exclusively devoted to management control
issues.) This process will help identify deficiencies that although
minor individually, may constitute a material weakness in the
aggregate. Such a council may also be useful in determining when
sufficient action has been taken to declare that a deficiency has been
corrected.
IV. CORRECTING MANAGEMENT CONTROL DEFICIENCIES
Agency managers are responsible for taking timely and effective action
to correct deficiencies identified by the variety of sources discussed
in Section III. Correcting deficiencies is an integral part of
management accountability and must be considered a priority by the agency.
The extent to which corrective actions are tracked by the agency should
be commensurate with the severity of the deficiency. Corrective action
plans should be developed for all material weaknesses, and progress
against plans should be periodically assessed and reported to agency
management. Management should track progress to ensure timely and
effective results. For deficiencies that are not included in the
Integrity Act report, corrective action plans should be developed and
tracked internally at the appropriate level.
A determination that a deficiency has been corrected should be made
only when sufficient corrective actions have been taken and the desired
results achieved. This determination should be in writing, and along
with other appropriate documentation, should be available for review by
appropriate officials. (See also role of senior management council in
Section III.)
As managers consider IG and GAO audit reports in identifying and
correcting management control deficiencies, they must be mindful of
the statutory requirements for audit followup included in the IG Act, as
amended. Under this law, management has a responsibility to complete
action, in a timely manner, on audit recommendations on which agreement
with the IG has been reached. 5 U.S.C. Appendix 3. (Management must make
a decision regarding IG audit recommendations within a six month period
and implementation of management's decision should be completed within
one year to the extent practicable.) Agency managers and the IG share
responsibility f or ensuring that IG Act requirements are met.
V. REPORTING ON MANAGEMENT CONTROLS
Reporting Pursuant to Section 2. 31 U.S.C. 3512(d)(2) (commonly
referred to as Section 2 of the Integrity Act) requires that annually by
December 31, the head of each executive agency submit to the President
and the Congress (i) a statement on whether there is reasonable
assurance that the agency's controls are achieving their intended
objectives; and (ii) a report on material weaknesses in the agency's
controls. OMB may provide guidance on the composition of the annual report.
- Statement of Assurance. The statement on reasonable assurance
represents the agency head's informed judgment as to the overall
adequacy and effectiveness of management controls within the agency.
The statement must take one of the following forms: statement of
assurance; qualified statement of assurance, considering the exceptions
explicitly noted; or statement of no assurance.
In deciding on the type of assurance to provide, the agency head should
consider information from the sources described in Section III of this
Circular, with input from senior program and administrative officials
and the IG. The agency head must describe the analytical basis for the
type of assurance being provided, and the extent to which agency
activities were assessed. The statement of assurance must be signed by
the agency head.
- Report on Material Weaknesses. The Integrity Act report must
include agency plans to correct the material weaknesses and progress
against those plans.
Reporting Pursuant to Section 4. 31 U.S.C. 3512(d)(2)(B)
(commonly referred to as Section 4 of the Integrity Act) requires an
annual statement on whether the agency's financial management systems
conform with government-wide requirements. These financial
systems requirements are presented in OMB Circular No. A-127, "Financial
Management Systems," section 7. If the agency does not conform with
financial systems requirements, the statement must discuss the agency's
plans for bringing its systems into compliance.
If the agency head judges a deficiency in financial management systems
and/or operations to be material when weighed against other agency
deficiencies, the issue must be included in the annual Integrity Act
report in the same manner as other material weaknesses.
Distribution of Integrity Act Report. The assurance statements and
information related to both Sections 2 and 4 should be provided in a
single Integrity Act report. Copies of the report are to be transmitted
to the President; the President of the Senate; the Speaker of the House
of Representatives; the Director of OMB; and the Chairpersons and
Ranking Members of the Senate Committee on Governmental Affairs, the
House Committee on Government Reform and Oversight, and the relevant
authorizing and appropriations committees and subcommittees. In
addition, 10 copies of the report are to be provided to OMB's Office of
Federal Financial Management, Management Integrity Branch. Agencies are
also encouraged to make their reports available electronically.
Streamlined Reporting. The Government Management Reform Act (GMRA)
of 1994 (P.L. 103-356) permits OMB for fiscal years 1995 through 1997 to
consolidate or adjust the frequency and due dates of certain statutory
financial management reports after consultation with the Congress. GMRA
prompted the CFO Council to recommend to OMB a new approach towards
financial management reporting which could help integrate management
initiatives. This proposal is being pilot-tested by several agencies
for FY 1995. Further information on the implications of this initiative
for other agencies will be issued by OMB after the pilot reports have
been evaluated. In the meantime, the reporting requirements outlined in
this Circular remain valid except for those agencies identified as
pilots by OMB.
Under the CFO Council approach, agencies would consolidate Integrity Act
information with other performance-related reporting into a broader
"Accountability Report" to be issued annually by the agency head. This
report would be issued as soon as possible after the end of the fiscal year,
but no later than March 31 for agencies producing audited financial
statements and December 31 for all other agencies. The proposed
"Accountability Report" would integrate the following information: the
Integrity Act report, management's Report on Final Action as required by
the IG Act, the CFOs Act Annual Report (including audited financial
statements), Civil Monetary Penalty and Prompt Payment Act reports, and
available information on agency performance compared to its stated goals
and objectives, in preparation for implementation of the GPRA.
Government Corporations. Section 306 of the Chief Financial
Officers Act established a reporting requirement related to management
controls for corporations covered by the Government Corporation and
Control Act. 31 U.S.C. 9106. These corporations must submit an annual
management report to the Congress not later than 180 days after the end
of the corporation's fiscal year. This report must include, among other
items, a statement on control systems by the head of the management of
the corporation consistent with the requirements of the Integrity Act.
The corporation is required to provide the President, the Director of
OMB, and the Comptroller General a copy of the management report when it
is submitted to Congress.
[1] This Circular's use of the term "material weakness"
should not be confused with use of the same term by government auditors
to identify management control weaknesses which, in their opinion, pose
a risk or a threat to the internal control systems of an audited entity,
such as a program or operation. Auditors are required to identify and
report those types of weaknesses at any level of operation or
organization, even if the management of the audited entity would not
report the weaknesses outside the agency.
The Budget | Legislative Information | Management Reform/GPRA Grants Management Financial Management | Procurement Policy | Information & Regulatory Policy Contact the White House Web Master
Privacy Statement |