Chapter 16 - Management Control Systems
Part 5 - Management Services
- Manual Exhibit 5-16-A: Management Control Review Plan
- Manual Exhibit 5-16-B: Self-Assessment Questionnaire
- Manual Exhibit 5-16-C: Required Elements of a Corrective Action Plan
- Manual Exhibit 5-16-D: Area Assurance Statement
- Manual Exhibit 5-16-E: Headquarters MCAM Assurance Statement
- Purpose. This revised chapter establishes the Indian Health Service (IHS) policies, procedures, guidelines, and responsibilities for implementing the Federal Managers' Financial Integrity Act (FMFIA) of 1982, Public Law (P.L.) 97-255. The FMFIA requires that Federal agencies establish and maintain management control systems that meet standards set by the Comptroller General of the United States as defined in Section 5-16.3 of this chapter.
- Policy. It is the policy of the IHS to mitigate the risk of fraud, waste, and mismanagement of assets, resources, and funds. All IHS managers will take proactive measures to develop, implement, and improve management control systems. This includes performance-based reporting on all FMFIA requirements, continuous assessment of controls currently in place to identify needed improvements, and implementing remedial measures as necessary to address deficiencies.
- Background. The process for identifying, evaluating, and reporting on management control deficiencies has changed significantly as a result of executive initiatives and legislation passed subsequent to the FMFIA. Since the initial legislation was passed, a framework for self-assessment now exists whereby management control evaluations can and should be integrated with existing managerial efforts to meet FMFIA requirements. Managers may document management controls compliance pertinent to their respective management control areas by relying on the documentation used in the preparation of reports and information generated by other legislative and/or administrative processes. These include but are not limited to:
- Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576).
- Government Performance and Results Act (GPRA) of 1993 (P.L. 103-63).
- Government Management Reform Act (GMRA) of 1994 (P.L. 103-356).
- Inspector General Act of 1978 (P.L. 95-452).
- Federal Financial Management Improvement Act (FFMIA) of 1996 (P.L. 104-208).
- Clinger-Cohen Act (formerly the Information Technology Management Reform Act of 1996) (P.L. 104-106) and the Computer Security Act of 1987 (P.L. 100-235).
- Revisions to Office of Management and Budget (OMB) Circulars:
- A-123, “Management's Responsibility for Internal Controls”;
- A-127, “Financial Management Systems”;
- A-130, “Management of Federal Information Resources”; and
- A-11, Part 2, “Preparation and Submission of Budget Estimates.”
- National Performance Review/National Partnership for Reinventing Government.
The information and reports generated from meeting these requirements provide valuable data sources for improving the accountability and effectiveness of IHS programs and functions. With these alternative resources and revised guidelines from the OMB, IHS managers are afforded broad discretion in making determinations on the design and adequacy of management control systems and risk levels under their authority.
In this changing environment of fewer resources, streamlined operations, and doing more with less, IHS managers must also use their own personal knowledge of daily operations when considering alternative sources for meeting FMFIA requirements.
As a consequence of Executive Order No. 12861, “Elimination of One-Half of Executive Branch Internal Regulations,” dated September 11, 1993, the Agency as a whole has reduced internal regulations by 50 percent. Outcomes to be achieved in regulations are clearly articulated, responsibilities for decision-making and action are clearly assigned, and oversight has shifted from process to outcome.
- Management Controls. The organizational structures, policies, and procedures that help program and financial managers achieve results and safeguard the integrity of their programs. Management controls are used daily by managers and employees to accomplish the identified objectives of an organization.
- Management Control System. The policies and procedures to identify, manage, and mitigate risk. A management control system identifies role-specific responsibilities; establishes schedules for monitoring, evaluations, and performance; and provides a method for tracking corrective actions.
- Management Control Area. An IHS-specific program or activity that has an inherent susceptibility to fraud, waste, abuse, and mismanagement.
- Management Control Area Manager. The individual assigned overall responsibility for a particular Management Control Area (MCA) as designated on the Management Control Plan (MCP).
- Management Control Plan. The MCP identifies high-risk MCAs that comprise the IHS MCP. In general, an MCA is identified as high-risk due to its vulnerability to fraud, waste, abuse, and mismanagement.
