This is the accessible text file for GAO report number GAO-05-321T 
entitled 'Financial Management: Effective Internal Control Is Key to 
Accountability' which was released on February 17, 2005.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Testimony:

Before the Subcommittee on Government Management, Finance, and 
Accountability, Committee on Government Reform, House of 
Representatives:

For Release on Delivery Expected at 2:00 p.m. EST Wednesday, February 
16, 2005:

FINANCIAL MANAGEMENT:

Effective Internal Control Is Key to Accountability:

Statement of Jeffrey C. Steinhoff, Managing Director, Financial 
Management and Assurance:

GAO-05-321T:

GAO Highlights:

Highlights of GAO-05-321T, a report to the Subcommittee on Government 
Management, Finance, and Accountability, Committee on Government 
Reform, House of Representatives:

Why GAO Did This Study:

Internal control is at the heart of accountability for our nationís 
resources and how effectively government uses them. This testimony 
outlines the importance of internal control, summarizes the Congressís 
long-standing interest in internal control and the related statutory 
framework, discusses GAOís experiences and lessons learned from agency 
assessments since the early 1980s, and provides GAOís views on the 
Office of Management and Budgetís (OMB) recent revisions to its 
Circular A-123.

GAO highlights six issues important to successful implementation of the 
revised Circular, specifically, the need for

1. supplemental guidance and implementation tools;
2. vigilance over the broader range of controls covering program 
objectives;
3. strong support from managers throughout the agency, and at all 
levels;
4. risk-based assessments and an appropriate balance between the costs 
and benefits of controls;
5. management testing of controls in operation to assess if they are 
designed adequately and operating effectively; and
6. management accountability for control breakdowns.

Finally, GAO discusses its views on the importance of auditor opinions 
on internal control over financial reporting.

What GAO Found:

Internal control represents an organizationís plans, methods, and 
procedures used to meet its missions, goals, and objectives and serves 
as the first line of defense in safeguarding assets and preventing and 
detecting errors, fraud, waste, abuse, and mismanagement. Internal 
control provides reasonable assurance that an organizationsí objectives 
are achieved through 
(1) effective and efficient operations, (2) reliable financial 
reporting, and 
(3) compliance with laws and regulations. 

The Congress has long recognized the importance of internal control, 
beginning with the Budget and Accounting Procedures Act of 1950, which 
placed primary responsibility for establishing and maintaining internal 
control squarely on the shoulders of management. In 1982, when faced 
with a number of highly publicized internal control breakdowns, the 
Congress passed the Federal Managersí Financial Integrity Act (FMFIA). 
FMFIA required agency heads to establish a continuous process for 
assessment and improvement of their agencyís internal control and to 
annually report on the status of their efforts. In addition the act 
required the Comptroller General to issue internal control standards 
and OMB to issue guidelines for agencies to follow in assessing their 
internal controls.

GAO monitored and reported on FMFIA implementation efforts across the 
government in a series of four reports from 1984 through 1989 as well 
as in numerous reports targeting specific agencies and programs. With 
each report, GAO noted the efforts under way, but also that more needed 
to be done. In 1989, GAO concluded that while internal control was 
improving, the efforts were clearly not producing the results intended. 
The assessment and reporting process itself appeared to have become the 
endgame, and many serious internal control and accounting systems 
weaknesses remain unresolved as evidenced by GAOís high risk report 
which highlights serious long-standing internal control problems.

In 1995, OMB made a major revision to its guidance that provided a 
framework for integrating internal control assessments with other work 
performed and relaxed the assessment and reporting requirements, giving 
the agencies discretion to determine the tools to use in arriving at 
their annual FMFIA assurance statements. OMBís recent 2004 revisions to 
the internal control guidance are intended to strengthen the 
requirements for conducting managementís assessment of control over 
financial reporting. 

GAO supports OMBís recent changes to Circular A-123 and in particular 
the principles-based approach for establishing and reporting on 
internal control. GAO also noted six specific issues that are important 
to successful implementation of OMBís revised guidance and discusses 
its views on the importance of auditor opinions on internal control 
over financial reporting.

www.gao.gov/cgi-bin/getrpt?GAO-05-321T.

To view the full product, including the scope
and methodology, click on the link above.
For more information, contact McCoy Williams at (202) 512-6906 or 
williamsm1@gao.gov.

[End of section]

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the importance of sound 
internal control as the foundation of accountability and the recent 
revisions by the Office of Management and Budget (OMB) to its Circular 
A-123, Management's Responsibility for Internal Control.

