Time Runs Out for Financial Failures

Mandate for accurate accounting could put agencies on the path to automation.

These days, push-button auditing might sound like a far-off dream. For federal number-crunchers scrambling to certify their internal controls on financial reporting by June 30, a future of fully automated accounting software is, no doubt, enticing.

Such software would be a huge boon to the 24 agencies rounding the home stretch on a new Office of Management and Budget requirement to verify their financial reporting safeguards. In 2004, OMB tightened rules in Circular A-123 after corporate accounting scandals swept the country, following the lead of tougher commercial controls under the 2002 Sarbanes-Oxley Act.

Changes include stricter guidelines on how agencies evaluate their controls and a requirement that agency heads personally provide their "reasonable assurance" that annual financial reports are accurate for inclusion with their fiscal year Performance and Accountability Report.

Bill McCabe, acting chief financial officer at the Education Department and formerly a senior manager with global accounting giant KPMG, is heading the agency's compliance efforts. Speaking more like the CFO of a large company than a federal agency, he is well aware of the need for automation. "We have millions of transactions flying through the company daily with only 4,000 people to [stand] watch," he says.

But despite its promise, Education has held off on investing in new technology, opting to first lay the groundwork and straighten out any wrinkles by hand. "This year is very manually intensive," McCabe says of his agency's work to document and test internal processes.

OMB Controller Linda Combs says the experience is common among agencies hustling to comply. "Reviewing and updating existing documentation of the key business processes and related internal controls, or documenting new controls, has probably been the most challenging and labor-intensive for agencies over the past year," she says.

Compliance also means agencies must assess the risk associated with their processes, evaluating the likelihood of error, oversight or fraud. If potential problems are factored in, even if the error itself is minor, the process might require more attention.

In what officials hope is a final step, they must test the controls. Testing can be simple or elaborate, ranging from ensuring that documents follow the correct chain of approval to surveying employees who handle a process to observing or even rerunning a process, according to OMB guidance. Where tests indicate a problem, agencies must retool their procedures and repeat the steps, or be prepared to report a deficiency.

Some agencies have well-known shortcomings. In each of the nine years that agencies have been required to obtain financial audits, the Defense Department has flunked its review. Each time, it obtained a qualified opinion indicating that reviewers could not adequately assess its finances. Given Defense's large share of the federal budget, that amounts to an audit failure for the entire government. But there is little the administration or Congress can do, as neither has found a big enough carrot or stick to get the Pentagon to wrangle its myriad legacy financial systems into a cohesive, accountable whole.

OMB has said agencies with "pervasive material weaknesses . . . should focus on the remediation of those weaknesses rather than testing internal controls that are known to be ineffective." Agencies too large or complex to complete testing on all their systems in one year can continue to make incremental progress through 2008 without being considered out of line, as long as OMB is satisfied there is a plan and progress. "Internal control is a management issue," Combs stresses. Automation is crucial and reduces human error, she says, but it comes down to understanding how the bureaucracy works. As Danny Werfel, deputy controller of OMB's Office of Federal Financial Management, noted at a May breakfast for officials working toward the deadline, "Think of A-123 as a commitment that management knows their agency better than anyone else."

Officials stress that the "reasonable assurance" in A-123 is less demanding than the accounting standard applied in other aspects of agencies' financial obligations, which should make it easier to meet the deadline. "It will be the secretary who decides this, not our auditor, and not the inspector general," Education's McCabe says. Everyone agrees that inspectors general need to be involved in the compliance process early on, but some say managers should push back if they feel pressure from auditors, who are accustomed to stricter standards, to go beyond what OMB requires. Molly Dawson, an Education Department audit manager who was detailed to OMB, warns that the same applies to consultants peddling unneeded audit services.

McCabe thinks by next year, agencies could be a big step closer to that fantasy of one-click A-123 compliance. "I just think people are being cautious," he says. "The first thing you want to do is not rush out the door and spend a lot of money on technology." He does not know of any agencies making major IT purchases this year to meet the deadline. By this time next year, he expects technology to be a much bigger player in Education's reporting strategy.

In the meantime, McCabe hopes the review process won't just beef up controls, but also will slim down procedural layers, such as manual and automated checks and balances that duplicate each other and multiple signoffs when one would suffice. "We may find more instances where we may be overcontrolled than undercontrolled," he says.

A sleeker reporting bureaucracy? Now that sounds like a fantasy.
