Board Report: 2013-AE-B-013 September 5, 2013
To accomplish our objective, we reviewed FMFIA and applicable guidance, including GAO's Standards for Internal Control in the Federal Government, GAO's Internal Control and Management Evaluation Tool, OMB Circular A-123, and COSO publications. We also reviewed previous audit reports issued by our office as well as by GAO.
We met with personnel in 12 of the 14 Board divisions to provide background information on internal control and the process for maintaining and monitoring internal control, and to gain a high-level understanding of administrative internal control processes in place in the divisions.6 Following the initial meetings, the divisions provided the audit team with points of contact in a variety of functional areas in each of the divisions. The audit team held over 70 meetings across the 12 divisions, including follow-up meetings with points of contact in functional areas for each division, to determine their administrative internal control processes. We then reviewed documentation of those administrative internal controls. Although we reviewed the internal control documentation, we did not test any of the controls in place nor did we make a determination on the adequacy of the controls.
We discussed the process for establishing internal control with selected functional areas. We also benchmarked with three federal agencies to gain an understanding of their processes for maintaining and monitoring their internal controls. One of these agencies is required to comply with FMFIA, while the other two follow it voluntarily.
Our audit addressed section 2 of FMFIA (internal accounting and administrative control) and not section 4 (financial accounting systems). We focused on internal control over the effectiveness and efficiency of operations and compliance with laws and regulations, i.e., administrative controls, because the Board voluntarily complies with Sarbanes-Oxley section 404, which requires management to assert that it is responsible for creating, maintaining, and assessing the effectiveness of internal control over financial reporting. Further, we did not assess internal control over information systems because the Board complies with the Federal Information Security Management Act of 2002, which requires agencies to establish and maintain an information security program and implement controls to protect information and information systems that support the operations and assets of the agency.
We conducted our audit fieldwork from March 2012 to May 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.