OMB A123 What is it where did it

OMB A-123 What is it, where did it come from, and what is happening now? Marty Conger, CPA CFO & Director of Business Support Services

What is A-123? OMB Circular A-123 Management’s Responsibility for Internal Controls Purpose Provides guidance to Federal managers l l Applicability on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control… All Federal agencies covered by the CFO Act l DOE is flowing requirements to major and integrated contractors 2

A-123 Internal Controls Timeline 1972 -75 Bribes to foreign governmental officials 1970 Evolution of OMB Circular A-123 1975 1980 Thrift & bank failures 1980 1989 Thrift & bank failures 1985 1992 Continuing bank problems 1990 1977 1982 1987 Audit GAAP Federal National SASs Manager’s commission on Financial fraudulent Foreign Integrity Act financial Corrupt (FMFIA) reporting (Treadway Practices Act Commission) (FCPA) 1982 1986 OMB’s OMB A-123 Internal Controls Guidelines Systems 2003 Corporate corruption scandals (Enron, World. Com) 1997 Corporate corruption scandals 1995 1992 & 1994 Internal Control. Integrated Framewor k (COSO) 1995 OMB A-123 Management Accountability and Controls 2000 2002 Sarbanes -Oxley Act 2005 2004 Enterprise Risk management – Integrated Framework (COSO ERM) 2004 OMB A-123 Management’s Responsibility for Internal Controls 3

Why A-123 Changed “To ensure Congress and the public that the Federal Government is committed to safeguarding its assets and providing reliable financial information. ” “Circular A-12 3 and the statute it imp e lements, h t f o n o i t a the Federal M amin x e anagers’ l e r o r “A ont c l a n r Financial Int inte g l n egrity Act i a t r s e i x d e e F r o f of 1982, are a ents m e r n i i t the u d q re tiate i n i s a center of the es w l a existing n r e t agenci in w e n Federal requir f the o r t o f h ements g s i l ent m e r i u to improve inte req rnal control d e d a r control. ” -t in d e publicly n i a s cont e i n a p y Act com e l x O anes b r a S the 2. ” of 200 4

What Actions does A-123 Require? “Agencies and individual Federal managers must take systematic and proactive measures to: (i) develop and implement appropriate, cost-effective internal control for results-oriented management (ii) assess the adequacy of internal control in Federal programs and operations (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A (iv) identify needed improvements (v) take corresponding corrective action (vi) report annually on internal control through management assurance statements. “ 5

End in Mind – Management Assertions August 29, 20 06 1. Responsibility for Internal Controls 2. Assessment of Internal Controls was done 3. Based on assessment can provide assurance • • Internal Controls operating effectively No material weaknesses were found in design or operations Manager Department o f. E nergy Fiscal Year Statement o 2 nxxx Annual Assurance Financial Re Internal Control over porting The [Agency’s establishing a ] management is respon control over fi nd maintaining effective sible for safeguarding nancial reporting, which internal applicable lawof assets and complianc includes e with s and regulati ons. The [Agency] effectiveness conducted its assessme over financial of the [Agency’s] interna nt of the OMB Circular reporting in accordance l control Responsibility A-123, Management’s with for Internal C ontrol. Based on the re s u lts of this eva [Agency] can lu p ro v id e reasonable ation, the that internal c ass of June 30, 2 ontrol over financial repourance no material wxxx was operating effecti rting as design or opeeaknesses were found invely and over financial ration of the internal con the trols reporting. Sincerely, Head of Agen cy 6

Similarities of SOX and Circular A-123 Appendix A Area SOX Sec 404 A-123 App A Management responsibility for effectiveness of internal controls over financial reporting COSO internal control standard Materiality criteria “Top Down” approach Documentation of internal controls Testing of control design and operating effectiveness Management assertion on internal control effectiveness Audit opinion on internal controls over financial reporting An audit is required for DHS and the U. S. Postal Service is electing to include an audit 7

What are Internal Controls? “Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved: 1. effectiveness and efficiency of operations, 2. reliability of financial reporting, and 3. compliance with applicable laws and regulations. " Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, “Green Book. ” 8

Committee of Sponsoring Organizations (COSO) Framework Treadway Commission established Internal Control Integrated Framework published in 1992 Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level. Control Activities These policies and procedures help ensure management directives are carried out. Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components. Monitoring Internal control systems need to be monitored – that assesses the quality of the system’s performance over time. Image courtesy of sox-online. com 9

Financial Statement Assertion Framework from A-123 P E R C V resentation and Disclosure xistence and Occurrence The financial report is presented in the proper form and any required disclosures are present All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date ights and Obligations All assets are legally owned by the agency and all liabilities are legal obligations of the agency ompleteness All assets, liabilities, and transactions that should be reported have been included and no unauthorized transactions or balances are included aluation All assets and liabilities have been properly valued, and where applicable, all costs have been properly allocated 10

Two Types of Internal Controls per A-123 Prevention l Higher leverage, usually lower cost n Example: Prevent unauthorized use – Password access to systems Detection l More costly to maintain because of the number of steps: identify, assess and correct errors, etc. n Example: Monthly review of P-card transactions to detect errors, sensitive transactions, etc. 11

Examples of Control Techniques 12

Closing Thoughts Each agency must negotiate an implementation plan with OMB DOE has negotiated a general implementation schedule of 3 years 2 -year implementation schedule for contractors n n Year 1, test high-risk processes Year 2, test the remaining processes A-123 parallels SOX by requiring agency executives to validate the effectiveness of internal controls with the agency head making assurances to the taxpayers that internal controls are working effectively. 13