Volume I - General Accounting
Chapter 05 – Management’s Responsibility for Internal Controls
Questions concerning this policy chapter should be directed to:
0501 Overview
This chapter establishes the Department of Veterans Affairs’ (VA) financial policies regarding management’s responsibility for internal controls.
Key points covered in this chapter:
- VA management is responsible for establishing and maintaining internal controls to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations;
- Management will establish the internal control system to align with the federal internal control standards set forth by the Government Accountability Office (GAO), Standards for Internal Control in the Federal Government (Green Book);
- VA will establish a process for performing an annual assessment of internal controls to meet the statutory requirements of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA); and
- VA will follow the implementation guidance set forth by Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.
0502 Revisions
See changelog.
0503 Definitions
Anti-Deficiency Act (ADA) Violation – Pursuant to 31 U.S.C. § 1341, an ADA violation may occur when an obligation of funds exceeds the amount, time or purpose of such spending as approved by Congress in the form of enacted law.
Change Risk – Risk posed to the organization that results from changes in internal or external conditions. Internal conditions may include changes to the entity’s programs or activities, oversight structure, organizational structure, personnel, and technology. Changes in external conditions include changes in the governmental, economic, technological, legal, regulatory, and physical environments.
Component – Highest level of the hierarchy of federal internal control standards in the GAO Green Book’s internal control framework. There are five required internal control components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
Control Activities – The policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve an entity’s objectives and address related risks.
Control Objective – The aim or purpose of specified controls. Control objectives address the risks related to achieving an entity’s objectives.
Deficiency or Control Deficiency – When the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks.
Fraud Risk – The potential that a person or organization may obtain something of value through willful misrepresentation, e.g., fraudulent financial reporting, misappropriation of assets, and corruption.
Inherent Risk – The risk to an entity in the absence of management’s response to the risk; the natural level of risk existing in a process or activity with the absence of controls.
Internal Controls Assessment Process – Annual assessment process performed to determine the effectiveness of internal controls against federal internal control standards and to identify reportable Material Weaknesses and Material Non-Compliances with Laws or Regulations at VA’s entity level.
Internal Controls – The organizational activities, plans, methods, policies, and processes used to reasonably ensure (1) programs achieve their intended results; (2) resources are used consistent with the organization/Department mission; (3) programs and resources are protected from waste, fraud, and mismanagement; (4) laws and regulations are followed; and (5) reliable and timely information is obtained, maintained, reported, and used for decision making.
Internal Control System – The collective grouping of all internal control activities established by management and built in as a continuous part of operations. The internal control system is affected by people and provides reasonable assurance, not absolute assurance, that the entity’s objectives will be achieved.
Material Weakness or Material Non-Compliance with Laws or Regulations – The most severe level of control deficiency, which is defined by management of the unit being assessed as being of sufficient importance to materially (1) impair fulfillment of the mission; (2) deprive customers and Veterans of services; (3) violate statutory or regulatory requirements; or (4) significantly weaken safeguards against waste, loss, unauthorized use, or misappropriation of assets. A material weakness in internal control over compliance (Material Non-Compliance with Laws or Regulations) is a condition where management lacks a process that reasonably ensures preventing a violation of law or regulation that has a direct and material effect on financial reporting or significant effect on other reporting or in achieving Agency objectives.
Operational Objectives – Objectives related to program operations that help achieve an entity’s mission. It is one of the three categories of objectives and related risks (along with reporting and compliance) for which federal agencies implement internal controls.
Principle – Second level of the hierarchy of federal internal control standards in the GAO Green Book’s internal control framework. There are 17 required internal control principles within the 5 components.
Reasonable Assurance – A satisfactory level of confidence in achieving program, administrative and financial management objectives effectively and efficiently, and safeguarding government resources under given considerations of costs, benefits and risks. The emphasis is on the term “reasonable” since “absolute” assurance can never be given for any process.
Reporting Entity – VA offices responsible for annually completing the Internal Controls Assessment Process and Statement of Assurance (SOA). Reporting Entities consist of the three Administrations and major Staff Offices, and collectively account for all activities in VA.
Residual Risk – The risk that remains after controls are implemented due to management’s response to inherent risk.
Risk – The potential for loss, harm, or missed opportunities in achieving the organization’s mission and strategic objectives due to uncertainty.