Today, I would like to:

* highlight the key concepts underlying internal control;

* summarize the Congress's long-standing interest in internal control 
and the related statutory framework;

* outline early experiences and lessons learned from implementation of 
31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers' 
Financial Integrity Act of 1982 (FMFIA);

* provide our views on the recent revisions to Circular A-123 and the 
issues critical to effectively implementing these changes; and:

* discuss our views on the auditor's role in reporting on internal 
control.

The Key Concepts Underlying Internal Control:

Internal control represents an organization's plans, methods, and 
procedures used to meet its missions, goals, and objectives and serves 
as the first line of defense in safeguarding assets and preventing and 
detecting errors, fraud, waste, abuse, and mismanagement. Internal 
control is to provide reasonable assurance that an organization's 
objectives are achieved through (1) effective and efficient operations, 
(2) reliable financial reporting, and (3) compliance with laws and 
regulations. Safeguarding of assets is a subset of all these 
objectives. The term "reasonable assurance" is important because no 
matter how well-designed and operated, internal control cannot provide 
absolute assurance that agency objectives will be met. Cost-benefit is 
an important concept to internal control considerations. Internal 
control is very broad and encompasses all controls within an 
organization, covering the entire mission and operations, not just 
financial operations.

One need only to look at GAO's January 2005 High-Risk Series: An 
Update,[Footnote 1] in which we identify 25 areas of high risk for 
fraud, waste, abuse, and mismanagement, to see the breadth of internal 
control. While these areas are very diverse in nature, ranging from 
weapon systems acquisition to contract management to the enforcement of 
tax laws to the Medicare and Medicaid programs, all share the common 
denominator of having serious internal control weaknesses. In addition, 
as the Comptroller General testified[Footnote 2] before the House 
Committee on Government Reform last week, certain material weaknesses 
in internal control have contributed to our inability to provide an 
opinion on whether the consolidated financial statements of the U.S. 
government are fairly stated in conformity with U.S. generally accepted 
accounting principles. Internal control weaknesses are also at the 
heart of the over $45 billion in improper payments reported by the 
federal government in fiscal year 2004 across a range of programs. 
Further, internal control includes things such as screening of air 
passengers and baggage to help address the risks associated with 
terrorism, network firewalls to keep out computer hackers, and credit 
checks to determine the creditworthiness of potential borrowers.

The Congress Has Long Recognized the Importance of Internal Control:

The Congress has long recognized the importance of internal control, 
beginning with the Budget and Accounting Procedures Act of 
1950,[Footnote 3] over 50 years ago. The 1950 act placed primary 
responsibility for establishing and maintaining internal 
control[Footnote 4] squarely on the shoulders of agency management. As 
I will discuss later, the auditor can serve an important role by 
independently determining whether management's internal control is 
adequately designed and operating effectively and making 
recommendations to management to improve internal control where needed. 
However, the fundamental responsibility for establishing and 
maintaining effective internal control belongs to management.

In 1982, when faced with a number of highly publicized internal control 
breakdowns, the Congress passed FMFIA[Footnote 5] with a goal of 
strengthening internal control and accounting systems. This two-page 
law, a copy of which is in appendix I, defined internal 
control[Footnote 6] broadly to include program, operational, and 
administrative controls as well as accounting and financial management, 
and reaffirmed that the primary responsibility for adequate systems of 
internal control rests with management. Under FMFIA, agency heads are 
required to establish a continuous process for assessment and 
improvement of their agency's internal control and to publicly report 
on the status of their efforts by signing annual statements of 
assurance as to whether internal control is designed adequately and 
operating effectively. Where there are material weaknesses, the agency 
heads are to disclose the nature of the problems and the status of 
corrective actions in an annual assurance statement. Today, agencies 
are generally meeting their FMFIA reporting requirement by including 
this information in their Performance and Accountability reports, which 
also include their audited financial statements. The act also required 
that the Comptroller General establish internal control standards and 
that OMB issue guidelines for agencies to follow in assessing their 
internal control against the Comptroller General's standards.

