Internal Control: Essential for Safeguarding Assets, Compliance With Laws
and Regulations, and Reliable Financial Reporting (Testimony, 04/01/98,
GAO/T-AIMD-98-125).

Pursuant to a congressional request, GAO discussed the subject of
internal control, focusing on: (1) what internal control is; (2) its
importance; and (3) what happens when it breaks down.

GAO noted that: (1) internal control is concerned with stewardship and
accountability of resources consumed while striving to accomplish an
agency's mission with effective results; (2) although ultimate
responsibility for internal controls rests with management, all
employees have a role in the effective operation of internal controls
established by management; (3) effective internal control provides
reasonable, not absolute, assurance that an agency's activities are
being accomplished in accordance with its control objectives; (4)
internal controls helps management achieve the mission of the agency and
prevent or detect improper activities; (5) the cost of fraud cannot
always be measured in dollars; (6) in 1982, Congress passed the Federal
Managers' Financial Integrity Act requiring: (a) agencies to annually
evaluate their internal controls; (b) GAO to issue internal controls
standards; and (c) the Office of Management and Budget to issue
guidelines for agencies to follow in assessing their internal controls;
(7) more recently, Congress has enacted a number of statutes to provide
a framework for performance-based management and accountability; (8)
weak internal controls pose a significant risk to the government--losses
in the millions, or even billions, of dollars can and do occur; (9) GAO
and others have reported that weak internal controls over safeguarding
and accounting for government property are a serious continuing problem;
and (10) GAO's 1997 high-risk series identifies major areas of
government operations where the risks of losses to the government is
high and where achieving program goals is jeopardized.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-98-125
     TITLE:  Internal Control: Essential for Safeguarding Assets, 
             Compliance With Laws and Regulations, and Reliable
             Financial Reporting
      DATE:  04/01/98
   SUBJECT:  Internal controls
             Federal agency accounting systems
             Auditing standards
             Accounting procedures
             Accountability
             Standards evaluation
             Agency missions

             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Oversight and Investigations, Committee on
Commerce, House of Representatives

For Release on Delivery
Expected at
10:30 a.m.
Wednesday,
April 1, 1998

INTERNAL CONTROL - ESSENTIAL FOR
SAFEGUARDING ASSETS, COMPLIANCE
WITH LAWS AND REGULATIONS, AND
RELIABLE FINANCIAL REPORTING

Statement of Robert W.  Gramling
Director, Corporate Audits and Standards
Accounting and Information Management Division

GAO/T-AIMD-98-125

GAO/AIMD-98-125T


(917720)


Abbreviations
=============================================================== ABBREV

  DFAS - x
  DLA - x
  DOD - x
  FAA - x
  HCFA - x
  LSSC - x
  NRC - x
  OMB - x
  SSG - x
  VBA - x

INTERNAL CONTROL:  ESSENTIAL FOR
SAFEGUARDING ASSETS, COMPLIANCE
WITH LAWS AND REGULATIONS, AND
RELIABLE FINANCIAL REPORTING
====================================================== Chapter Summary

The importance of internal controls cannot be understated, especially
in a large, complex organization like the federal government. 
Internal control is the first line of defense against fraud, waste,
and abuse and helps agencies achieve their missions effectively and
efficiently.  My testimony discusses three questions:  (1) What is
internal control?  (2) Why is it important?  and (3) What happens
when it breaks down? 

What Is Internal Control?  Internal control is concerned with
stewardship and accountability of resources consumed while striving
to accomplish an agency's mission with effective results. 
Specifically, GAO's Standards for Internal Controls in the Federal
Government defines internal control as "the plan of organization and
methods and procedures adopted by management to ensure resource use
is consistent with laws, regulations, and policies; that resources
are safeguarded against waste, loss, and misuse; and that reliable
information is obtained, maintained, and fairly disclosed in
reports." Internal control is synonymous with management control in
that the broad objectives of internal control cover all aspects of
agency operations.  Although ultimate responsibility for internal
controls rests with management, all employees have a role in the
effective operation of internal controls established by management. 
Effective internal control provides reasonable, not absolute,
assurance that an agency's activities are being accomplished in
accordance with its control objectives. 