Risk Assessment – Management’s identification and evaluation of the internal and external impediments that may prevent the organization from meeting its objectives. Proper assessment includes consideration of relevant interactions within the organization as well as with outside organizations; consideration of previous findings (e.g., auditor identified, internal management reviews, or noncompliance with laws and regulations); and identifying management’s chosen response to each risk, considering impact, likelihood, and controls already in place. Risk Assessment may also refer to a tool used to document the process. Risk assessments addressed include inherent risk, residual risk, fraud risk, and change risk.
Risk Tolerance – The acceptable level of variation in performance relative to the achievement of objectives. Also referred to as risk appetite.
Separation of Duties (SOD) – A principle based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. SOD is also known as segregation of duties.
Service Organization – also known as a contractor or service provider. An external party that performs operational process(es) for an entity (e.g., accounting and payroll processing, security services, or health care claims processing).
Significant Deficiency – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A Significant Deficiency should be shared internally across VA when identified by Reporting Entities because they represent significant weaknesses in the design or operation of internal controls that could adversely affect the Reporting Entity or organization’s ability to meet its internal control objectives. At the Department level, Significant Deficiencies are defined as severe enough to share across VA but not report to the President and Congress in the Secretary’s SOA.
Statement of Assurance (SOA) – The annual statement certifying that management has appropriately assessed operational activities. The statement is also management’s objective decision that a program and/or financial management systems are or are not operating in compliance with FMFIA. The statement is based on the results of internal control assessments, evaluations, and/or reviews.
0504 Roles and Responsibilities
Secretary of Veterans Affairs (SECVA) is responsible for ensuring the maintenance of a sound control environment throughout VA and providing reasonable assurance to the President, Congress, and OMB on the status of VA’s compliance with FMFIA through the signed annual SOA reported in the Agency Financial Report (AFR). SECVA reports all Material Weaknesses and instances of Material Non-Compliance with Laws and Regulations in the SOA. SECVA considers information from VA’s internal control assessment process, with input from the Chief Financial Officer (CFO) Council and has ultimate decision authority for deficiencies deemed Material Weaknesses or Material Non-Compliance with Laws and Regulations and included in the SOA.
Under Secretaries, Assistant Secretaries, and Other Key Officials are responsible for identifying control objectives and ensuring appropriate internal controls are designed and implemented within their organizations. They will ensure corrective action plans are communicated at appropriate levels, are consistent with laws, regulations, and agency policy and that performance appraisals of appropriate officials reflect internal control responsibilities. As the leaders of VA’s Reporting Entities, they are responsible for completing and ensuring the Internal Controls Assessment for their entity level is accurate, represents their entire organization, includes self-identification of deficiencies, and is provided in accordance with timelines and instructions announced by the Office of Management (OM) and coordinated through the Office of Business Oversight (OBO).
Assistant Secretary for Management/Chief Financial Officer (VA CFO) directs and evaluates FMFIA annual reporting and chairs the CFO Council as the oversight body for financial audit activities and governance over internal controls.
CFO Council serves as an advisory committee to the VA CFO. The CFO Council is chaired by the VA CFO and consists of representatives from VA Administration and Staff Offices at the CFO leadership level. Voting members and advisory (non-voting) members advise the VA CFO on matters related to issues of enterprise-wide importance, which helps VA integrate its efforts to meet the requirements of FMFIA and other acts. The CFO Council also addresses resolution of audit findings and integration with enterprise risk management. The CFO Council ensures efforts are ongoing throughout the year to meet internal control assessment responsibilities and provides recommendations regarding the content of the VA Secretary’s SOA.
Chief Executive Officers (e.g., CFO, Chief Information Officer (CIO), Chief Acquisition Officer) have VA-wide duties and responsibilities required by federal law and regulations, OMB guidance, or VA delegation. Chief Officers review and attest to the effectiveness of internal controls, report deficiencies, and provide an overall SOA for all responsibilities within the purview of their assigned Chief Officer function, including activities organizationally aligned outside their chain of command.
Office of Acquisition, Logistics and Construction (OALC) is responsible for establishing acquisition policy and working across the Department to make strategic sourcing decisions that maximize its purchasing authority.
