This is the accessible text file for GAO report number GAO-06-255R entitled 'Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment' which was released on September 6, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. September 6, 2006: The Honorable Susan M. Collins: Chairman: The Honorable Joseph I. Lieberman: Ranking Minority Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Thomas M. Davis: Chairman: The Honorable Henry A. Waxman: Ranking Minority Member: Committee on Government Reform: House of Representatives: Subject: Internal Control: Analysis of Joint Study on Estimating the Costs and Benefits of Rendering Opinions on Internal Control over Financial Reporting in the Federal Environment: The Department of Homeland Security (DHS) Financial Accountability Act, Public Law Number 108-330, requires DHS management to provide an assertion on the internal control that applies to financial reporting for fiscal year 2005 and to obtain an auditor's opinion on the department's internal control over its financial reporting for fiscal year 2006. The act also directs the Chief Financial Officers (CFO) Council[Footnote 1] and the President's Council on Integrity and Efficiency (PCIE)[Footnote 2] to conduct a joint study, and report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the Chief Financial Officers Act of 1990[Footnote 3] to obtain audit opinions of their internal control over financial reporting.[Footnote 4] The DHS Financial Accountability Act also requires that the Comptroller General of the United States review the joint study and report the results of this analysis to the Congress. In December 2005, we briefed available committee staff on our preliminary analysis of the joint study. This report provides further details on our review and on our views regarding a requirement for federal agencies to obtain audit opinions on their internal control over financial reporting. The Office of Management and Budget (OMB) revised its Circular Number A- 123[Footnote 5] in December 2004 (effective beginning with fiscal year 2006) to strengthen the requirements for conducting management's assessment of internal control over financial reporting. Major revisions contained in Appendix A of the circular include requiring CFO Act agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide separate assurance on the agency's internal control over financial reporting. In initiating the revisions to Circular No. A-123, OMB cited the new internal control requirements for publicly traded companies that are contained in section 404 of the Sarbanes-Oxley Act of 2002 (Sarbanes- Oxley).[Footnote 6] Sarbanes-Oxley was enacted in response to corporate accountability failures of the past several years and contains a provision calling for management's assessment of internal control over financial reporting similar to the long-standing requirements for executive branch agencies in 31 U.S.C. § 3512 (c),(d), commonly referred to as the Federal Managers' Financial Integrity Act (FMFIA), to issue annual statements of assurance over internal control in the agency. Opinions on internal control over financial reporting as required by the Sarbanes-Oxley Act for publicly traded companies are important to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Regulators, public companies, audit firms, and investors generally agree that the Sarbanes-Oxley Act of 2002 has had a positive and significant impact on investor protection and confidence. At the same time, the costs associated with the Sarbanes-Oxley Act have been significant and additional steps should be taken to improve the efficiency and cost-effectiveness of its implementation. Federal agencies also have a duty to attain and maintain the public's trust and confidence. Specifically, federal agencies have a stewardship obligation to prevent fraud, waste, and abuse; to use tax dollars appropriately; and to ensure financial accountability to the President, the Congress, and the American people. In the broadest context, internal control represents an organization's plans, methods, and procedures used to meet its missions, goals, and objectives and serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, waste, abuse, and mismanagement. Effective internal control should provide reasonable assurance that an organization achieves the following objectives: (1) effective and efficient operations, (2) reliable financial reporting, and (3) compliance with applicable laws and regulations. Safeguarding of assets is a subset of these objectives. The scope of this report mainly deals with one objective of internal control, specifically that related to the reliability of financial reporting. Consistent with the DHS Financial Accountability Act's requirements, our objective was to review the joint study and provide our perspective on the important issues regarding a potential requirement for CFO Act agencies to obtain audit opinions on their internal control over financial reporting. Specifically, this report provides our analysis of (1) the joint study and key issues to consider in assessing the costs and benefits of obtaining an opinion on internal control over financial reporting and (2) factors to consider in establishing criteria for when such an internal control opinion is warranted. To address our objective, we reviewed and discussed the joint study's methodology, results, and conclusions with officials from OMB and members of the CFO Council and the PCIE. In conducting their joint study, the CFO Council and the PCIE obtained cost and benefit data from the CFO Act agency inspectors general (IG), but did not verify the cost data supporting the cost-benefit analysis. We reviewed the development and administration of the questionnaire, but because the scope of our work did not include independently validating the cost information reported by questionnaire respondents, we cannot comment on the reliability of its cost estimates. We reviewed numerous reports and other professional literature that contributed to the development of the joint study. These materials are referenced in Attachment A of the joint study. We obtained a copy of the questionnaire sent to the IGs of the 24 CFO Act agencies and the two additional questions that were subsequently asked of the CFOs and IGs. We also reviewed prior GAO reports; applicable federal laws and regulations; and private sector results after implementation of the Sarbanes-Oxley Act of 2002, including documents issued by the Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB). We performed our work from September 2005 through July 2006 in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from OMB. Written comments from OMB's Deputy Director for Management are reprinted in enclosure IV. We also received several technical comments, which we have addressed as appropriate. Results in Brief: We recognize that assessing the costs and benefits of obtaining an auditor's opinion on internal control over financial reporting is difficult, and the joint study properly noted many challenges inherent in performing cost-benefit analyses on this issue. The CFO Council and the PCIE acknowledged in the joint study that estimating the costs to render an opinion on internal control over financial reporting was "challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate" and refer to their reported estimates as "not hard numbers." Of the total reported estimated costs[Footnote 7] of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover the Department of Defense (DOD). The CFO Council and the PCIE also stated that the benefits from obtaining an opinion on internal control over financial reporting are difficult to measure, and as a result, the joint study discussed some of the potential benefits only qualitatively. Consequently, the joint study did not identify all relevant costs and benefits, which may therefore limit the usefulness of the results and conclusions of the joint study. While the study identified categories of additional work that drive the cost estimates, we believe additional factors are relevant in considering the costs of a requirement for audit opinions on internal control over financial reporting in the federal government. Factors that would likely affect an estimate of the costs of a requirement in the federal government include (1) leveraging the resources already in place in areas of the financial statement audit; (2) using an audit approach that integrates the financial and internal control audits and includes reasoned risk and experience-based auditor judgments, similar to the approach in the GAO/PCIE Financial Audit Manual (FAM); (3) setting criteria for when an agency should initially be required to obtain an audit of internal control over financial reporting; and (4) establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control rather than an annual cycle. We also note that some of the reasons cited for higher- than-estimated costs in early implementation of the internal control provisions of Sarbanes-Oxley for publicly traded companies, should not, to nearly the same extent, be factors for incremental costs in the federal government environment. For example, auditors of federal agencies have been required for many years to test internal control to achieve a low level of assessed control risk. As a result, the FAM includes an integrated audit approach for testing internal control in connection with a financial statement audit. Similar internal control testing requirements were not in place for public companies prior to section 404 of Sarbanes-Oxley. It is important to note, however, that the standards[Footnote 8] that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards. Additionally, as reported by the joint study, a majority of the IGs and CFOs believe that benefits would be derived from an audit of internal control over financial reporting. A majority of the IGs and CFOs cited the following as benefits that may be derived from this type of audit: (1) improved internal control and reduced material weaknesses; (2) reduced errors and improved data integrity, documentation reliability, and reporting; and (3) improved agency focus and oversight. According to the study, the true benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is reliable. We agree with the benefits identified by the IGs and CFOs, and in turn, these benefits provide additional incentives for timely identifying and correcting internal control weakness over financial reporting. In addition, we have identified several other benefits that should be considered when concluding on the merits of establishing a requirement to obtain an opinion on internal control over financial reporting. We believe independent assessments and auditor reporting can also: * strengthen the audit work done to support implementation of laws enacted to enhance internal control or reinforce the significance of effective internal control, such as FMFIA and the Government Performance and Results Act (GPRA); * help to improve other efforts, such as cost analyses, budgeting, and performance metrics, through additional assurances over the reliability of financial and relevant nonfinancial data; and: * improve monitoring of the effectiveness of an entity's risk management and accountability systems. We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. We agree in part with the study's overall conclusion that federal agencies should first be given the opportunity to implement revised Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. However, we also believe that having set criteria as to when an agency should initially be required to obtain an opinion, instead of agency or OMB discretion, would be useful. We recognize that not all agencies have the same maturity level of internal control over financial reporting and that an initial determination of an agency's readiness to undergo an audit may be appropriate. Such an approach should consider specific criteria to ascertain when an agency should initially obtain an opinion on internal control, such as whether management has properly assessed its internal control and has a reasonable basis for its statement of assurance. We also believe that criteria can be established to achieve a balance between value, risk, and cost, whereby once agency management has demonstrated a stabilized effective system of internal control over financial reporting, subsequent audits could be performed on a multiyear cycle, for instance, every 3 years. Important to this consideration is that during the years not subject to an internal control audit, agency management would still have to comply with the revised Circular No. A-123, which requires agency management to annually assess the adequacy of internal control over financial reporting by providing a report on identified material weaknesses and corrective actions and providing a separate assurance statement on the agency's internal control over financial reporting. The overarching goal of obtaining an audit opinion on internal control is to provide reasonable independent assurance that management's assessment of internal control is adequate, which significantly contributes to ongoing improvement in federal agency internal control and accountability. Any criteria used to determine when an agency should undergo initial and continual implementation of the requirement for an audit opinion on internal control audit should consider at what point the audit will contribute to this goal. To reasonably ensure that audit opinions on agency internal control over financial reporting are obtained at the proper time and for a reasonable cost, we are making two recommendations to the Director, Office of Management and Budget, as a function of OMB's financial management leadership role: (1) develop specific criteria as to when agencies should initially be required to obtain opinions on internal control over financial reporting and (2) develop criteria as to when agencies have demonstrated a stabilized, effective system of internal control over financial reporting in order to move to a multiyear cycle for obtaining subsequent opinions on internal control. During the years not subject to an internal control audit, agency management would still adhere to a comprehensive ongoing management assessment and reporting process for internal control over financial reporting, as required by the revised Circular No. A-123. In written comments on a draft of this report, OMB agreed with the ultimate goal of improving internal control in the federal government. OMB's comments also highlighted the continued cooperation of GAO and the PCIE and the CFO Council on important issues and stated that OMB looked forward to working together to achieve the joint goal of effective internal control in the federal government. (OMB's comments are reprinted in enc. IV.) Background: Federal agencies have a significant responsibility for accurate and timely accounting, controlling, and reporting of the receipts, disbursements, and applications of public moneys. The Congress has long recognized the importance of internal control, beginning with the Budget and Accounting Procedures Act of 1950,[Footnote 9] which placed primary responsibility for establishing and maintaining internal control squarely on the shoulders of agency management. In 1982, the Congress passed FMFIA, requiring agency heads to establish a continuous process for assessment and improvement of their agencies' internal control and to annually report on the adequacy of internal control. In addition, FMFIA required the Comptroller General to establish internal control standards and OMB to issue guidelines for agencies to follow in assessing their internal control. In December 1982, following FMFIA enactment, OMB issued Circular No. A-123, which included the assessment guidelines required by the act. The Comptroller General issued Standards for Internal Control in the Federal Government in 1983, which was last revised in November 1999.