Why Is Internal Control Important?  Internal control helps management
achieve the mission of the agency and prevent or detect improper
activities.  The cost of fraud cannot always be measured in dollars. 
Improper activities erode public confidence in the government.  In
1982, the Congress passed the Federal Managers' Financial Integrity
Act requiring (1) agencies to annually evaluate their internal
controls, (2) GAO to issue internal controls standards, and (3) OMB
to issue guidelines for agencies to follow in assessing their
internal controls.  Agencies were required to report annually to the
President and the Congress whether their internal controls complied
with GAO's standards.  The Integrity Act was beneficial in focusing
management and employee attention on the importance of internal
control.  Although progress was made, internal control problems
continued.  More recently, the Congress has enacted a number of
statutes to provide a framework for performance-based management and
accountability.  These statutes include the Chief Financial Officers
Act of 1990, as expanded by the Government Management Reform Act of
1994 (to ensure more reliable financial reporting); the Government
Performance and Results Act of 1993 (requiring agency strategic and
annual performance planning); and the Federal Financial Management
Improvement Act of 1996 (to improve federal financial management
systems). 

What Happens When Internal Controls Are Not Effective?  Weak internal
controls pose a significant risk to the government--losses in the
millions, or even billions, of dollars can and do occur.  For
example, weak internal controls contributed significantly to the
failure of over 700 savings and loans in the 1980s, costing the
taxpayers hundreds of billions of dollars.  In the health care area,
the Health and Human Services Inspector General estimated that $23
billion of $163 billion in processed fee-for-service payments during
fiscal year 1996 were improper.  GAO and others have reported that
weak internal controls over safeguarding and accounting for
government property are a serious continuing problem.  GAO's 1997
high-risk series identifies major areas of government operations
where the risks of losses to the government is high and where
achieving program goals is jeopardized. 

Effective internal controls are essential to achieving agency
missions.  Management and employees should focus not necessarily on
more controls, but on more effective controls. 


INTERNAL CONTROL:  ESSENTIAL FOR
SAFEGUARDING ASSETS, COMPLIANCE
WITH LAWS AND REGULATIONS, AND
RELIABLE FINANCIAL REPORTING
==================================================== Chapter Statement

Mr.  Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss the subject of internal
control.  Its importance cannot be understated, especially in the
large, complex operating environment of the federal government. 
Internal control is the first line of defense against fraud, waste,
and abuse and helps to ensure that an entity's mission is achieved in
the most effective and efficient manner.  Although the subject of
internal control usually surfaces for discussion after improprieties
or inefficiencies are found, good managers are always aware of and
seek ways to help improve operations through effective internal
control.  As you requested, my testimony today will discuss the
following questions:  (1) What is internal control?  (2) Why is it
important?  and (3) What happens when it breaks down? 


   WHAT IS INTERNAL CONTROL? 
-------------------------------------------------- Chapter Statement:1

Internal control can be simply defined as the methods by which an
organization governs its activities to effectively and efficiently
accomplish its mission.  More specifically, internal control is
concerned with stewardship and accountability of resources consumed
in the process of striving to accomplish an entity's mission with
effective results.  In that respect, we have defined internal control
in our Standards for Internal Controls in the Federal Government as
follows: 

     "The plan of organization and methods and procedures adopted by
     management to ensure that resource use is consistent with laws,
     regulations, and policies; that resources are safeguarded
     against waste, loss, and misuse; and that reliable data are
     obtained, maintained, and fairly disclosed in reports."

Internal control should not be looked upon as separate, specialized
systems within an agency.  Rather, internal control should be
recognized as an integral part of each system that management uses to
regulate and guide its operations.  Internal control is synonymous
with management control in that the broad objectives of internal
control cover all aspects of agency operations.  Although ultimate
responsibility for good internal control rests with management, all
employees have a role in the effective operation of internal control
that has been set by management. 

Understanding of internal control can be enhanced by focusing on two
basic aspects of internal control:  objectives and techniques. 
Objectives are the goals or purposes to be achieved, while techniques
are the mechanisms (the procedures, processes, physical arrangements,
organizational structures, and assignments of responsibility and
authority, to name a few) that achieve the goal.  All internal
controls have objectives and techniques.  In practice, internal
control starts with defining entitywide objectives and then more
specific objectives throughout the various levels in the entity. 
Techniques are then implemented to achieve the objectives. 

In its simplest form, internal control is practiced by citizens in
the daily routine of everyday life.  For example, when you leave your
home and lock the door or when you lock your car at the mall or on a
street, you are practicing a form of internal control.  The objective
is to protect your assets against undesired access, and your
technique is to physically secure your assets by locks.  In another
routine, when you write a check, you record the check in the ledger
or on your personal computer.  The objective is to control the money
in your checking account by knowing the balance.  The technique is to
document the check amount and the balance.  Periodically, you compare
the checking account transactions and balances you have recorded with
the bank statement.  Your objective is to ensure the accuracy of your
records to avoid costly mistakes.  Your technique is to perform the
reconciliation. 