- Material Weakness. Any specific instance of non-compliance with the FMFIA that would significantly affect the fulfillment of the Agency's mission; deprive the public of needed services; violate statutory requirements; result in, or give the appearance of, a conflict of interest; and/or significantly weaken safeguards against loss, unauthorized use, or misappropriation of assets, resources, or funds. Any IHS manager may propose an identified management control deficiency as a “material weakness,” but the Secretary of Health and Human Services (HHS) is the sole official with the authority to declare a material weakness that is reportable to the President and Congress in the Department's Annual FMFIA Assurance Statement as required by the FMFIA.
- Non-Material Weakness. Any identified noncompliance or management control deficiency that merits attention and corrective action by management, but does not conform to the definition of a material weakness as specified in this chapter.
The governance structure established by the IHS for management control includes a Senior Management Council (SMC), Senior Assessment Team (SAT), and Circular A-123 Technical Team. Collectively, these teams conduct and oversee the IHS assessment process, coordinate the completion of the OMB A-123 management responsibility for internal controls annual assurance statements, and ensure that all A-123 requirements are met. Management is responsible for establishing and maintaining internal control to achieve effective and efficient operations; reliable financial reporting; and compliance with applicable laws and regulations. These governing bodies will ensure that assessments of internal controls are adequate to support the annual FMFIA assurance statement.
- Agency Head. The Director, IHS, is responsible for the following: making final determinations on recommended non-compliance and management control deficiencies; signing the Annual FMFIA Assurance Statement for submission to the Secretary, HHS; and ensuring the annual performance plans of appropriate IHS senior managers include FMFIA and A-123 performance elements.
- Senior Management Council. The SMC provides executive leadership and oversight for the Agency's internal control program and is responsible for resolving non-compliance and management control deficiencies.
- Members. The membership of the SMC is as follows:
- Deputy Director (Chair)
- Deputy Director for Management Operations
- Chief Medical Officer
- Deputy Director for Field Operations
- Responsibilities and Duties. The SMC responsibilities and duties include:
- oversight of the SAT and accountability for the internal control assessment process within the IHS;
- working with the SAT to provide recommendations to the Director, IHS, on the annual FMFIA assurance statement;
- ensuring corrective actions relating to audit findings, material weaknesses, and system non-conformances are performed in a timely fashion;
- making the determination that sufficient action has been taken to correct a material weakness or that a weakness is no longer material; and
- ensuring adequate funding/resources to perform the assessments.
- Senior Assessment Team. The SAT provides oversight and accountability to the Agency's A-123 assessment process including internal control over financial reporting (ICOFR). The SAT is co-chaired by the Director, Office of Management Services (OMS) and the Director, Office of Finance and Accounting (OFA) to reflect each office's functional responsibilities for FMFIA implementation and oversight and financial systems implementation.
- Members. Membership of the SAT is as follows:
- Director, OMS (Co-Chair)
- Director, OFA, CFO (Co-Chair)
- Director, Management Policy and Internal Control Staff (MPICS), OMS
- Director, Office of Resource Access and Partnerships
- Director, Office of Information Technology (Chief Information Officer)
- Director, Office of Environmental Health and Engineering
- Responsibilities and Duties. The SAT responsibilities and duties include:
- annually identifying and recommending high-risk MCAs to senior management and the respective Management Control Area Manager (MCAM) to perform the FMFIA assessment processes;
- ensuring that the FMFIA assessment objectives are clearly communicated throughout the IHS;
- ensuring that all identified management control deficiencies are reported to the Director, MPICS, and corrected by the responsible MCAM;
- integrating FMFIA assessment review with other management and internal control reviews and activities;
- making policy recommendations to the SMC regarding A-123 implementation;
- ensuring that the FMFIA assessment process is completed and documented in accordance with Part 5, Chapter 16, “Management Control Systems,” Indian Health Manual (IHM); and
- monitoring annual FMFIA implementation efforts.
- Circular A-123 Technical Team. The Circular A-123 Technical Team provides staff support to the SMC and the SAT and makes policy recommendations regarding OMB Circular A-123 and Appendix A. The team monitors Appendix A efforts, i.e., assessing, documenting, and reporting on the effectiveness of ICOFR, and compiles and analyzes FMFIA and ICOFR results.