Office of Business Oversight (OBO) is responsible for overseeing the process of assessing risks facing VA as it seeks to achieve its objectives, managing and implementing VA’s program for addressing risk, drafting management’s assessment and reporting on the effectiveness of the internal controls implemented to reduce risk in accordance with OMB Circular A-123 and as required by FMFIA and GAO Green Book.
Office of Enterprise Integration (OEI) is responsible for managing the portion of VA’s OMB Circular A-123 implementation related to enterprise risk management framework that provides the necessary governance, communications, training, processes, and tools to effectively identify, assess, address, and monitor risks.
Office of Information and Technology (OIT) is responsible for the evaluation of VA’s financial management systems’ conformance with FMFIA Section 4 requirements in accordance with OMB Circular A-123, Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996; OMB Bulletin 21-04, Audit Requirements for Federal Financial Statements; and the Treasury Financial Manual (TFM) Volume I, Part 6, Chapter 9500, Revised Federal Financial Management System Requirements for Fiscal Reporting.
VA Managers and Supervisors at all levels are responsible for assigned activities within their purview and for designing, implementing and monitoring internal controls to achieve operational objectives.
VA Employees are responsible for participating in the internal control system designed by management by fulfilling assigned internal control responsibilities as part of day-to-day activities. Employees are responsible for reporting issues to their supervisory chain of command, including potential internal control deficiencies.
0505 Policies
050501 General Policies
- VA will establish internal controls in accordance with GAO’s Green Book standards as required by FMFIA. The GAO Green Book applies to all categories of VA’s internal control objectives: effectiveness and efficiency of operations, reliability of reporting, and compliance with laws and regulations.
- VA will use Green Book’s hierarchical structure of 5 components and 17 principles to effectively design, implement, maintain and document internal control systems that operate in an integrated manner to address identified control objectives.
Components of Internal Control | Principles
---|---
1. Control Environment | 1. Demonstrate Commitment to Integrity and Ethical Values
 | 2. Exercise Oversight Responsibility
 | 3. Establish Structure, Responsibility and Authority
 | 4. Demonstrate Commitment to Competence
 | 5. Enforce Accountability
2. Risk Assessment | 6. Define Objectives and Risk Tolerances
 | 7. Identify, Analyze, and Respond to Risk
 | 8. Assess Fraud Risk
 | 9. Identify, Analyze, and Respond to Change
3. Control Activities | 10. Design Control Activities
 | 11. Design Activities for Information System
 | 12. Implement Control Activities
4. Information and Communication | 13. Use Quality Information
 | 14. Communicate Internally
 | 15. Communicate Externally
5. Monitoring | 16. Perform Monitoring Activities
 | 17. Evaluate Issues and Remediate Deficiencies
- In accordance with FMFIA and the GAO Green Book, all levels of VA management are responsible for internal control. VA managers at all organizational levels will continuously monitor, assess, and improve the effectiveness of internal controls associated with mitigating risks to achieve objectives. In addition, due to the decentralized structure of VA, managers will also be aware that their responsibility for internal control may extend beyond traditional organizational reporting lines.
- The establishment of appropriate internal controls will be supported by higher levels of management.
- Management will view the internal control system as an integral part of the operational processes used to guide operations rather than as a separate system within VA. In this sense, internal control is built into VA as a part of the organizational structure to help managers achieve their objectives on an ongoing basis.
- VA management will comply with GAO Green Book documentation requirements and maintain documentation to demonstrate the internal control system. Specifically, management:
- Develops and maintains documentation of its internal control system. The level and nature of documentation will vary based on the size of the entity and the complexity of the operational processes the entity performs;
- May determine that a principle is not relevant and support that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively;
- Documents in policies the internal control responsibilities of the organization;
- Evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues;
- Evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis; and
- Completes and documents corrective actions to remediate internal control deficiencies on a timely basis.
- Management will exercise judgment in determining what documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively.
050502 Internal Controls Integration and Risk
- VA’s internal control system will be a continuous, built-in component of operations, that provides reasonable assurance VA’s objectives will be achieved. Internal control is not a single event or action, but a series of events and actions that occur throughout VA’s operations.
- Management at all levels of VA will define the specific goals and priorities of the organization or controlled unit in measurable, understandable terms to enable the identification of risks and define risk tolerances (GAO Green Book, Component 2, Principle 6).