These same types of concepts form the basis for internal control in
business operations and the operation of government.  The nature of
their operations is, of course, significantly larger and more
complex, as is the inherent risk of ensuring that assets are
safeguarded, laws and regulations are complied with, and data used
for decision-making and reporting are reliable.  Focusing a
discussion on objectives and techniques, the acquisition, receipt,
use, and disposal of property, such as computer equipment, can
illustrate the practice of internal control in the operation of
government activities. 

Internal control at the activity level such as procuring equipment
should be preceded, at a higher organizational level, by policy and
planning control objectives and control techniques that govern
overall agency operations in achieving mission objectives.  Examples
of high-level control objectives that logically follow a pattern
include the following: 

  -- The mission of the agency should be set in accordance with laws,
     regulations, and administration and management policy. 

  -- Agency components should be defined in accordance with the
     overall mission of the agency. 

  -- Missions of the agency and components should be documented and
     communicated to agency personnel. 

  -- Plans and budgets should be developed in accordance with the
     missions of the agency and its components. 

  -- Policies and procedures should be defined and communicated to
     achieve the objectives defined in plans and budgets. 

  -- Authorizations should be in accordance with policies and
     procedures. 

  -- Systems of monitoring and reporting the results of agency
     activities should be defined. 

  -- Transactions should be classified or coded to permit the
     preparation of reports to meet management's needs and other
     reporting requirements. 

  -- Access to assets should be permitted only in accordance with
     laws, regulations, and management's policy. 

Examples of control techniques to help achieve the objectives include
the following: 

  -- agency and component mission statements approved by management
     and its legal counsel;

  -- training of personnel in mission and objectives;

  -- long and short-range plans developed related to budgets;

  -- monitoring of results against plans and budgets;

  -- policies and procedures defined and communicated to all levels
     of the organization and periodically reviewed and revised based
     on internal reviews;

  -- authorizations defined, controls set to ensure authorizations
     are made, and authorizations periodically reviewed;

  -- classifications of accounts set to permit the capture and
     reporting of data to prepare required reports; and

  -- physical restrictions on access to assets and records, and
     training in security provided to employees. 

The policy and planning control objectives and techniques provide a
framework to conduct agency operations and to account for resources
and results.  Without that framework, administration and legislative
goals may not be achieved; laws and regulations may be violated;
operations may not be effective and efficient and may be misdirected;
unauthorized activities may occur; inaccurate reports to management
and others may occur; fraud, waste, and abuse is more likely to occur
and be concealed; assets may be stolen or lost; and ultimately the
agency is in danger of not achieving its mission. 

Within this higher level framework for guiding and operating the
agency, specific activities take place to achieve the agency's
mission and the intended results.  The procurement and management of
computer equipment is an example of such a specific activity. 
Objectives and techniques should be established for each activity's
specific control.  As examples of control objectives, vendors should
be approved in accordance with laws, regulations, and management's
policy, as should the types, quantities, and approved purchase prices
of computer equipment.  As examples of related control techniques,
criteria for approving vendors should be established and approved
vendor master files should be controlled, and the purchase governed
by criteria, such as obtaining competitive bids and setting
specifications of the equipment to be procured.  Likewise, control
objectives should be set for the receiving process.  For example,
only equipment that meets contract or purchase order terms should be
accepted, and equipment accepted should be accurately and promptly
reported.  Related control techniques include (1) detailed comparison
of equipment received to a copy of the purchase order, (2)
prenumbered controlled receiving documents that are accounted for,
and (3) maintenance of receiving logs.  Throughout the purchasing and
receiving of equipment there needs to be appropriate separation of
duties and interface with the accounting function to achieve funds
control, timely payments, and inventorying and control of equipment
received. 

Equipment received should be safeguarded to prevent unauthorized
access and use.  For example, in addition to physical security,
equipment should be tagged with identification numbers and placed
into inventory records.  Equipment placed into service should only be
issued to authorized users and records of the issuances should be
maintained to achieve accountability.  Further, physical inventories
should be taken periodically and compared with inventory records. 
Differences in counts and records should be resolved in a timely
manner and appropriate corrective actions taken.  Also, equipment
retired from use should be in accordance with management's policies,
including establishing appropriate safeguards to prevent unauthorized
information that may be stored in the equipment from being disclosed. 

