Financial Management: Effective Internal Control Is Key to	 
Accountability (16-FEB-05, GAO-05-321T).			 
                                                                 
Internal control is at the heart of accountability for our	 
nation's resources and how effectively government uses them. This
testimony outlines the importance of internal control, summarizes
the Congress's long-standing interest in internal control and the
related statutory framework, discusses GAO's experiences and	 
lessons learned from agency assessments since the early 1980s,	 
and provides GAO's views on the Office of Management and Budget's
(OMB) recent revisions to its Circular A-123. GAO highlights six
issues important to successful implementation of the revised	 
Circular, specifically, the need for supplemental guidance and	 
implementation tools; vigilance over the broader range of	 
controls covering program objectives; strong support from	 
managers throughout the agency, and at all levels; risk-based	 
assessments and an appropriate balance between the costs and	 
benefits of controls; management testing of controls in operation
to assess if they are designed adequately and operating 	 
effectively; and management accountability for control		 
breakdowns. Finally, GAO discusses its views on the importance of
auditor opinions on internal control over financial reporting.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-05-321T					        
    ACCNO:   A17838						        
  TITLE:     Financial Management: Effective Internal Control Is Key  
to Accountability						 
     DATE:   02/16/2005 
  SUBJECT:   Accountability					 
	     Accounting systems 				 
	     Auditing procedures				 
	     Cost analysis					 
	     Financial management				 
	     Internal controls					 
	     Reporting requirements				 
	     Standards and standardization			 
	     High Risk Series 2005				 


United States Government Accountability Office

                                 GAO Testimony

Before the Subcommittee on Government Management, Finance, and
Accountability, Committee on Government Reform, House of Representatives

For Release on Delivery
Expected at 2:00 p.m. EST
Wednesday, February 16, 2005

FINANCIAL MANAGEMENT

Effective Internal Control Is Key to Accountability

Statement of Jeffrey C. Steinhoff Managing Director, Financial Management and
Assurance


February 16, 2005

FINANCIAL MANAGEMENT

Effective Internal Control Is Key to Improving Accountability

  What GAO Found

Internal control represents an organization's plans, methods, and
procedures used to meet its missions, goals, and objectives and serves as
the first line of defense in safeguarding assets and preventing and
detecting errors, fraud, waste, abuse, and mismanagement. Internal control
provides reasonable assurance that an organization's objectives are
achieved through (1) effective and efficient operations, (2) reliable
financial reporting, and (3) compliance with laws and regulations.

The Congress has long recognized the importance of internal control,
beginning with the Budget and Accounting Procedures Act of 1950, which
placed primary responsibility for establishing and maintaining internal
control squarely on the shoulders of management. In 1982, when faced with
a number of highly publicized internal control breakdowns, the Congress
passed the Federal Managers' Financial Integrity Act (FMFIA). FMFIA
required agency heads to establish a continuous process for assessment and
improvement of their agency's internal control and to annually report on
the status of their efforts. In addition, the act required the Comptroller
General to issue internal control standards and OMB to issue guidelines
for agencies to follow in assessing their internal controls.

GAO monitored and reported on FMFIA implementation efforts across the
government in a series of four reports from 1984 through 1989 as well as
in numerous reports targeting specific agencies and programs. With each
report, GAO noted the efforts under way, but also that more needed to be
done. In 1989, GAO concluded that while internal control was improving,
the efforts were clearly not producing the results intended. The
assessment and reporting process itself appeared to have become the
endgame, and many serious internal control and accounting systems
weaknesses remain unresolved, as evidenced by GAO's high-risk report, which
highlights serious long-standing internal control problems.

In 1995, OMB made a major revision to its guidance that provided a
framework for integrating internal control assessments with other work
performed and relaxed the assessment and reporting requirements, giving
the agencies discretion to determine the tools to use in arriving at their
annual FMFIA assurance statements. OMB's recent 2004 revisions to the
internal control guidance are intended to strengthen the requirements for
conducting management's assessment of control over financial reporting.

GAO supports OMB's recent changes to Circular A-123 and in particular the
principles-based approach for establishing and reporting on internal
control. GAO also noted six specific issues that are important to
successful implementation of OMB's revised guidance and discusses its
views on the importance of auditor opinions on internal control over
financial reporting.


Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the importance of sound internal
control as the foundation of accountability and the recent revisions by
the Office of Management and Budget (OMB) to its Circular A-123,
Management's Responsibility for Internal Control.

Today, I would like to

o  highlight the key concepts underlying internal control;

o 	summarize the Congress's long-standing interest in internal control and
the related statutory framework;

o 	outline early experiences and lessons learned from implementation of 31
U.S.C. 3512 (c), (d), commonly known as the Federal Managers' Financial
Integrity Act of 1982 (FMFIA);

o 	provide our views on the recent revisions to Circular A-123 and the
issues critical to effectively implementing these changes; and

o  discuss our views on the auditor's role in reporting on internal
control.

  The Key Concepts Underlying Internal Control

Internal control represents an organization's plans, methods, and
procedures used to meet its missions, goals, and objectives and serves as
the first line of defense in safeguarding assets and preventing and
detecting errors, fraud, waste, abuse, and mismanagement. Internal control
is to provide reasonable assurance that an organization's objectives are
achieved through (1) effective and efficient operations, (2) reliable
financial reporting, and (3) compliance with laws and regulations.
Safeguarding of assets is a subset of all these objectives. The term
"reasonable assurance" is important because no matter how well-designed
and operated, internal control cannot provide absolute assurance that
agency objectives will be met. Cost-benefit is an important concept to
internal control considerations. Internal control is very broad and
encompasses all controls within an organization, covering the entire
mission and operations, not just financial operations.

One need only look at GAO's January 2005 High-Risk Series: An Update,[1]
in which we identify 25 areas of high risk for fraud, waste, abuse, and
mismanagement, to see the breadth of internal control. While these areas
are very diverse in nature, ranging from weapon systems acquisition to
contract management to the enforcement of tax laws to the Medicare and
Medicaid programs, all share the common denominator of having serious
internal control weaknesses. In addition, as the Comptroller General
testified[2] before the House Committee on Government Reform last week,
certain material weaknesses in internal control have contributed to our
inability to provide an opinion on whether the consolidated financial
statements of the U.S. government are fairly stated in conformity with
U.S. generally accepted accounting principles. Internal control weaknesses
are also at the heart of the over $45 billion in improper payments
reported by the federal government in fiscal year 2004 across a range of
programs. Further, internal control includes things such as screening of
air passengers and baggage to help address the risks associated with
terrorism, network firewalls to keep out computer hackers, and credit
checks to determine the creditworthiness of potential borrowers.

  The Congress Has Long Recognized the Importance of Internal Control

The Congress has long recognized the importance of internal control,
beginning with the Budget and Accounting Procedures Act of 1950,[3] over 50
years ago. The 1950 act placed primary responsibility for establishing and
maintaining internal control[4] squarely on the shoulders of agency
management. As I will discuss later, the auditor can serve an important
role by independently determining whether management's internal control is
adequately designed and operating effectively and making recommendations
to management to improve internal control where needed. However, the
fundamental responsibility for establishing and maintaining effective
internal control belongs to management.

[1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January
2005).

[2] GAO, Fiscal Year 2004 U.S. Government Financial Statements: Sustained
Improvement in Federal Financial Management Is Crucial to Addressing Our
Nation's Future Fiscal Challenges, GAO-05-284T (Washington, D.C.: Feb. 9,
2005).

[3] Budget and Accounting Procedures Act of 1950, ch. 946, 64 Stat. 832
(1950).

[4] The act used the phrase "systems of accounting and internal control."

In 1982, when faced with a number of highly publicized internal control
breakdowns, the Congress passed FMFIA[5] with a goal of strengthening
internal control and accounting systems. This two-page law, a copy of
which is in appendix I, defined internal control[6] broadly to include
program, operational, and administrative controls as well as accounting
and financial management, and reaffirmed that the primary responsibility
for adequate systems of internal control rests with management. Under
FMFIA, agency heads are required to establish a continuous process for
assessment and improvement of their agency's internal control and to
publicly report on the status of their efforts by signing annual
statements of assurance as to whether internal control is designed
adequately and operating effectively. Where there are material weaknesses,
the agency heads are to disclose the nature of the problems and the status
of corrective actions in an annual assurance statement. Today, agencies
are generally meeting their FMFIA reporting requirement by including this
information in their Performance and Accountability reports, which also
include their audited financial statements. The act also required that the
Comptroller General establish internal control standards and that OMB
issue guidelines for agencies to follow in assessing their internal
control against the Comptroller General's standards.