- Members. The membership of the Circular A-123 Technical Team is as follows:
- Director, MPICS, OMS (Chair)
- Director, Division of Audit, OFA
- All designated IHS MCAMs
- Responsibilities and Duties. The Circular A-123 Technical Team responsibilities and duties include:
- planning and determining the scope of the FMFIA assessment;
- identifying and designating staff and/or securing contractor(s) to perform FMFIA assessment processes, including the development of control test plans and/or self-assessments;
- compiling and analyzing management controls;
- ensuring that all identified deficiencies are documented; and
- making recommendations to the SAT and SMC for inclusion in the annual FMFIA assurance statement.
- Director, Management Policy and Internal Control Staff. The Director, MPICS, has primary responsibility for coordinating all IHS management control functions. This includes developing, maintaining, and providing Agency-wide guidance policies or procedures for FMFIA processes and related matters; developing and maintaining the IHS MCP; assessing and analyzing management control reviews; clearing survey tools, questionnaires and test evaluation instruments; ensuring proper documentation of findings; preparation of reports; monitoring and ensuring the follow-up of corrective actions; and providing expert advice, technical assistance, and training as requested. The Director, MPICS, develops and maintains FMFIA liaison activities with HHS, other Federal agencies, and all IHS components as necessary.
- Management Control Area Managers-Headquarters. Each designated MCAM is responsible for planning, developing, establishing, budgeting, implementing, and maintaining cost-effective systems of management control for their respective functional areas. This includes preparing evaluation or review plans, consolidating Agency-wide data/information, reporting on high-risk MCAs, and making recommendations to the Director, MPICS, as to materiality and/or non-conformance. The MCAM is also required to submit an annual statement to the SAT (Manual Exhibit 5-16-E) through the Director, MPICS, providing assurance that high-risk MCAs comply with the FMFIA and IHS policy. The MCAM must coordinate this process with the Area Directors, ensuring that reporting mechanisms are established and inter-office communications are maintained. The MCAM develops and maintains working relationships with their field counterparts, providing expert advice and technical assistance as requested.
- Area Directors. Area Directors are responsible for managing and coordinating all FMFIA activities within their respective organizations. The FMFIA activities include responsibility for planning, developing, establishing, budgeting, implementing, and maintaining cost-effective systems of management controls. Each Area Director is responsible for identifying Area-specific high-risk operations and conducting management control reviews as appropriate, evaluating the high-risk areas identified on the IHS MCP, developing methodologies and evaluation instruments as needed, and formulating and implementing corrective action plans. Area Directors must also submit an annual statement (Manual Exhibit 5-16-D) for each high-risk area to the cognizant Headquarters MCAM, providing assurance that his or her respective Area is in compliance with FMFIA requirements and that no significant weaknesses have been identified. If assurance cannot be provided, a corrective action plan must be prepared and submitted to the Director, MPICS. The statements from each Area Director form the basis for the IHS Director's Annual FMFIA Assurance Statement to the Secretary, HHS.
Systems of management control must meet certain standards to ensure their integrity and consistency throughout the Federal Government. Most of these standards are drawn from the Government Accountability Office (GAO), “Standards for Internal Control in the Federal Government,” GAO/AIMD-00-21.3.1, November 1999. These standards are the overall guiding reference for all systems of management control. Other policy documents for governmental operations provide additional specific standards for particular functions. For example, procurement is governed by the Federal Acquisition Regulations (FAR).
- General Management Control Standards. Management must understand the importance of maintaining effective internal control.
- Compliance With Law. Agency program operations, obligations, and costs must comply with applicable laws and regulations. Resources must be efficiently and effectively allocated for duly authorized purposes.
- Reasonable Assurance and Safeguards. Management controls must provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation. Management controls developed for Agency programs must be logical, applicable, reasonably complete, effective, and efficient in accomplishing management objectives.
- Integrity. Managers and employees must demonstrate personal integrity and adhere to the “Standards of Ethical Conduct for Employees of the Executive Branch,” 5 Code of Federal Regulations §2635.