It is important to recognize that internal controls can be designed
to provide reasonable, not absolute, assurance that an organization's
activities are being accomplished in accordance with its objectives. 
The American Institute of Certified Public Accountants--in Statement
of Auditing Standards Number 55--identified internal control
limitations, such as the possibility of errors arising from such
causes as misunderstanding of instructions, mistakes of judgment, and
personal carelessness.  Also, procedures whose effectiveness depends
on segregation of duties can be circumvented by collusion. 
Similarly, management authorizations may be ineffective against
errors or fraud perpetrated by management.  In addition, the standard
of reasonable assurance recognizes that the cost of internal control
should not exceed the benefit derived.  Reasonable assurance equates
to a satisfactory level of confidence under given considerations of
costs, benefits, and risks. 


   WHY IS INTERNAL CONTROL
   IMPORTANT? 
-------------------------------------------------- Chapter Statement:2

The cost of fraud, waste, and abuse cannot always be measured in
dollars and cents.  Such improper activities erode public confidence
in the government's ability to efficiently and effectively manage its
programs.  Management at a number of federal government agencies are
faced with tight budgets and fewer personnel.  In such an
environment, related operating factors, such as executive and middle
management turnover and the diversity and complexity of government
operations, can provide a fertile environment for internal control
weakness and the resulting undesired consequences. 

It has been almost 50 years since the Congress formally recognized
the importance of internal control.  The Accounting and Auditing Act
of 1950 required, among other things, that agency heads establish and
maintain effective internal controls over all funds, property, and
other assets for which an agency is responsible.  However, the
ensuing years up through the 1970s saw the government experience a
crisis of poor controls. 

To help restore confidence in government and to improve operations,
the Congress passed the Federal Managers' Financial Integrity Act of
1982.  The Integrity Act required, among other items, that

  -- we establish internal control standards that agencies are
     required to adhere to,

  -- the Office of Management and Budget (OMB) issue guidelines for
     agencies to follow in annually assessing their internal
     controls,

  -- agencies annually evaluate their internal controls and prepare a
     statement to the President and the Congress on whether their
     internal controls comply with the standards issued by GAO,\1 and

  -- agency reports include material internal control weaknesses
     identified and plans for correcting the weaknesses. 

OMB has issued agency guidance\2 that sets forth the requirements for
establishing, periodically assessing, correcting, and reporting on
controls required by the Integrity Act.  Regarding the identification
and reporting of deficiencies, OMB's guidance states that "a
deficiency should be reported if it is or should be of interest to
the next level of management.  Agency employees and managers
generally report deficiencies to the next supervisory level, which
allows the chain of command structure to determine the relative
importance of each deficiency." The guidance further states that "a
deficiency that the agency head determines to be significant enough
to be reported outside the agency (i.e., included in the annual
Integrity Act report to the President and the Congress) shall be
considered a 'material weakness.'" The guidance encourages reporting
of deficiencies by recognizing that such reporting reflects
positively on the agency's commitment to recognizing and addressing
management problems and, conversely, failing to report a known
deficiency reflects adversely on the agency. 

In 1983, we issued internal control standards as required by the
Integrity Act.  In developing the standards, we drew on our
previously issued guidance and experts throughout the government,
private sector, and academic communities.  The internal control
standards consist of five general standards, six specific standards,
and one audit resolution standard.\3 The five general standards
require (1) a supportive attitude toward controls by managers and
employees, (2) competent personnel, (3) internal controls that
provide reasonable assurance that objectives are achieved, (4) the
development of internal control objectives for each agency activity,
and (5) control techniques that are effective and efficient in
accomplishing internal control objectives.  The six specific control
standards identify basic techniques to help achieve control
objectives.  The standards address

  -- documentation of control objectives and techniques and all
     pertinent aspects of transactions;

  -- required prompt and proper recording of all transactions;

  -- executing transactions and events according to management's
     directives;

  -- separation of duties between authorizing, processing, recording,
     and reviewing transactions;

  -- qualified and continuous supervision to ensure that control
     objectives are achieved; and

  -- limiting access to resources and records to authorized persons
     to provide accountability for the custody and use of resources. 

Finally, the audit resolution standard requires managers to promptly
evaluate findings, determine proper resolution, and establish
corrective action or otherwise resolve audit findings.  Attachment I
provides a complete definition of the standards and Standards for
Internal Controls in the Federal Government provides additional
explanation of the standards. 