- VA management will identify risks that could prevent the organization or unit under their influence from achieving its objectives, analyze those risks, and determine the appropriate risk response (GAO Green Book, Component 2, Principles 7-9).
- VA management will identify risks, formulate control objectives, then design and implement internal controls for those risks/objectives (typically high and medium) for which mitigation is the desired risk response (GAO Green Book, Component 3, Principles 10-12).
- Types of risk include:
- Inherent and Residual Risk – VA’s lack of response to either of these two risks could cause deficiencies in the internal control system;
- Fraud Risk – Can be mitigated by making changes to the entity’s activities and processes. Changes may include stopping or reorganizing certain operations and reallocating roles among VA personnel to enhance separation of duties; and
- Change Risk – Identifying, analyzing, and responding to change is similar to, if not part of, the VA’s regular risk assessment process. Identified significant changes will be communicated across the entity through established reporting lines to appropriate personnel so that management may properly review and mitigate any change-related risk.
- Office of Business Oversight (OBO) will collaborate with Office of Enterprise Integration (OEI) on risks and internal controls for enterprise and non-enterprise risks with both offices providing operational guidance to VA management.
- VA management must have access to relevant and reliable communication related to internal as well as external events, in order to support and design effective internal controls. Communication of quality information is at the center of the cycle and is integral to effective system operation (GAO Green Book, Component 4, Principles 13-15).
Figure 1: Continuous Cycle of Internal Control
- VA management will continuously monitor controls to ensure they are designed effectively and operating as intended (GAO Green Book, Component 5, Principle 16).
- When internal control deficiencies are identified, such as when testing controls, VA management will implement necessary corrective actions to remediate the deficiencies (GAO Green Book, Component 5, Principle 17).
050503 Decentralization of Internal Control Responsibilities
- VA management’s responsibility for implementing and monitoring internal controls will not be diminished by the decentralization of operational processes. For example, the VA Chief Financial Officer (VA CFO) delegates substantial responsibility to Administration and OIT CFOs to carry out the financial management activities within their organizations. However, that delegation does not relieve the VA CFO from overall responsibility for all financial activities across the Department. The VA CFO is required to provide an assessment of internal controls over all Department financial activities, including those delegated responsibilities, and requires a separate CFO SOA over financial operations from Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), National Cemetery Administration (NCA), and OIT CFOs.
- VA’s Executive Director for the Office of Acquisition, Logistics and Construction (OALC), in collaboration with the VA CFO, will ensure controls over acquisitions are in place and integrated into the agency’s internal control review processes. The Executive Director, OALC, will lead VA acquisition assessments, applying guidance in the OMB Memorandum, “Conducting Acquisition Assessments Under Circular No. A-123,” May 21, 2008.
- In similar fashion, VA’s Chief Executive Officers will design, implement, and monitor internal controls for their areas of functional responsibility, regardless of the reporting lines conducting the activities. All levels of the organization will communicate information not only within their chain of command but also across and around the organizational structure, to include the Chief Executive Officers with delegated agency-level responsibilities such as human capital, finance, acquisition, and information technology.
- Management will consider how units interact to fulfill their overall responsibilities and establish reporting lines within an organizational structure that enable units to efficiently and effectively communicate the quality information necessary to comply with applicable laws and regulations while fulfilling their overall responsibilities.
050504 Service Organizations
- VA management retains responsibility for the performance of, and risks associated with, processes outsourced to service organizations.
- VA will use System and Organization Controls (SOC) reports to monitor the service organizations’ activities and internal controls.
- The extent of VA’s SOC review will depend on the nature of the terms and conditions specified in the contract or agreement.
- Management will provide increased oversight when the activity is significant to VA’s achievement of mission objectives and/or material to VA’s financial statements.
- In accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification (AT-C), management will work with assigned VA contracting officers to establish contractual requirements to obtain independent audit reports attesting to the controls of service organizations for services that are either material to VA’s financial statements or mission objectives. SOC reports most relevant to VA contracts include:
- SOC 1, Type 2 (a Type 2 report covers both the design and the operating effectiveness of controls over a specified period, whereas a Type 1 report covers only the design of controls at a single point in time). Reports on the design and operating effectiveness of controls at a service organization relevant to VA’s internal controls over financial reporting throughout a specified period. These reports, prepared in accordance with SSAE 18, AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the Certified Public Accountants that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.