OMB first issued Circular A-123, then entitled Internal Control Systems,
in October 1981, in anticipation of FMFIA becoming law. In December 1982,
following FMFIA enactment, OMB issued the assessment guidelines required
by the act. OMB's Guidelines for the Evaluation and Improvement of and
Reporting on Internal Control Systems in the Federal Government detailed a
seven-step internal control assessment process targeted to an agency's
mission and organizational structure. The Comptroller General issued
Standards for Internal Control in the Federal Government in 1983.[7] These
standards apply equally to financial and nonfinancial controls.[8] In
August 1984, OMB issued a question and answer supplement to its assessment
guidelines, intended to clarify the applicability of the Comptroller
General's internal control standards and to assist agencies in assessing
risk and correcting weaknesses.

[5] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982). FMFIA was repealed as
part of the general revisions to title 31, U.S. Code. The key provisions
of FMFIA were codified at 31 U.S.C. § 3512 (c), (d).

[6] FMFIA used the term "internal accounting and administrative controls."
OMB initially used the term "management control." In revising Circular
A-123 in 2004, OMB replaced the term management control with internal
control, to better align with the Comptroller General's internal control
standards. Management control and internal control are synonymous.

[7] The Comptroller General revised the standards in 1999, based on
developments in internal control theory, the effects of information
technology, and the passage of a series of landmark reforms. GAO,
Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

The 1990s brought additional legislation that reinforced the significance
of effective internal control. The Chief Financial Officers (CFO) Act,[9]
which among other things provided for major transformation of financial
management, including the establishment of CFOs, called for financial
management systems to comply with the Comptroller General's internal
control standards. The Government Performance and Results Act of 1993[10]
required agencies to clarify missions, set strategic and performance
goals, and measure performance toward those goals. Internal control plays
a significant role in helping managers achieve their goals. The Government
Management Reform Act of 1994[11] expanded the CFO Act by establishing
requirements for the preparation and audit of agencywide financial
statements and consolidated financial statements for the federal
government as a whole. The 1996 Federal Financial Management Improvement
Act[12] identified internal control as an integral part of improving
financial management systems. These are just a few of the legislative
initiatives over the years aimed at improving government effectiveness and
accountability. The Congress has been consistent over the years in
demanding that agencies have effective internal control and accounting
systems.

  Early Experiences and Lessons Learned from Agency FMFIA Implementation

From the outset, agencies faced major challenges in implementing FMFIA.
The first annual assessment reports were due by December 31, 1983. This
time frame gave agencies a little over a year to develop and implement an
agencywide internal control assessment and reporting process to provide
the information needed to support the first agency head assurance
statement to the President and the Congress. OMB assembled an interagency
task force called the Financial Integrity Task Force and visited all
federal departments and the 10 largest agencies to foster implementation
of its internal control assessment guidelines. Starting in 1983, GAO
monitored and reported on FMFIA implementation efforts across the
government in a series of four reports from 1984 through 1989 as well as
in numerous reports targeting specific agencies and programs.

[8] The five standards for internal control are (1) control environment, (2)
risk assessment, (3) control activities, (4) information and
communications, and (5) monitoring.

[9] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990).

[10] Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993).

[11] Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).

[12] Pub. L. No. 104-208, div. A § 101(f), title VIII, 110 Stat. 3009,
3009-389 (Sept. 30, 1996).

In our first governmentwide report,[13] issued in 1984, we noted that
although early efforts were primarily learning experiences, agencies had
demonstrated a commitment to implementing FMFIA with a good start at
assessing their internal control and accounting systems. We found agencies
had established systematic processes to assess, improve, and report on
their internal control and accounting systems, and we observed that
federal managers had become more aware of the need for good internal
control and improved accounting systems. OMB played an active role,
providing guidance and central direction to the program. Though the nature
and extent of participation varied, most inspectors general also played a
major role in the first year. Our 1984 report outlined key steps to
improve implementation, including adequate training and guidance, the
importance of a positive attitude and a mind-set to hold managers
accountable for results, and the need for more internal control testing.