[Footnote 10] We monitored and reported on FMFIA implementation efforts across the government in a series of four reports[Footnote 11] from 1984 through 1989, as well as in numerous reports targeting specific agencies and programs. With each report, we noted the efforts under way, but also emphasized that more needed to be done. In 1989, we concluded that while internal control was improving, the efforts were clearly not producing the results intended. The management assessment and reporting process itself appeared to have become the objective of the annual efforts rather than actually improving internal control, and many serious internal control and accounting systems weaknesses remain unresolved. We have highlighted these long-standing weaknesses in our series of high-risk reports starting in 1990, the most recent of which we issued in January 2005.[Footnote 12] In 1995, OMB made a major revision to its Circular No. A-123 guidance that provided a framework for integrating internal control assessments with other work performed and relaxed the management assessment and reporting requirements, giving the agencies discretion to determine the tools to use in arriving at their annual FMFIA assurance statements. OMB's December 2004 revisions (effective beginning with fiscal year 2006) to Circular No. A-123 are intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting at CFO Act agencies. Major revisions include requiring CFO Act agency management to annually provide a separate assurance statement on internal control over financial reporting in its performance and accountability report, along with a report on identified material weaknesses and corrective actions. The revision also establishes that OMB may, at its discretion, require a CFO Act agency to obtain an opinion on internal control over financial reporting if the agency is not meeting its deadlines as outlined in its corrective action plans. In general, we supported the revisions to Circular No. A-123 as they recognize that effective internal control is critical to improving federal agencies' effectiveness and accountability and to achieving the goals that the Congress established for them.[Footnote 13] The recent revisions to Circular No. A-123 were initiated in response to the new internal control requirements for publicly traded companies that are contained in Sarbanes-Oxley. Under section 404 of Sarbanes- Oxley, management of a publicly traded company is required to (1) annually assess internal control over financial reporting at the company and (2) issue an annual statement on the effectiveness of internal control over financial reporting. The company's auditors are then required to attest to management's assessment as to the effectiveness of its internal control over financial reporting and issue an auditor's opinion as to the effectiveness of internal control over financial reporting. The Joint Study and Key Issues to Consider in Assessing Costs and Benefits: The CFO Council and the PCIE joint study transmits the results obtained from a questionnaire of the IGs for the 24 CFO Act agencies with additional input from the CFO Council's Policies and Practice Committee. A copy of the joint study report is reprinted in enclosure I. The CFO Council and the PCIE acknowledged inherent limitations in conducting the joint study and noted that "performing any sort of meaningful cost/benefit analysis has proven elusive." Specifically, the joint study faced numerous challenges, including (1) identifying and estimating all relevant costs and benefits and (2) a lack of historical data from the agencies on the costs and benefits of implementing the requirement. Because only a few agencies have experience with obtaining audit opinions on internal control over financial reporting, there is limited specific information about the trade-offs between the costs of obtaining an opinion and the benefits provided. The joint study identified general categories of the additional work that it stated drive the cost estimates, along with a qualitative discussion of some benefits. We believe additional factors related to both costs and benefits are also relevant and should be included in considering the cost-benefit of the audit requirement. Methodology, Results, and Conclusion of the Joint Study: To accomplish their objective, the CFO Council and the PCIE, under the leadership of OMB, which chairs both councils, gathered information from the IGs and the CFOs about the costs and benefits of the proposed requirement. The PCIE Audit Committee coordinated the collection of cost and benefit information from the IGs. The Audit Committee Chair sent a questionnaire to the IGs at the 24 CFO Act agencies to gather data on the estimated audit costs and the benefits of performing an examination under the standards of AT§501, Reporting on an Entity's Internal Control Over Financial Reporting,[Footnote 14] which are issued by the American Institute of Certified Public Accountants and incorporated by reference as part of U.S. generally accepted government auditing standards. Enclosure II contains a copy of the PCIE questionnaire used to gather estimated costs and benefits of opining on internal control over financial reporting. The CFO Council and the PCIE acknowledged some limitations in the joint study. For example, they acknowledged that they did not validate the cost estimates submitted by the 24 CFO Act agency IGs. In addition, the study noted that the estimates are "not hard numbers," meaning that they were only overall estimates that were not necessarily based, for example, on the potential number of hours and labor rates that would be included by a contracted auditor in a formal contract proposal. The PCIE Audit Committee summarized the responses from each of the IGs at the 24 CFO Act agencies, and then shared the summary with the respondents to ensure they had accurately captured their comments. The PCIE Audit Committee also shared the results with the CFO Council's Financial Management Policies and Practices Committee[Footnote 15] and incorporated its comments. The draft study was then shared with both the full CFO Council and the PCIE, whose comments were also incorporated. During the final comment period, two additional questions were asked of the CFOs and IGs about the expected benefits of the revised Circular No. A-123 and on obtaining opinions on internal control over financial reporting. Enclosure III contains the two additional questions that were asked of the CFOs and IGs. The CFO Council and PCIE also considered the experiences of publicly traded companies by reviewing numerous articles, surveys, and statements made before regulatory bodies relating to the implementation of section 404 of the Sarbanes-Oxley Act. Of the total reported estimated costs of about $140 million, the joint study attributed about $56 million (40 percent) to internal control audits of the 23 civilian CFO Act agencies, with the balance of $84 million to cover DOD. The joint study notes that driving the cost estimates are the additional work that the auditor would need to perform beyond the requirements of OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements,[Footnote 16] and the GAO/PCIE FAM in order to render an opinion on an agency's internal control over financial reporting. The joint study also noted that the benefits of obtaining an opinion on internal control are difficult to measure. The joint study stated that "benefits can only be described in general terms, making a cost/benefit analysis difficult." Some of the benefits cited were (1) improved internal control and reduced material weaknesses; (2) reduced errors and improved data integrity, documentation reliability, and reporting; and (3) improved agency focus and oversight. The joint study did not quantify these benefits, but noted that these benefits should largely be achieved when agencies effectively implement the revisions to Circular No. A-123. The joint study concluded that (1) most industry experts agree that there are significant incremental costs to obtaining an opinion on internal control over financial reporting; (2) before incurring the additional costs, it would be prudent to see how federal managers implement the revised Circular No. A-123 and to evaluate the private sector's implementation of the internal control provisions of Sarbanes- Oxley when additional information becomes available; and (3) the decision on whether to obtain an opinion needs to be decided on an agency-by-agency basis, depending on the condition of an agency's financial management program. The CFOs and the IGs recommended that all CFO Act agencies should not be required to conduct such an audit at this time. Rather, agencies should be given the opportunity to implement the revised Circular No. A-123, and obtain an internal control audit only where particular circumstances warrant such an audit. Certain Factors That Could Influence Costs and Benefits Not Included in the Joint Study: We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. We agree in part with the study's overall conclusion that agencies should first be given the opportunity to implement the revised Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. Internal control is a fundamental management responsibility. Management, not the auditor, should be the first line of defense and be held accountable for establishing a continuous evaluation process to ensure the adequacy of internal control. However, as discussed later, we also believe that there should be specific criteria for ascertaining when an agency should initially be required to obtain an opinion on internal control. We also recognize that assessing the costs and benefits of obtaining an opinion is difficult and agree there are many challenges inherent to performing cost-benefit analyses on this issue. While the joint study identified categories of additional work that drive the cost estimates along with key benefits, we believe additional factors that could influence costs and benefits are relevant in considering a requirement for audit opinions on internal control. Additional Factors That Could Influence Costs: We identified five additional factors that could influence costs and should be considered: (1) leveraging resources, (2) using an efficient auditor approach, (3) using a staggered implementation approach, (4) implementing a multiyear cycle for an audit opinion on internal control over financial reporting, and (5) applying Sarbanes-Oxley lessons learned. Leveraging resources. In developing cost estimates to obtain an opinion on internal control over financial reporting, consideration needs to be given to fully leveraging the resources already deployed as part of the financial statement audits. For example, it may be possible to leverage the resources deployed to determine compliance with laws and regulatory requirements that were enacted to strengthen internal control or reinforce the significance of effective internal control, such as the following: * OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, which requires auditors of federal financial statements to test and report on agencies' internal control over financial reporting in connection with the audit of the financial statements; * FMFIA, which since its passage in 1982 has called for a continuous process for assessment and improvement of internal control, including control over financial reporting, and an annual assessment and statement of assurance by agency heads; * revised Circular No. A-123, which is intended to strengthen the requirements for conducting management's assessment of internal control over financial reporting; and: * revised Circular No. A-127, which is intended to highlight internal control requirements unique to financial management systems. Leveraging the resources already deployed in other areas of the financial statement audit would help reduce the additional work needed to opine on internal control over financial reporting and therefore decrease the incremental cost. For example, OMB Bulletin 01-02 requires auditors to (1) gain an understanding of internal control over financial reporting, (2) obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA, (3) determine if internal control has been properly designed and placed in operation, (4) assess control risk, (5) perform tests of internal control to determine whether it is effective, and (6) report any identified deficiencies. In meeting the requirements of OMB's Bulletin No. 01-02, auditors are already performing steps that could be leveraged for opining on internal control over financial reporting. As noted in the FAM, audit work performed in connection with OMB Circular No. 01-02 may be sufficient to provide an opinion on internal control over financial reporting. The CFO Council and the PCIE requested and received from the IG community cost estimates to obtain an opinion on internal control over financial reporting. The guidance given to the IG community was to exclude management's cost to support the audit effort or to implement the new requirements of Appendix A to Circular No. A-123.