The Integrity Act was beneficial in focusing management and employee
attention on the importance of internal control to achieving an
agency's mission.  However, agency reports required under the
Integrity Act disclosed so many internal control weaknesses that
additional measures were needed to provide for effective program
management and accountability.  Since the Integrity Act, the Congress
has enacted a number of statutes to provide a framework for
performance-based management and accountability.  These statutes
include the following: 

  -- The Chief Financial Officers Act of 1990, as expanded by the
     Government Management Reform Act of 1994, laid the foundation
     for government to better ensure reliable financial information
     through audited financial statements. 

  -- In response to the savings and loan crisis and the growing list
     of bank failures in the early 1990s, the Federal Deposit
     Insurance Corporation Improvement Act of 1991 required
     depository institutions whose assets exceeded certain amounts to
     prepare an annual statement of management's responsibility for
     establishing and maintaining adequate internal controls,
     including an assessment of the effectiveness of the controls. 
     Also, the institution's independent auditors are required to
     attest to the fair presentation of management's assertion on
     internal control effectiveness. 

  -- The Government Performance and Results Act of 1993 requires,
     among other items, that agencies identify their missions,
     strategic goals, and approaches (strategies) for achieving the
     goals.  The act also requires agencies to report on their
     performance, using performance measures, in meeting the goals. 

  -- The Federal Financial Management Improvement Act of 1996
     requires that auditors auditing financial statements pursuant to
     the expanded Chief Financial Officers Act report whether each
     agency is maintaining financial management systems that comply
     substantially with federal financial management systems
     requirements, federal accounting standards, and the government's
     standard general ledger at the transaction level. 

Our report, The Statutory Framework for Performance-Based Management
and Accountability (GAO/AIMD-98-52, January 28, 1998) provides more
detailed information on the purpose, requirements, and implementation
status of these acts.  In addition, that report refers to a number of
other critically important statutes that address debt collection,
credit reform, prompt pay, inspectors general, and information
resources management.  Although these acts address specific problem
areas, sound internal controls are an essential factor in the success
of these statutes.  For example, the Results Act focuses on results
through strategic and annual planning and performance reporting. 
Sound internal control is critical to effectively and efficiently
achieving management's plans and for obtaining accurate data to
support performance measures. 


--------------------
\1 The Integrity Act also requires each agency's annual statement to
include a separate report on whether the agency's accounting system
conforms to principles, standards, and related requirements
prescribed by GAO.  OMB Circular A-127, Financial Management Systems,
revised July 23, 1993, prescribes policies and standards for agencies
to follow in reporting on financial management systems. 

\2 OMB Circular A-123, Management Accountability and Control, revised
June 21, 1995. 

\3 Although the standards issued in 1983 remain conceptually sound,
we are revising them to recognize current terminology developed by
the private sector with assistance from GAO and others and to give
greater recognition to the ever increasing use of information
technology.  (Internal Control:  Standards for Internal Control in
the Federal Government - Exposure Draft (GAO/AIMD-98-21.3.1, December
1997)). 


   WHAT HAPPENS WHEN INTERNAL
   CONTROLS ARE NOT EFFECTIVE? 
-------------------------------------------------- Chapter Statement:3

Weak internal controls pose a significant risk to government
agencies.  History has shown that serious neglect will result in
losses to the government that can total millions, and even billions,
of dollars over time.  As previously mentioned, the loss of
confidence in government that results can be equally serious. 
Although examples of poor internal controls could be drawn from many
federal programs, three key areas illustrate the extent of the
problems--health care, banking, and property. 


      HEALTH CARE
------------------------------------------------ Chapter Statement:3.1

The Department of Human and Human Services Inspector General reported
this past year\4

that out of $163.6 billion in processed fee-for-service payments
reported by the Health Care Financing Administration (HCFA) during
fiscal year 1996--the latest year for which reliable numbers were
available--an estimated $23.2 billion, or about 14.6 percent of the
total payments, were improper.  Consequently, the Inspector General
recommended that HCFA implement internal controls designed to detect
and prevent improper payments to correct four weaknesses where (1)
insufficient or no documentation supporting claims existed, (2)
medical necessity was not established, (3) incorrect classification
(called coding) of information existed, and (4)
unsubstantiated/unallowable services were paid. 


--------------------
\4 Report on the Financial Statement Audit of the Health Care
Financing Administration for Fiscal Year 1996, Department of Health
and Human Services, Inspector General (A-17-95-0096, July 1997). 