OMB first issued Circular A-123, then entitled Internal Control 
Systems, in October 1981, in anticipation of FMFIA becoming law. In 
December 1982, following FMFIA enactment, OMB issued the assessment 
guidelines required by the act. OMB's Guidelines for the Evaluation and 
Improvement of and Reporting on Internal Control Systems in the Federal 
Government detailed a seven-step internal control assessment process 
targeted to an agency's mission and organizational structure. The 
Comptroller General issued Standards for Internal Control in the 
Federal Government in 1983.[Footnote 7] These standards apply equally 
to financial and nonfinancial controls.[Footnote 8] In August 1984, OMB 
issued a question and answer supplement to its assessment guidelines, 
intended to clarify the applicability of the Comptroller General's 
internal control standards and to assist agencies in assessing risk and 
correcting weaknesses.

The 1990s brought additional legislation that reinforced the 
significance of effective internal control. The Chief Financial 
Officers (CFO) Act,[Footnote 9] which among other things provided for 
major transformation of financial management, including the 
establishment of CFOs, called for financial management systems to 
comply with the Comptroller General's internal control standards. The 
Government Performance and Results Act of 1993[Footnote 10] required 
agencies to clarify missions, set strategic and performance goals, and 
measure performance toward those goals. Internal control plays a 
significant role in helping managers achieve their goals. The 
Government Management Reform Act of 1994[Footnote 11] expanded the CFO 
Act by establishing requirements for the preparation and audit of 
agencywide financial statements and consolidated financial statements 
for the federal government as a whole. The 1996 Federal Financial 
Management Improvement Act[Footnote 12] identified internal control as 
an integral part of improving financial management systems. These are 
just a few of the legislative initiatives over the years aimed at 
improving government effectiveness and accountability. The Congress has 
been consistent over the years in demanding that agencies have 
effective internal control and accounting systems.

Early Experiences and Lessons Learned from Agency FMFIA Implementation:

From the outset, agencies faced major challenges in implementing FMFIA. 
The first annual assessment reports were due by December 31, 1983. This 
time frame gave agencies a little over a year to develop and implement 
an agencywide internal control assessment and reporting process to 
provide the information needed to support the first agency head 
assurance statement to the President and the Congress. OMB assembled an 
interagency task force called the Financial Integrity Task Force and 
visited all federal departments and the 10 largest agencies to foster 
implementation of its internal control assessment guidelines. Starting 
in 1983, GAO monitored and reported on FMFIA implementation efforts 
across the government in a series of four reports from 1984 through 
1989 as well as in numerous reports targeting specific agencies and 
programs.

In our first governmentwide report,[Footnote 13] issued in 1984, we 
noted that although early efforts were primarily learning experiences, 
agencies had demonstrated a commitment to implementing FMFIA with a 
good start at assessing their internal control and accounting systems. 
We found agencies had established systematic processes to assess, 
improve, and report on their internal control and accounting systems, 
and we observed that federal managers had become more aware of the need 
for good internal control and improved accounting systems. OMB played 
an active role, providing guidance and central direction to the 
program. Though the nature and extent of participation varied, most 
inspectors general also played a major role in the first year. Our 1984 
report outlined key steps to improve implementation, including adequate 
training and guidance, the importance of a positive attitude and a mind-
set to hold managers accountable for results, and the need for more 
internal control testing.

Our second governmentwide report in 1985[Footnote 14] noted that FMFIA 
had provided a significant impetus to the government's attempts to 
improve internal control and accounting systems by focusing attention 
on the problems. Agencies continued to identify material internal 
control and accounting system weaknesses with a number of major 
improvement initiatives under way. We identified needed improvements to 
FMFIA implementation similar to those in our 1984 report, but also 
identified the need to reduce the paperwork associated with agency 
assessment efforts. In particular, vulnerability assessments aimed at 
identifying the areas of highest risk in order to prioritize more 
detailed internal control reviews were widely criticized by agencies as 
paperwork exercises. It was widely thought that while agencies had 
devoted considerable resources assessing the vulnerability of thousands 
of operations and functions, these efforts did not provide management 
with a whole lot of reliable and useful information.

Our third governmentwide report was issued in 1987.[Footnote 15] We 
noted that an important step in strengthening internal control is 
verifying that planned corrective actions have been implemented as 
envisioned and that the completed corrective actions have been 
effective. We found instances where (1) corrective measures taken had 
not completely corrected the identified weaknesses and (2) actions to 
resolve weaknesses had been delayed, in some cases for years.