- Competence. Managers must:
- demonstrate their commitment to maintain a level of competence that allows personnel to accomplish their assigned duties; and
- uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties.
- Communication. Encourage effective communication within and between offices.
- Specific Management Control Standards.
- Delegation of Authority and Organization. Managers must ensure that appropriate authority, responsibility, and accountability are defined and delegated to accomplish the Agency's mission and that an appropriate organizational structure is established to perform program responsibilities effectively. To the extent possible, management controls and related decision-making authority should be assigned to line managers.
- Separation of Duties and Supervision. Key duties and responsibilities in authorizing, processing, recording, and reviewing official Agency transactions must be separated among individuals. Managers shall exercise appropriate oversight to ensure individuals do not exceed or abuse their assigned authorities.
- Access to and Accountability for Resources. Access to resources and records shall be limited to authorized individuals, and accountability for the custody and use of resources shall be assigned and maintained.
- Recording and Documentation. To maintain accountability over assets, transactions shall be promptly recorded, properly classified, and accounted for. This permits financial and statistical reports to be prepared accurately and reliably. The documentation for transactions, management controls, and other significant events must be clear and readily available for examination.
- Resolution of Audit Findings/Deficiencies. Managers should promptly evaluate and determine proper actions in response to known deficiencies, reported audit and other findings, and related recommendations. Managers shall complete, within established time-frames, all actions that correct or otherwise resolve the appropriate matters brought to management's attention.
The MCP identifies IHS administrative and programmatic functions that are vulnerable to waste, fraud, and mismanagement. The criteria for determining areas that are at high-risk have been modified over the past several years to meet a changing Federal environment. The MCP is updated each year to add high-risk MCAs and delete those MCAs that are relatively less vulnerable or no longer meet the criteria. The MCP is a dynamic document that can be modified as warranted by changing conditions, and it provides the basis for planning, scheduling, tracking, and improving management control operations. The following information is included in the MCP:
- Management Control Area. The MCA and the responsible organization are determined by IHS managers with input from all levels of management, including Area Directors. Many programs are unique to the IHS and require development of IHS-specific evaluation criteria to assist managers in identifying subject areas that should receive a focused approach and reflecting the areas considered as having the highest management control risk. As programs/functions qualify or disqualify under these categories, they will be added/deleted from the MCP. This approach will allow managers to intensify their efforts where they are most needed and to improve the IHS's accountability and effectiveness in meeting FMFIA requirements. The MCA's risk rating must be reviewed annually and a determination made by the SAT in consultation with IHS managers and directors as to its inclusion or exclusion from the MCP in accordance with the following criteria:
- Criterion 1. Programs/Processes that Comprise a Significant Percent of the IHS Budget.
- Criterion 2. Sensitive Programs/Functions.
- Criterion 3. Material Weaknesses Identified in a Prior Year Audit.
- Criterion 4. Significant Deficiencies Identified in a Prior Year Audit.
- Criterion 5. Newly Authorized Programs and Demonstration Projects.
- Criterion 6. Newly Assigned or Reassigned Organizational Responsibility/Authority.
- Management Control Review Plan. After the annual MCP review and update, MCAMs must prepare a schedule and review plan for their respective area of responsibility. The review plan is a 1-page description of the evaluation method/tool to be used (i.e., questionnaire or program review) and the related time-frame or schedule. The review plan shall reference laws, regulations, and policies that apply to the subject area and the goals of the review. Manual Exhibit 5-16-A outlines the items to include when developing a review plan. The plan is prepared in consultation with the Director, MPICS. The management control review plan is due to the SAT through the Director, MPICS, in accordance with the management control time-line established each fiscal year.
Although resource and time constraints are often cited as limiting factors to performing assessments, it is widely accepted that inadequate control systems typically result in higher costs, greater downtime, and lower morale. The utilization of a results-oriented methodology focused on program adequacy and appropriateness is now the overriding principle in management control assessments.
Managers shall avoid duplicating efforts by using data generated through existing evaluations mandated by other legislative/administrative processes, or the findings of continuous monitoring activities conducted by program or functional managers. Managers will coordinate their efforts with these other evaluation processes to the extent practicable while evaluating IHS management control systems.
