FISMA provides a model for agency financial compliance

Agencies to adopt Sarbanes-Oxley for government

Among activities to comply with OMB's revised Circular A-123 on internal controls, agencies need to:

  • Form a senior management council that includes the chief financial officer, CIO and representatives of major business units to determine how to implement the controls and monitor progress

  • Broaden scope beyond financial data to include internal controls at program level and performance measures

  • Test internal controls for risk

  • Document results

  • Develop corrective actions if needed

  • Retest

  • Report assessment in management assurance statement

  • Recycle useful data from other reporting requirements for Federal Information Security Management Act, Improper Payments Improvement Act, Federal Financial Management Improvement Act.

OMB's David Zavada says agencies will have to implement internal controls by Oct. 1, 2006.

Sasan Afsoosi

Agencies trying to implement internal financial controls by next October are taking a cue from the way they comply with federal security requirements.

Agencies must review their key financial activities, document the controls and test their effectiveness. The pro-cess is similar to security certification and accreditation, said David Zavada, branch chief for the Financial Standards and Grants Branch in the Office of Management and Budget's Office of Federal Financial Management.

Internal controls will let agencies produce data more quickly and accurately, which officials said will translate into savings.

To comply with the Federal Information Security Management Act, agencies must certify and accredit IT systems. FISMA compliance also includes checking systems for internal controls, said Susan Grant, Energy Department chief financial officer.

Do it with FISMA

'We'll be able to authenticate some systems (for internal controls) through FISMA reporting,' Grant said at a recent event sponsored by the Bethesda, Md., chapter of the Armed Forces Communications and Electronics Association.

An example of an internal control would be an agency performing routine reconciliation and analysis of its accounts throughout the year instead of just annually or quarterly, Zavada said.
OMB will use the President's Management Agenda scorecard to drive implementation of internal controls under its revised Circular A-123.

OMB will list milestones for establishing internal controls as part of the PMA scoring during fiscal 2006, Zavada said. Agencies must implement internal controls by Oct. 1, 2006, the start of the federal fiscal year.

OMB timetable

By next June, OMB will require agencies to submit a statement assuring the effectiveness of their internal controls. The management assurance statement, to accompany the fiscal 2006 financial report, will include a summary of major agency weaknesses and corrective actions.

OMB this month will detail best practices to help agencies put internal controls in place and start providing feedback on the plans agencies submitted in August for implementing internal controls, Zavada said.

Internal controls are not just the chief financial officer's responsibility anymore, said Linda Combs, OMB controller.

'My dream is for every program manager to be a financial manager, or act like one. With internal controls, they will be able to make use of the data on a daily basis to make good financial decisions,' she said at another recent event sponsored by Input of Reston, Va.

Controls also are not just for financial data and the systems that process and integrate the data, Energy's Grant said.

'I want business units to be responsible,' she said.

Grant is encouraging Energy's business managers to adopt internal controls as a part of their performance.

For example, the de- partment might apply a pay-for-performance system linking senior executives' pay to how well their divisions adhere to the standards, she said.

The tighter accountability fostered by internal controls should improve cost estimating and budgeting for programs, she said.

'I'm requiring quarterly as- sessments by program units starting in 2006. Plus I do monthly reviews. I don't want a herculean effort once a year,' Grant said.

To the next level

Internal controls have been part of the financial management component of the PMA, but the documentation and management assurance statement will take agencies to the next level of accountability, Zavada said.

Internal controls are the foundation of agency missions, but it will cost agencies to comply, said Robert Suda, assistant commissioner of the Office of IT Solutions in the General Services Administration's Federal Technology Service.

'There will be an increase in cost in the first-year assessment, but after that it should save money,' he said.

Energy is shifting internal funds to comply, Grant said.

The Justice Department is forming a governance structure to help push out implementation of internal controls through a senior management council made up of department senior executives and component assessment teams, said Neil Ryder, assistant director of the Justice Management Division's program review office.

The requirements have been around for several years, but now implementation is being required, Ryder said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above