Management Controls - General Policies and Responsibilities

290 FW 1
FWM Number
Originating Office
Branch of Risk Management

1.1 What is the purpose of this chapter? This chapter presents policies and responsibilities associated with the Service's management control program.

1.2 To whom does this chapter apply? This applies to all employees, supervisors, and managers in the Service.

1.3 What are our management control objectives? The objectives are to reasonably assure that programs achieve their intended results; resources are used consistent with the Service's mission; programs and resources are protected from waste, fraud, and mismanagement; laws and regulations are followed; and reliable and timely information is obtained, maintained, reported, and used for decision making. Management controls do not guarantee that these objectives can be reached; they are, however, a means for managing risks associated with programs and operations.

1.4 What is the scope of the management control program? Management controls apply to all Service policies, programs, and operations, both financial and programmatic.

1.5 What is the Service policy for the management control program? The Service assesses the adequacy of management controls by continuous monitoring and periodic evaluations. Available sources of information for this assessment include management knowledge gained from the daily operation of programs and systems; management control reviews; final audit reports; management reviews; program evaluations; and annual performance plans and reports. Service managers are expected to provide reasonable assurance to the Director that the objectives of management controls are met annually. As required by the Department, Senior Executive Service employee performance plans should include performance elements linked to the achievement of the Department's accountability and integrity goals.

1.6 What are the authorities that directly apply to this program?

A. Federal Managers' Financial Integrity Act of 1982.

BOffice of Management and Budget Circular No. A-123, Management Accountability and Control, revised June 21, 1995, and any subsequent publications.

C. U.S. General Accounting Office Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, dated November 1999, and any subsequent publications.

DPart 340, Departmental Manual, Management Accountability and Control, dated February 7, 2000, and any subsequent publications.

EOMB Circular A-127, Financial Management Systems.

FOMB Circular A-130, Management of Federal Information Resources.

G. Department and Service Program Guidelines.

1.7 How are management control terms defined?

A. Accounting System Nonconformance. A situation in which the design procedures and/or the degree of operational compliance does not provide reasonable assurance that the accounting system conforms to Federal Accounting Standards Advisory Board-issued accounting standard(s) and other related requirements. (340 DM 2)

BComponent. A major program, administrative activity, organization, or functional subdivision that requires one or more separate systems of controls. Components are listed in the Service's annual Management Control Review Priorities.

CManagement Controls. The organization, policies, and procedures used to reasonably ensure that programs achieve their intended results; resources are used consistent with the Service's mission; programs and resources are protected from waste, fraud, and mismanagement; laws and regulations are followed; and reliable and timely information is obtained, maintained, reported, and used for decision making. (OMB Circular A-123)

DManagement Control Review. A systematic examination of a component to determine if adequate management controls exist and if they are effective.

E. Management Control Review Priorities. An annual compilation of components for review. Current priority ratings, previous reviews, planned reviews, and the Responsible Official are included in the document.

F. Management Control Review Process. Consists of:

(1) Establishing and updating the Management Control Review Priorities each fiscal year.

(2) Providing training to conduct management control reviews, as needed.

(3) Assessing the adequacy of management controls by continuous monitoring and periodic evaluations/reviews.

(4) Reporting the status of management control reviews and control weakness correction, and reporting results in review reports and Assurance Statements in accordance with Departmental guidelines.

(5) Monitoring corrective actions until they are completed.

G. Management Control Standards. Standards issued by GAO, OMB, and other authorities for particular functional or program activities, such as the Federal Acquisition Regulations.

H. Management Control System. Event cycles, risks, control objectives, and controls. Each component should have a control system in place prior to review.

(1) An event cycle is a significant area or a series of related steps that make up a separate process within the component. Each event cycle promotes the overall goal of the component. Each component has one or more event cycles.

(2) Risk is the probability of an unwanted occurrence within an event cycle.

(3) Control objectives are the specific ends to be achieved by controls.

(4) Controls are the techniques, management processes, and documents necessary to accomplish control objectives or to reduce risk of unwanted occurrences to acceptable levels within an event cycle. Examples of controls include work activity guidance, passwords to limit access to data, written delegations of authority, documentation of policies, processes and procedures, and segregating sensitive duties among several individuals.

IMaterial Weakness. A deficiency that would be of significance to the Secretary, and is included in management control review reports and assurance statements to the Department. The deficiency is reported through the chain of command.

(1) Supervisors should consider the following questions in determining whether or not to report the deficiency to the next management level:

     (a) Could this problem lead to a serious injury or loss of life?

     (b) If the problem is fixed in my part of the organization, is there a good possibility that the same problem may exist in other parts of the organization (office, area, Region, bureau, Department)?

     (c) Is there a likelihood that higher levels of management may get questions from Congress or the media about the problem?

     (d) Is it going to take more than 3 months to correct the deficiency (deficiencies that take longer to correct should be reported to the next management level)?

     (e) Was there a significant loss of Government resources? Is there a potential for significant resource loss?

     (f) Was there a significant financial loss either through misuse of appropriated funds or under collection of revenues? Is there a potential for a significant financial loss?

     (g) Were laws broken or regulations ignored?

     (h) Could the Department have any potential liability to employees or to third parties as a result of the deficiency?

     (i) Were there ethical violations by organizational personnel?

     (j) Was inaccurate information reported upon which management or third parties based decisions?