- Data/Information Sources. Managers are encouraged to use data gathered from the following alternative sources and their own judgment in evaluating and monitoring management controls. These include the following:
- Audits of financial statements conducted pursuant to the Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended. This includes all information collected in preparing the financial statements and the auditor's report on internal controls and compliance with laws and regulations.
- Office of Inspector General (OIG) and GAO reports that provide internal/external audits, investigations, inspections, reviews, and results of hotline complaints. Most OIG and GAO audits include a report on the management controls related to the program/function under review.
- Reviews of financial systems resulting from meeting requirements of the FFMIA of 1996 and OMB Circular No. A-127 (Financial Management Systems). Financial statements prepared from these reviews identify management controls and must include performance measures necessary to evaluate program and financial management performance.
- Reviews of systems and applications conducted pursuant to the Computer Security Act of 1987 and OMB Circular No. A-130 (Management of Federal Information Resources).
- Program evaluations conducted to meet specific legislative or administrative requirements. These reviews are typically program-specific but they usually include a report on the administrative system of management controls.
- Congressional committee reports and other oversight review findings, such as those prepared by The Joint Commission.
- Annual performance plans and reports pursuant to the GPRA and GMRA. The OMB Circular A-11, Part 2 (Preparation and Submission of Budget Estimates) specifically defines the requirements for strategic plans, annual performance plans, and annual performance reports. These documents provide a comprehensive framework for IHS operations and a very useful source of data for making determinations related to the management control environment.
- Management knowledge gained from observation and the daily operation of Agency programs or systems.
- Scope of Assessment. The scope and type of review performed are determined by the relative risk and potential vulnerability of the control area. The location and depth of the assessment are determined by the cognizant manager in accordance with these factors.
- Resources. Managers must budget for related costs and provide the time and staff necessary to perform the assessments to ensure that management controls are in place and functioning properly.
- Evaluation Instruments. The content/source of all survey tools, questionnaires, test evaluation instruments, etc., is determined by the cognizant manager but must be cleared through the Director, MPICS. Items and criteria to include when developing a self-assessment questionnaire (the preferred method of review) are outlined in Manual Exhibit 5-16-B.
- Records and Documents. Managers must have the following records and documents available to properly assess their internal operations and management control systems:
- pertinent laws and regulations;
- IHS manual issuances and operating procedures;
- internal guidelines;
- accounting records/budgetary documents and related financial information;
- transaction records;
- operating reports and correspondence;
- current validation and testing of internal operations, including interviews and observation of MCA staff; and
- current statistical data/related numeric reports.
- Documentation. Sufficient documentation must exist to support the findings or conclusions of the management control review and to ensure that the evaluation or self-assessment was adequately planned and coordinated. The documentation shall be maintained in accordance with the IHS records management policy and procedures found in Part 5, Chapter 15, “Records Management,” IHM. The management control review documentation will normally include the names and titles of the personnel directly involved with the evaluation; summaries of all briefings and conferences; description of the review methodology used; completed evaluation instruments, including those generated from interviews, testing, and validation; and all pertinent reports, working papers, correspondence, and related memoranda generated during the review cycle.
- Management Control Self-Assessments. Questions on the self-assessment should be based on the laws, regulations, and policies applicable to each MCA. Area Directors are responsible for completing and submitting the self-assessments to the cognizant MCAM for each MCA identified on the MCP. Since the scope of the MCAM assurance statement is Agency-wide, it may be appropriate to address a self-assessment to Headquarters Divisions. The MCAM prepares and submits a summary report to the Director, MPICS, based on Area Office management control reviews and other Agency-wide data. The summary report must draw conclusions based on the results of the reviews and is subject to review and approval by the Director, MPICS, to ensure a consistent application of the Management Control Standards and to provide a means for quality control throughout the IHS.
- Findings and Recommendations. All findings and recommendations must be supported by information gathered in the management control reviews (i.e., data from questionnaires, interviews, testing of transactions, and other related review or validation activities). Major findings and recommendations must be stated in terms of the Management Control Standards identified in Section 5-16.3 and include any emerging issues that may warrant immediate attention.