[Footnote 17] Costs incurred to comply with Circular No. A-123 will be incurred irrespective of a requirement to obtain an opinion on internal control over financial reporting. We agree that these costs do not add to the incremental cost of obtaining an opinion on internal control over financial reporting and should not be included in the estimate to perform the opinion-level work. Instead, these activities can be leveraged by the auditors to reduce internal control audit costs. The activities that must be performed for agency compliance with the revised Circular No. A-123 include identifying, documenting, and testing internal control over financial reporting. These are the same types of activities that would have to be performed in conducting an audit of internal control over financial reporting and would offer the auditor the ability to consider the work of management in evaluating the effectiveness of internal control over financial reporting and deciding on the level of audit evidence needed to support an opinion. Specifically, the auditor might decide to consider the work of management as part of the process of gaining an understanding of internal control over financial reporting and in determining the nature, timing, and extent of the auditor's tests. Preparation of such information by management reduces the costs for the auditor to gather the information. This requires close coordination and up-front planning so that the auditor is in a position to leverage management's work. Efficient auditor approach. An audit approach that uses reasoned risk and experience-based auditor judgments in areas such as designing efficient internal control testing and additional flexibility in using the work of others, similar to the approach in the FAM, would provide an efficient and cost-effective means to accomplish audits of internal control. These flexibilities in audit approaches would also help reduce the additional audit work needed to opine on internal control and thus decrease the incremental cost. It is important to note, however, that the standards[Footnote 18] that currently provide the basis for the FAM approach for providing an auditor's opinion on internal control over financial reporting are being revised by the Auditing Standards Board of the American Institute of Certified Public Accountants. The cost of a requirement for internal control opinions in the federal government could be impacted by any future changes to the underlying auditing standards. Staggered implementation approach. Having set criteria as to when an agency should initially be required to obtain an opinion on internal control over financial reporting would be an important cost consideration. As discussed later, not all agencies will be in a position to have efficient internal control audits at this time. For example, in our view, under most circumstances, it would not be prudent for agencies with extensive known internal control weaknesses to pay for opinions on internal control over financial reporting, assuming that an agency acknowledges the seriousness of its problems and is working to remediate those weaknesses. However, in the case of DHS, where the Congress has particular oversight concerns because it is a new agency comprising numerous entities, auditor involvement in overseeing management's efforts to evaluate and report on internal control should be beneficial to both management and congressional oversight. In addition, if management of an agency, such as DHS, which has a significant number of material weaknesses,[Footnote 19] either decides to or is required to report on internal control over financial reporting and is willing to acknowledge the agency's weaknesses in its assurance statement, then there should be very minimal costs for the auditor to issue an adverse opinion on internal control. Multiyear audit cycle. Once agency management has demonstrated effective internal control over financial reporting as evidenced by unqualified opinions issued by an independent external auditor, we believe establishing a multiyear audit cycle could be appropriate. Important to this consideration is that during the years not subject to audit, agency management would still have to comply with the revised Circular No. A-123, which requires agency management to annually assess the adequacy of internal control over financial reporting, provide a report on identified material weaknesses and corrective actions, and provide separate assurance on the agency's internal control over financial reporting. On a multiyear cycle, the audit of internal control over financial reporting would provide independent assurance that management's assessment of its internal control is reliable. This would be a similar quality control practice much like that used in the peer review requirements for audit organizations, which occur every 3 years. Sarbanes-Oxley lessons learned. According to the joint study report, some of the agencies pointed to the higher-than-estimated cost of implementing section 404 of Sarbanes-Oxley as a deterrent to requiring an opinion on internal control over financial reporting in the federal government. However, the private sector internal control environment differs from that of federal agencies. Although many companies in the private sector have been required to maintain effective internal control under the Foreign Corrupt Practices Act of 1977,[Footnote 20] there was no management assessment or reporting requirement until passage of Sarbanes-Oxley. On the other hand, federal managers have been subject to statutory internal control assessment and reporting similar to the requirements of Sarbanes-Oxley since 1982, as well as other numerous legislative and regulatory requirements that promote and support effective internal control. Although these laws and regulatory requirements have not proven fully effective in establishing a strong system of internal control by themselves, taken as a whole, they have long created an environment that has demanded and promoted effective control and management accountability. In November 2005, PCAOB, which, among other things, is charged by Sarbanes-Oxley to issue auditing, quality control, and ethics standards for public company audits, issued a report on the first-year implementation of Sarbanes-Oxley requirement for an audit of internal control over financial reporting performed in conjunction with an audit of financial statements.[Footnote 21] The board's monitoring focused on whether public accounting firms' audit methodologies, as well as firms' execution of those methodologies, have resulted in audits of internal control that are effective and efficient. PCAOB found that both public accounting firms and public companies faced enormous challenges in the first year of implementation, arising from the limited time frame that firms and public companies had to implement the new requirements; a shortage of staff with prior training and experience in designing, evaluating, and testing control; and related strains on available resources. These challenges were compounded in those companies that needed to make significant improvements in their internal control systems to make up for deferred maintenance of those systems. In our review of the lessons learned from the private sector first-year implementation of section 404 of Sarbanes-Oxley, we noted that some of the issues identified that affected the efficiency of the audit and, therefore, the cost of the audit, should not affect CFO Act agencies to the same extent. Proper implementation of the FAM integrated audit approach, which uses reasoned risk, efficient internal control testing, additional flexibilities in using the work of others, as well as other measures, would to a large extent mitigate the inefficiencies noted in the lessons learned for first-year section 404 implementation. Based on the PCAOB report, the following is a summary of the audit lessons learned as a result of the implementation of section 404 of Sarbanes- Oxley. * Some independent public accountants (IPA) did not integrate their audits of internal control with their audits of financial statements. In an integrated audit of the financial statements and internal control, the auditor designs and simultaneously executes procedures that accomplish the objectives of both audits. These objectives are not identical but are interrelated. By not integrating both audits, the auditors may perform additional audit work than would otherwise be necessary, therefore increasing the costs of the audits. * Some IPAs did not effectively apply a preferred top-down approach. To varying degrees, auditors often approached the audit of internal control from the bottom up. Using a top-down approach, the auditor would instead begin by evaluating company-level control and significant accounts at the financial statement level and then work down to relevant individual control at the process, transaction, or application levels. The results of the auditors' testing at each level help the auditor tailor the remainder of the work. Therefore, auditors may be able to reduce tests of internal control, which should result in reduced audit costs. * Some IPAs performed inefficient, and sometimes ineffective, walk- throughs of major classes of transactions because they used different transactions to test each control separately rather than walking a single transaction through the entire process. * Some IPAs did not use the work of others to the extent permitted by PCAOB Auditing Standard No. 2.[Footnote 22] Auditors that more effectively use the work of others as permitted will likely be able to make more efficient use of their own time in performing the audits of internal control. Additionally, in the report, PCAOB noted that the most common reasons why audits were not as effective as expected include the following: * In the face of identified control deficiencies, often discovered late in the audit process, some auditors failed to sufficiently evaluate the adequacy of compensating controls. For example, in some cases, auditors relied on management assertions about compensating controls without testing those controls in operation. * Some IPAs did not perform sufficient testing of the controls over preparing financial statement disclosures. The controls in this area are among the most important in the financial reporting process because of the relatively high risk of material misstatement or omission due to fraud or error. Sufficient testing of controls in this area also can make the auditors' substantive testing of financial statement disclosures more efficient. Further, implementing the requirements of section 404 of Sarbanes-Oxley has put tremendous pressure on the availability of resources in the accounting and auditing profession. For instance, the four largest accounting firms have reported that they have significantly increased their assurance staff in the past 5 years and are expected to continue to experience a significant strain on resources to supply their need for assurance staff in the next 5 years. Additional Benefits: The CFO Council and PCIE joint study identified several important benefits of obtaining an opinion on internal control over financial reporting, such as independent assurance, improved internal control, reduced material weaknesses, reduced errors and improved data integrity, improved documentation reliability and reporting, and improved agency focus and oversight, with which we agree. We believe that there are additional benefits that should also be considered when concluding on the merits of such a requirement. Some of the benefits we identified are not direct benefits of having an opinion on internal control, but they are important indirect benefits that should be considered in concluding on the merits of this requirement. We believe annual independent assessments and audit reporting can also: * Strengthen the work done to support implementation of other laws enacted to enhance internal control or reinforce the significance of effective internal control. Examples include (1) FMFIA, which calls for a continuous process for assessment of internal control, and (2) GPRA, which requires agencies to set strategic and performance goals and measure performance toward those goals. Internal control plays a significant role in helping managers achieve their goals. * Help to improve other efforts, such as cost analyses, budgeting, and performance metrics, through assurances over the reliability of financial and relevant nonfinancial data. For example, the internal control audit would provide additional assurances about internal control over the accuracy of management's estimates of improper payments (over $38 billion reported by the federal government for fiscal year 2005) across federal programs. Identifying improper payments and accurately measuring them over time is an important factor in eventually addressing and reducing them. * Improve monitoring of the effectiveness of an entity's risk management and accountability systems. An audit requirement would not only provide assurance, but would also provide a mechanism for reporting on the extent to which management is carrying out its fundamental responsibilities in establishing and maintaining internal control. Factors to Consider in Establishing Criteria for an Internal Control Audit Requirement: We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. In putting this concept into practice at GAO, we not only issue an opinion on internal control over financial reporting at the federal entities where we perform the financial statement audit,[Footnote 23] including the consolidated financial statements of the U.S. government, but since the early 1990s, we have also obtained an auditor's opinion on internal control over financial reporting in conjunction with the audit of our own annual financial statements. Other agencies have also exhibited such initiative. For example, the Social Security Administration (SSA) and the Nuclear Regulatory Commission received opinions (unqualified and qualified, respectively) on their internal control over financial reporting for fiscal year 2005 from their respective independent auditors. We agree in part with the study's conclusion that CFO Act agencies should first be given the opportunity to implement the revised OMB Circular No. A-123 before there is an across-the-board requirement to obtain an audit opinion on internal control over financial reporting. At the same time, we also believe that specific criteria should be established as to when such an audit initially would be warranted