Getting a grip on internal controls
Internal controls are fundamentals of accounting, but that doesn't make it easy for agencies to implement them under Circular A-123.
It's a relatively new thing for IT divisions to address internal controls for quarterly financial reporting, just as it was for financial divisions to consider IT issues in developing financial management systems, said Jerry Wil- liams, deputy CIO for the Agriculture Department.
And although the Office of Management and Budget lets agencies recycle their internal controls documentation from other re- quired reporting, inconsistencies occur in timing and definition, making it hard to coordinate, he said.
'We have to figure out how to tie together statutory requirements,' Williams said.
For example, agencies must certify and accredit IT systems under the Federal Information Security Management Act, which covers access controls in IT systems as well. But the timing for A-123 and FISMA reporting is not synchronized; A-123 reporting is due in June, FISMA in September, Williams said.
Definitions can differ with various reporting requirements, as well, Commerce deputy CFO James Taylor said.
For example, deficiencies in internal controls reported under the Federal Financial Management Improvement Act do not correspond with what OMB considers deficiencies in Commerce's financial management systems under the President's Management Agenda, Taylor said. As a result, OMB rated Commerce a green in financial management on the PMA despite its FFMIA weaknesses.
'Eventually we'll have the same vocabulary across different reporting,' Taylor said.
Agencies also can reuse internal-control documentation reported for the Improper Payments Improvement Act, the Federal Managers' Financial Integrity Act and the remediation component of the FFMIA.
Mary Mosquera is a reporter for Federal Computer Week.