- SOC 2, Type 2. Reports on the design and operating effectiveness of controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy throughout a specified period. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
- Beyond SOC reports, VA management can also obtain assurance over service organization controls using a variety of other methods. These include:
- Assessing service organization internal controls;
- Monitoring and regularly reporting on processes, products, or services provided by the service organization; or
- Engaging a VA entity to review SOC reports.
- In all cases, VA management will maintain documentation that clearly indicates SOC reports have been reviewed and provide reasonable assurance the service organization can provide the contracted or outsourced service.
050505 Governance
- The CFO Council will provide and support open communication among financial and senior management working to support VA’s mission and the Federal Government.
- The CFO Council will review financial and operational internal controls and financial audit matters and encourage continuous improvement of VA’s policies, procedures, and practices at all levels. Improving internal controls reduces audit findings, helps VA maintain clean audit opinions, and helps meet operational objectives.
- The CFO Council will review deficiencies, consider the impact to VA, and recommend the content of the VA Secretary’s SOA.
- The CFO Council will follow financial management regulations and implementing guidance including but not limited to the FMFIA, Federal Financial Management Improvement Act of 1996 (FFMIA), OMB Circular A-123, and the CFO Act of 1990.
050506 Reporting Entities’ Internal Controls Assessments
- OBO will coordinate the annual Internal Controls Assessment and SOA official announcement from OM, typically made in a memorandum to heads of the Reporting Entities. The annual notice will include information regarding instructions, required templates, and due dates for conducting the assessment and submitting the SOA. When VA uses a combination of interim and final Statements of Assurance to cover the entire year, OBO will coordinate all related announcements from OM.
- OBO’s intranet site maintains the most current Internal Controls Assessment process template, guidebooks, reference documents, policies, training materials, and editable SOA templates.
- OBO will ensure VA’s annual Internal Controls Assessment process conforms to the most recent federal internal control framework issued by GAO Green Book, including any changes that are published and effective for the current fiscal year.
- OBO will ensure the Internal Controls Assessment, SOA templates, tools, and training are compliant with OMB Circular A-123.
- OBO will determine VA’s designated Reporting Entities required to complete annual assessments of the effectiveness of the entity’s internal controls.
- Each year, OBO will provide Reporting Entities instructions on how to submit their Internal Controls Assessment, SOA, and supporting documentation (e.g., secure folders on SharePoint).
- Each of VA’s designated Reporting Entities will complete an annual assessment of the effectiveness of internal controls and submit the assessment to OBO. The assessment, referred to as the Internal Controls Assessment, requires Reporting Entities to:
- Evaluate the internal control system against the 5 Components and 17 Principles of internal control specified in GAO’s Green Book:
- Describe how the Reporting Entity meets the principle;
- Identify deficiencies and their severity;
- Report internal control deficiencies;
- Describe corrective action plans for Material Weaknesses and Material Non-Compliance with Laws and Regulations; and
- Conclude on the effectiveness of each principle.
- Reporting Entities will provide supporting documentation to substantiate the statements contained in their Internal Controls Assessment and demonstrate the internal control system is documented as required by the Green Book.
- Deficiencies will be described with enough detail for people outside the Reporting Entity to understand the nature of the deficiency. The Reporting Entity will consider the magnitude of impact and the likelihood of the deficiency to conclude on the appropriate severity level.
- Magnitude of impact considers the effect the deficiency had or could have on the Reporting Entity’s ability to achieve its objectives. In other words, could the deficiency have a severe impact on meeting objectives;
- Likelihood considers how likely it is the deficiency will impact the objectives. In other words, what is the chance the deficiency will impact effectiveness and efficiency of operations, reliability of reporting, or compliance with laws and regulations.
- After assessing each principle within the component, the Reporting Entity will conclude on the effectiveness of the component. The effectiveness of the component is directly related to the effectiveness of each principle. If any principle within a control component is deemed ineffective, the entire control component is ineffective. The Internal Controls Assessment provides space for the Reporting Entity management to document its conclusion for each principle, followed by the relevant component. For example, Reporting Entities complete an assessment for each of Principles 1 through 5 and then conclude on the effectiveness of Component 1 (Control Environment).
