Audits of Management Controls
I. PURPOSE
This directive describes the methodology that Office of Program Evaluation, Enforcement and Review (OPEER) auditors follow when planning and conducting audits of Agency management controls. The methodology meets the audit requirements of the Office of Management and Budget (OMB). OPEER conducts audits of FSIS management controls to ensure:
- Programs achieve the Agency’s food safety and food defense mission in compliance with applicable laws and regulations.
- Programs and use of resources comply with procedures to avoid waste, fraud, abuse, and mismanagement.
- Reliable and timely information (examples: financial, managerial, and operational) is obtained, reported, and used for decisionmaking.
- Controls are designed to prevent or promptly detect unauthorized acquisition, use, or disposition of assets.
- Program risks are appropriately identified and managed through management controls alone or through management controls combined with performance measures.
II. (RESERVED)
III. (RESERVED)
IV. REFERENCES
9 CFR Part 500, Rules of Practice
Chief Financial Officer’s Act of 1990, as amended
Clinger-Cohen Act of 1996 (formerly known as the Information Technology Management Reform Act)
Egg Products Inspection Act
Federal Financial Management Improvement Act of 1996
Federal Information Security Management Act of 2002
Federal Managers’ Financial Integrity Act of 1982
Federal Meat Inspection Act
Government Performance and Results Act of 199#
Humane Methods of Slaughter Act
Improper Payments Information Act of 2002
Inspector General Act of 1978, as amended
Poultry Products Inspection Act
OMB Circular A-50, Audit Follow-up
OMB Circular A-123, Management’s Responsibility for Internal Control
OMB Circular A-127, Management of Financial Management Systems
OMB Circular A-130, Management of Federal Information Resources
OMB Circular A-133, Single Audit Act of 1984
FSIS Directive 1090.1, Management Controls
FSIS Comprehensive Management Control System
USDA, Departmental Manual 1110-002, Management Control Manual
Committee of Sponsoring Organizations (of the Treadway Commission) {COSO} Internal Control – Integrated Framework, dated September 2007
U.S. Government Accountability Office, Government Auditing Standards
U.S. Government Accountability Office, Standards for Internal Control in the Federal Government
V. ABBREVIATIONS AND FORMS
The following appear in their shortened form in this directive:
AA Assistant Administrator
COSO Committee of Sponsoring Organizations (of the Treadway Commission)
FMFIA Federal Managers’ Financial Integrity Act of 1982
GAAP Generally Accepted Accounting Principles
GAO Government Accountability Office
ICS Internal Control Staff, OPEER
LEARN Laboratory Electronic Application for Results Notification
MCS Management Control System
OIG Office of the Inspector General
OMB Office of Management and Budget
OPEER Office of Program Evaluation, Enforcement and Review
VI. POLICY
It is FSIS policy that:
A. Audits of management controls are conducted in accordance with the references in Part One, subparagraph IV.
B. OPEER auditors with proper authorization and security clearances have full and unrestricted access to all personnel, facilities, records, reports, databases, documents, or other FSIS information and materials for accomplishing announced and unannounced management control audits.
C. Indications of misconduct, fraud, or other criminal acts discovered during the management control audit process are referred to an appropriate investigative organization.
D. Immediate notification will be given to senior program officials if OPEER auditors observe or have evidence that a condition indicating continued production and shipment of a product can pose an imminent threat to public health. (See the Federal Meat Inspection Act, the Poultry Products Inspection Act, the Egg Products Inspection Act, and the Rules of Practice (9 CFR Part 500).)
VII. DEFINITIONS
A. AssuranceNet. A web-based application that supports the monitoring, analysis, and reporting of the Agency’s MCS. The application allows supervisors and senior managers to identify where organizational performance is not meeting established performance measures, or where performance indicates a vulnerability to failure in achieving Agency objectives and mandates.
B. Audit. An examination of an organization, system, or project to ascertain the validity and reliability of information to provide an assessment of a system's management controls.
C. Audit Plan. A document that identifies the reasons for the audit, the audit objectives, methodology, and milestones.
D. Audit Findings. The results of the auditors’ data collection and analysis. Audit findings are linked to audit objectives and are developed in accordance with Government Auditing Standards. Negative findings may be linked to a recommendation to address the cause of a deficiency. Audit findings are classified as Green, Yellow, or Red using a system similar to that of the OMB, President’s Management Agenda scorecard:
- Green – Program area has adequate documentation verifying that management controls and performance measures have been established, implemented and are adequate or effective.
- Yellow – Program area has incomplete documentation verifying that management controls and performance measures have been established and implemented; or program area has documentation verifying that management controls and performance measures have been established and implemented, but documentation does not completely verify adequacy or effectiveness.
- Red – Program area does not have documentation verifying that management controls and performance measures have been established and implemented, or the program area documentation cannot be tested to determine adequacy or effectiveness.
E. Compliance Testing. Testing that determines the extent to which staff follow prescribed policies and procedures in actual practice, comparing procedures as executed against required or expected procedures. Such testing provides objective evidence on how well controls are executed.
F. Control Deficiency. A condition in which the design or operation of a control does not allow management or employees, in the course of performing their assigned functions, to prevent, detect, or correct deviations from design expectations in a timely manner.
G. COSO. A private sector organization dedicated to guiding organizations toward the establishment of more effective, efficient, and ethical operations. COSO has established a definition of management controls and standards, and has set criteria against which companies and organizations can assess their control systems.
H. Effectiveness of Systems of Control. A control evaluation designed to manage risk to a reasonable level, rather than eliminate all risk of failure to achieve policies, goals, and objectives. Therefore, it can only provide reasonable and not absolute assurance of effectiveness (example: compliance testing).
