OMB following a familiar path as it shapes new financial internal controls

Wednesday - 9/18/2013, 5:44am EDT

Jason Miller on the Federal Drive with Tom Temin and Emily Kopp.

Download mp3

The Office of Federal Financial Management is taking a page out of the cybersecurity reform book in how it's changing how agencies oversee spending.

OFFM is updating its Circular A-123 guidance to be more like the future vision of cybersecurity — based on risk and data, and done more than every three years.

Mike Wetklow, the chief of the accountability performance branch at OFFM in the Office of Management and Budget, said there are several guiding principles going into the revision, including integrating an internal controls framework, reducing the compliance burdens and innovation through data analysis.

"Many of these principles we are putting in practice, we're going to have examples of charge cards, improper payments and data analytics," said Wetklow during a panel discussion at the Association of Government Accountant's Internal Control and Fraud Prevention Training event Tuesday in Washington. "We have a lot of things we are trying to do differently like, for example, with Hurricane Sandy last year. There was a memo earlier in the year about internal control plans. A lot of our discussions were we didn't want to make this a new Recovery Act or have this big compliance exercise right in the middle of disaster response, but to really use the internal controls as a risk management tool. We didn't ask agencies to document their control environment, the risk assessment, the control activities, the full gauntlet of all those things. We asked them to simply do a thoughtful analysis of their risks that came about from the extra funding that went into their programs, and just work with OMB on that."

Similarities to cyber

Federal financial management and cybersecurity policy face similar challenges. Both need to keep up with the changing environment and expectations, and move from a static to a dynamic approach.

The administration is updating federal cybersecurity standards by moving toward a data analysis and risk management approach. The Homeland Security Department is leading the implementation of continuous monitoring on agency computer networks to move away from the static nature of the Federal Information Security Management Act.

Like FISMA, A-123 turned into a static process.

A-123 is a 30-plus-year-old policy from OMB regarding how agencies, and specifically CFOs and their budget staffs, handle the oversight of money, otherwise known as internal controls. Internal controls ensure agencies meet policy and legislative requirements for financial reporting and the effectiveness and efficiency of programs.

OMB last revised A-123 in 2004 after Congress passed the Sarbanes-Oxley bill.

Experts say this latest set of changes is part of the pendulum that seems to swing every decade or so between more or less reporting requirements.

"We definitely will have to beef up the existing circular because it's just too high level and doesn't really tell you how to implement an integrated risk framework, it doesn't tell you how and it's OK to integrate FISMA stuff with the system security work you do on financial reporting. We are just collecting our thoughts," Wetklow said. "We want to move away from you having to do everything over three years and have this compliance mindset to a more of a risk-based framework to allow agencies the flexibility in how they implement the circular. We are not exactly sure of the format, other than the full circular will need to be updated."

Canceling systems requirements

He said one of the biggest changes is what is being added to A-123 to meet the intent and spirit of Congress when it wrote the Federal Financial Management and Improvement Act (FFMIA).

"In the near term, and this will be literally in a couple of weeks, we plan to rescind OMB Circular A-127 and replace it with a new Appendix D to A-123," Wetklow said. "And if you ask yourself, why A-123? When you read the committee report [to FFMIA], it talks a little about financial systems. It talks more about internal controls, business processes, and visibility into government operations. Our hope in what we are doing is we are going to reduce compliance burdens by getting rid of all of these complicated checklists that only serve to drive system's costs and risks, and integrate our processes with the already existing things in A-123."

A-127 addresses financial management system requirements. OMB slowly has been moving away from strict financial management system requirements, and focusing more on standards and outcomes over the last decade.

He said A-123 also will need to be integrated with several other initiatives including new credit card abuse guidance OMB issued last week, improper payment laws that includes the Do Not Pay list and other changes to financial oversight that have come over the past 10 years.