Our second governmentwide report in 1985[14] noted that FMFIA had provided a
significant impetus to the government's attempts to improve internal
control and accounting systems by focusing attention on the problems.
Agencies continued to identify material internal control and accounting
system weaknesses with a number of major improvement initiatives under
way. We identified needed improvements to FMFIA implementation similar to
those in our 1984 report, but also identified the need to reduce the
paperwork associated with agency assessment efforts. In particular,
vulnerability assessments aimed at identifying the areas of highest risk
in order to prioritize more detailed internal control reviews were widely
criticized by agencies as paperwork exercises. It was widely thought that
while agencies had devoted considerable resources assessing the
vulnerability of thousands of operations and functions, these efforts did
not provide management with a whole lot of reliable and useful
information.

[13] GAO, Implementation of the Federal Managers' Financial Integrity Act:
First Year, GAO/OCG-84-3 (Washington, D.C.: Aug. 24, 1984).

[14] GAO, Financial Integrity Act: The Government Faces Serious Internal
Control and Accounting Systems Problems, GAO/AFMD-86-14 (Washington, D.C.:
Dec. 23, 1985).

Our third governmentwide report was issued in 1987.[15] We noted that an
important step in strengthening internal control is verifying that planned
corrective actions have been implemented as envisioned and that the
completed corrective actions have been effective. We found instances where
(1) corrective measures taken had not completely corrected the identified
weaknesses and (2) actions to resolve weaknesses had been delayed, in some
cases for years.

Our fourth governmentwide report,[16] issued in 1989, for which the title,
Ineffective Internal Controls Result in Ineffective Federal Programs and
Billions in Losses, is still appropriate in today's environment, concluded
that while internal control was improving, the efforts were clearly not
producing the results intended. We noted continuing widespread internal
control and accounting system problems and the need for greater top-level
leadership. We reported that what started off as a well-intended program
to foster the continual assessment and improvement of internal control
unfortunately had become mired in extensive process and paperwork.
Significant attention was focused on creating a paper trail to prove that
agencies had adhered to the OMB assessment process and on crafting
voluminous annual reports that could exceed several hundred pages. It
seemed that the assessment and reporting processes had, at least to some,
become the endgame.

At the same time, there were some important accomplishments coming from
FMFIA. Thousands of problems were identified and fixed along the way,
especially at the lower levels where internal control assessments were
performed and managers could take focused actions to fix relatively simple
problems. Unfortunately, many of the more serious and complex internal
control and accounting system weaknesses remained largely unchanged and
agencies were drowning in paper.

[15] GAO, Financial Integrity Act: Continuing Efforts Needed to Improve
Internal Control and Accounting Systems, GAO/AFMD-88-10 (Washington, D.C.:
Dec. 30, 1987).

[16] GAO, Financial Integrity Act: Inadequate Controls Result in Ineffective
Federal Programs and Billions in Losses, GAO/AFMD-90-10 (Washington, D.C.:
Nov. 28, 1989).

In March 1989, GAO, along with representatives of seven agencies, OMB, and
the President's Council on Integrity and Efficiency (PCIE),[17] reviewed
aspects of FMFIA implementation as part of a subcommittee of the Internal
Control Interagency Coordination Council. The subcommittee's report
highlighted the following seven issues as requiring action:

o 	Link the internal control assessment and reporting process with the
budget to assist the Congress and OMB in analyzing the impact of
corrective actions on agency resources.

o 	Emphasize the early warning capabilities of the internal control
process to ensure timely actions to correct weaknesses identified.

o 	Consolidate the review processes of various OMB circulars to eliminate
overlapping assessment requirements, improve staff utilization, and reduce
the paper being generated.

o 	Provide for and promote senior management involvement in the internal
control process to ensure more effective and lasting oversight and
accountability for FMFIA activities.

o 	Highlight the most critical internal control weaknesses in the FMFIA
assurance statements to increase the usefulness of the report to the
President and the Congress.

o 	Report on agency processes to validate actions taken to correct
material weaknesses, ascertain that desired results were achieved, and
reduce the likelihood of repeated occurrences of the same weaknesses.

o 	Improve management awareness and understanding of FMFIA to provide for
more consistent program manager interpretation and acceptance of the act.