- Reporting Entity management will identify and select the appropriate severity rating for each deficiency. The Internal Controls Assessment categorizes deficiencies in four severity levels:
- Material Weaknesses (the most severe);
- Significant Deficiencies;
- Control Deficiencies; and
- Material Non-Compliance with Laws and Regulations (the compliance equivalent of a Material Weakness; see the definition in 0503).
- The severity rating should not conflict with the identified magnitude of impact and likelihood. For example, if a deficiency has a low impact and is considered unlikely, it should typically not be considered a Material Weakness. By assigning the highest severity level, management is recommending the Material Weakness be reported external to the Reporting Entity and considered by the oversight body for reporting outside VA.
- The Internal Controls Assessment requires information about planned corrective actions for deficiencies identified as Material Weaknesses and Material Non-Compliance with Laws and Regulations. The Reporting Entity will provide a copy of the corrective action plan to OBO. The corrective action plan can be the most recent version of a corrective action plan already being tracked by another organization (e.g., OIG, GAO, OM, or established by the Reporting Entity). Once identified, Material Weaknesses will be reported in subsequent fiscal years until the Reporting Entity can demonstrate the deficiency was resolved or lessened.
- When requested, Reporting Entities will each complete a comprehensive Internal Controls Assessment at the Reporting Entity level, including providing documentation to support all assertions and narratives in the Internal Controls Assessment and signing an SOA. To the greatest extent possible, documentation provided will consist of the detailed results of transactional level testing of internal controls.
- Reporting Entities will identify and obtain appropriate input from sub-offices and programs covering every level of their organization when completing their Internal Controls Assessment and SOA.
- Entities with Chief Officers (VA officials with Department-wide duties and responsibilities) will encompass all Chief Officer responsibilities in Internal Controls Assessment responses.
- Information on how the Reporting Entity monitors service organization controls for outsourced processes is required for a complete Internal Controls Assessment.
- Internal Controls Assessment responses must include self-identified deficiencies from throughout the organization and address deficiencies identified by all other sources, including auditor findings.
- Entities will provide corrective action plans for deficiencies in accordance with instructions. All internal control deficiencies rising to the severity of a material weakness or significant deficiency must be accompanied by a detailed, fully developed corrective action plan that clearly addresses the root causes of the deficiency and provides a path to correct them.
- In addition to the assessments for the Green Book’s 17 Principles and 5 Components of internal control, the Internal Controls Assessment may contain additional sections addressing or adding emphasis to requirements that intersect with FMFIA, OMB Circular A-123, and the Green Book. For example, Public Law 112-194, The Government Charge Card Abuse Prevention Act of 2012, mandates that each executive agency that issues and uses charge cards (purchase cards, convenience checks, fleet cards, and travel cards) will establish and maintain safeguards and internal controls. OMB Memorandum M-13-21, Implementation of the Government Charge Card Abuse Prevention Act of 2012, requires agencies to provide a certification about the use of charge cards in the annual FMFIA SOA. To help management reach a conclusion regarding internal controls over charge cards and to support the certification statement, the Internal Controls Assessment contains a Charge Card Assessment. Reporting Entities will complete the Charge Card Assessment and ensure any internal control deficiencies related to charge cards are included in the appropriate principle within the Internal Controls Assessment.
- Depending on management’s conclusions in the Internal Controls Assessment and the existence of Material Weaknesses and Material Non-Compliance with Laws and Regulations, Reporting Entities will submit one of the following types of SOAs:
- Unmodified SOA. The Reporting Entity will prepare an Unmodified SOA when management concluded in the Internal Controls Assessment that the overall system of internal controls was effective and there were no Material Weaknesses or Material Non-Compliance to report;
- Modified SOA. The Reporting Entity will prepare a Modified SOA when management concluded in the Internal Controls Assessment that the overall system of internal controls was effective and identified one or more Material Weaknesses or Material Non-Compliances; or
- Statement of No Assurance. The Reporting Entity will prepare a Statement of No Assurance when management cannot attest to the effectiveness of internal controls because an assessment was not performed, the extent of Material Weaknesses or Material Non-Compliance is pervasive, or the activities being assessed have been established for less than 6 months.
- Reporting Entities will provide supporting documentation to substantiate the statements contained in their Internal Controls Assessment and demonstrate the internal control system is documented as required by the Green Book.
