Public Documents

Nancy Roberts, Editor

Philip J. Candreva
Naval Postgraduate School

Public Controlling Internal Controls

Philip J. Candreva is a lecturer in financial Two recent examinations of management practices in (American Institute of Certified Public Accountants,
management at the Naval Postgraduate three federal departments provide contemporary evidence 1988). The GAO uses a similar definition: “An integral
School (NPS). He has broad experience in
defense financial management, is a
of the need to incorporate procedures like those of the component of an organization’s management that pro-
distinguished graduate of NPS, and is now Sarbanes-Oxley Act in the public sector. Although each vides reasonable assurance that the following objectives
a doctoral student. His research interests department established what appeared to be well- are being achieved: effectiveness and efficiency of opera-
are public management and budgeting. His
work has appeared in the International
designed internal controls, all lacked sufficient monitor- tions, reliability of financial reporting, and compliance
Public Management Review, Public ing and assessment of the efficacy of those controls. By with applicable laws and regulations” (GAO 1999).
Budgeting and Finance, and Armed Forces requiring senior management to attest to the strength of
& Society.
E-mail: pjcandre@nps.edu.
their control mechanisms, as required by the newly The revised OMB Circular A-123 took effect at the
revised OMB Circular A-123, the quality of this beginning of the 2006 federal fiscal year on October 1,
monitoring should improve. Findings from a recent study 2005. This revision incorporated an essential require-
of private-sector implementation of these reforms are ment of the Sarbanes-Oxley Act, which was enacted in
described, along with suggestions for public administra- 2002 in response to scandals among publicly traded
tion research and practice at all levels of government. corporations. Section 404 of the act requires auditors
of companies to include in their annual reports an
Public documents discussed: assessment of internal controls that (1) states the re-
sponsibility of management for establishing and main-
● Primary: Revisions to OMB Circular A-123, taining an adequate internal control structure and
“Management’s Responsibility for Internal Controls,” procedures for financial reporting; and (2) contains an
issued December 21, 2004, effective October 1, 2005. assessment, as of the end of the issuer’s fiscal year, of
● Secondary: U.S. Government Accountability the effectiveness of the internal control structure and
Office, “Managerial Cost Accounting Practices: procedures of the issuer for financial reporting.
Leadership and Internal Controls are Key to Suc-
cessful Implementation” (GAO-05-1013R) and Similarly, a fundamental purpose of the revision to
“Defense Management: DOD Needs to Demon- OMB Circular A-123 was to “emphasize manage-
strate that Performance-Based Logistics Contracts ment’s responsibility for assessing and documenting
are Achieving Expected Benefits” (GAO-05-966) internal control over financial reporting” (Bolton
2004). Financial reporting is broadly defined to in-
It is not enough for agencies to have internal controls clude not only the financial statements required under
over their critical processes; the new standard for federal the Chief Financial Officers Act but also any “reports
agencies under OMB (Office of Management and Bud- that could have a material effect on a significant
get) Circular A-123 (2004) is to ensure that those con- spending, budgetary or other financial decision” at
trols are effective. Recent audits by the Government multiple levels of the organization (Bolton 2004).
Accountability Office (GAO) provide some insight into Management must be able to document the assess-
how well the federal government is controlling its internal ment process and methodology used to support its
controls. Likewise, a recent assessment of publicly traded assertion about the effectiveness of the internal con-
firms provides helpful insights for public managers. trols. Incorporating the broadest interpretation, not
only is management responsible for implementing
Internal controls are defined by the American Institute of internal controls to provide reasonable assurance
Certified Public Accountants, in its Statement of Audit- the agency meets its intended objectives, it is also
ing Standards No. 55, as the policies and procedures responsible for self-assessing, correcting, and reporting
promulgated by management to provide reasonable on the efficacy of those controls. In short, controlling
assurance that specific entity objectives will be achieved the internal controls is the new standard.
Controlling Internal Controls 463
 The revision of OMB Circular A-123 provides the The Department of Labor implemented a new mana-
framework for those tasks. It not only states the objec- gerial cost-accounting system in September 2004. Its
tives of internal control, it also defines management’s strategy was to employ a commercial software tool at
responsibility to develop and maintain control activi- the departmental level and to have each subordinate
