Reviving Management Controls

Congress had straightforward and reasonable expectations in passing the 1982 Federal Managers Financial Integrity Act (FMFIA). The goal of the law was to guard against the kinds of fraud, waste and abuse that seem to crop up all too regularly in government by requiring agencies' management staffs to review and strengthen management controls.

It seemed a simple step, but 13 years later the law still is neither well-understood nor followed conscientiously in many agencies. Agencies have assured the President and Congress their controls were adequate even when waste and theft could not be detected until after major scandals had developed.

Still, there is reason to hope the picture will brighten and that, with a nudge from the Office of Management and Budget (OMB), program managers will take their obligations under the act more seriously.

Problems With the Act

There are reasons why the straightforward FMFIA has been ignored and improperly implemented in many agencies.

The FMFIA requires government agencies annually to assess the adequacy of their management controls to assure that obligations and costs are in compliance with applicable law; that assets are safeguarded against fraud, loss and unauthorized use or misappropriation; and that revenues and expenditures are properly recorded to ensure accurate and reliable financial and statistical reports and to maintain accountability over assets.

The act is directed at program managers, and it's clear that Congress wanted them to assert greater responsibility over the resources entrusted to them. But the misleading title of the law has given rise to misunderstandings. The phrase "federal managers financial" has been improperly interpreted as meaning federal financial managers. Thus, many program and administrative employees thought they were exempt from responsibility under the act.

Also, the phrase "financial integrity" has been interpreted to connote ethical issues. Thus a host of operational concerns that the law was supposed to cover have been excluded from consideration by reporting agencies because the issues had nothing to do with ethical behavior.

Finally, the act's financial terminology reinforced the view that the law applied principally to financial matters. Phrases such as "obligations and costs, assets, preparation of accounts, and accountability over assets" are not the usual language of program and operating staff.

Despite these limitations, avoidance and misunderstandings, the requirement to report annually on agency management controls has resulted in a process at most agencies for complying, or at least giving the appearance of compliance.

Agencies have defined management controls as the plan of organization, methods and procedures adopted to ensure that program goals are being met. Examples include direct supervision, delegation of authority, written responsibility assignments and written procedures.

Agencies have had to decide how their activities fit into assessable units, which are generally defined as an activity or set of activities under a manager's supervision. The manager should be able to review and report on the effectiveness of management controls within each assessable unit.

Schedules for conducting risk assessments have been set for each unit to evaluate whether control mechanisms are adequate to guard against unwanted occurrences. The rule of thumb has been that all units should be reviewed at least once every five years, and that higher risk areas should be reviewed every two or three years. Units undergoing significant changes in their work structure may need more frequent review.

Reviews can assess whether policies are being followed and identify weak spots that should be remedied. A weakness could be a breakdown in accuracy, timeliness, compliance or protection of due process. In other cases, controls may be missing, weak or inappropriate to the activity being controlled.

Weaknesses need to be tracked in order to be fixed. And more robust action is required for significant "material" weaknesses-those which impair the fulfillment of an agency mission; deprive the public of needed service; violate statutory or regulatory requirements; or do not provide safeguards against waste, loss, unauthorized use or misappropriation of funds, property or other assets. Such material weaknesses are to be reported to top managers, who then may inform the President as well as Congress. For several years, a list of "high-risk" material weaknesses has been included in the President's budget request to Congress.

Some agencies take the FMFIA process seriously, but too many merely give it lip service. And too many fail to integrate FMFIA concerns in operational processes for planning work, allocating resources, and tracking whether and how well the work has been done. These processes generally produce reports which contain the information needed to replan, reprogram or rebudget work. Unfortunately, in many departments, the FMFIA process and these other management systems operate independently of one another. They tend to be driven by different schedules, perhaps are performed by different staffs and serve different requirements.

More significantly, most operating employees do not even perceive their management systems and agency control processes are in any way related. Consequently, the following attitudes about FMFIA persist among many operating managers in many departments and agencies: "It's the CFO's job, not mine;" "It's just another report;" "It's more work for managers on top of too much already;" "We use FMFIA for financial/administrative issues . . . we report operational concerns through other reporting mechanisms."

Thus, FMFIA has been only marginally useful in identifying and addressing serious agency problems. The process in some agencies cannot be relied upon to give top managers assurances that serious operating problems are being routinely surfaced short of a scandal or a crisis.

New Commitment Needed

A major change in attitude and a new commitment to the concepts behind FMFIA are required today. Agencies' management control requirements have been expanded substantially by recent laws, notably the 1993 Government Performance and Results Act and the 1994 Government Management Reform Act. These laws place a premium on program performance and accountability, requirements that cannot be fulfilled without very strong and effective management controls.

The Office of Management and Budget has recognized the problem and has begun to change the way FMFIA is perceived and implemented throughout government. OMB has revised Circular A-123 to refocus management controls on:

  • Having programs achieve intended results.
  • Having reliable information available to support decision making.
  • Making sure the public is not deprived of a needed service.

The reach of FMFIA has been expanded to address whether programs are functioning as planned as well as being administered without fraud, waste or abuse. OMB is promoting integration of FMFIA with other operational controls. Separate processes are not needed to satisfy reporting and operating management requirements when management evaluations are integral to day-to-day operations.

OMB is endorsing alternative ways of meeting control review requirements, such as adapting routine audits, inspections and evaluations to meet the reporting requirements of management control reviews. OMB says these other sources of information should be initially relied upon in assessing the effectiveness of management controls. Only when information from these other sources is insufficient should a separate management control review be conducted.

This shift in the OMB view of FMFIA is constructively disruptive. It forces management to reconsider the purpose of control reviews, thus addressing the obsolescence and resistance that has overcome the FMFIA process for the last 13 years.

The shift elevates program delivery and the role of program employees in the management control review process and de-emphasizes the "accounting" orientation that has dogged the law and has permitted operating personnel to shunt responsibility to financial staff.

OMB is declaring clearly that management controls are the responsibility of operating managers and that ineffective controls are the responsibility of the program staff to find and fix.

Implementing the Change

Though the change could have dramatic results, it should not be difficult for agencies that take operational management seriously. Outside help in making the conversion might be helpful, but is not essential.

A four-step program for making the shift-in part by having many of the day-to-day activities of operating managers qualify as control reviews-is outlined below. The process starts with a survey of current operations reports, inspections, reviews and evaluations. It then addresses these questions:

  • Are all operations being covered? Which are not and how can they be?
  • Do the current reports identify and elevate serious operating problems to management's attention? If not, why not?
  • To what extent, if at all, do these reports address the adequacy of controls in the areas they cover?
  • Can any reports be abolished because they are useless or redundant?
  • Do all operations need to be covered? Controls cost time and money, and in some areas agencies may be willing to risk having less control.

In well-managed agencies, 75 percent or more of operations may already be covered by routine reports-significantly reducing the need for classic management control reviews.

When management control reviews are required, managers should concentrate on areas of known problems and risks.

A final critical step is to make sure resources are budgeted to fix control deficiencies. Failure to budget for such measures is a common mistake.

These measures will go far in meeting OMB's goal of moving responsibility for management controls back to the operating manager. This "added" responsibility should not require much extra time, since in most operations, reports and evaluations already exist and can easily be converted to control reviews. The original intent of the law is within easy reach for most federal managers.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.