and, therefore, required. Establishing specific criteria will help ensure that current efforts are sustained over time and with changes in administrations. As discussed previously, while management already has the fundamental responsibility to maintain and assess internal control as a key element of properly managing a federal agency, history has shown that sustained financial management progress requires ongoing, active congressional oversight. A requirement for an auditor's opinion on internal control over financial reporting would help ensure that the intended benefits of management's assertion are fully realized and that the Congress, through an independent set of eyes, has an important tool for oversight. Additionally, once effective internal control over financial reporting has been established, as evidenced by an unqualified opinion, the cost of the requirement may be mitigated by implementing a multiyear cycle for the audit opinion on internal control over financial reporting, as noted previously. As we stressed in our February 2005 testimony,[Footnote 24] the auditor's role, similar to its opinion on the financial statements issued by management, would be to state whether the auditor agrees with management's assertion about the effectiveness of its internal control so that the reader has independent assurances about management's assertion. This is especially important when management asserts its internal control is adequate. The following are some key factors to consider when establishing criteria for when to require an auditor opinion on internal control over financial reporting at each entity. * Is management providing an unqualified assurance statement? If so, an auditor opinion can be cost effective and would serve as an independent validation of the reliability of management's conclusions. * What is the effectiveness of management's process for assessing internal control? Even though internal control weaknesses may be reported, an opinion can add value to the reliability of management's process. Further, if there are indications that management's process for assessing internal control is not effective, a targeted, limited scope review of the process could be performed to identify deficiencies in management's process. * What is the current condition of internal control over financial reporting? The condition can be assessed by a number of factors, including: - recent audit opinion findings; - nature of material weaknesses over financial reporting, if any; - reported weaknesses or noncompliance under FMFIA and the Federal Financial Management Improvement Act; - results of OMB Circular No. A-123 assessments; - the President's Management Agenda "Report card" status; and: - percentage or amount of improper payments reported under the Improper Payments Information Act. * Is the agency demonstrating measurable improvements in its internal control? If not, OMB may encourage progress by requiring an audit on internal control over financial reporting, as it may assist agencies to identify and prioritize solutions to long-standing internal control weaknesses. As stated previously, set criteria for when an agency should initially require audits of internal control over financial reporting would be more cost effective and efficient in many cases. For example, DOD has many known material internal control weaknesses. Of the 25 areas on GAO's high-risk list, 14 relate to DOD, including DOD financial management. DOD management is currently working on a long-term plan to remediate its weaknesses, and today it is clearly not even close to being in a position to state that the department has effective internal control over financial reporting. Therefore, little, if any, additional work would be needed for an auditor to render an opinion that internal control over financial reporting was not effective. Thus, the joint study's reported estimate of about $84 million for a DOD internal control opinion does not appear to reflect a reasonable approach to DOD's current situation, and the DOD Inspector General would likely not even contemplate undertaking such an effort at this time. On the other hand, for fiscal year 2005, SSA management reported that SSA had adequate internal control over financial reporting. The auditor's unqualified opinion on internal control over financial reporting at SSA for fiscal year 2005 provided an independent assessment of management's assertion about internal control, which we believe by its nature adds value and credibility similar to the auditor's opinion on the financial statements and provides an external check on the effectiveness of internal control and accountability at SSA. As noted in the joint study, in deciding when to require an opinion on internal control over financial reporting, the facts and circumstances of individual agencies should be considered on a case-by-case basis. For example, as in the case of the recently enacted internal control audit requirement at DHS, the Congress may have particular oversight concerns that could be addressed by an internal control audit. As discussed earlier, because DHS is a new agency comprising numerous entities, the requirement for an internal control audit at this time should be beneficial to both management and congressional oversight. Similar to DOD, DHS has many documented internal control weaknesses, the number and nature of which are so serious they should minimize any additional work and incremental cost necessary to issue an adverse opinion on internal control over financial reporting. On the other hand, it is likely that the requirement for an internal control audit has expedited DHS management's development of remediation plans to correct DHS's internal control weaknesses. In any event, while DHS continues toward remediation of its internal control weaknesses, the current incremental cost to render an opinion on DHS's internal control over financial reporting should be minimal. Conclusions: As the Congress and the American public have increased demands for accountability, the federal government must respond by having a high standard of accountability for its programs and activities. We view auditor opinions on internal control over financial reporting as an important component of monitoring the effectiveness of an entity's risk management and accountability systems. OMB's efforts to enhance Circular No. A-123 through the December 2004 revision and its continued efforts to improve the quality of internal control in the federal government financial management environment reflect substantial progress in both the criteria and expectations for this issue. History, though, has proven that the execution of laws and regulations needs to be monitored to effectively implement and maintain financial management improvement in the federal government. To that end, specific criteria to ascertain when an agency should initially be required to obtain an audit opinion on its internal control over financial reporting are critical to ensuring that the internal control audits fully contribute to the overarching goal of ongoing improvement in federal agency internal control and accountability. Additionally, implementing a multiyear cycle for an opinion on internal control over financial reporting could assist in mitigating the cost of the requirement while still providing an effective quality control mechanism for ascertaining that management's assessment of its internal control is reliable. The benefits identified in the joint study along with the additional benefits we identified, although not quantifiable in monetary terms, clearly indicate that having set criteria as to when an agency should initially be required to obtain an auditor opinion on internal control over financial reporting would be a key oversight mechanism for the Congress and ultimately the American taxpayer. Recommendations for Executive Action: To ensure that audit opinions on agency internal control over financial reporting are obtained at the proper time and for a reasonable cost, we recommend that the Director, Office of Management and Budget, as a function of OMB's financial management leadership role, (1) develop specific criteria related to when an agency should initially be required to obtain an opinion on internal control over financial reporting and (2) consider establishing criteria whereby an agency would qualify for a multiyear cycle for obtaining an audit opinion on internal control over financial reporting, rather than an annual cycle. Such criteria should address the overarching goal of ongoing improvements in federal agency internal control and also consider the facts and circumstances of individual agencies and oversight needs. Agency Comments and Our Evaluation: In comments on a draft of this report, reprinted in enclosure IV, OMB's Deputy Director for Management agreed with the ultimate goal of improving internal control in the federal government. While not specifically addressing our two recommendations, OMB indicated that the most effective and efficient path toward the goal is to give agencies reasonable time to fully implement the requirements of the revised OMB Circular No. A-123 before considering additional requirements. As noted in our report, we agree that agencies should be given the opportunity to implement the revised Circular No. A-123 before there is an across- the-board requirement to obtain an audit opinion on internal control over financial reporting. OMB also provided technical comments, which we reviewed and incorporated as appropriate. We are sending copies of this report to other interested congressional committees and to the Deputy Director of the Office of Management and Budget, who chairs both the CFO Council and the PCIE. Copies will be made available to others upon request. In addition, this report will also be available at no charge on GAO's home page at [Hyperlink, http://www.gao.gov]. If you or your staffs have any questions regarding this report, please contact me at (202) 512-9095 or at williamsm1@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report include Casey Keplinger, Assistant Director; Cherry Clipper; Francine DelVecchio; Gabrielle Fagan; and Tim Guinane. Signed by: McCoy Williams: Director, Financial Management and Assurance: Enclosures - 4: Enclosure I: Joint Study by the Chief Financial Officers Council and the President's Council on Integrity and Efficiency on Estimating the Costs and Benefits of Rendering an Opinion on Internal Control over Financial Reporting: Estimating the Costs and Benefits of Rendering an Opinion on Internal Control over Financial Reporting: A Joint Study by the Chief Financial Officers' Council and the President's Council on Integrity and Efficiency: Table of Contents: Reason for Survey and Recommendations: Executive Summary: Introduction: Where We Are Today: The Federal Environment: New Efforts to Improve Internal Control: Survey Results: Estimating the Cost to Render an Opinion on Internal Control: Identifying the Benefits of Rendering an Opinion on Internal Control: Experiences of Publicly-Traded Companies: Experience Estimating the Cost: First Year Benefits Realized: Conclusion: Objectives, Scope, and Methodology: Attachment A: Table A: Estimated Audit Costs of Opining on Internal Control over Financial Reporting: Table B: Additional Work Required to Render an Opinion on Internal Control over Financial Reporting: Table C: Disadvantages of Opinion on Internal Control over Financial Reporting: Table D: Benefits of Opining on Internal Control over Financial Reporting: Reason for Survey and Recommendations: The Department of Homeland Security Financial Accountability Act, P.L. 108-330, directs the Chief Financial Officers Council (CFOC) and the President's Council on Integrity and Efficiency (PCIE) to conduct a joint study on the potential costs and benefits of requiring the Chief Financial Officers (CFOs) Act agencies to obtain audit opinions on internal control over financial reporting. This report contains the results of that joint study. Because the estimates to render an opinion on internal control are so substantial, both CFOs and Inspectors General (IGs) recommend that all CFO Act agencies should not be required to conduct such an audit at this time. Rather, agencies should be given the opportunity to implement the revised Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, (A-123) and obtain an internal control audit only where particular circumstances warrant such an audit. Executive Summary: Much of the debate on the internal control provisions of Section 404 of the Sarbanes-Oxley Act (Section 404) (which requires management to provide an assessment on the effectiveness of internal control and the auditor to attest to, and report on, the assessment made by management) centers around the costs and related benefits of the additional audit assurance. The value and benefit of rendering a separate opinion on internal control over financial reporting must be balanced against the added costs. Estimating these added costs, however, is challenging given the lack of hard data and the number of factors that go into developing a reliable estimate. Similarly, measuring the benefits of the independent audit assurance is equally difficult since ongoing and new management initiatives and existing audit coverage also contribute to strengthening internal control in the Federal Government. Chief among the management initiatives expected to significantly contribute to improved internal control are the recent revisions to A-123. The cost information provided in this report was developed using estimates and should not be considered "hard" numbers. Moreover, quantifying the incremental benefits of obtaining an audit opinion on the internal control over financial reporting, and hence performing any sort of meaningful cost/benefit analysis, has proven elusive. How does one, for example, assign a dollar value to preventing a misstatement or fraud of an unknown amount that may or may not occur, or may occur with unknown frequency? Federal IGs estimate that the incremental costs of the audit work needed to render an opinion on internal control for all 24 CFO Act agencies would be more than $140.6 million. Approximately 60 percent of this total, or $84.4 million, is the estimate to render an opinion on internal control for the Department of Defense (DoD). For the 24 CFO Act agencies, the average estimated incremental audit cost is approximately 51 percent of the financial statement audit costs, or more than $5.8 million per reporting entity. Excluding the costs