Our fourth governmentwide report,[Footnote 16] issued in 1989 for which 
the title, Ineffective Internal Controls Result in Ineffective Federal 
Programs and Billion in Losses, is still appropriate in today's 
environment, concluded that while internal control was improving, the 
efforts were clearly not producing the results intended. We noted 
continuing widespread internal control and accounting system problems 
and the need for greater top-level leadership. We reported that what 
started off as a well-intended program to foster the continual 
assessment and improvement of internal control unfortunately had become 
mired in extensive process and paperwork. Significant attention was 
focused on creating a paper trail to prove that agencies had adhered to 
the OMB assessment process and on crafting voluminous annual reports 
that could exceed several hundred pages. It seemed that the assessment 
and reporting processes had, at least to some, become the endgame.

At the same time, there were some important accomplishments coming from 
FMFIA. Thousands of problems were identified and fixed along the way, 
especially at the lower levels where internal control assessments were 
performed and managers could take focused actions to fix relatively 
simple problems. Unfortunately, many of the more serious and complex 
internal control and accounting system weaknesses remained largely 
unchanged and agencies were drowning in paper.

In March 1989, GAO, along with representatives of seven agencies, OMB, 
and the President's Council on Integrity and Efficiency 
(PCIE),[Footnote 17] reviewed aspects of FMFIA implementation as part 
of a subcommittee of the Internal Control Interagency Coordination 
Council. The subcommittee's report highlighted the following seven 
issues as requiring action:

* Link the internal control assessment and reporting process with the 
budget to assist the Congress and OMB in analyzing the impact of 
corrective actions on agency resources.

* Emphasize the early warning capabilities of the internal control 
process to ensure timely actions to correct weaknesses identified.

* Consolidate the review processes of various OMB circulars to 
eliminate overlapping assessment requirements, improve staff 
utilization, and reduce the paper being generated.

* Provide for and promote senior management involvement in the internal 
control process to ensure more effective and lasting oversight and 
accountability for FMFIA activities.

* Highlight the most critical internal control weaknesses in the FMFIA 
assurance statements to increase the usefulness of the report to the 
President and the Congress.

* Report on agency processes to validate actions taken to correct 
material weaknesses, ascertain that desired results were achieved, and 
reduce the likelihood of repeated occurrences of the same weaknesses.

* Improve management awareness and understanding of FMFIA to provide 
for more consistent program manager interpretation and acceptance of 
the act.

Too much process and paper continued to be a problem, and in 1995 OMB 
made a major revision to Circular A-123 that relaxed the assessment and 
reporting requirements. The 1995 revision integrated many policy 
issuances on internal control into a single document and provided a 
framework for integrating internal control assessments with other 
reviews being performed by agency managers, auditors, and evaluators. 
In addition, it gave agencies the discretion to determine which tools 
to use in arriving at the annual assurance statement to the President 
and the Congress, with the stated aim of achieving a streamlined 
management control program that incorporated the then administration's 
reinvention principles.

Revised OMB Circular A-123 Marks an Important Step toward Achieving 
FMFIA Objectives:

And this brings us to the present. The recent December 2004 update to 
Circular A-123 reflects policy recommendations developed by a joint 
committee of representatives from the CFO Council (CFOC)[Footnote 18] 
and PCIE.[Footnote 19] The changes are intended to strengthen the 
requirements for conducting management's assessment of internal control 
over financial reporting. The December 2004 revision to the Circular 
also emphasizes the need for agencies to integrate and coordinate 
internal control assessments with other internal control-related 
activities.

We support OMB's efforts to revitalize FMFIA through the December 2004 
revisions to Circular A-123. These revisions recognize that effective 
internal control is critical to improving federal agencies' 
effectiveness and accountability and to achieving the goals that the 
Congress established in 1950 and reaffirmed in 1982. The Circular 
correctly recognizes that instead of considering internal control an 
isolated management tool, agencies should integrate their efforts to 
meet the requirements of FMFIA with other efforts to improve 
effectiveness and accountability. Internal control should be an 
integral part of the entire cycle of planning, budgeting, management, 
accounting, and auditing. It should support the effectiveness and the 
integrity of every step of the process and provide continual feedback 
to management.

In particular, we support the principles-based approach in the revised 
Circular for establishing and reporting on internal control that should 
increase accountability. This type of approach provides a floor for 
expected behavior, rather than a ceiling, and by its nature, greater 
judgment on the part of those applying these principles will be 
necessary. Accordingly, clear articulation of objectives, the criteria 
for measuring whether the objectives have been successfully achieved, 
and the rigor with which these criteria are applied will be critical. 
Providing agencies with supplemental guidance and implementation tools 
is particularly important, in light of the varying levels of internal 
control maturity that exist across government as well as the expected 
divergence in implementation that is typically found when a range of 
entities with varying capabilities apply a principles-based approach.