- Material and Non-Material Weaknesses. Deficiencies must be identified and reported as either non-material or potentially material to HHS. Potential material weaknesses must be clearly cited in the summary report from the MCAM and supported with substantive data from the function or program under review. The SAT must be immediately notified when a potential material weakness is discovered. For a deficiency that is declared an HHS material weakness by the Secretary, HHS, a follow-up evaluation is required to validate that all corrective actions have been completed and to ensure that the material weakness has been resolved. This review must be completed by the cognizant MCAM within 12 months after the material weakness has been reported as corrected.
- Approval and Distribution. Once the summary MCAM report has been approved by the SAT and SMC, the information will be used to prepare the Annual FMFIA Assurance Statement from the IHS Director to the Secretary, HHS. The original signed summary MCAM report is maintained by the Director, MPICS.
- Corrective Action Plan. All reported weaknesses will be monitored through a time-phased Corrective Action Plan (CAP) in the format identified in Manual Exhibit 5-16-C. The cognizant manager must develop and submit the CAP to the SAT through the MCAM, and the Director, MPICS, with the related self-assessment. The CAP must include the following information:
- Narrative. A narrative section that cites the weaknesses.
- Action Items. A description of the planned actions to correct the weakness and a schedule for completion. Each cited weakness must be linked to a specific CAP.
- Schedule or Resources. Identification of the resources and projected time-frames that will be required to complete each corrective action. An effort should be made to complete all corrective actions within 12 months of the approved CAP.
- Signature. The cognizant manager must sign the CAP and submit it for approval, through the MCAM and the Director, MPICS, to the SAT.
- Status of a Prior Year's CAP. A follow-up question regarding the status of a prior year's CAP must be included in subsequent years' self-assessment questionnaires. The responses provided should describe the major accomplishments during this reporting period, indicate whether or not the CAP met scheduled time-frames for completion, explain revisions to the CAP, and if completed, describe how the corrective action resolved the deficiency. Also, periodic follow-up will be made by the Director, MPICS, to the MCAMs regarding the status of a prior year's CAP.
- Internal Assurance Statements. Area Directors and MCAMs are required to submit a separate assurance statement for each MCA in the format identified on Manual Exhibits 5-16-D and 5-16-E. These formal assurance statements are due annually with the submission of the self-assessments. The Area assurance statement indicates whether the Area can or cannot provide the required assurances. The MCAM assurance statement indicates Agency-wide compliance with the FMFIA. These statements form the basis for the IHS Director's Annual Statement of Assurance to the Secretary, HHS.
- Agency Annual Statement of Assurance. The Director, IHS, is required by the FMFIA to submit an annual report to the Secretary, HHS, which is then submitted to the President and the Congress. This report is usually due to the Secretary by October 15, after the close of the fiscal year, and is prepared by the Director, MPICS, with input from senior program managers, directors, and administrative officials. All self-assessments conducted and completed during the current calendar year will be considered for disclosure in the Annual Statement of Assurance.
- Reporting Pursuant to Section 2 - Federal Managers' Financial Integrity Act. This section of the report provides a statement as to whether or not there is reasonable assurance that the management controls are achieving their objectives. The section describes the analytical basis for the report and the extent to which IHS activities were assessed. If a material weakness has been declared by the Secretary, HHS, this section includes the IHS corrective actions planned and the progress made toward implementing those plans.
- Reporting Pursuant to Section 4 - Federal Managers' Financial Integrity Act. This section of the report provides a statement as to whether or not IHS financial management systems conform to Government-wide requirements identified in OMB Circular No. A-127, Section 7. If the IHS does not conform to these requirements, the Agency must develop and submit plans for bringing its financial systems into compliance.
- Program Support Center. The Program Support Center, HHS, prepares the Agency's quarterly financial statements through an agreement with the IHS. However, the IHS is responsible for providing assurance under Section 4 of the FMFIA and reporting to the Secretary on the adequacy or inadequacy of financial systems that are in place. Any deficiencies found and determined by the Secretary, HHS, to be material, must be disclosed in the Annual FMFIA Assurance Statement and addressed in the same manner as other material weaknesses.