Too much process and paper continued to be a problem, and in 1995 OMB made
a major revision to Circular A-123 that relaxed the assessment and
reporting requirements. The 1995 revision integrated many policy issuances
on internal control into a single document and provided a framework for
integrating internal control assessments with other reviews being
performed by agency managers, auditors, and evaluators. In addition,
it gave agencies the discretion to determine which tools to use in
arriving at the annual assurance statement to the President and the
Congress, with the stated aim of achieving a streamlined management
control program that incorporated the then administration's reinvention
principles.

[17] PCIE was established to address integrity, economy, and effectiveness
issues that transcend individual government agencies.

  Revised OMB Circular A-123 Marks an Important Step toward Achieving FMFIA
  Objectives

And this brings us to the present. The recent December 2004 update to
Circular A-123 reflects policy recommendations developed by a joint
committee of representatives from the CFO Council (CFOC)[18] and PCIE.[19]
The changes are intended to strengthen the requirements for conducting
management's assessment of internal control over financial reporting. The
December 2004 revision to the Circular also emphasizes the need for
agencies to integrate and coordinate internal control assessments with
other internal control-related activities.

We support OMB's efforts to revitalize FMFIA through the December 2004
revisions to Circular A-123. These revisions recognize that effective
internal control is critical to improving federal agencies' effectiveness
and accountability and to achieving the goals that the Congress
established in 1950 and reaffirmed in 1982. The Circular correctly
recognizes that instead of considering internal control an isolated
management tool, agencies should integrate their efforts to meet the
requirements of FMFIA with other efforts to improve effectiveness and
accountability. Internal control should be an integral part of the entire
cycle of planning, budgeting, management, accounting, and auditing. It
should support the effectiveness and the integrity of every step of the
process and provide continual feedback to management.

In particular, we support the principles-based approach in the revised
Circular for establishing and reporting on internal control that should
increase accountability. This type of approach provides a floor for
expected behavior, rather than a ceiling, and by its nature, greater
judgment on the part of those applying these principles will be necessary.
Accordingly, clear articulation of objectives, the criteria for measuring
whether the objectives have been successfully achieved, and the rigor with
which these criteria are applied will be critical. Providing agencies with
supplemental guidance and implementation tools is particularly important,
in light of the varying levels of internal control maturity that exist
across government as well as the expected divergence in implementation
that is typically found when a range of entities with varying capabilities
apply a principles-based approach.

[18] CFOC is an organization of the CFOs and deputy CFOs of the largest
federal agencies, and senior officials of OMB and the Department of the
Treasury who work collaboratively to improve financial management in the
U.S. government.

[19] Both PCIE and CFOC are chaired by OMB's Deputy Director for Management.

I would now like to highlight what I think will be the six issues critical
to effectively implementing the changes to Circular A-123 based on the
lessons learned over the past 20 years under FMFIA.

First, OMB indicated that it plans to work with the CFOC and PCIE to
provide further implementation guidance. For the reasons I just
highlighted, we support the development of supplemental guidance and
implementation tools, which will be particularly important to help ensure
that agency efforts are properly focused and meaningful. These materials
should demand an appropriate rigor to whatever assessment and reporting
process management adopts as well as set the bar at a level to ensure that
the objectives of FMFIA are being met in substance, with a caution to
guard against excessive focus on process and paperwork. Supplemental
guidance and implementation tools should be aimed at helping agency
management achieve the bottom-line goal of getting results from effective
internal control.

Second, while the revised Circular A-123 emphasizes internal control over
financial reporting, it will be important that proper attention also be
paid to the other two internal control objectives covered by FMFIA and
discussed in the Circular, which are (1) achieving effective and efficient
operations and (2) complying with laws and regulations. Also, as I
mentioned earlier, safeguarding assets is a subset of all three
objectives.

Third, managers throughout an agency and at all levels will need to
provide strong support for internal control. As I discussed earlier, the
responsibility for internal control does not reside solely with the CFO. A
case in point is internal control over improper payments, which is the
responsibility of a range of agency officials outside of the CFO
operation. Also, with respect to financial reporting, which the revised
OMB Circular A-123 specifically refers to as a priority area, the CFO
generally does not control all of the needed information and often depends
on other business systems for much of the financial data. For example, at
the Department of Defense (DOD), about 80 percent of the information
needed to prepare annual financial statements comes from other business
systems, such as logistics, procurement, and personnel information
systems, that are not under the CFO.