I would now like to highlight what I think will be the six issues 
critical to effectively implementing the changes to Circular A-123 
based on the lessons learned over the past 20 years under FMFIA.

First, OMB indicated that it plans to work with the CFOC and PCIE to 
provide further implementation guidance. For the reasons I just 
highlighted, we support the development of supplemental guidance and 
implementation tools, which will be particularly important to help 
ensure that agency efforts are properly focused and meaningful. These 
materials should demand an appropriate rigor to whatever assessment and 
reporting process management adopts as well as set the bar at a level 
to ensure that the objectives of FMFIA are being met in substance, with 
a caution to guard against excessive focus on process and paperwork. 
Supplemental guidance and implementation tools should be aimed at 
helping agency management achieve the bottom-line goal of getting 
results from effective internal control.

Second, while the revised Circular A-123 emphasizes internal control 
over financial reporting, it will be important that proper attention 
also be paid to the other two internal control objectives covered by 
FMFIA and discussed in the Circular, which are (1) achieving effective 
and efficient operations and (2) complying with laws and regulations. 
Also, as I mentioned earlier, safeguarding assets is a subset of all 
three objectives.

Third, managers throughout an agency and at all levels will need to 
provide strong support for internal control. As I discussed earlier, 
the responsibility for internal control does not reside solely with the 
CFO. A case in point is internal control over improper payments, which 
is the responsibility of a range of agency officials outside of the CFO 
operation. Also, with respect to financial reporting, which the revised 
OMB Circular A-123 specifically refers to as a priority area, the CFO 
generally does not control all of the needed information and often 
depends on other business systems for much of the financial data. For 
example, at the Department of Defense (DOD), about 80 percent of the 
information needed to prepare annual financial statements comes from 
other business systems, such as logistics, procurement, and personnel 
information systems, that are not under the CFO.

Fourth, agencies must strike an appropriate balance between costs and 
benefits, while at the same time achieving an appropriate level of 
internal control. Internal controls need to be designed and implemented 
only after properly identifying and analyzing the risks associated with 
achieving control objectives. Agencies need to have the right controls, 
in the right place, at the right time, with an appropriate balance 
between related costs and benefits. In this regard, the revisions to 
Circular A-123 outline the concept of risk assessment for internal 
control over financial reporting by laying out an assessment approach 
at the process, transaction, and application levels. A similar approach 
needs to be applied as well to the other business areas and the range 
of programs and operations as envisioned in FMFIA.

Fifth, management testing of controls in operation to determine their 
soundness and whether they are being adhered to and to assist in the 
formulation of corrective actions where problems arise will be 
essential. This is another area covered by the revised Circular A-123. 
Testing can show whether internal controls are in place and operating 
effectively to minimize the risk of fraud, waste, abuse, and 
mismanagement and whether accounting systems are producing accurate, 
timely, and useful information. Through adequate testing, agency 
managers should know what is working well and what is not. Management 
will then be able to focus on corrective actions as needed and on 
streamlining controls if testing shows that existing controls are not 
cost-effective.

Sixth, personal accountability for results will be essential, starting 
with top agency management and cascading down through the organization. 
Regular oversight hearings, such as this one, will be critical to 
keeping agencies accountable and expressing the continual interest and 
expectations of the Congress. Independent verification and validation 
through the audit process, which I will talk about next, is another 
means of providing additional accountability. There should be clear 
rewards (incentives) for doing the right things and consequences 
(disincentives) for doing the wrong things. If a serious problem occurs 
because of a breakdown in internal control and it is found that 
management did not do its part to establish a proper internal control 
environment, or did not act expeditiously to fix a known problem, those 
responsible need to be held accountable and face the consequences of 
inaction. The revised Circular A-123 encourages the involvement of 
senior management councils in internal control assessment and 
monitoring, which can be an excellent means of establishing 
accountability and ownership for the program.

