421 (Supersedes 290 FW 2, 04/29/03, FWM 082, and
Date: April 3,, 2003
Series: Management Improvement
Part 290: Management Control Systems
Originating Office: Division of Policy and Directives Management
A. General Standards
(1) Compliance with Law. All program operations, obligations, and costs must comply with applicable law and regulation. Resources should be efficiently and effectively allocated for duly authorized purposes.
(2) Reasonable Assurance and Safeguards. Management controls must provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Management controls developed for agency programs should be logical, applicable, reasonably complete, and effective and efficient in accomplishing management objectives.
(3) Integrity, Competence, and Attitude. Managers and employees must have personal integrity and are obligated to support the ethics programs in their agencies. The spirit of the Standards of Ethical Conduct requires that they develop and implement effective management controls and maintain a level of competence that allows them to accomplish their assigned duties. We encourage effective communication within and between offices.
B. Specific Standards
(1) Delegation of Authority and Organization. Managers should ensure that appropriate authority, responsibility, and accountability are defined and delegated to accomplish the mission of the organization, and that an appropriate organizational structure is established to effectively carry out program responsibilities. To the extent possible, controls and related decisionmaking authority should be in the hands of line managers and staff.
(2) Separation of Duties and Supervision. Key duties and responsibilities in authorizing, processing, recording, and reviewing official agency transactions should be separated among individuals. Managers should exercise appropriate oversight to ensure individuals do not exceed or abuse their assigned authorities.
(3) Access to and Accountability for Resources. Access to resources and records should be limited to authorized individuals and accountability for the custody and use of resources should be assigned and maintained.
(4) Recording and Documentation. Transactions should be promptly recorded, properly classified, and accounted for in order to prepare timely accounts and reliable financial and other reports. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination.
(5) Resolution of Audit Findings and Other Deficiencies. Managers should promptly evaluate and determine proper actions in response to known deficiencies, reported audit and other findings, and related recommendations. Managers should complete, within established time frames, all actions that correct or otherwise resolve the appropriate matters brought to management's attention.
(6) Other policy documents such as OMB Circular No. A-127 (Financial Management Systems) and A-130 (Management of Federal Information Resources) may contain additional specific standards for particular functional or program activities.
2.3 What are the U.S. General Accounting Office's internal control standards issued in 1999?
A. Control Environment. Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control (same as management control) and conscientious management.
B. Risk Assessment. Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.
C. Control Activities. Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. Examples are:
(1) Top level reviews of actual performance.
(2) Reviews by management at the functional or activity level.
(3) Management of human capital.
(4) Controls over information processing.
(5) Physical control over vulnerable assets.
(6) Establishment and review of performance measures and indicators.
(7) Segregation of duties.
(8) Proper execution of transactions and events.
(9) Accurate and timely recording of transactions and events.
(10) Access restrictions to and accountability for resources and records.
(11) Appropriate documentation of transactions and internal control.
D. Control Activities Specific for Information Systems
(1) General Control. Applies to all information systems-- mainframe, minicomputer, network, and end-user environments.
(a) Data center and client-server operations controls include backup and recovery procedures, and contingency and disaster planning. Data center operations controls also include job set-up and scheduling procedures and controls over operator activities.
(b) System software control includes control over the acquisition, implementation, and maintenance of all system software including the operating system, data-based management systems, telecommunications, security software, and utility programs.
(c) Access security control protects the systems and network from inappropriate access and unauthorized use by hackers and other trespassers or inappropriate use by agency personnel. Specific control activities include frequent changes of dial-up numbers; use of dial-back access; restrictions on users to allow access only to system functions that they need; software and hardware "firewalls" to restrict access to assets, computers, and networks by external persons; and frequent changes of passwords and deactivation of former employees' passwords.
(d) Application system development and maintenance control provides the structure for safely developing new systems and modifying existing systems. Included are documentation requirements, authorizations for undertaking projects; and reviews, testing, and approvals of development and modification activities before placing systems into operation. Controls over commercial software are necessary to ensure that the software meets user's needs and that it is properly placed into operation.
(2) Application Control. Covers the processing of data within the application software. Helps ensure completeness, accuracy, authorization, and validity of all transactions during application processing. Control should be installed at an application's interfaces with other systems to ensure that all inputs are received and are valid, and outputs are correct and properly distributed. An example is computerized edit checks built into the system to review the format, existence, and reasonableness of data.
E. Information and Communications. Information should be recorded and communicated to management and others within the entity who need it, and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.
F. Monitoring. Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.
2.4 How does the Service update its Management Control Review (MCR) Priorities? Service managers participate in updating the Management Control Review Priorities on an annual (fiscal year) basis. The Review Priorities include components that are financial in nature or have significant assets, priority ratings, previous reviews, planned reviews, and responsible officials. The Division of Policy and Directives Management (PDM) issues annual instructions for updating the Review Priorities based on Departmental guidance. The Service's Review Priorities are usually determined by January and submitted to the Department. Reviews (except substitute reviews) are normally conducted between January and July.
A. How do Responsible Officials assign priority ratings? Carefully compare program operations against management control standards and determine the extent to which controls are consistent with those standards. The higher the inconsistency, the higher the rating (High, Medium or Low) for the component. Keep in mind that components with reported material weaknesses should be rated High until corrective actions have been implemented.
B. How do Responsible Officials select components for review? Responsible officials may review a program at any time and should schedule a review if there is a susceptibility to waste, loss, unauthorized use and/or misappropriation. Also consider the following in determining whether or not a control review should be conducted in any given year:
(1) A new law, policy, or procedure being implemented.