Fourth, agencies must strike an appropriate balance between costs and
benefits, while at the same time achieving an appropriate level of
internal control. Internal controls need to be designed and implemented
only after properly identifying and analyzing the risks associated with
achieving control objectives. Agencies need to have the right controls, in
the right place, at the right time, with an appropriate balance between
related costs and benefits. In this regard, the revisions to Circular
A-123 outline the concept of risk assessment for internal control over
financial reporting by laying out an assessment approach at the process,
transaction, and application levels. A similar approach needs to be
applied as well to the other business areas and the range of programs and
operations as envisioned in FMFIA.

Fifth, management testing of controls in operation to determine their
soundness and whether they are being adhered to and to assist in the
formulation of corrective actions where problems arise will be essential.
This is another area covered by the revised Circular A-123. Testing can
show whether internal controls are in place and operating effectively to
minimize the risk of fraud, waste, abuse, and mismanagement and whether
accounting systems are producing accurate, timely, and useful information.
Through adequate testing, agency managers should know what is working well
and what is not. Management will then be able to focus on corrective
actions as needed and on streamlining controls if testing shows that
existing controls are not cost-effective.

Sixth, personal accountability for results will be essential, starting
with top agency management and cascading down through the organization.
Regular oversight hearings, such as this one, will be critical to keeping
agencies accountable and expressing the continual interest and
expectations of the Congress. Independent verification and validation
through the audit process, which I will talk about next, is another means
of providing additional accountability. There should be clear rewards
(incentives) for doing the right things and consequences (disincentives)
for doing the wrong things. If a serious problem occurs because of a
breakdown in internal control and it is found that management did not do
its part to establish a proper internal control environment, or did not
act expeditiously to fix a known problem, those responsible need to be
held accountable and face the consequences of inaction. The revised Circular
A-123 encourages the involvement of senior management councils in internal
control assessment and monitoring, which can be an excellent means of
establishing accountability and ownership for the program.

  The Auditor's Role in Evaluating Management's Internal Control Efforts

In initiating the revisions to Circular A-123, OMB cited the new internal
control requirements for publicly traded companies that are contained in
the Sarbanes-Oxley Act of 2002.[20] Sarbanes-Oxley was born out of the
corporate accountability failures of the past several years.
Sarbanes-Oxley is similar in concept to the long-standing requirements for
federal agencies in FMFIA and Circular A-123. Under Sarbanes-Oxley,
management of a publicly traded company is required to (1) annually assess
the internal control over financial reporting at the company and (2) issue
an annual statement on the effectiveness of internal control over
financial reporting.[21] The company's auditors are then required to attest
to and report on management's assessment as to the effectiveness of its
internal control. This is where Sarbanes-Oxley differs from FMFIA. FMFIA
does not call for an auditor opinion on management's assessment of
internal control over financial reporting nor does it call for an auditor
opinion on the effectiveness of internal control. Likewise, Circular A-123
does not adopt these requirements, although the Circular does recognize
that some agencies are voluntarily getting an audit opinion on internal
control over financial reporting.

Our position is that an auditor's opinion on internal control over
financial reporting is similarly important in the government environment.
We view auditor opinions on internal control over financial reporting as
an important component of monitoring the effectiveness of an entity's risk
management and accountability systems. In practicing what we preach, we
not only issue an opinion on internal control over financial reporting at
the federal entities where we perform the financial statement audit,22
including the consolidated financial statements of the U.S. government,
but we also obtain an auditor's opinion on internal control on our own
annual financial statements. On their own initiative, the Social Security
Administration (SSA) and Nuclear Regulatory Commission also received
opinions on internal control over financial reporting for fiscal year 2004
from their respective independent auditors.

20Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002).

21See Management's Reports on Internal Control Over Financial Reporting
and Certification of Disclosure in Exchange Act Periodic Reports, 68 Fed.
Reg. 36635 (June 18, 2003) (codified at scattered sections of title 17,
Code of Federal Regulations).

22Currently, we perform financial statement audits at the Federal Deposit
Insurance Corporation, the Internal Revenue Service, the Bureau of the
Public Debt, and the Securities and Exchange Commission.

In considering when to require an auditor opinion on internal control, the
following four questions can be used to frame the issue.

1. Is this a major federal entity, such as the 24 departments and agencies
covered by the CFO Act? There would be different consideration for small
simple entities versus large complex entities.