      BANKING
------------------------------------------------ Chapter Statement:3.2

During the 1980s, the savings and loan industry experienced severe
financial losses.  Extremely high interest rates caused institutions
to pay high costs for deposits and other funds while earning low
yields on their long-term portfolios.  Many institutions took
inappropriate or risky approaches in attempting to increase their
capital.  These approaches included accounting methods to
artificially inflate the institutions' capital position and
diversifying their investments into potentially more profitable, but
riskier, activities.  The profitability of many of these investments
depended heavily on continued inflation in real estate values to make
them economically viable.  In many cases, weak internal controls at
these institutions and noncompliance with laws and regulations
increased the risk of these activities and contributed significantly
to the ultimate failure of over 700 institutions.  This crisis cost
the taxpayers hundreds of billions of dollars.\5

Making profitable loans is the heart of a successful savings and loan
institution.  Boards of directors and senior management did not
actively monitor the loan award and administrative processes to
ensure excessive risks in making loans were not taken.  In fact,
excessive risk-taking in making loans was encouraged, resulting in a
lack of effective monitoring of loan performance that allowed poorly
performing loans to continue to deteriorate.  Also, loan
documentation was a frequent problem that further evidenced weak
internal supervision of loan officers and created difficulties in
valuing and selling loans after the institutions failed. 


--------------------
\5 Financial Audit:  Resolution Trust Corporation's 1995 and 1994
Financial Statements (GAO/AIMD-96-123, July 2, 1996). 


      PROPERTY
------------------------------------------------ Chapter Statement:3.3

Poor internal controls in the area of government property has existed
for decades.  For example, in 1988, we reported that the Defense
Logistics Agency recorded losses of about $23 million for materials
because of poor internal controls.\6 In 1985, we reported that for
the prior 16 years, the Department of State had long-standing
internal control weaknesses in managing an estimated $250 million of
personal property.\7 In 1987, we reported that the National
Aeronautics and Space Administration had poor internal controls over
$500 million of property at Goddard Space Flight Center.  We noted
that not all property was tagged or recorded in the accounting
records and that property no longer needed by particular units was
not made available for reuse or effectively controlled against misuse
or theft.\8

More recently, we reported that breakdowns exist in the Department of
Defense's (DOD) ability to protect its assets from fraud, waste, and
abuse.  We disclosed that the Army did not have accurate records for
its reported $30 billion in real property or the $8.5 billion
reported as government furnished property in the hands of
contractors.\9 Further, we reported that pervasive weaknesses in
DOD's general computer controls place it at risk of improper
modification; theft; inappropriate disclosure; and destruction of
sensitive personnel, payroll, disbursement, or inventory
information.\10


--------------------
\6 Financial Management:  Examples of Weaknesses (GAO/AFMD-88-35BR,
February 25, 1988). 

\7 Financial Integrity Act:  The Government Faces Serious Internal
Control and Accounting Systems Problems (GAO/AFMD-86-14, December 23,
1985). 

\8 Financial Integrity Act:  Continuing Efforts Needed to Improve
Internal Control and Accounting Systems (GAO/AFMD-88-10, December 30,
1987). 

\9 Financial Management:  Challenges Facing DOD in Meeting the Goals
of the Chief Financial Officers Act (GAO/T-AIMD-96-01, November 14,
1995). 

\10 DOD High-Risk Areas:  Eliminating Underlying Causes Will Avoid
Billions of Dollars in Waste (GAO/NSIAD/AIMD-97-143, May 1, 1997). 


      HIGH-RISK AREAS
------------------------------------------------ Chapter Statement:3.4

Beginning in 1990, we began a special effort to review and report on
the federal program areas our work had identified as high risk
because of vulnerabilities to waste, fraud, abuse, and mismanagement. 
This effort brought a much-needed central focus on problems that were
costing the government billions of dollars.  Our most recent
high-risk series issued focuses of six categories of high risk:  (1)
providing for accountability and cost-effective management of defense
programs, (2) ensuring that all revenues are collected and accounted
for, (3) obtaining an adequate return on multibillion dollar
investments in information technology, (4) controlling fraud, waste,
and abuse in benefit programs, (5) minimizing loan program losses,
and (6) improving management of federal contracts at civilian
agencies.  See attachment II for a listing of the high-risk reports
and our most recent reports and testimony on the Year 2000 computing
crisis. 


   CONCLUSION
-------------------------------------------------- Chapter Statement:4

In conclusion, effective internal controls are essential to achieving
agency missions and the results intended by the Congress and the
administration and as reasonably expected by the taxpayers.  The lack
of consistently effective internal controls across government has
plagued the government for decades.  Legislation has been enacted to
provide a framework for performance-based management and
accountability.  Effective internal controls are an essential
component of the success of that legislation.  However, no system of
internal control is perfect, and the controls may need to be revised
as agency missions and service delivery change to meet new
expectations.  Management and employees should focus not necessarily
on more controls, but on more effective controls. 