(2) An increase in a program's assets.
(3) New functions handling finances.
(4) If there has been an indication of a management control problem from other sources.
C. Why do we conduct management control reviews? We are required to conduct sufficient control reviews which, in conjunction with audits of controls by GAO and the Office of Inspector General or other evaluations, will provide an adequate basis for the Director to provide reasonable assurance to the Assistant Secretary--Policy, Management and Budget that controls are in place and working.
D. What are the types of management control reviews that offices can conduct?
(1) Management Control Review. A comprehensive review of all high risk areas within a component, which must be conducted as a separate review. Another review cannot be used as a substitute. MCR's are recommended when components show high risks diffused throughout the component, are crucial to an important Service mission, or have complex relationships that could severely impact other components.
(2) Alternative Management Control Review (AMCR). A review of controls over areas or activities of a component that have the highest potential for ineffective or inefficient operation or loss of Government resources. It may be conducted as a separate review or through existing review processes such as program evaluations, audits, and other management reviews. This type of review is recommended whenever high risks are concentrated in certain component activities, the component rating is medium or low, or previous control reviews identified no significant weaknesses.
(3) Departmental Functional Review (DFR). One type of an AMCR. The Department issues specific guidelines for conducting these reviews and may determine when a DFR is conducted. Examples are Acquisition Management, Personal Property Management, and information technology system reviews.
(4) Automated Assessment. An AMCR that uses electronic mail to distribute self-assessment questionnaires that cover general management control areas and may include specific program areas. The results are tabulated electronically, thus saving staff time.
2.5 What does a management control review involve? The Division of Policy and Directives Management prepares annual guidelines for conducting management control reviews. Generally, a control review requires:
A. Quality Assurance. The Service must have a quality assurance process to make certain that management control systems are properly defined, reviews are properly performed, and review results are accurately reported. Responsible officials (with the help of their management control coordinators) review testing plans for comprehensive MCRs. The Service Management Control Coordinator (MCC) also monitors the review process during the year.
B. Control Tests. Testing consists of verifying compliance with existing control procedures to determine if the controls are operating as intended. Testing should include the appropriate Headquarters Office organization(s) and a representative sampling of Regional and field offices. Test methods include reviewing records, observing performance of a control, tracing transactions, and interviewing persons responsible for operation of the controls.
C. Review Documentation. Responsible officials maintain sufficient documentation to demonstrate that a review has been conducted, and to provide a basis for the results and conclusions reached. Documentation includes: participants in the review, risks reviewed, controls examined, extent and type of control tests performed, analyses of the tests conducted, a description of any weaknesses found, and the corrective actions for the identified weaknesses. Part 283, Records Disposition, Fish and Wildlife Service Manual, authorizes cutoff of these documentation records when corrective action is completed. Disposition is authorized 5 years after cutoff.
2.6 How do we take corrective action? The primary purpose of the management control review process is to assist managers in identifying and correcting control weaknesses (see 290 FW 3), thus improving programs. Whenever a review identifies a weakness, a corresponding planned corrective action is determined along with the title of the person responsible for completing the corrective action, and the title of a higher-level manager to certify that the action is completed and such actions taken were sufficient to correct the weakness. Offices report completion of corrective actions using FWS Form 3-2147 (Certification of Completed Corrective Action). Offices must provide supporting documentation for material weakness corrective actions; offices are encouraged to provide supporting documentation for nonmaterial corrective actions as well. Responsible officials correct weaknesses as scheduled, and any revision to either corrective actions or completion dates needs the approval of the Director. We expect Service managers at all levels to be actively involved in correcting weaknesses and in evaluating the progress of corrective actions.
2.7 What are the reporting requirements for the management control program?
A. Status Reports. As required by the Department, the Service provides periodic status reports on the progress of reviews and correction of material weaknesses and accounting nonconformances. PDM and other offices, as appropriate, attend meetings with the Office of Financial Management and the Department's Management Control and Audit Follow-up Council regarding management control matters.
B. Management Control Review Reports. Usually by July, offices complete summary reports for the Director on the results of the control reviews. These reports are addressed to the appropriate policy office in the Department. If a report contains one or more material weaknesses, the report is transmitted from the Director, through the Assistant Secretary for Fish and Wildlife and Parks, to the Department. These reports meet Department and Service requirements. The report includes the component reviewed; scope, date and location of the review; reviewer or responsible official, results, identified control weaknesses, and planned corrective actions. Any material weaknesses found must be clearly described. The Service MCC and MCC for the Assistant Secretary for Fish and Wildlife and Parks receive an information copy of the report.
C. Corrective Action Tracking System (CATS). PDM monitors the progress of corrective action for management control weaknesses until completion. CATS is used to record progress and is maintained by the Service MCC. In addition, the Office of Financial Management and the Management Control and Audit Follow-up Council monitor completion of corrective actions for material weaknesses.
D. Federal Managers' Financial Integrity Act Report. Senior managers prepare annual statements on the adequacy of management controls. These statements, along with the results of management control reviews and completed audits, provide the basis for the Director's Annual Assurance Statement to the Department on the status of the Service's management controls and corrective action for material weaknesses. The statement includes conclusions about the Service's systems of management, administrative, and financial controls, information systems, and financial systems. The Chief, Division of Financial Management, and the Chief, Division of Information Technology Management, assist PDM in the preparation of the Service's statement. The Director's statement is considered by the Department when the Accountability Report is prepared for the Secretary, the President, and the Congress.
For additional information regarding this Web page, contact Krista Holloway , Division of Policy and Directives Management.