Board Report: 2013-AE-B-013 September 5, 2013
Our objective for this audit was to determine the processes for establishing, maintaining, and monitoring internal control within the Board of Governors of the Federal Reserve System (Board). Our audit focused on the internal control over the effectiveness and efficiency of operations and compliance with laws and regulations, i.e., administrative internal control. Administrative controls address programmatic, operational, and administrative areas. Our scope does not include internal control over financial reporting or information systems because the Board issues a management assertion on internal control over financial reporting and complies with the Federal Information Security Management Act of 2002, which requires agencies to establish and maintain an information security program to protect information and information systems. Additional detail on our scope and methodology is in appendix A.
Internal control is an integral part of managing an organization and is critical to improving organizational effectiveness and accountability. It comprises the plans, methods, and procedures used to meet the organization's mission, goals, and objectives. Internal control is the first line of defense in safeguarding assets and preventing and detecting errors and fraud and, thus, helps organizations achieve desired results through effective stewardship of public resources. Internal control should provide reasonable assurance that the objectives of the organization are being achieved in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations.
The Board's long-standing mission is to foster stability, integrity, and efficiency in the nation's monetary, financial, and payment systems in pursuit of optimal macroeconomic performance. In carrying out its mission, the Board has stated that it is continually aware that its operations are supported primarily by public funds, it is accountable and responsive to the public, and it recognizes its obligation to manage resources efficiently and effectively while providing transparency and accountability.1
Congress has long recognized the importance that internal control plays in achieving organizational effectiveness and accountability. In 1982, when faced with several highly publicized internal control breakdowns, including disclosures of waste, loss, unauthorized use, and misappropriation of funds across a wide spectrum of government operations, Congress passed the Federal Managers' Financial Integrity Act of 1982 (FMFIA) to help reduce fraud, waste, and abuse, as well as to enhance the management of federal government operations through improved internal control.
FMFIA requires the Government Accountability Office (GAO) to establish internal control standards (Standards for Internal Control in the Federal Government) and the Office of Management and Budget (OMB) to issue guidelines (Circular A-123-Management's Responsibility for Internal Control) for agencies to follow in assessing and reporting on their internal control. In addition, FMFIA requires that each executive agency establish internal accounting and administrative controls in compliance with GAO's standards and evaluate and report annually on internal control using OMB guidelines.
Under its long-standing legal interpretation, the Board is not required to comply with FMFIA because it is a financially related statute that is made inapplicable to the Board by section 10 of the Federal Reserve Act.2 However, in 1983, shortly after the enactment of FMFIA, the Board's Controller issued a memorandum to the Board's Staff Director for Management stating that it would be in the Board's best interest to comply with the spirit and intent of FMFIA.3 The Board's approach to addressing FMFIA was described in this memorandum as well as in later correspondence in 1984 and 1988. The Board's approach to addressing FMFIA remains unchanged since the correspondence from the 1980s.
In accordance with FMFIA, GAO issued Standards for Internal Control in the Federal Government in 1983. To address changes in information technology and financial systems, GAO revised and reissued its standards in November 1999. The revised standards include five standards for internal control and provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance challenges and areas at greater risk for fraud, waste, abuse, and mismanagement (figure 1).
The revised GAO standards also incorporate the private sector's Internal Control-Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).4 The COSO framework was recently updated to include enhancements and clarifications that are intended to increase ease of use and broaden application. The new COSO framework provides clarity for understanding requirements for effective internal control and expands reporting to include nonfinancial and internal reporting. It also reflects changes in the business and operating environments, including governance oversight, demands and complexities in laws and regulations, and expectations for competencies and accountabilities.
Figure 1: GAO's Standards for Internal Control in the Federal Government
Control Environment: Sets a positive and supportive attitude toward internal control and conscientious management.
Risk Assessment: Provides for an assessment of the risks the agency faces from both external and internal sources.
Control Activities: Help ensure that management's directives are carried out.
Information & Communication: Ensure that information is recorded and communicated to management and others within the entity to enable them to carry out their internal control and other responsibilities.
Monitoring: Assesses the quality of internal control performance over time and ensures that the findings of audits and other reviews are promptly resolved.
In anticipation of FMFIA's enactment, OMB issued Circular A-123, then titled Internal Control Systems, in 1981. In 1982, following FMFIA's enactment, OMB issued the assessment guidelines required by FMFIA. Circular A-123 has been periodically updated over the years and is now titled Management's Responsibility for Internal Control. The updated circular emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities. The circular provides information on improving the accountability and effectiveness of programs and operations by establishing, assessing, correcting, and reporting on internal control. Internal control guidance can be found in GAO's Standards for Internal Control in the Federal Government, OMB's Circular A-123, as well as COSO's Internal Control-Integrated Framework. Below are excerpts from those documents.
Management is responsible for developing and maintaining effective internal control. Management sets the objectives, defines organizational programs and operations, performs risk assessments to identify the most significant areas within those programs and operations, communicates the objectives of internal control to the organization, and implements the control activities to minimize risks. Some examples of internal control activities are
As part of this process, management should take systematic and proactive measures to develop and implement appropriate, cost-effective internal control.
While management is responsible for developing and maintaining effective internal control, internal control is accomplished by all personnel in an organization. Internal control recognizes that personnel do not always understand, communicate, or perform consistently. Accordingly, a clear and close linkage must exist between personnel's duties and the way in which they are carried out, as well as between personnel's duties and the organization's objectives. Personnel should know their responsibilities and the limits of their authority. Further, internal control should be clearly documented, and the documentation should be readily available for examination. All documentation and records should be properly managed and maintained.
Managers should continually assess and evaluate internal control. Once-effective procedures can become less effective over time, or the application of controls may change. Such changes can result from the arrival of new personnel, the variability of training and supervision, time and resource constraints, or other factors. Monitoring ensures that internal control continues to operate effectively and is accomplished by (1) appropriate personnel assessing the design and operation of controls on a suitably timely basis and (2) management taking necessary actions to address any issues.
Monitoring can be done through ongoing activities or separate evaluations. Ongoing monitoring occurs during the course of normal operations; separate evaluations of specific processes take place after the processes have been performed. Ongoing monitoring is effective because it is performed on a real-time basis, it reacts dynamically to changing conditions, and it is ingrained in the organization. However, separate evaluations provide an opportunity to consider the continued effectiveness of ongoing monitoring. Therefore, a combination of ongoing monitoring and separate evaluations will usually ensure that the internal control maintains its effectiveness over time.
The final stage of monitoring involves reporting findings and deficiencies on a timely basis to appropriate personnel. Reporting enables the results of monitoring to either confirm previously established expectations about the effectiveness of internal control or highlight identified deficiencies for possible corrective action. The basis for reporting on internal control can include a variety of information sources including Office of Inspector General (OIG) and GAO reports, management reviews, and annual evaluations pursuant to statutory requirements; however, management should use its own judgment to assess and report on internal control and use other sources of information as supplements.