The Auditor's Role in Evaluating Management's Internal Control Efforts:

In initiating the revisions to Circular A-123, OMB cited the new 
internal control requirements for publicly traded companies that are 
contained in the Sarbanes-Oxley Act of 2002.[Footnote 20] Sarbanes- 
Oxley was born out of the corporate accountability failures of the past 
several years. Sarbanes-Oxley is similar in concept to the long- 
standing requirements for federal agencies in FMFIA and Circular A-123. 
Under Sarbanes-Oxley, management of a publicly-traded company is 
required to (1) annually assess the internal control over financial 
reporting at the company and (2) issue an annual statement on the 
effectiveness of internal control over financial reporting.[Footnote 
21] The company's auditors are then required to attest to and report on 
management's assessment as to the effectiveness of its internal 
control. This is where Sarbanes-Oxley differs from FMFIA. FMFIA does 
not call for an auditor opinion on management's assessment of internal 
control over financial reporting nor does it call for an auditor 
opinion on the effectiveness of internal control. Likewise, Circular A- 
123 does not adopt these requirements, although the Circular does 
recognize that some agencies are voluntarily getting an audit opinion 
on internal control over financial reporting.

Our position is that an auditor's opinion on internal control over 
financial reporting is similarly important in the government 
environment. We view auditor opinions on internal control over 
financial reporting as an important component of monitoring the 
effectiveness of an entity's risk management and accountability 
systems. In practicing what we preach, we not only issue an opinion on 
internal control over financial reporting at the federal entities where 
we perform the financial statement audit,[Footnote 22] including the 
consolidated financial statements of the U.S. government, but we also 
obtain an auditor's opinion on internal control on our own annual 
financial statements. On their own initiative, the Social Security 
Administration (SSA) and Nuclear Regulatory Commission also received 
opinions on internal control over financial reporting for fiscal year 
2004 from their respective independent auditors.

In considering when to require an auditor opinion on internal control, 
the following four questions can be used to frame the issue.

1. Is this a major federal entity, such as the 24 departments and 
agencies covered by the CFO Act? There would be different consideration 
for small simple entities versus large complex entities.

2. What is the maturity level of internal control over financial 
reporting?

3. Is the agency currently in a position to attest to the effectiveness 
of internal control over financial reporting and subject that 
conclusion to independent audit?

4. What are the benefits and costs of obtaining an opinion?

What underlies these questions is whether management has done its job 
of assessing its internal control and has a firm basis for its 
assertion statement before the auditor is tasked with performing work 
to support an opinion on internal control over financial reporting. As 
I have stressed throughout my testimony today, internal control is a 
fundamental responsibility of management, including ongoing oversight. 
The auditor's role, similar to its opinion on the financial statements 
issued by management, would be to state whether the auditor agrees 
[Footnote 23] with management's assertion that its internal control is 
adequate so that the reader has an independent view.

As an example, consider DOD which has many known material internal 
control weaknesses. Of the 25 areas on GAO's high-risk list, 14 relate 
to DOD, including DOD financial management. Given that DOD management 
is clearly not in a position to state that the department has effective 
internal control over financial reporting, there would be no need for 
the auditor to do additional audit work to render an opinion that 
internal control was not effective. On the other hand, as I just 
mentioned for fiscal year 2004, SSA management reported that it does 
not have any material internal control weaknesses over financial 
reporting. The auditor's unqualified opinion over financial reporting 
at SSA provided an independent assessment of management's assertion 
about internal control, which we believe by its nature adds value and 
creditability similar to the auditor's opinion on the financial 
statements.

As you know, Mr. Chairman, recent legislation[Footnote 24] making the 
Department of Homeland Security (DHS) subject to the provisions of the 
CFO Act, which this Subcommittee spearheaded, requires DHS management 
to provide an assertion on the effectiveness of internal control over 
financial reporting for fiscal year 2005 and to obtain an auditor's 
opinion on its internal control over financial reporting for fiscal 
year 2006. In addition, the CFO Council and PCIE are required by the 
DHS legislation to jointly study the potential costs and benefits of 
requiring CFO Act agencies to obtain audit opinions on their internal 
control over financial reporting, and GAO is to perform an analysis of 
the information provided in the report and provide any findings to the 
House Committee on Government Reform and the Senate Committee on 
Homeland Security and Governmental Affairs.[Footnote 25] We believe 
that the study and related analysis are important steps in resolving 
the issues associated with the current reporting on the adequacy of 
internal control. In addition, this issue is being discussed by the 
Principals of the Joint Financial Management Improvement Program--the 
Comptroller General, the Director of OMB, the Secretary of the 
Treasury, and the Director of the Office of Personnel Management.

In closing, as the Congress and the American public have increased 
demands for accountability, the federal government must respond by 
having a high standard of accountability for its programs and 
activities. Areas vulnerable to fraud, waste, abuse, and mismanagement 
must be continually evaluated to ensure that scarce resources reach 
their intended beneficiaries; are used properly; and are not diverted 
for inappropriate, illegal, inefficient, or ineffective purposes.