     (k) Could this problem lead to an audit qualification on a financial statement?

(2) The Department's Management Control and Audit Follow-up Council uses the following criteria for reporting deficiencies as material weaknesses:

     (a) Conditions that could endanger the health or safety of employees or the public.

     (b) Conditions that could lead to substantial damage or loss of a significant public asset or natural, biological, cultural, or historical resource.

     (c) Conditions that could significantly impair the fulfillment of the Department's or Service's mission.

     (d) Conditions that indicate systemic deficiencies across bureaus or in the Department's central support systems.

     (e) Conditions that could lead to inaccurate or incomplete information being provided in areas of major importance to operations or policy.

     (f) Conditions that result in an audit qualification on a financial statement.

J. Reasonable Assurance. A satisfactory level of confidence that controls are in place and are working efficiency and effectively to achieve program objectives, and are safeguarding Government resources given considerations of costs, benefits, and risks.

K. Testing. Process of verifying compliance with existing control procedures to determine if the controls are operating as intended. Testing methods include records review, observation, tracing transactions, and interviews.

1.8 Who has responsibility for management controls?

AGeneral. Supervisors and managers are responsible for establishing, maintaining, evaluating, improving, and reporting on management controls for their assigned areas. Employees are responsible for monitoring management controls, reporting weaknesses to supervisors, and assisting as appropriate in the improvement of controls.

B. The Director is responsible for establishing and maintaining a management control review process within the Service. This includes allocating resources to evaluate management controls and providing reasonable assurance to the Assistant Secretary - Policy, Management and Budget that the objectives of management controls, as described in OMB Circular A-123 and the Federal Managers' Financial Integrity Act, are met.

C. The Assistant Director - Budget, Planning and Human Resources is responsible for designating the Service Management Control Coordinator; providing appropriate guidance to employees, supervisors, and managers on management controls; and coordinating the Service's management control review process for the Director.

D. Responsible Officials are Assistant Directors, office chiefs who report to a Director or to a Deputy Director, and Regional Directors. These officials are responsible for:

(1) Designating a management control coordinator for the Assistant Directorate or Region.

(2) Making sure that employees are knowledgeable of management controls and participate in their continuous monitoring and improvement.

(3) Participating in reviews or providing adequate resources for the conduct of reviews.

(4) Determining, on an annual basis, which programs or administrative functions should be considered priorities for control reviews, including scheduling components for review.

(5) Overseeing the control review process in their respective areas, including selecting review team members; making sure team members are trained; confirming that control systems are adequate and properly documented; approving testing plans as needed; maintaining review documentation; making sure that scheduled reviews are conducted on time; reviewing results; reporting significant and material control weaknesses to the Director; establishing and/or approving recommended corrective actions and completing them as scheduled; and submitting required reports on time.

(6) Providing Annual Assurance Statements to the Director.

E. Division and Office Chiefs and Supervisors are responsible for:

(1) Providing management control review priorities input to their Responsible Officials.

(2) Conducting or participating in management control reviews upon request of their respective Responsible Official, including preparing review reports and reporting any significant and material control weaknesses.

(3) Providing progress information during the fiscal year on management control reviews and management control weakness correction.

(4) Providing input for the Annual Assurance Statement.

(5) Completing corrective actions as scheduled.

F. The Service Management Control Coordinator, Division of Policy and Directives Management, is responsible for providing technical assistance, coordination, and review regarding the management control review process including:

(1) Coordinating the annual management control review priorities submission.

(2) Supplementing Departmental procedures when necessary and preparing Service procedures for the management control review process.

(3) Meeting with reviewers early in the annual review cycle to provide appropriate training as needed to conduct reviews.

(4) Reviewing proposed testing plans for appropriateness and adequacy of planned reviews.

(5) Monitoring completion of reviews for the Director.

(6) Reviewing control reports to ensure that reports contain adequate information and significant weaknesses and material weaknesses are reported.

(7) Performing a detailed examination of documentation and work papers for a sample of control reviews, if necessary.

(8) Advising Service management and Departmental officials on the status of management control matters.

(9) Monitoring completion of planned corrective actions, and verifying the completion of corrective actions for material weaknesses.

(10) Preparing the Director's Annual Assurance Statement to the Department.

G. Headquarters/Regional Management Control Coordinators are responsible for:

(1) Providing coordination and liaison between their Responsible Official, division and office chiefs, other coordinators, review teams, and the Service Management Control Coordinator.

(2) Knowing the Service's management control process and procedures, and advising and instructing staff in their program areas as needed.

(3) Coordinating the selection of review teams for their respective Responsible Official and providing assistance to team members regarding the conduct of the reviews.

(4) Participating in the training of review team members, as needed.

(5) Serving on review teams, as assigned.

(6) Reviewing testing plans for the Responsible Official before the plans are finalized for use by the review team.

(7) Coordinating the final review report for the Director's signature and assisting in the submission of the Responsible Official's Annual Assurance Statement.

(8) Coordinating responses to document the completion of planned corrective actions.

H. Management Control Review Teams are responsible for conducting management control reviews in accordance with Departmental and Service procedures. This includes developing review plans, data collection instruments, and testing controls over high risk areas at a sufficient number of locations that are representative of the Service. Also, these teams are responsible for preparing reports that summarize the scope of the review and review results, and identify control weaknesses and actions to be taken to correct them, and recommend potential material weaknesses for further consideration and decision.