2. What is the maturity level of internal control over financial
reporting?

3. Is the agency currently in a position to attest to the effectiveness of
internal control over financial reporting and subject that conclusion to
independent audit?

4. What are the benefits and costs of obtaining an opinion?

What underlies these questions is whether management has done its job of
assessing its internal control and has a firm basis for its assertion
statement before the auditor is tasked with performing work to support an
opinion on internal control over financial reporting. As I have stressed
throughout my testimony today, internal control is a fundamental
responsibility of management, including ongoing oversight. The auditor's
role, similar to its opinion on the financial statements issued by
management, would be to state whether the auditor agrees 23 with
management's assertion that its internal control is adequate so that the
reader has an independent view.

As an example, consider DOD which has many known material internal control
weaknesses. Of the 25 areas on GAO's high-risk list, 14 relate to DOD,
including DOD financial management. Given that DOD management is clearly
not in a position to state that the department has effective internal
control over financial reporting, there would be no need for the auditor
to do additional audit work to render an opinion that internal control was
not effective. On the other hand, as I just mentioned for fiscal year
2004, SSA management reported that it does not have any material internal
control weaknesses over financial reporting. The auditor's unqualified
opinion over financial reporting at SSA provided an independent assessment
of management's assertion about internal control, which we believe by its
nature adds value and creditability similar to the auditor's opinion on
the financial statements.

23If the auditor follows the joint GAO/PCIE Financial Audit Manual (FAM),
as is expected for federal financial statement audits, the work performed
should be adequate to render an opinion on internal control.

As you know, Mr. Chairman, recent legislation24 making the Department of
Homeland Security (DHS) subject to the provisions of the CFO Act, which
this Subcommittee spearheaded, requires DHS management to provide an
assertion on the effectiveness of internal control over financial
reporting for fiscal year 2005 and to obtain an auditor's opinion on its
internal control over financial reporting for fiscal year 2006. In
addition, the CFO Council and PCIE are required by the DHS legislation to
jointly study the potential costs and benefits of requiring CFO Act
agencies to obtain audit opinions on their internal control over financial
reporting, and GAO is to perform an analysis of the information provided
in the report and provide any findings to the House Committee on
Government Reform and the Senate Committee on Homeland Security and
Governmental Affairs.25 We believe that the study and related analysis are
important steps in resolving the issues associated with the current
reporting on the adequacy of internal control. In addition, this issue is
being discussed by the Principals of the Joint Financial Management
Improvement Program: the Comptroller General, the Director of OMB, the
Secretary of the Treasury, and the Director of the Office of Personnel
Management.

In closing, as the Congress and the American public have increased demands
for accountability, the federal government must respond by having a high
standard of accountability for its programs and activities. Areas
vulnerable to fraud, waste, abuse, and mismanagement must be continually
evaluated to ensure that scarce resources reach their intended
beneficiaries; are used properly; and are not diverted for inappropriate,
illegal, inefficient, or ineffective purposes.

24Pub. L. No. 108-330, 118 Stat. 1275 (Oct. 16, 2004).

25Since passing the legislation, the Senate Committee on Governmental
Affairs changed its name to the Senate Committee on Homeland Security and
Governmental Affairs.

I want to emphasize our commitment to continuing our work with the
Congress, the administration, the federal agencies, and the audit
community to continually improve the quality of internal control
governmentwide, and to help ensure that action is taken to address the
internal control vulnerabilities that exist today. To that end, as I said
earlier, the leadership of this Subcommittee will continue to be an
important catalyst for change, and I again thank you for the opportunity
to participate in this hearing.

Mr. Chairman, this completes my prepared statement. I would be happy to
respond to any questions you or other Members of the Subcommittee may have
at this time.

Contacts and Acknowledgments

For information about this statement, please contact Jeffrey C. Steinhoff
at (202) 512-2600 or McCoy Williams, Director, Financial Management and
Assurance, at (202) 512-6906 or at [email protected]. Individuals who
made key contributions to this testimony include Mary Arnold Mohiyuddin,
Abe Dymond, and Paul Caban. Numerous other individuals made contributions
to the GAO reports cited in this testimony.

Appendix I

Federal Managers' Financial Integrity Act of
1982

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders
should be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***