to audit DoD's internal control, the average estimated incremental audit cost is reduced to $2.4 million per reporting entity. Although these estimates are not hard numbers and could be less over time as auditors gain more experience developing a fully integrated audit approach, these costs are significant. These numbers also represent only the increased costs directly attributable to the requirement to render an opinion on internal controls. Several Offices of the Chief Financial Officers (OCFOs) believe they also will incur additional costs to support the audit effort. The additional costs that management must incur to support this effort are not part of this report. A majority of the OIGs and OCFOs believe that some benefits may be derived from this type of audit. They cited (1) improved internal control and reduced material weaknesses, (2) reduced errors and improved data integrity, documentation reliability and reporting, and (3) improved agency focus and oversight as the top three potential benefits that may be gained from an opinion on internal control. They also believe that identifying new material weaknesses and reportable conditions are possible benefits. Both groups, however, believe that these benefits should largely be achieved when agencies effectively implement the revisions to A-123. The revisions strengthened the requirements for management's assessment of internal control over financial reporting. Because the IGs assisted OMB in revising A-123, along with the CFOs, there is a level of confidence that, if agencies properly implement A-123, the result should be an effective internal control review and testing program. Therefore, except for the additional assurance provided by an opinion on internal control, the benefits can already be realized from an internal control review program implemented by management (similar to Section 404). An effective and meaningful cost/benefit analysis should not compare the incremental audit costs to all of the benefits that could be achieved through a process similar to that under Section 404. The true benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is fairly presented. It is difficult, if not impossible, to determine the incremental benefit of the auditor's opinion without first knowing how well management does in performing its assessment under the revised A-123. That knowledge will come, at least in part, through the financial statement audit process, as auditors are required to report on an agency's compliance with laws and regulations. While not a formal opinion, it will be a useful tool in helping OMB and other stakeholders assess the implementation effort on the part of federal managers. Based on cost data currently available from the private sector (which is significantly higher than originally projected) and the estimates that are beginning to be developed for the public sector, most industry experts agree that there are significant incremental costs associated with obtaining an opinion on internal control over financial reporting. In addition, there is a general consensus that, at least in the early stages of implementing Section 404, it is difficult to determine the incremental benefits that might be gained from the additional work. Before incurring these additional costs in the Federal sector, the OIGs and OCFOs believe that it would be prudent to take a less costly approach and allow Federal managers to first implement the revised A- 123, and then evaluate that effort, along with the private sector's implementation of Sarbanes-Oxley, as additional information becomes available. And even then, given the inherent differences between agencies, it might be judicious to follow the same logic that forms the basis for A- 123, and implement any incremental work on a case-by-case basis. The decision to obtain an audit opinion must be decided initially by each agency, and other knowledgeable parties, based on the condition of its financial management program. Agencies that already have problems obtaining a clean opinion on their financial statements do not need to obtain an opinion on internal control to tell them they have material weaknesses. On the other hand, some agencies may want the added assurance that is achieved by obtaining an opinion on internal control. Introduction: The Department of Homeland Security Financial Accountability Act, P.L. 108-330, directs the CFOC and the PCIE to conduct a joint study, and to report to the Congress and to the Comptroller General of the United States, on the potential costs and benefits of requiring agencies subject to the CFO Act to obtain audit opinions of their internal control over financial reporting. This report contains the results of that joint effort. Working under the leadership of OMB who chairs both councils, we surveyed the IGs for their estimate of the costs of the incremental audit work and asked the IGs and the CFOs for their input on the challenges and benefits of obtaining an opinion on internal control. In addition, we looked at the experiences of publicly-traded companies which, at this point, have had a year of experience implementing Section 404 of the Sarbanes-Oxley Act. We also considered the environment in which the Federal Government operates which differs considerably from the one in which publicly-traded companies operate. Finally, we considered the anticipated benefits that are expected to be achieved through the revisions to A-123 which become effective in fiscal year 2006. Where We Are Today: The Federal Environment: Unlike the private sector, the Federal Government operates in an environment that is subject to more legislative and regulatory requirements designed to promote and support effective internal control. Although these laws and regulatory requirements have not proven fully effective in establishing a strong system of internal control by themselves, taken as a whole, they have created an environment in which accuracy, timeliness, and accountability have become a maxim for many Federal agencies. Also contributing to this robust control environment are the rigorous existing auditing requirements relating to internal control and the many initiatives implemented by the Administration through the President's Management Agenda (PMA). While the Sarbanes-Oxley Act created a new requirement for managers of publicly-traded companies to report on internal controls over financial reporting, Federal managers have been subject to similar internal control reporting requirements for many years as well as other numerous legislative and regulatory requirements that promote and support effective internal control. The Federal Managers' Financial Integrity Act (FMFIA) of 1982 provides the statutory basis for management's responsibility for and assessment of internal control. In addition, the CFO Act, which was passed in 1990, requires agency CFOs to, "develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls, which . complies with applicable . internal control standards." The Federal Financial Management Improvement Act (FFMIA) of 1996 and OMB Circular No. A-127, Financial Management Systems, instructed agencies to maintain an integrated financial management system that complies with Federal system requirements, Federal accounting standards, and the U.S. Standard General Ledger at the transaction level. The Federal Information Security Management Act of 2002 requires agencies to provide information security controls proportionate with the risk and potential hann of not having those controls in place. The Improper Payments Information Act of 2002 requires agencies to review and ".identify programs and activities that may be susceptible to significant improper payments." The Inspector General Act (IG Act) of 1978, as amended, requires that IGs submit semiannual reports to the Congress on significant abuses and deficiencies identified in their audits, and to recommend actions to correct those deficiencies. Just as Federal agency management has been subject to more stringent internal control requirements than private sector entities, auditors of Federal entity financial statements have traditionally been subject to more rigorous auditing requirements relating to internal control than their counterparts in the private sector. Before the passage of the Sarbanes-Oxley Act and its increased audit requirements, auditing standards in the private sector did not require auditors to test internal control if they did not plan to rely on the internal control in performing their audit. These standards also did not require auditors to publicly report, in writing, internal control deficiencies found during the audit. In contrast, the auditing requirements issued by OMB for audits of agency-wide financial statements under the CFO Act have always required the auditor to perform sufficient tests of internal control to support a low assessed level of control risk for those internal controls that have been properly designed and placed in operation. And since 1981, Government Auditing Standards have required auditors to publicly report, in writing, deficiencies in internal control found during financial statement audits. In addition to legislative and regulatory requirements, initiatives implemented by the Administration have also strongly impacted the Federal control environment. Under the PMA, OMB monitors internal control weaknesses regularly. To receive green, or a successful rating, on the PMA scorecard, agencies must eliminate all internal control weaknesses. Quarterly, OMB monitors agency performance in meeting corrective action plan targets established under the PMA scorecard. Agencies are required to submit corrective action plans to OMB to resolve internal control weaknesses reported. Quarterly, agencies are graded on their progress in achieving the corrective action milestones contained in their plans. Across the government, a total of 13 new weaknesses were reported in FY 2004 - a net increase of two new weaknesses from FY 2003. This increase, albeit small, may be attributed to the accelerated reporting requirement mandated by OMB, which placed greater emphasis on the need for effective financial reporting controls. However, as internal control is strengthened at agencies to routinely meet accelerated reporting dates, internal control weaknesses should be reduced. Total FMFIA material weaknesses and nonconformances decreased by nearly 11 percent. New Efforts to Improve Internal Control: In light of the new requirements for publicly-traded companies contained in the Sarbanes-Oxley Act, OMB re-examined the existing internal control requirements for Federal agencies. As a result, A-123, which implements FMFIA, has been revised to strengthen the requirements for conducting management's assessment of internal control over financial reporting. The circular is effective beginning in fiscal year 2006. A-123 recognizes that there is an appropriate balance between controls and risk in an agency's programs and operations. Too many controls can result in inefficient and ineffective government. The benefit should outweigh the cost. Under A-123, agencies are required to integrate their internal control efforts to meet the requirements of FMFIA with other efforts to improve effectiveness and accountability. Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. Thus the revisions to A-123 require management to strategically evaluate internal control risks and directly test, document, and report on the effectiveness of financial controls. Additionally, existing audit requirements in OMB Bulletin 01- 02, Audit Requirements for Federal Financial Statements, require the auditor to obtain an understanding of the process by which the agency identifies and evaluates weaknesses reported under FMFIA, and to report instances where the agency's FMFIA process failed to detect and report material weaknesses. In keeping with the balance between controls and risk, under A-123 agencies may, at their discretion, elect to receive an audit opinion on internal control over financial reporting. Also, if an agency cannot meet the deadlines outlined in its approved corrective action plan, OMB may, at its discretion, require the agency to obtain an independent audit opinion of the agency's internal control over financial reporting as part of its financial statement audit. Today, three[Footnote 25] of the 24 CFO Act agencies have subjected their internal control over financial reporting to examination. In the most recent report on internal control over financial reporting, one agency received an unqualified opinion, and the other two received qualified opinions because of material weaknesses. The agency that received an unqualified opinion identified reportable conditions. Survey Results: Estimating the Cost to Render an Opinion on Internal Control: Given the IGs' responsibility to audit the financial statements, or to determine the independent external auditor, we asked them to provide an estimate of the cost to render an opinion on internal control over financial reporting. It is important to recognize, however, that estimating the cost to render an internal control opinion is challenging given the lack of hard data and the number of unknown factors that go into developing a strong estimate. While we provide estimated cost information in this report, these estimates should not be considered hard numbers. In a number of responses, the OIGs reported a range for the cost estimate rather than a single dollar amount. In these cases, the cost estimate that we included in our totals and averages reflects the middle of the range provided by the OIGs. These estimates are only for the incremental cost of the additional internal control work required to render an opinion on internal control. They exclude management's cost to support the audit effort, or to implement the new requirements in A- 123, Appendix A. Although we did not collect cost estimates for management's activities, some CFOs believe that additional costs would be incurred. See Table A for information on the estimated incremental audit costs. In addition, to avoid skewing the overall and agency totals, we also provide estimates that exclude the audit costs for DoD. These alternative numbers are useful since there may be limited utility in obtaining an opinion on internal control given the material weaknesses at DoD, and the great uncertainty in developing a cost estimate for a department that has not yet established a baseline cost to audit its financial statements. The estimated costs to render an audit opinion on internal