ties that comply with five standards: (1) control envi- agency fashion models using the tool. The system
ronment, (2) risk assessment, (3) control activities, (4) integrates performance and financial data, bench-
information and communication, and (5) monitoring. marks performance, provides trend analysis, and al-
The circular integrates the related legislative and regu- lows for sensitivity analysis. Policies and procedures
latory requirements and issues guidance on assessing, are being updated and training conducted, and refine-
correcting, and reporting on internal controls. ments are planned. The implementation plans are
laudable, but again, the GAO cited the department’s
Recently, the GAO issued two reports that provide lack of postimplementation review as a weakness. The
some insight into how well the federal government is GAO also applauded the quality of the financial data
doing on this front. Although these reports do not audits but also found weakness in the reliability of
directly address agencies’ reporting on the efficacy of controls over nonfinancial data, as in the VA findings.
their controls, by serving as examples of the practice
of controlling controls, they provide a preview of In the second GAO report, performance-based logis-
federal government activity in this area. tics contracts in the U.S. Department of Defense were
assessed to determine whether they are achieving their
In the first report, the GAO reviewed the federal expected benefits (GAO 2005a). Since the late 1990s,
Departments of Labor and Veterans Affairs (VA) to Defense Department leadership has increasingly advo-
determine how cost-accounting information is gener- cated the use of performance-based contracts for
ated and how that information is used to support weapons system logistics support. The 2001 Quadren-
managerial decision making and provide accountabil- nial Defense Review validated the approach on the
ity (GAO 2005b). According to the GAO report, such grounds performance-based contracts lead to com-
accounting “involves the accumulation and analysis of pressed supply chains, streamlined processes, reduced
financial and non-financial data, resulting in the allo- inventory levels, and reduced cost while improving
cation of costs to organizational pursuits such as per- readiness. Again, if we define internal controls as the
formance goals, programs, activities, and outputs.” policies and procedures effected by management to
Clearly, then, management cost accounting itself is an provide reasonable assurance that specific entity objec-
internal control device. tives will be achieved, performance-based contracts
serve as a mechanism for control.
One sees in the report that although the two depart-
ments employ different strategies to implement The GAO assessed 15 performance-based logistics
cost-accounting systems, both (plan to) use programs from a list provided by the Defense Depart-
cost-accounting data for budgetary and resource- ment of those it considered successful. To ensure the
allocation decisions. What the GAO found is that effectiveness of the arrangements, the department
controls on cost-accounting practices should be issued guidance to the services that recommended a
strengthened in both departments. The VA, by policy business-case analysis be prepared before adopting a
and by design, does not direct managerial cost activi- performance-based logistics approach in order to
ties at the departmental level; it delegates that respon- justify the decision and to establish cost and perfor-
sibility to the heads of the three subordinate agencies. mance goals. Furthermore, the guidance recom-
Those agencies, in turn, supply cost information for mended that program offices update the analysis at
department-wide reporting. appropriate decision points after implementation to
validate assumptions and assess actual performance
Though the financial data feeding the cost-accounting and costs. These ex poste analyses were to use data
systems is sound, the GAO had concerns about the from the monitoring strategy for the performance-
reliability of the nonfinancial data in the cost- based contract.
accounting system used by the Veterans Health
Administration (VHA), evidenced by prior audits and The GAO found that only one of the 15 programs
inspector general findings. Nonfinancial data are actually completed an ex poste business-case analysis
crucial to the decision-support information provided consistent with the guidance. According to the report,
by managerial cost-accounting systems; unreliability “In general, program offices had not updated their
could skew management decision making. The VHA business case analysis . . . because they assumed that
noted that it had disseminated audit guides for nonfi- the costs for weapon system maintenance incurred
nancial data to its agencies, but the GAO stated that under a fixed-price, performance-based logistics con-
although promulgation of policy is a critical step, there tract would always be lower . . . and because they
was insufficient documentation that the audits were lacked reliable cost and performance data needed to
conducted, and the risk of inaccurate data remains. validate assumptions” (GAO 2005a). Senior Defense