------------------------------------------------ Chapter Statement:4.1

Mr.  Chairman, this concludes my statement.  I would be happy to
respond to any questions that you or other Members of the
Subcommittee may have at this time. 


STANDARDS FOR INTERNAL CONTROLS IN
THE FEDERAL GOVERNMENT
=========================================================== Appendix I

Internal control standards define the minimum level of quality
acceptable for internal control systems to operate and constitute the
criteria against which systems are to be evaluated.  These internal
control standards apply to all operations and administrative
functions but are not intended to limit or interfere with duly
granted authority related to the development of legislation, rule
making, or other discretionary policy-making in an agency. 


   GENERAL STANDARDS
--------------------------------------------------------- Appendix I:1

1.  Reasonable Assurance:  Internal control systems are to provide
reasonable assurance that the objectives of the systems will be
accomplished. 

2.  Supportive Attitude:  Managers and employees are to maintain and
demonstrate a positive and supportive attitude toward internal
controls at all times. 

3.  Competent Personnel:  Managers and employees are to have personal
and professional integrity and are to maintain a level of competence
that allows them to accomplish their assigned duties, and understand
the importance of developing and implementing good internal controls. 

4.  Control Objectives:  Internal control objectives are to be
identified or developed for each agency activity and are to be
logical, applicable, and reasonably complete. 

5.  Control Techniques:  Internal control techniques are to be
effective and efficient in accomplishing their internal control
objectives. 


   SPECIFIC STANDARDS
--------------------------------------------------------- Appendix I:2

1.  Documentation:  Internal control systems and all transactions and
other significant events are to be clearly documented, and the
documentation is to be readily available for examination. 

2.  Recording of Transactions and Events:  Transactions and other
significant events are to be promptly recorded and properly
classified. 

3.  Execution of Transactions and Events:  Transactions and other
significant events are to be authorized and executed only by persons
acting within the scope of their authority. 

4.  Separation of Duties:  Key duties and responsibilities in
authorizing, processing, recording, and reviewing transactions should
be separated among individuals. 

5.  Supervision:  Qualified and continuous supervision is to be
provided to ensure that internal control objectives are achieved. 

6.  Access to and Accountability for Resources:  Access to resources
and records is to be limited to authorized individuals, and
accountability for the custody and use of resources is to be assigned
and maintained.  Periodic comparison shall be made of the resources
with the recorded accountability to determine whether the two agree. 
The frequency of the comparison shall be a function of the
vulnerability of the asset. 


   AUDIT RESOLUTION STANDARD
--------------------------------------------------------- Appendix I:3

Prompt Resolution of Audit Findings:  Managers are to (1) promptly
evaluate findings and recommendations reported by auditors, (2)
determine proper actions in response to audit findings and
recommendations, and (3) complete, within established time frames,
all actions that correct or otherwise resolve the matters brought to
management's attention. 


GAO'S FEBRUARY 1997 HIGH-RISK
SERIES REPORTS AND RECENT GAO
REPORTS AND TESTIMONY ON THE YEAR
2000 COMPUTING CRISIS
========================================================== Appendix II


   HIGH-RISK SERIES REPORTS
-------------------------------------------------------- Appendix II:1

High-Risk Series:  An Overview (GAO/HR-97-1, February 1997). 

High-Risk Series:  Quick Reference Guide (GAO/HR-97-2, February
1997). 

High-Risk Series:  Defense Financial Management (GAO/HR-97-3,
February 1997). 

High-Risk Series:  Defense Contract Management (GAO/HR-97-4, February
1997). 

High-Risk Series:  Defense Inventory Management (GAO/HR-97-5,
February 1997). 

High-Risk Series:  Defense Weapons Systems Acquisition (GAO/HR-97-6,
February 1997). 

High-Risk Series:  Defense Infrastructure (GAO/HR-97-7, February
1997). 

High-Risk Series:  IRS Management (GAO/HR-97-8, February 1997). 

High-Risk Series:  Information Management and Technology
(GAO/HR-97-9, February 1997). 

High-Risk Series:  Medicare (GAO/HR-97-10, February 1997). 

High-Risk Series:  Student Financial Aid (GAO/HR-97-11, February
1997). 

High-Risk Series:  Department of Housing and Urban Development
(GAO/HR-97-12, February 1997). 

High-Risk Series:  Department of Energy Contract Management
(GAO/HR-97-13, February 1997). 