- Entity Internal Controls Assessments and SOAs will be submitted to OBO, which will analyze each report and review it for completeness (i.e., ensure proper supporting documentation is provided). OBO will apply reasonableness testing and inform Reporting Entities of any apparent conflicts between deficiencies reported and conclusions reached by management within the Internal Controls Assessment. OBO will require Reporting Entities to make corrections for missing or conflicting information.
050507 Statement of Assurance (SOA) Process
- The SOA provides an informed judgment of the overall adequacy and effectiveness of the Reporting Entity’s internal controls. It should be prepared after completion of the Internal Controls Assessment by Reporting Entities and viewed as the means of applying management’s signature to the assertions in the Internal Controls Assessment about the effectiveness of the internal control system and the existence of Material Weaknesses and Material Non-Compliance with Laws and Regulations.
- Per the timelines set annually by OBO, VA may use a phased approach to obtain management’s assurance over the full fiscal year by using interim and final Statements of Assurance.
- Each Reporting Entity will prepare an SOA using templates provided by OBO. The SOA will list all Material Weaknesses and Material Non-Compliance with Laws and Regulations identified in the Internal Controls Assessment, provide corrective action plans, and report on any ADA violations. The head of the Reporting Entity will sign the Entity SOA.
- The Reporting Entity will ensure the Internal Controls Assessment and SOA are updated to reflect changes in deficiencies (adding newly identified deficiencies or removing remediated deficiencies) that impact the fiscal year being assessed.
- The results of continuous monitoring and reviews should be reported to leadership as part of the SOA. The SOA should include a:
- Report of Internal Control Deficiencies: VA managers and staff will identify and report deficiencies, and all levels of leadership will support a culture of openness. Managers can inform the chain of command of the perceived significance of deficiencies by designating the severity level using the definitions in this policy (i.e., material weakness, significant deficiency, control deficiency). Sharing deficiencies with the next level of supervision allows the VA chain of command to determine the relative importance of each deficiency.
- Corrective Action Plan (CAP) for noted deficiencies: Correcting control deficiencies is an integral part of management accountability and is a priority in VA. VA’s ability to correct control deficiencies is an indicator of the strength of its internal control environment. Effective remediation of control deficiencies is essential to achieving the objectives of FMFIA, and uncorrected or longstanding control deficiencies will be considered in determining the overall effectiveness of internal control.
050508 VA’s Consolidated Internal Controls Assessment and SOA
- The Internal Controls Assessment and resulting SOA completed by the Reporting Entities are vital in providing the basis for the overall VA Internal Controls Assessment. When OBO deems all assessments and statements for Reporting Entities are complete, OBO will consolidate all identified control deficiencies submitted into VA’s annual Internal Controls Assessment.
- OBO will present deficiencies from the Reporting Entity Internal Controls Assessments to the CFO Council and prepare the VA Secretary’s SOA based on recommendations from the CFO Council or as directed by OM. OBO will include Material Weaknesses and Material Non-Compliance with Laws and Regulations recommended by the CFO Council, with deviations only as directed by OM. The Secretary will ultimately decide the final contents of the Departmental SOA and will submit the Statement to Congress by November 15 in the Agency Financial Report (AFR).
0506 Authorities and References
- 31 U.S.C. § 1341, Limitations on expending and obligating amounts
- American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification
- Chief Financial Officers (CFO) Act of 1990, P.L. 101-576
- Federal Financial Management Improvement Act of 1996 (FFMIA), P.L. 104-208, Title VIII
- Federal Managers’ Financial Integrity Act of 1982 (FMFIA), P.L. 97-255
- GAO Standards for Internal Control in the Federal Government (GAO Green Book)
- Government Charge Card Abuse Prevention Act (GCCAPA) of 2012, P.L. 112-194
- OMB Bulletin 21-04, Audit Requirements for Federal Financial Statements
- OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control
- OMB Memorandum, “Conducting Acquisition Assessments Under Circular No. A-123,” May 21, 2008
- OMB Memorandum M-13-21, Implementation of P.L. 112-194 (GCCAPA)
- TFM Volume I, Part 6, Chapter 9500, Revised Federal Financial Management System Requirements for Fiscal Reporting
0507 Rescissions
Volume I, Chapter 5 – Management’s Responsibility for Internal Controls, dated February 2019.
0508 Questions
Questions concerning this financial policy should be directed to the following points of contact:
Appendix A: Previous Revision Table
See changelog.