control for all 24 CFO Act agencies is more than $140.6 million, of which $56.2 million, or 40%, is for the 23 civilian CFO Act agencies. The average estimated incremental audit costs are estimated to be approximately 51 percent of the financial statement audit costs, or more than $5.8 million per reporting entity. Excluding DoD, the cost per reporting entity is $2.4 million. The incremental cost estimates ranged from as low as 6.5 percent to more than 100 percent of the cost of the financial statement audit. In dollar terms, these costs ranged from $38,000[Footnote 26] to $84.4 million. The wide range of costs reflects the relative size and complexity of the entity being audited. Driving these costs are the additional work that the auditor would need to perform beyond the requirements of OMB Bulletin 01-02, Audit Requirements for Federal Financial Statements, and the PCIE/Government Accountability Office Financial Audit Manual. in order to render an opinion on an agency's internal control. In general, OIGs believe a substantial amount of additional work would need to be performed in order to render an opinion on internal control, but noted that the extent of additional testing necessary is subject to auditor judgment. Additional or different controls would have to be tested based on management's assessment of those controls and risk factors associated with the entity. In this regard, the auditor would need to evaluate management's own testing and documentation of the controls, assess the criteria used, review the internal control documentation, identify missing controls, test the identified controls, and report on the effectiveness of those controls. See Table B for OIG responses on the additional work needed to render an opinion on internal control. Observation: A number of OIGs and CFOs believe that significant audit costs are a major deterrent to requiring an opinion on internal control. This is especially true when one considers A-123 since the benefits realized by the Federal sector after implementing the revised circular may not be as dramatic as in the private sector, where companies have gone from virtually no internal control reporting to the requirements of Section 404. See Table C for disadvantages reported by the OIGs. Many OIGs and OCFOs commented that the costs associated with obtaining the audit opinion may exceed the benefit that would be derived from the process. As reported above, the OIGs estimated that the additional work could increase the audit fees by more than 50 percent. Although the costs in the later years may drop, the incremental audit costs are expected to be substantial, costing an estimated average of more than $2.4 million. It is questionable whether the benefits from obtaining an audit opinion are substantial enough, beyond those derived from implementing the revised A-123, to justify the incremental audit cost and the costs to support the audit. The OIGs also identified budget constraints as another disadvantage to requiring an opinion on internal control. OIGs commented that some agencies may not be able to obtain the resources, both staff and funding, needed to prepare for a successful audit, let alone the resources needed to perform the audit. One OIG noted that strong performance measures, such as a reduction in financial management costs and improved reporting, be in place to ensure the efficient use of resources before an opinion on internal control is required. Some OIGs commented that their budgets barely cover their costs to meet existing audit requirements. These OIGs felt that if an opinion on internal control is mandated, it must also be funded. They noted that unfunded mandates would be difficult to absorb and would require them to divert resources and fiends from other audit areas that could provide far greater benefits than what an opinion on internal control over financial reporting would provide. Some OIGs and OCFOs also questioned the need to obtain an opinion on internal control in certain circumstances. For example, if an agency is reporting material weaknesses through its financial statement audit process, there is a high likelihood that the auditors would issue a qualified, or disclaimer of, opinion on internal control, adding little benefit for an opinion. Also, if an agency effectively implements the revised requirements of A-123, there may be little value in requiring an opinion on internal control. Several OIGs commented that any new requirements to obtain an opinion on internal control over financial reporting should be implemented gradually, if at all. It should not be a "one size fits all." Any requirement to obtain an opinion on internal control should strike a reasonable balance between the costs and benefits, recognizing the strengthened controls and oversight that already exist in the Federal Government. Identifying the Benefits of Rendering an Opinion on Internal Control: Unlike costs, which to some degree can be estimated, benefits can only be described in general terms, making a cost/benefit analysis difficult. The most easily identifiable benefit is the further independent assurance. Specific OIG responses on the benefits of obtaining an opinion varied, and not all benefits identified are captured in this report. For purposes of effectively analyzing and reporting on the OIG responses, we summarized their responses into seven categories. The seven categories and OIG responses are included in Table D. The OIGs for the three agencies that already provide an opinion on internal control over financial reporting identified several benefits to obtaining an opinion on internal control over financial reporting. Specifically, all three reported (1) improved internal control and reduced material weaknesses, and (2) reduced errors and improved data integrity, documentation reliability and reporting as benefits of the additional work. Two of the OIGs also reported identifying new material weaknesses and reportable conditions as benefits from this process. One OIG reported improved agency focus and oversight as an additional benefit. None of the three OIGs could quantify the benefits realized. Most of the OIGs of agencies that do not provide an opinion on internal control over financial reporting believe that benefits may be derived from this type of audit. Their answers were similar to answers provided by their counterparts at agencies that do provide an opinion on internal control. They also cited a third benefit --improved agency focus and oversight. Six OIGs also reported the detection of new material weaknesses and reportable conditions as possible benefits. Four OIGs reported that there is little or minimal benefit in obtaining an opinion on internal control over financial reporting. For example, if an agency receives a clean opinion, has no material weaknesses or reportable conditions, and actively corrects the identified internal control deficiencies; new material weaknesses may not be identified. Conversely, in situations where an agency has existing material weaknesses, it may not be an efficient use of resources to require an opinion on internal control over financial reporting until the material weaknesses are resolved. Observation: The benefits identified above should largely be achieved by a number of management and audit initiatives that are currently underway, and cannot be attributed solely to an opinion on internal control. Specifically, many of these benefits should be achieved when agencies effectively implement the revisions to A-123[Footnote 27] which strengthened the requirements for management's assessment of internal control over financial reporting. Because the IGs assisted OMB in revising A-123, along with the CFOs, there is a level of confidence that, if agencies properly implement A-123, the result should be an effective internal control review and testing program. Therefore, except for the additional assurance provided by an opinion on internal control, the benefits can already be realized from an internal control review program implemented by management (similar to Section 404). In addition, the financial statement audits as currently conducted include tests of compliance with laws and regulations, which will provide an independent check on agencies' A-123 implementation efforts. In addition, as part of the financial statement audit, the auditor must already (1) obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA and related agency implementing procedures, and (2) compare material weaknesses disclosed during the audit with those material weaknesses reported in the agency's FMFIA report that relate to the financial statements and document material weaknesses disclosed by the audit that were not reported in the agency's FMFIA report. The auditor must also consider whether the failure to detect and report material weaknesses constitutes a reportable condition or material weakness in the entity's internal control. Other initiatives currently underway that contribute to the achievement of the above benefits include the process and control improvements resulting from accelerated reporting, and the focus on internal control in the Executive Scorecard that rates agencies' performance in meeting the PMA initiative on improving financial management. An effective and meaningful cost/benefit analysis should not compare the incremental audit costs reported above to all of the benefits that could be achieved through a process similar to that done under Section 404. The real benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment of its internal control is fairly presented. It is difficult, if not impossible, to determine the incremental benefit of the auditor's opinion without first knowing how effectively management performs on its assessment under the revised A-123. To some extent, this assessment will be done under the current requirements for Federal financial statements since the auditor must obtain an understanding of the process by which the agency identifies and evaluates weaknesses required to be reported under FMFIA and to report instances where the reporting entity's FMFIA process failed to detect and report material weaknesses. Beginning in fiscal year 2006, this process will be done using the revised A-123 which strengthened management's assurance statements process. Experiences of Publicly-Traded Companies: In addition to surveying the OIGs and OCFOs, we also reviewed information about the private sector to provide additional insight on the costs, benefits, and challenges of obtaining an opinion on internal control over financial reporting. The information is drawn from articles on the costs, and associated benefits, of complying with the Sarbanes-Oxley Act and statements made by representatives of public companies, members of audit committees, and auditors who testified before the Securities and Exchange Commission on their experiences implementing the Act. We did not corroborate this information. Experience Estimating the Cost: Initial cost estimates to comply with the Sarbanes-Oxley Act were low. Studies conducted by an association for financial executives[Footnote 28] found that total costs, including the costs of management's assurance assessment, averaged $4.36 million. These costs were up 39 percent from the $3.14 million they expected to pay initially. Total cost of compliance averaged $1.34 million for internal control, $1.72 million for external costs, and $1.30 million for auditor fees. The auditor fees are in addition to companies' financial statement audit fecs, on average 57 percent higher. Data in another study[Footnote 29] from 90 Fortune 1000 companies [Footnote 30] who are audited by the nation's four largest accounting firms[Footnote 31] shows that issuers spent substantial stuns to comply with the new reporting requirements. On average, the companies in the sample each spent $7.8 million to implement Section 404 overall. Audit fees accounted for approximately one quarter of the total compliance costs, or an average of $1.9 million. Some have suggested that Section 404 compliance costs will decline over time, pointing to one-time start-up expenditures and "learning curve" costs that typically occur with any new reporting requirement. Others have suggested that first year costs include deferred maintenance of internal control systems that have been allowed to degrade. If these views are correct, compliance costs would be expected to decline over time. Survey responses by audit firms support this hypothesis. On average, audit firm respondents believe that the total 2005 compliance costs of the clients in the sample, including Section 404 audit fees, will average $4.2 million - 46 percent less than the estimated 2004 costs. First Year Benefits Realized: A primary benefit cited by many observers is that the heightened attention to internal control will enhance the reliability of financial statements by helping companies to identify internal control deficiencies and remediate these deficiencies in a timer manner. To assess the full effects of the new reporting requirement, Charles River Associates[Footnote 32], a consulting firm, sampled 90 Fortune 1000 companies to gather information about the total number of deficiencies identified by the issuer or the auditor in the Section 404 process regardless of whether the deficiency was remediated prior to the year- end assessment date.[Footnote 33] On average, for year-end 2004, management and the independent auditor identified 348 deficiencies per company. Of these, management remediated an average of 271 deficiencies prior to their year-end assessment date. The remaining 77 deficiencies are expected to be remediated in the future. Of the unremediated deficiencies, almost 96 percent were classified as control deficiencies not rising to the level of a significant deficiency or material weakness. The data showed an average of 74 control deficiencies and three significant deficiencies per company still existed at year-end. A total of five material weaknesses were unremediated as of the year-end assessment date across the 90 companies for which data was available.[Footnote 34] Observation: Recognizing that the number of the findings per company is quite substantial, the number of material weaknesses for 90 companies was low, with only five unremediated material weaknesses at the end of the assessment period. The cost for 90 companies to identify these material weaknesses, however, was significant, totaling $702 million.