High-Risk Series:  Superfund Program Management (GAO/HR-97-14,
February 1997). 

High-Risk Program Information on Selected High-Risk Areas
(GAO/HR-97-30 May 1997). 


   YEAR 2000 COMPUTING CRISES
   REPORTS AND TESTIMONY
-------------------------------------------------------- Appendix II:2

Year 2000 Computing Crisis:  Business Continuity and Contingency
Planning (GAO/ AIMD-10-1.19, Exposure Draft, March 1998). 

Year 2000 Readiness:  NRC's Proposed Approach Regarding Nuclear
Powerplants (GAO/AIMD-98-90R, March 6, 1998). 

Year 2000 Computing Crisis:  Federal Deposit Insurance Corporation's
Efforts to Ensure Bank Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-73, February 10, 1998). 

Year 2000 Computing Crisis:  FAA Must Act Quickly to Prevent Systems
Failures (GAO/ T-AIMD-98-63, February 4, 1998). 

FAA Computer Systems:  Limited Progress on Year 2000 Issue Increases
Risk Dramatically (GAO/AIMD-98-45, January 30, 1998). 

Defense Computers:  Air Force Needs to Strengthen Year 2000 Oversight
(GAO/ AIMD-98-35, January 16, 1998). 

Year 2000 Computing Crisis:  Actions Needed to Address Credit Union
Systems' Year 2000 Problem (GAO/T-AIMD-98-48, January 7, 1998). 

Veterans Health Administration Facility Systems:  Some Progress Made
In Ensuring Year 2000 Compliance, But Challenges Remain
(GAO/AIMD-98-31R, November 7, 1997). 

Year 2000 Computing Crisis:  National Credit Union Administration's
Efforts to Ensure Credit Union Systems Are Year 2000 Compliant
(GAO/T-AIMD-98-20, October 22, 1997). 

Social Security Administration:  Significant Progress Made in Year
2000 Effort, But Key Risks Remain (GAO/T-AIMD-98-6, October 22,
1997). 

Defense Computers:  Technical Support Is Key to Naval Supply Year
2000 Success (GAO/AIMD-98-7R, October 21, 1997). 

Defense Computers:  LSSC Needs to Confront Significant Year 2000
Issues (GAO/ AIMD-97-149, September 26, 1997). 

Veterans Affairs Computer Systems:  Action Underway Yet Much Work
Remains To Resolve Year 2000 Compliance (GAO/T-AIMD-97-174, September
25, 1997). 

Year 2000 Computing Crisis:  Success Depends Upon Strong Management
and Structured Approach (GAO/T-AIMD-97-173, September 25, 1997). 

Year 2000 Computing Crisis:  An Assessment Guide (GAO/AIMD-10.1.14,
September 1997). 

Defense Computers:  SSG Needs to Sustain Year 2000 Progress
(GAO/AIMD-97-120R, August 19, 1997). 

Defense Computers:  Improvements to DOD Systems Inventory Needed for
Year 2000 Effort (GAO/AIMD-97-112, August 13, 1997). 

Defense Computers:  Issues Confronting DLA in Addressing Year 2000
Problems (GAO/AIMD-97-106, August 12, 1997). 

Defense Computers:  DFAS Faces Challenges in Solving the Year 2000
Problem (GAO/AIMD-97-117, August 11, 1997). 

Year 2000 Computing Crisis:  Time Is Running Out for Federal Agencies
to Prepare for the New Millennium (GAO/T-AIMD-97-129, July 10, 1997). 

Veterans Benefits Computer Systems:  Uninterrupted Delivery of
Benefits Depends on Timely Correction of Year-2000 Problems
(GAO/T-AIMD-97-114, June 26, 1997). 

Veterans Affairs Computer Systems:  Risks of VBA's Year 2000 Efforts
(GAO/AIMD-97-79, May 30, 1997). 

Medicare Transaction System:  Success Depends Upon Correcting
Critical Managerial and Technical Weaknesses (GAO/AIMD-97-78, May 16,
1997). 

Medicare Transaction System:  Serious Managerial and Technical
Weaknesses Threaten Modernization (GAO/T-AIMD-97-91, May 16, 1997). 

Year 2000 Computing Crisis:  Risk of Serious Disruption to Essential
Government Functions Calls for Agency Action Now (GAO/T-AIMD-97-52,
February 27, 1997). 

Year 2000 Computing Crisis:  Strong Leadership Today Needed To
Prevent Future Disruption of Government Services (GAO/T-AIMD-97-51,
February 24, 1997). 


*** End of document. ***