I. External Audits. Audits conducted by independent auditors not affiliated with FSIS (examples: OIG and GAO).
J. Internal Audits. Audits conducted by independent auditors affiliated with, but separate from, the program area being audited.
K. Management Controls. The organization, policies, and procedures used to ensure that business is conducted as expected; programs achieve their intended results; resources are used consistent with Agency mission; programs and resources are protected from waste, fraud, and mismanagement; laws and regulations are followed; and reliable and timely information is obtained, maintained, reported, and used for decisionmaking.
L. Material Weakness or System Nonconformance. A major deficiency in Agency management controls when:
- There is not reasonable assurance that management controls are achieving their objectives (see FMFIA, Section 2).
- Management controls do not comply with financial systems requirements (see FMFIA, Section 4).
M. Performance Measures. A management tool for enhancing decisionmaking and accountability that is in addition to management controls. Performance measures consist of ways to objectively assess or measure the degree of success an organization has had in achieving its strategic objectives, goals, and planned program activities.
N. Program Area Management Control Liaison. A representative who facilitates the communication of the program area’s management control activities, oversees the monitoring function from the program area’s perspective, and keeps program area management current on all Agency management control issues.
O. Reasonable Assurance. A management concept whereby managers rely on operational information and experience to know whether risks are acceptable or effectively managed. Reasonable assurance recognizes that no system of management control is perfect and any efforts to reduce risk must be tempered by the cost of a control not exceeding the benefit derived.
P. Significant Control Deficiency. A control deficiency that has a moderate or high inherent risk which is not mitigated by adequate controls, warrants reporting to the next level of management, and merits the attention of the Secretary of Agriculture.
VIII. BACKGROUND
A. FSIS MCS.
- Early in fiscal year 2005, the FSIS Administrator directed the Agency to design and implement a comprehensive MCS to support Agency programs and interdependencies.
- The FSIS MCS complies with requirements in USDA Management Control Manual, DM 1110-002; OMB revised Circular A-123, Management’s Responsibility for Internal Control; and the FMFIA, Title 31, U.S.C. 3512, which require agencies to establish and maintain management controls, conduct ongoing audits and evaluations, and report the adequacy of internal accounting and administrative control systems.
- Management controls, also known as internal controls, include processes for planning, organizing, directing, and controlling Agency operations and resources. The controls should include systems for measuring, reporting, and monitoring performance.
B. FMFIA and the Chief Financial Officer’s Act.
- The FMFIA is the central authority for establishing and maintaining Agency controls. It requires the head of each agency to establish and maintain management controls for all Agency programs, organizations, and functions. The Act also stipulates that accounting systems should conform to Federal accounting standards and related requirements.
- The Chief Financial Officer’s Act of 1990 (Public Law 101-576) identifies management control-related activities as a primary responsibility of the Department’s Chief Financial Officer (CFO). The FSIS CFO has primary responsibility for Agency financial and accounting management control reviews.
C. COSO.
FSIS has adopted COSO components in auditing Agency management controls. The five components are control environment, risk assessment, control activity, information and communication, and monitoring (see Attachment 1-1, Auditing Internal Controls: COSO-Based Approach).
IX. ROLES AND RESPONSIBILITIES
The following describes the roles and responsibilities of key personnel during audits of management controls:
A. Office of the Administrator and the FSIS Management Council.
- Provide leadership in the implementation of management controls in all FSIS programs to achieve the Agency’s mission effectively and efficiently.
- Ensure that management controls are an integral part of the Agency’s entire cycle of planning, budgeting, program delivery and operations, accounting, and auditing processes.
- Ensure program monitoring, ongoing audits, and corrective actions in implementing appropriate and cost-effective management controls for all processes that support the delivery of Agency programs and operations.
B. AAs and Division and Staff Directors.
- Ensure the availability of program information and cooperation of program personnel during audits of management controls.
- Ensure that management controls are implemented, maintained, and monitored within each program or functional area.
C. OPEER AA.
- Provides Agencywide leadership and guidance related to the management control program and related audit activities.
- Provides periodic updates to the FSIS Management Council regarding new requirements and management control audit findings.
D. ICS Director (or designee).
- Ensures planning and implementation of the Agencywide management control audit program.
- Ensures that audit teams are properly staffed and trained to conduct audits of management controls.
- Ensures that management control audits are planned and performed in accordance with this directive and related standards, guidelines, and procedures.
- Ensures the quality control of the final audit reports and transmittal to OPEER and program area AAs.
E. Audit Team Leader.
- Ensures that management control audits are planned and performed in accordance with this directive and related standards, guidelines, and procedures.
- Provides first-level review in directing management control audit planning, monitoring onsite activities, and reviewing work papers, tentative findings, and report preparation.
- Serves as the primary point of contact during the management control audit.
- Ensures that the management control audit reports are reviewed, finalized, and transmitted to the appropriate ICS Branch Chief (or designee).
F. Audit Team.
- Performs management control audits in accordance with this directive and related standards, guidelines, and procedures.
- Prepares the audit plan under the team leader’s direction to include defined scope, staff requirements, milestones, and audit steps.
- Performs all management control audit fieldwork needed to gather relevant evidence for measurement and evaluation.
- Develops findings and recommendations from evidence collected.
- Develops the management control audit report for submission to the audit team leader
See full PDF for attachments
- AUDITING INTERNAL CONTROLS: COSO-BASED APPROACH
- PART TWO – CONDUCTING AUDITS OF MANAGEMENT CONTROLS
- MANAGEMENT CONTROL AUDIT PROCESS FLOWCHART