I want to emphasize our commitment to continuing our work with the 
Congress, the administration, the federal agencies, and the audit 
community to continually improve the quality of internal control 
governmentwide, and to help ensure that action is taken to address the 
internal control vulnerabilities that exist today. To that end, as I 
said earlier, the leadership of this Subcommittee will continue to be 
an important catalyst for change, and I again thank you for the 
opportunity to participate in this hearing.

Mr. Chairman, this completes my prepared statement. I would be happy to 
respond to any questions you or other Members of the Subcommittee may 
have at this time.

Contacts and Acknowledgments:

For information about this statement, please contact Jeffrey C. 
Steinhoff at (202) 512-2600 or McCoy Williams, Director, Financial 
Management and Assurance, at (202) 512-6906 or at [Hyperlink, 
williamsm1@gao.gov]. Individuals who made key contributions to this 
testimony include Mary Arnold Mohiyuddin, Abe Dymond, and Paul Caban. 
Numerous other individuals made contributions to the GAO reports cited 
in this testimony.

[End of section]

Appendix I: Federal Managers' Financial Integrity Act of 1982:

Federal Managers' Financial Integrity Act of 1982:

Public Law 97-255:

(96 Stat. 814):

AN ACT To amend the Accounting and Auditing Act of 1950 to require 
ongoing evaluations and reports on the adequacy of the systems of 
internal accounting and administrative control of each executive 
agency, and for other purposes:

Be it enacted by the Senate and House of Representatives of the United 
States of America in Congress assembled,

Section 1. This Act may be cited as the "Federal Managers' Financial 
Integrity Act of 1982". (31 U.S.C. 65 note).

SEC. 2. Section 113 of the Accounting and Auditing Act of 1950 (31 
U.S.C. 66a) is amended by adding at the end thereof the following new 
subsection:

"(d)(1)(A) To ensure compliance with the requirements of sub-section 
(a)(3) of this section, internal accounting and administrative controls 
of each executive agency shall be established in accordance with 
standards prescribed by the Comptroller General, and shall provide 
reasonable assurances that:

"0) obligations and costs are in compliance with applicable law;

"(ii) funds, property, and other assets are safeguarded against waste, 
loss, unauthorized use, or misappropriation; and "(iii) revenues and 
expenditures applicable to agency operations are properly recorded and 
accounted for to permit the preparation of accounts and reliable 
financial and statistical reports and to maintain accountability over 
the assets.

"(B) The standards prescribed by the Comptroller General under this 
paragraph shall include standards to en-sure the prompt resolution of 
all audit findings.

"(2) By December 31, 1982, the Director of the Office of Management and 
Budget, in consultation with the Comptroller General, shall establish 
guidelines for the evaluation by agencies of their systems of internal 
ac-counting and administrative control to determine such systems' 
compliance with the requirements of paragraph (1) of this subsection. 
The Director, in consultation with the Comptroller General, may modify 
such guidelines from time to time as deemed necessary.

"(3) By December 31, 1983, and by December 31 of each succeeding year, 
the head of each executive agency shall, on the basis of an evaluation 
conducted in accordance with guidelines prescribed under paragraph (2) 
of this subsection, prepare a statement:


"(A) that the agency's systems of internal accounting and 
administrative control fully comply with the requirements of paragraph 
(1); or:

"(B) that such systems do not fully comply with such requirements.

"(4) In the event that the head of an agency pre-pares a statement 
described in paragraph (3)(B), the head of such agency shall include 
with such statement a report in which any material weaknesses in the 
agency's systems of internal accounting and administrative control are 
identified and the plans and schedule for correcting any such weakness 
are described.

"(5) The statements and reports required by this subsection shall be 
signed by the head of each executive agency and transmitted to the 
President and the Congress. Such statements and reports shall also be 
made available to the public, except that, in the case of any such 
statement or report containing information which is:

"(A) specifically prohibited from disclosure by any provision of law; 
or:

"(B) specifically required by Executive order to be kept secret in the 
interest of national defense or the conduct of foreign affairs, such 
information shall be deleted prior to the report or statement being 
made available to the public.".

SEC. 3. Section 201 of the Budget and Accounting Act, 1921 (31 U.S.C. 
11), is amended by adding at the end thereof the following new 
subsection:

"(k)(1) The President shall include in the supporting detail 
accompanying each Budget submitted on or after January 1, 1983, a 
separate statement, with respect to each department and establishment, 
of the amounts of appropriations requested by the President for the 
Office of Inspector General, if any, of each such establishment or 
department.