[Footnote 35] Also, on the whole, it is difficult to imagine that Federal agencies would identify the same number of deficiencies that publicly-traded companies identified in their first year of implementing Section 404. Although companies in the private sector have been required to maintain effective internal controls under the Foreign Corrupt Practices Act of 1977, many behavioral changes did not occur until the Sarbanes-Oxley Act. The same cannot be said of the Federal Government, which has seen tremendous improvements in financial management practices in the past 15 years. Passage of key legislation, more congressional oversight on financial management matters, hiring highly recognized CFOs from the corporate world, and the PMA have all contributed toward creating an environment that supports strong internal control. Many of the articles and links that we used in conducting this study are included in Attachment A. Conclusion: Based on data currently available from the private sector and the estimates that are beginning to be developed for the public sector, most industry experts agree that there are significant incremental costs to obtaining an opinion on internal control over financial reporting. In addition, there is a general consensus that, at least in the early stages of implementing Section 404, it is difficult to determine the incremental benefits that might be gained from the additional work. The critical question which needs to be addressed in assessing the benefits of obtaining an audit opinion on internal controls is whether the benefits derived significantly exceed the results of agencies' implementation of the revised A-123. Before incurring these additional costs, it would be prudent to see how Federal managers implement the revised A-123 and evaluate the private sector's implementation of Sarbanes-Oxley when additional information becomes available. And even then, given the inherent differences between agencies, it would be judicious to implement the incremental work on a case-by-case basis. The decision on whether to obtain an opinion needs to be decided by each agency, and other knowledgeable parties, depending on the condition of its financial management program. Agencies that already have problems obtaining a clean opinion on their financial statements do not need to obtain an opinion on internal control to tell them they have material weaknesses. On the other hand, agencies that believe they are leading organizations may want the added assurance that can be achieved by obtaining an opinion on internal control. Objectives, Scope, and Methodology: The objective of our study was to gather information on the potential costs and benefits of requiring the CFO Act agencies to obtain audit opinions on internal control over financial reporting. To accomplish this objective, the CFOC and the PCIE, under the leadership of OMB, who chairs each council, canvassed the Federal community for their input. OMB requested that the PCIE Audit Committee coordinate the collection of cost and benefit information from the IG community. The Audit Committee Chair sent a questionnaire to the IG community to gather data on the estimated audit costs and the benefits of performing an examination under the standards of AT § 501, Reporting on an Entity's Internal Control Over Financial Reporting. The Audit Committee received responses from each of the IGs at the 24 CFO Act agencies and then summarized the information. We shared the summary with the respondents to ensure that we had accurately captured their comments. To gather input from the CFOs on the challenges and benefits of obtaining an opinion on internal control, we shared the results of the IG survey with the CFOC's Policies and Practices Committee and incorporated their comments. We then shared the draft study with the full PCIE and CFOC whose comments and insights were also subsequently incorporated. During this final comment period, we also asked the members to respond to two questions about the expected benefits of A- 123 and obtaining an opinion on internal control. Because publicly-traded companies had one year of experience implementing Section 404, we also looked at their experiences. We considered these experiences in light of the different environments in which the Federal Government and publicly-traded companies operate. We also considered the revisions to A-123, effective beginning in fiscal year 2006, which has many similarities to Sarbanes-Oxley. We did not ask for supporting documentation on how the OIGs developed the cost estimates and we made some interpretation in analyzing the results. We reviewed numerous articles, surveys, and statements made before regulatory bodies relating to the implementation of Section 404 of the Sarbanes-Oxley Act. We did not, however, review all statements made before regulatory bodies. Attachment A: Below are some of the links to articles or studies that we used that provide cost/benefit information related to implementation of Sarbanes- Oxley or similar requirements related to reporting on internal control over financial reporting. 1. http://www.nysscpa.org/cpajournal/2004/1104/perspectives/p6.htm 2. http://www.404institute.com/docs/SOXSurveyJuly.pdf: 3. http://www.managementconsultancy.co.uk/news/1137963: 4. http://www.usatoday.com/money/companies/regulation/2003-10-19- sarbanes_x.htm: 5. http://www.auditnet.org/articles/Sarbanes- Oxley_Implementation_Costs.pdf 6. http://www.cfo.com/index.cfm/1_emailauthor/3661477/c_3661527/2984986 7. http://www.cfo.com/article.cfm/3010299/l/c_3046597?f=TIFarticle021105: 8. http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci103135 7,00.html 9. http://www.404institute.com/archived_results.aspx 10. Word document: Sarbanes-Oxley for Feds.doc: PDF: SO Act Section 404 Practical Guide July 2: PDF: Federal Agencies - Will Sarbanes-Oxley: Word Document: SOX 404.doc: Word Document: Audit Fees Double Due to Sarbox.doc: 11. http://accounting.smartpros.com/x46291.xml: 12. http://accounting.smartpros.com/x42491.xml: 13. http://www.eweek.com/article2/0,4149,1238790,00.asp 14. http://techupdate.zdnet.com/techupdate/stories/main/Sarbanes_Oxley_Compl iance_Spending.html?tag=tu.fd.css.link 15. http://www.cfodirect.com/: 16. http://www.amrresearch.com/content/resourcecenter.asp?id=429# 17. http://www.fei.org (numerous Sarbanes-Oxley articles and resources) 18. http://www.sec.gov/spotlight/soxcomp.htm: Supporting Tables: Table A: Estimated Audit Costs of Opening on Internal Control Over Financial Reporting: [See PDF for Image] Total Cost for 24 CFO Act Agencies: $140,637,980: Total Cost for 23 Civilian CFO Act Agencies: $56,287,980: Average Cost per Agency to Render an Opinion on Internal Control: 24 CFO Act Agencies: $5,859,916: 23 Civilian CFO ACt Agencies: $2,447,303: * = Agency previously has obtained an opinion on internal controls. ** = Audit Costs include significant OIG and/or independent Public Accountant costs to conduct the financial statement audit but exclude CFO preparation costs related to the audits. *** = When an agency provided a range of the cost estimate or percent, the mid-level range was used to calculate the cost or the percent amounts. [End of Table] Table B: Additional Work Required to Render an Opinion on Internal Control Over Financial Reporting: Agency: AID; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: DHS; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: DOC; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: X. Agency: DOD; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOE; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOI; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOJ; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: X; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOL; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: DOT; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: ED; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: X; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: EPA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: GSA*; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: HHS; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: HUD; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: NASA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: NRC*; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: NSF; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: X. Agency: OPM; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: SBA; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: X; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: SSA*; Test Additional/Different Controls Based On Management's Assessments: More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: X; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: X; Minimal additional testing/or no answer: Agency: State; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: Treasury; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: X; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: USDA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: X; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Agency: VA; Test Additional/Different Controls Based On Management's Assessments: X; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: Minimal additional testing/or no answer: Sum Totals; Test Additional/Different Controls Based On Management's Assessments: 18; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 13; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 6; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 2; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 9; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 5; Minimal additional testing/or no answer: 2. Opinion; Test Additional/Different Controls Based On Management's Assessments: 2; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 2; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 0; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 1; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 0; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 2; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 0; Minimal additional testing/or no answer: No Opinion; Test Additional/Different Controls Based On Management's Assessments: 16; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 11; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 6; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 1; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 2; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 7; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 5; Minimal additional testing/or no answer: 2. All 24; Test Additional/Different Controls Based On Management's Assessments: 75%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 54.2%; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 25%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 8.3%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 8.3%; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 37.5%; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 20.8%; Minimal additional testing/or no answer: 8.3%. Opinion; Test Additional/Different Controls Based On Management's Assessments: 8.3%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 8.3%; Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 0.0%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 4.2%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 0%; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 8.3:; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 0%; Minimal additional testing/or no answer: 0%. No Opinion; Test Additional/Different Controls Based On Management's Assessments: 66.7%; More Planning and Coverage Of Cycles, Understanding, Identifying, Documenting, Reviewing, Internal Control and Activities/Other Components of Internal Control: 45.8% Management Must document/Test Internal Control; Inadequate Documentation/ Testing May Cause Rework or Increase in Scope: 25%; Number/Severity of Control Deficiencies and Evaluation and Classification of Control Deficiencies Will increase level of work: 4.2%; Won't be Able to Rotate Testing of Controls or Totally rely on Other Firm's Work, thus Increasing the Amount of testing: 8.3%; New or Modified systems Processes; Controls can increase the scop of work; Will have to document/test IT/ General and Application Controls Testing Increase: 29.2%; Reporting- Extra Time needed to Complete Auditor's Report, including Consultation of Wording of report: 20.8%; Minimal additional testing/or no answer: 8.3%. * Agency previously has obtained an opinion on internal control. [End of Table] Table C: Disadvantages of Opining on Internal Control Over Financial Reporting: [See PDF for Image] [End of Table] Table D: Benefits of Opining on Internal Control Over Financial Reporting: [See PDF for Image] [End of Table] To access the Joint Study, see www.ignet.gov/randp/rpts1.html#2005. [End of Section] Enclosure II: PCIE Survey - "Estimated Audit Costs of Opining on Your Agency's Internal Control over Financial Reporting in Accordance with AT§501 of the Professional Standards and Related Information" Estimated Audit Costs of Opining on Your Agency's Internal Control over Financial Reporting In Accordance with AT §501 of the Professional Standards And Related Information: Costs: 1. Have you been providing an opinion on your agency's internal control over financial reporting? If so, for how long. What opinion(s) was rendered? 2. For agencies already engaged in opining on internal control over financial reporting, what was the estimated total dollar cost of performing the work to obtain the opinion? Include only the cost to the OIG, not management's costs to support the audit effort or to implement the new requirements of Appendix A to Circular A-123. Please provide only the incremental costs of the additional internal control work required to render an opinion over the internal control work required by OMB Bulletin 01-02, for the first year the opinion was rendered. If the costs are inseparable from the overall financial statement audit costs, please provide an estimate of the incremental cost. 3. For those agencies that have not previously performed opinion level work, please provide the best estimate of cost that you can. Include only the estimated cost to the OIG, not management's estimated costs to support the audit effort or to implement the new requirements of Appendix A to Circular A-123-For those agencies contracting for the financial statement audits, you probably need to seek the input of your engagement partner. You may provide a range of the estimated cost or state it as a percentage of the financial statement audit costs, if that is more reasonable. Also, please provide any assumptions made and any other contextual basis for your estimate. 