Internal Control System - Revision 4
I. PURPOSE
This directive sets out the Agency’s policy for implementing an effective internal control system. It provides instruction for management to document and implement effective internal controls, as required by the Office of Management and Budget’s (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, and the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (Greenbook). This directive also provides general information on how the Agency complies with the Federal Managers Financial Integrity Act (FMFIA) of 1982 (P.L. 97-255), also known as the Integrity Act, including self-assessments, internal control reviews, entity-level controls, and the annual certification statement. FSIS has rewritten this directive in its entirety to update roles and responsibilities and reflect changes to the schedule and procedures for conducting internal control activities.
II. CANCELLATION
FSIS Directive 1090.1, Revision 3, Management Control Program, 1/6/11
III. BACKGROUND
A. The Integrity Act requires FSIS to establish and maintain an effective internal control system and, through the Department, annually report to the President and Congress on the effectiveness of internal control activities within FSIS. Internal control activities are meant to prevent waste, fraud, abuse, and mismanagement of Agency resources. The Office of Planning, Analysis and Risk Management (OPARM) and the Office of the Chief Financial Officer (OCFO) are responsible for managing FSIS’s internal control system. OPARM and OCFO partner with other program areas and the Department (through Department Regulation (DR) 1110-002, Management’s Responsibility for Internal Control) to ensure the Agency meets FMFIA, OMB, and GAO requirements.
B. FSIS managers are required to establish and maintain an internal control system for managing risks and implementing effective and efficient operations, as aligned with the goals in the FSIS Strategic Plan. The FSIS internal control system encompasses a full range of internal controls, performance measures, and monitoring and verification activities to assist managers in protecting and maximizing the use of Government resources and to achieve Agency objectives.
C. GAO identifies five components that are to be effectively designed, implemented, and operating in an integrated manner for an internal control system to be effective. The five components include:
- Control environment – the foundation that management uses for an internal control system, providing discipline and structure to help achieve objectives (e.g., integrity and ethical values);
- Risk assessment – ensures that management identifies and analyzes risks for achieving the mission or program objectives;
- Control activities – policies and procedures that ensure management’s directives are carried out to address risks for achieving the mission or program objectives (e.g., approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties);
- Information and communication – pertinent information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities and effectively manage risk; and
- Monitoring – occurs during operations by performing audits, evaluations, self-assessments, and/or internal control reviews.
D. The FSIS internal control system consists of assessments and certifications addressing the five components of internal control, including:
- Internal control matrices;
- Self-assessments;
- Internal control reviews;
- Entity-level control (ELC) assessment; and
- Annual certification statement.
E. The Agency is to complete internal control assessments and certifications on an annual basis, as set out in the schedule provided in Table 1:
TABLE 1. Fiscal Year (FY) Schedule for Internal Control Activities
Activity / Schedule
- Internal control matrices reviewed and updated / FY Quarter 1
- Self-assessments / FY Quarter 2
- Internal control reviews, ELC assessment, annual certification statement (information collection only) / FY Quarter 3
- Annual certification statement and bridge memo (reporting and submission) / FY Quarter 4
*Schedule subject to change per Agency and Departmental guidance
IV. ROLES AND RESPONSIBILITIES
A. Table 2 provides a list of key roles and responsibilities for FSIS’s internal control system.
TABLE 2. FSIS Internal Control Roles and Responsibilities.
Role/ Internal Control Responsibility
Administrator and Deputy Administrator
- Establish and maintain an Agency-wide internal control system in accordance with GAO standards for internal control.
Chief Operating Officer
- Ensure that reasonable and adequate operational controls are in place to protect FSIS resources from fraud, waste, abuse and unauthorized use.
- Conduct internal control assessments using a risk-based approach.
- Report any potential significant control deficiencies or material weaknesses.
- Review and approve the Agency’s annual certification statement regarding the overall adequacy and effectiveness of operational internal controls.
Chief Financial Officer
- Ensure that reasonable and adequate controls are in place to protect FSIS resources from fraud, waste, abuse and unauthorized use.
- Establish, evaluate, and report on financial controls according to OMB Circular A-123, Appendix A, requirements for financial reporting.
- Report any potential significant control deficiencies or material weaknesses.
- Review and certify the Agency’s annual certification statement regarding the overall adequacy and effectiveness of operational and financial internal controls.
Assistant Chief Information Officer
- Implement and maintain a positive internal control environment, including informing and training employees on the importance of internal controls.
- Establish and maintain effective internal controls.
- Ensure self-assessments are conducted per Agency guidelines.
- Assess operational risks.
- Develop and submit an annual certification statement to OPARM.
- Provide advice to the Administrator on internal control matters, risks, accomplishments, initiatives, action plans, and challenges that merit reporting in FSIS’s annual certification statement.
Office of Planning, Analysis and Risk Management
- Coordinate all activities for operational internal controls, per OMB Circular A-123 and GAO standards, including managing internal control matrices, self-assessments, internal control reviews, the entity-level control assessment, and the annual certification statement (in conjunction with OCFO).
Program Area Internal Control Liaisons
- Serve as the main point of contact between their program area and OPARM for all internal control activities, including but not limited to: internal control matrices, self-assessments, internal control reviews, annual certification statement, and bridge memo.
V. INTERNAL CONTROL MATRICES
A. Each program area is required to maintain internal control matrices to track risk assessment information and associated internal controls. At a minimum, the internal control matrices should identify:
- Key functions;
- Control activities;
- Control objectives;
- Risks;
- Risk level (e.g., low, medium, high);
- Internal controls; and
- References
B. Each program area is required to review and update the matrices in the first quarter of each fiscal year. The Internal Control Liaison within each program area is responsible for coordinating the review and update for the matrices. Upon approval from the program area’s Assistant Administrator, the Internal Control Liaison is to submit updated matrices to OPARM. Even though program areas are required to review the matrices annually, they can make changes any time throughout the fiscal year. The program area is to submit an updated version of the matrices to OPARM any time changes are made.
VI. SELF-ASSESSMENTS
A. The Integrity Act requires Federal agencies to evaluate their internal control systems as prescribed by OMB guidelines. The self-assessment process is designed to assist management in gathering and analyzing information about operations and performance related to internal controls. A self-assessment consists of a detailed evaluation of internal controls conducted by the program area to determine whether they are operating as intended based on the actual testing of the control and supporting documentation. Each program area is required to assess a minimum of one-third of their controls annually (during the second quarter of each fiscal year), with the goal of having all controls tested every three years. OPARM will work with program area Internal Control Liaisons to determine which controls are to be tested and how they are to be tested, based on risk level, history of corrective action plans, and dependencies on other program areas for their success.
B. OPARM provides testing and reporting templates to the program areas for completing the self-assessments. At a minimum, the final self-assessment report is to include:
- Names and titles of the person(s) conducting the self-assessment;
- Date self-assessment was conducted;
- Risk (description);
- Risk level (e.g., low, medium, high);
- Testing methodology;
- Testing population; and
- Identified deficiencies and corrective action plans taken to eliminate or mitigate the deficiencies.
C. The Internal Control Liaison within each program area is responsible for coordinating self-assessment activities. Upon approval from their Assistant Administrator, the Internal Control Liaison is to submit all self-assessment documentation to OPARM. Self-assessment results are to be used to support the program area’s annual certification statement. The program area and OPARM are to maintain all documentation, which can be made available for third-party reviews or external audits, if needed.
D. Program areas are to develop corrective action plans for any deficiencies identified for an internal control. OPARM works with program areas to monitor the status of corrective action plans. The program area is responsible for maintaining documentation for corrective action plans, which need to be made available for OMB and any internal/external audit review, if needed. Program areas are to provide OPARM a corrective action plan status report quarterly.
VII. INTERNAL CONTROL REVIEWS
A. Internal control reviews are detailed, systematic, and comprehensive evaluations of self-assessments to determine if a program area’s internal controls are established, implemented, and effective. OPARM conducts these reviews to ensure program areas are performing the required self-assessments of their internal controls, documenting and reporting the results, and developing corrective action plans, as necessary.
B. The reviews are based on the self-assessments conducted by the program areas in FY Quarter 2 each year, using one or more of several approaches:
- Directly observing;
- Filing and documenting analysis;
- Sampling (statistical sample of the internal control population);
- Re-performing (duplication of activity or process);
- Reviewing operational records or logbooks;
- Reviewing program policies and procedures;
- Observing performance of control procedures;
- Reviewing approval procedures and signature requirements;
- Observing transactions through the system of controls;
- Interviewing individuals responsible for operation of the controls; and
- Reviewing security precautions used to create data before its formal release.
C. OPARM conducts internal control reviews in FY Quarter 3. OPARM summarizes all findings in an internal control review report and provides it to respective program areas. Information from each program area’s review is used to support the Agency’s annual certification statement. The program area and OPARM are to maintain all documentation, which can be made available for third-party reviews or external audits, if needed.
VIII. ENTITY-LEVEL CONTROLS
A. ELCs are the policies (e.g., directives, Departmental regulations), procedures, and practices established by management to create an internal control-conscious environment within an organization. ELCs have a pervasive effect on the internal control system and pertain to multiple components. ELCs are based on GAO’s five components for an effective internal control system (control environment, risk assessment, control activities, information and communication, and monitoring). Through the ELC assessment process, FSIS identifies Agency directives and Departmental regulations for each of the five components that ensure management’s policies, procedures, and practices are implemented.
B. FSIS is required to annually assess the effectiveness of ELCs. OPARM is responsible for facilitating the assessment. OPARM works with subject-matter experts throughout the Agency to gather the following information for each directive and Departmental regulation that has been identified to support ELCs:
- Design and implementation status;
- Operating status;
- Assessment activity;
- Update status; and
- Identified deficiencies.
C. OPARM collects information for the ELC assessment in FY Quarter 2 and FY Quarter 3. OPARM and the Agency leadership review and approve the final assessment before it is submitted to the Department. OPARM submits the final assessment in FY Quarter 3, as set out in Departmental guidelines.
IX. ANNUAL CERTIFICATION STATEMENT
A. The annual certification statement represents the Administrator’s judgement about the overall adequacy and effectiveness of internal controls within FSIS to prevent waste, fraud, abuse, and mismanagement of Agency resources (in accordance with FMFIA, OMB Circular A-123, and GAO).
B. Assistant Administrators are responsible for submitting a certification statement for their program area. The certification statement ensures the following:
- Functions and processes within their program area are working as intended. If they are not working as intended, Assistant Administrators are to provide a statement regarding why the program could not ensure they worked; and
- There are no major weaknesses that would require reporting to the Secretary.
C. Assistant Administrators are to make conclusions for the annual certification statement based on the following information:
- Understanding and adhering to GAO standards;
- Being held accountable for the effectiveness of their internal controls;
- Timeliness, adequacy, and results of self-assessments, including corrective actions;
- Assessments from other sources (e.g., audits, studies, and investigations), and direct management reviews or assessments by management; and
- Supporting certification statements from other program areas.
D. In addition to program area certification statements, OPARM reviews other available information to inform the Agency’s certification statement. Sources of other information may include:
- Office of the Inspector General and GAO audits;
- Internal/administrative audits;
- ELC assessment;
- Evaluations;
- Surveys;
- Policies;
- Operational reports; and
- Performance measures.
E. OPARM submits the Agency certification statements to the Department in FY Quarter 4, pending Departmental guidance. OPARM submits the bridge memo for the certification statement in FY Quarter 1 of the following fiscal year. The bridge memo serves the same purpose as the broader annual certification statement; however, the memo covers the gap from the time the certification statement is submitted (June 30) to the end of the fiscal year (September 30).
X. QUESTIONS
Refer questions regarding this directive to the OPARM internal control email box at ERMandIC@usda.gov.