"(2) At the request of 8 committee of the Congress, additional 
information concerning the amount of appropriations originally 
requested by any office of Inspector General, shall be submitted to 
such committee.".

SEC. 4. Section 113(b) of the Accounting and Auditing Act of 1950 (31 
U.S.C. 66a(b)), is amended by adding at the end thereof the following 
new sentence: "Each annual statement prepared pursuant to subsection 
(d) of this section shall include a separate report on whether the 
agency's accounting system conforms to the principles, standards, and 
related requirements prescribed by the Comptroller General under 
section 112 of this Act.". (31 U.S.C. 66a).

Approved September 8, 1982.

This Act has not been amended as of December 31, 1995.

[End of section]

(195064):

FOOTNOTES

[1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005).

[2] GAO, Fiscal Year 2004 U.S. Government Financial Statements: 
Sustained Improvement in Federal Financial Management Is Crucial to 
Addressing Our Nation's Future Fiscal Challenges, GAO-05-284T 
(Washington, D.C.: Feb. 9, 2005).

[3] Budget and Accounting Procedures Act of 1950, ch. 946, 64 Stat. 832 
(1950).

[4] The act used the phrase "systems of accounting and internal 
control."

[5] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982). FMFIA was 
repealed as part of the general revisions to title 31, U.S. Code. The 
key provisions of FMFIA were codified at 31 U.S.C. ß 3512 (c), (d).

[6] FMFIA used the term "internal accounting and administrative 
controls." OMB initially used the term "management control." In 
revising Circular A-123 in 2004, OMB replaced the term management 
control with internal control, to better align with the Comptroller 
General's internal control standards. Management control and internal 
control are synonymous.

[7] The Comptroller General revised the standards in 1999, based on 
developments in internal control theory, the effects of information 
technology, and the passage of a series of landmark reforms. GAO, 
Standards for Internal Control in the Federal Government, GAO/AIMD-00- 
21.3.1 (Washington, D.C.: November 1999).

[8] The five standards for internal control are (1) control 
environment, (2) risk assessment, (3) control activities, (4) 
information and communications, and (5) monitoring.

[9] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990).

[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).

[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).

[12] Pub. L. No. 104-208, div. A ß101(f), title VIII, 110 Stat. 3009, 
3009-389 (Sept. 30, 1996).

[13] GAO, Implementation of the Federal Managers' Financial Integrity 
Act: First Year, GAO/OCG-84-3 (Washington, D.C.: Aug. 24, 1984).

[14] GAO, Financial Integrity Act: The Government Faces Serious 
Internal Control and Accounting Systems Problems, GAO/AFMD-86-14 
(Washington, D.C.: Dec. 23, 1985). 

[15] GAO, Financial Integrity Act: Continuing Efforts Needed to Improve 
Internal Control and Accounting Systems, GAO/AFMD-88-10 (Washington, 
D.C.: Dec. 30, 1987).

[16] GAO, Financial Integrity Act: Inadequate Controls Result in 
Ineffective Federal Programs and Billions in Losses, GAO/AFMD-90-10 
(Washington, D.C.: Nov. 28, 1989).

[17] PCIE was established to address integrity, economy, and 
effectiveness issues that transcend individual government agencies.

[18] CFOC is an organization of the CFOs and deputy CFOs of the largest 
federal agencies, and senior officials of OMB and the Department of the 
Treasury who work collaboratively to improve financial management in 
the U.S. government. 

[19] Both PCIE and CFOC are chaired by OMB's Deputy Director for 
Management.

[20] Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002).

[21] See Management's Reports on Internal Control Over Financial 
Reporting and Certification of Disclosure in Exchange Act Periodic 
Reports, 68 Fed. Reg. 36635 (June 18, 2003) (codified at scattered 
sections of title 17, Code of Federal Regulations).

[22] Currently, we perform financial statement audits at the Federal 
Deposit Insurance Corporation, the Internal Revenue Service, the Bureau 
of the Public Debt, and the Securities and Exchange Commission.

[23] If the auditor follows the joint GAO/PCIE Financial Audit Manual 
(FAM), as is expected for federal financial statement audits, the work 
performed should be adequate to render an opinion on internal control.

[24] Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004).

[25] Since passing the legislation, the Senate Committee on 
Governmental Affairs changed its name to the Senate Committee on 
Homeland Security and Governmental Affairs.