4. What is the total cost of the annual financial statement audit for the years for which you provided an estimate of the cost of an opinion on internal control over financial reporting? This will help provide context for the cost of the additional internal control work. Additional Work Required: For those agencies that already render opinions on their agencies' internal control, please answer questions 5 and 6 based on your actual experience. For those agencies that do not render opinions on their agencies internal control, please provide your thoughts on the additional work you believe would be needed for your agency. 5. What additional work beyond what is currently performed to meet the requirements of OMB Bulletin 01-02 and the PCIE/GAO Financial Audit Manual (FAM) do you believe would need to be performed, in order to render an opinion on your agency's internal control? For example, would you need to consider additional or different control activities? Would you need to increase the extent of your testing of internal control? Other? 6. How would you characterize the extent of additional work required to render an opinion on internal control over what is currently required by Circular 0 1-02 and the FAM? (Please select from the following choices: Substantial, Moderate or Minimal/None.) Benefits: 7. For those agencies that have already provided an opinion on internal control over financial reporting, what benefits to your agency have you observed from the process? Have you observed any disadvantages? If so, please describe. This should be based on your observations and experiences. For example, did you identify additional material weaknesses and / or reportable conditions not previously identified? Are there other benefits to you or your agency in doing this work? Please provide some context concerning the state of internal controls prior to performing work to render an opinion on controls over financial reporting. 8. For those agencies that have not been performing the work for an opinion on internal control over financial reporting, what do you believe would be the perceived benefits to your agency of obtaining an opinion on internal control? For example, do you believe additional material weaknesses or reportable conditions would be identified? Other benefits? Please provide some context concerning the current state of internal controls over financial reporting. 9. What would be the disadvantages to obtaining an opinion on internal control in your agency? 10. Please provide copies of any articles / studies or links to web sites that you are aware of that provide cost / benefit type information related to implementation of Sarbanes Oxley or similar requirements related to reporting on internal control over financial reporting. 11. Please feel flee to provide any other input or comment regarding the cost and benefits of obtaining an opinion on internal control over financial reporting: [End of Section] Enclosure III: Two Additional Questions Asked of the CFOs and IGs about the Expected Benefits of Circular A-123 and Obtaining an Opinion on Internal Control: Two Additional Questions Asked of the CFOs and IGs about the Expected Benefits of Circular A-123 and Obtaining an Opinion on Internal Control: 1. The study observes that many of the identified benefits of an audit opinion on internal control will be achieved if agencies effectively implement the revisions to Circular A-123. In addition to the revised A- 123, many existing management and audit activities contribute to these same benefits. The real benefit of the auditor's opinion on internal control is the added independent assurance it provides that management's assessment is fairly presented. Do you agree with these statements? 2. Do you believe that the additional costs associated with going beyond the requirements of the revised Circular A-123 to render an opinion on internal control are commensurate with the added benefits that would be a gained? [End of Section] Enclosure IV: Comments from the Office of Management and Budget: Executive Office Of The President: Office Of Management And Budget: Washington, D.C. 20503: Deputy Director For Management: August 23, 2006: Mr. McCoy Williams: Director, Financial Management and Assurance: United States Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Williams: Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report GAO-06-2558, Cost and Benefit Review of Internal Control Audits. Overall, the Office of Management and Budget (OMB) agrees that our ultimate goal is to improve the internal control within the Federal government. We continue to believe the most effective and efficient path toward this goal is to give agencies a reasonable time to fully implement the requirements of the OMB Circular No. A-123, Management's Responsibility for Internal Control. We also believe it is prudent to further observe the implementation of the Sarbanes-Oxley Act in the private sector. This will allow time for the auditing standards surrounding an opinion on internal control over financial reporting to stabilize before considering additional requirements within the Federal government. We appreciate the continued cooperation between GAO, the President's Council on Integrity and Efficiency (PCIE) and the Chief Financial Officers Council (CFOC) on important issues such as the topic of this report and the related cost/benefit study conducted by the PCIE and CFOC. We look forward to working together to achieve our joint goal of maintaining effective internal control within the Federal government. If you have any additional questions or comments, please feel free to contact Danny Werfel in the Office of Federal Financial Management at 202-395-3993. Signed by: Clay Johnson III: Deputy Director for Management: [End of Section] (195089): FOOTNOTES [1] The CFO Council is an organization comprised of the CFOs and Deputy CFOs of the 24 CFO Act agencies, senior officials in the Office of Management and Budget (OMB), and the Department of the Treasury who work collaboratively to improve financial management in the U.S. government. [2] The PCIE was established in May 1992 to (1) address integrity, economy, and effectiveness issues that transcend individual government agencies and (2) increase the professionalism and effectiveness of inspector general personnel throughout the government. The PCIE is composed primarily of the presidentially appointed inspectors general. Officials from OMB and the Federal Bureau of Investigation, Office of Government Ethics, Office of Special Counsel, and Office of Personnel Management serve on the PCIE as well. [3] See 31 U.S.C. § 901(b)(1) for a list of agencies. [4] Both the PCIE and the CFO Council are chaired by OMB's Deputy Director for Management. [5] OMB Circular No. A-123, Management's Responsibility for Internal Control (revised December 2004). [6] Pub. L. No. 107-204, § 404, 116 Stat. 745, 789 (July 30, 2002). [7] In conducting the joint study, the CFO Council and the PCIE did not verify the cost data included in the report and our scope of work did not include independent validation of the cost information. [8] "Reporting on an Entity's Internal Control over Financial Reporting," AT Section 501, Codification of Statements on Auditing Standards, American Institute of Certified Public Accountants. [9] Pub. L. No. 81-784, 64 Stat. 832 (Sept. 12, 1950). [10] The Comptroller General revised the standards in 1999, based on developments in internal control theory, including the internal control framework recommended in the report of the Committee on Sponsoring Organization of the Treadway Commission, the effects of information technology, and the passage of a series of landmark reforms. GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00- 21.3.1 (Washington, D.C.: November 1999). [11] See (1) GAO, Implementation of the Federal Managers' Financial Integrity Act: First Year, GAO/OCG-84-3 (Washington, D.C.: Aug. 24, 1984); (2) GAO, Financial Integrity Act: The Government Faces Serious Internal Control and Accounting Systems Problems, GAO/AFMD-86-14 (Washington, D.C.: Dec. 23, 1985); (3) GAO, Financial Integrity Act: Continuing Efforts Needed to Improve Internal Control and Accounting Systems, GAO/AFMD-88-10 (Washington, D.C.: Dec. 30, 1987); and (4) GAO, Financial Integrity Act: Inadequate Controls Result in Ineffective Federal Programs and Billions in Losses, GAO/AFMD-90-10 (Washington, D.C.: Nov. 28, 1989). [12] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [13] GAO, Financial Management: Effective Internal Control Is Key to Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005). [14] This section of the Attestation Standards, issued by the American Institute of Certified Public Accountants, provides the standards for the practitioner who is engaged to issue or does issue an examination report on the effectiveness of an entity's internal control over financial reporting. This section is currently under revision. [15] The CFO Council's Financial Management Policies and Practices Committee is comprised of representatives from federal agencies who work collaboratively to identify and address emerging issues. [16] OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, was recently superseded by the updated audit requirements included in OMB Bulletin No. 06-03, Audit Requirements for Federal Financial Statements (Aug. 23, 2006). [17] Appendix A to Circular No. A-123 provides a methodology for agency management to assess, document, and report on internal control over financial reporting. [18] See footnote 14. [19] In the case of DHS, as part of the audit of its fiscal year 2005 financial statements, the auditor in disclaiming its opinion on the financial statements reported 10 material weaknesses and 2 reportable conditions. Individually and collectively, these problems are very serious. [20] Pub. L. No. 95-213, 91 Stat. 1494 (Dec. 19, 1977). [21] Public Company Accounting Oversight Board, Report of the Initial Implementation of Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," PCAOB Release No. 2005-023 (Washington, D.C.: Nov. 30, 2005). [22] Pursuant to 15 U.S.C. §7213, PCAOB issued Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit on Financial Statements, PCAOB Release No. 2003-017 (Washington, D.C.: Oct. 7, 2003). PCAOB has recently announced that it is considering amending this standard. [23] Currently, we perform financial statement audits at the Federal Deposit Insurance Corporation, the Internal Revenue Service, the Securities and Exchange Commission, and the American Battle Monuments Commission. [24] GAO, Financial Management: Effective Internal Control Is Key to Accountability, GAO-05-321T (Washington, D.C.: Feb. 16, 2005). [25] The General Services Administration (GSA), the Nuclear Regulatory Commission, and the Social Security Administration have obtained an opinion on internal control over financial reporting for 12 years, 10 years, and 8 years, respectively. GSA, however, has not subjected its internal control over financial reporting to an audit since fiscal year 2003. [26] The actual costs, however, could be higher than the estimates which were reported. One agency reported a cost of $38,000 but they qualified the amount, noting that it was the amount bid five years ago before the Sarbanes-Oxley Act was implemented. The agency believes that these costs would be significantly higher in the outgoing years. [27] The revised A-123 now requires Federal managers, as a subset of FMFIA Section 2 reporting, to provide an assurance statement on internal control over financial reporting. To make this assurance statement, the agency must establish a senior assessment team to ensure that staff or contractors carry out the assessment in a thorough, effective, and timely manner. If A-123 is effectively implemented, the assessment team will be able to conclude whether the design and operation of the internal controls over financial reporting were effective or whether material weaknesses exist in the design or operation of internal control over financial reporting. To evaluate internal control at the process, transaction or application level, the assessment team must: (1) determine significant accounts; (2) identify and evaluate major classes of transactions; (3) understand the financial reporting process; (4) gain an understanding of control design to achieve management's assertions; and (5) test controls and assess compliance to support management's assertions. [28] Financial Executives International (FEI) Survey: Section 404 Costs Exceed Estimates. Copyright 2005 FEI. http://www.fei,org/ 404_survey_3_21_05.cfm. 3 21: [29] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://www.sec.gov/spotlight/soxcomp/ soxcom-all-attach.pdf. [30] The average company revenues were $8.1 billion. [31]Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, and PricewaterhouseCoopers LLP. [32] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://www.sec.gov/spotlight/soxcomp/soxcom-all-attach.pdf. [33] For Section 404 purposes, management and the independent auditor are required to disclose in their public reports only material weaknesses that exist as of the year-end assessment date. Whether deficiencies are identified by management or the auditor, management may implement new controls or strengthen existing procedures to correct deficiencies before the company's year-end assessment date, in effect remediating these potential problems. By identifying and remediating control deficiencies during the year, fewer material weaknesses are likely to be reported. [34] If a deficiency was remediated prior to the year-end assessment date, management and the auditors would not necessarily have evaluated whether it would have been a significant deficiency or a material weakness as defined by the Public Company Accounting Oversight Board Auditing Standard No. 2. Therefore, the number of deficiencies remediated prior to the year-end assessment date was collected in the aggregate without determination as to whether some would have been classified as significant deficiencies or material weaknesses. [35] Charles River Associates, Sarbanes-Oxley Section 404 Costs and Remediation of Deficiencies: Estimates From a Sample of Fortune 1000 Companies, CRA No. D06155-00. http://sec.gov/spotlight/soxcomp/soxcom- all-attach.pdf. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: