Integrating Internal Controls with Best Practices
In my previous blogs I talked about the different components that comprise the organizational environment where best practices can survive and thrive and the necessary role that leaders play in ensuring best practices are understood and followed through proper governance. In this blog I’ll address how the organization’s internal control program can ensure best practices become a vital part of the culture and management fabric in an organization.
Internal control has a rocky history in the Federal government. I can remember when it was referred to as the “internal review” program and was the sole responsibility of the Comptroller or financial manager in the military organization. I had a staff that spread out through the military command to ensure all our assets (financial and property assets) were protected from fraud, waste, and abuse. We were supposed to verify those protections were written, understood, and followed to prevent loss of resources for our military mission. In those days these internal reviewers were considered a disruption to the normal operational tempo and were met with reluctant cooperation. The people performing these reviews were mostly junior folks with no real idea how to conduct the review other than following a checklist and their own intuition. Invariably the reports were focused on compliance with various laws and regulations and not the effectiveness of actual practices in meeting mission requirements. Over the years it has matured into what OMB hopes is a vital part of managing all agencies in the Executive Branch.
In 2004 major changes were made to OMB’s Circular A-123 (update coming soon!) to make Federal managers and employees more accountable. Its name was changed to Management’s Responsibility for Internal Control and it clearly tasked “key business process owners” to step up their game with respect to non-financial processes and procedures in terms of their efficiency and effectiveness and reporting of material weaknesses. We all know that funding is the lifeblood of agency operations and most actions have a financial consequence of some type, be it major acquisition or the payroll of those civil servants performing them. But A-123 isn’t just about financial reporting; it’s also about ensuring accountability of Federal management. In the aftermath of The Sarbanes-Oxley Act of 2002 (SOX), the A-123 revision does incorporate many components of SOX in detailing how Federal agencies use internal controls to ensure financial reports have a “clean audit opinion.” But there is another aspect to internal controls that has everything to do with how effective and efficient an agency’s operational processes are designed, managed, and executed.
You may have heard of GAO’s “Yellow Book” that describes auditing standards, or GAO’s “Red Book” that details proper application of Appropriations Law. But have you heard of GAO’s “Green Book”? This is a must-read for any Federal supervisor, manager, executive, or employee for that matter.
The Green Book details the standards for internal control systems agencies are required to follow. Its purpose is focused on achieving an agency’s objectives effectively and efficiently. These objectives could be about operations, reporting or compliance. As Figure 2 shows, the standards are composed of five components:
- Establishing a proper control environment
- Insightful assessment of risks
- Establishing the policies and procedures whereby the agency will achieve its objectives
- Ensuring quality information is communicated to managers and personnel
- Effective monitoring of key control activities to assess performance and resolve issues promptly as identified
If one reads the Green Book in its entirety, it is easy to see this is not an administratively burdensome set of standards. It is simply the reasonable management activities by agency management and their effective implementation of organizational controls to ensure that operational activities are proper and effective at all levels. It is an MBA course in 79 pages – and it IS required!
Internal controls will ensure that best practices, once established, are followed and adjusted as needed. In one recent engagement, it was very revealing that what was termed “best practices” were largely what I would call “common practices.” Some practices were actually required by existing procedures or published in findings by GAO and other audit reports. The difference is that management of the organization did not ensure these practices/procedures were followed. The GAO standards require the documented periodic assessment and testing of control activities in non-financial key business processes – this is where accountability can be determined. This will also aid in the governance of best practices and ensure their longevity and effectiveness across the entire organization. In my view, integrating best practices with the internal controls program is only responsible management. Read the Green Book or attend a short course on Internal Controls to better understand how internal controls can work for you; it will make you a better manager!