464 Public Administration Review • May | June 2006
Department leadership had not established procedures the internal control standards identified by the OMB.
to monitor compliance with the guidance. Future researchers may replicate Boyne using the
OMB standards as variables.
These two GAO examinations of management prac-
tices in three federal departments provide contempo- Those whose interests lie outside the federal
rary evidence of the need to incorporate procedures government should note that the OMB’s standards
like those of the Sarbanes-Oxley Act in the public are identical to those used by COSO, the Committee
sector. Although each department established what of Sponsoring Organizations of the Treadway
appeared to be well-designed internal controls, all Commission.1 The OMB does not fail to cite the
lacked sufficient monitoring and assessment of the importance of control and security over information
efficacy of those controls. By requiring senior man- technology, similar to the open-source COBIT
agement to attest to the strength of their controls, standards promulgated by the Information Systems
the quality of the monitoring should improve. Audit and Control Association.2 Further, Appendix A
to OMB Circular A-123 contains an implementation
These rules are now being applied in the public sector, guide that practitioners at any level of government
just a few years after they were applied in the com- will find helpful in controlling their internal controls.
mercial sector. Since the passage of the Sarbanes-
Oxley Act in 2002, publicly traded firms have been
Notes
required to make such attestations. In the first survey
1. See www.coso.org.
of the state of affairs among publicly traded firms, Ge
2. COBIT is an acronym for Control Objectives
and McVay (2005) sampled 261 companies that dis-
for Information and Related Technology; see
closed weaknesses in their internal controls. They
www.iasaca.org.
found that “inadequate accounting resources under-
pin the majority of internal control weaknesses.”
Complex firms were more likely to have material References
weaknesses in their controls than relatively simple American Institute of Certified Public Accountants.
ones. The most frequently cited problem was em- 1988. Consideration of the Internal Control
ployee training. In order of decreasing frequency, Structure in Financial Statement Audit. Statement
specific issues included period-end accounting proce- on Auditing Standards No. 55. New York: AICPA.
dures and revenue recognition—weak controls in Bolton, Joshua B. 2004. OMB Circular A-123:
these areas increase the risk of misstating crucial per- Management’s Responsibility for Internal Control.
formance information (earnings)—account reconcilia- Washington, DC: U.S. Office of Management and
tion, and segregation of duties. Budget.
Boyne, George A., Julian S. Gould-Williams, Jennifer
Ge and McVay’s findings are consistent with the two Law, and Richard M. Walker. 2004. Toward the
recent (and many prior) GAO audits described here. Self-Evaluating Organization? An Empirical Test of
Whether the employees who implemented the de- the Wildavsky Model. Public Administration
signed controls were using them effectively was a con- Review 64(4): 463–73.
sistent theme of the GAO audits. Although revenue Ge, Weili, and Sarah E. McVay. 2005. The Disclosure
recognition does not have the same import in the of Material Weaknesses in Internal Control after
public sector, solid internal control programs should the Sarbanes-Oxley Act. Accounting Horizons
target the most significant areas, whatever they are, and 19(3): 137–58.
the Defense Department audit clearly cited a weakness U.S. Government Accountability Office (GAO).
in a significant area. Likewise, period-end accounting 1999. Standards for Internal Control in the Federal
procedures and account reconciliation were both cited Government. Washington, DC: Government
in the cost-accounting audits of the VA and Labor Printing Office. GAO/AIMD-00-21.3.1.
Departments. Government managers and executives ———. 2005a. Defense Management: DOD Needs to
would do well to learn from the four-year head start Demonstrate that Performance-Based Logistics
that publicly traded companies have had in this area. Contracts Are Achieving Expected Benefits.
Washington, DC: Government Printing Office.
What are the implications for public administration? GAO-05-966.
A repeat of the Ge and McVay study among federal ———. 2005b. Managerial Cost Accounting Practices:
agencies should reveal important information for Leadership and Internal Controls Are Key to
public managers. Readers of PAR are reminded of an Successful Implementation. Washington, DC:
article written last year by George Boyne and col- Government Printing Office. GAO-05-1013R.
leagues on self-evaluating organizations (Boyne et al. U.S. Office of Management and Budget (OMB).
2004). These GAO audits highlight the need for 2004. Circular A-123: Management’s Responsibility
introspection to properly control internal controls. for Internal Controls. Washington, DC: U.S. Office
The six variables in that Boyne et al. cite are similar to of Management and Budget.

Controlling Internal Controls 465