The Office of Federal Financial Management is taking a page out of the cybersecurity reform book in changing how agencies oversee spending.
OFFM is updating its Circular A-123 guidance to be more like the future vision of cybersecurity: based on risk and data, and done more often than every three years.
Mike Wetklow, the chief of the accountability performance branch at OFFM in the Office of Management and Budget, said there are several guiding principles going into the revision, including integrating an internal controls framework, reducing the compliance burdens and innovating through data analysis.
“Many of these principles we are putting in practice, we’re going to have examples of charge cards, improper payments and data analytics,” said Wetklow during a panel discussion at the Association of Government Accountants’ Internal Control and Fraud Prevention Training event Tuesday in Washington. “We have a lot of things we are trying to do differently like, for example, with Hurricane Sandy last year. There was a memo earlier in the year about internal control plans. A lot of our discussions were we didn’t want to make this a new Recovery Act or have this big compliance exercise right in the middle of disaster response, but to really use the internal controls as a risk management tool. We didn’t ask agencies to document their control environment, the risk assessment, the control activities, the full gauntlet of all those things. We asked them to simply do a thoughtful analysis of their risks that came about from the extra funding that went into their programs, and just work with OMB on that.”
Similarities to cyber
Federal financial management and cybersecurity policy face similar challenges. Both need to keep up with the changing environment and expectations, and move from a static to a dynamic approach.
The administration is updating federal cybersecurity standards by moving toward a data analysis and risk management approach. The Homeland Security Department is leading the implementation of continuous monitoring on agency computer networks to move away from the static nature of the Federal Information Security Management Act.
Like FISMA, A-123 turned into a static process.
A-123 is a 30-plus-year-old policy from OMB regarding how agencies, and specifically CFOs and their budget staffs, handle the oversight of money, otherwise known as internal controls. Internal controls ensure agencies meet policy and legislative requirements for financial reporting and the effectiveness and efficiency of programs.
OMB last revised A-123 in 2004 after Congress passed the Sarbanes-Oxley bill.
Experts say this latest set of changes is part of the pendulum that seems to swing every decade or so between more or less reporting requirements.
“We definitely will have to beef up the existing circular because it’s just too high level and doesn’t really tell you how to implement an integrated risk framework, it doesn’t tell you how and it’s OK to integrate FISMA stuff with the system security work you do on financial reporting. We are just collecting our thoughts,” Wetklow said. “We want to move away from you having to do everything over three years and have this compliance mindset to a more of a risk-based framework to allow agencies the flexibility in how they implement the circular. We are not exactly sure of the format, other than the full circular will need to be updated.”
Canceling systems requirements
He said one of the biggest changes is what is being added to A-123 to meet the intent and spirit of Congress when it wrote the Federal Financial Management and Improvement Act (FFMIA).
“In the near term, and this will be literally in a couple of weeks, we plan to rescind OMB Circular A-127 and replace it with a new Appendix D to A-123,” Wetklow said. “And if you ask yourself, why A-123? When you read the committee report [to FFMIA], it talks a little about financial systems. It talks more about internal controls, business processes, and visibility into government operations. Our hope in what we are doing is we are going to reduce compliance burdens by getting rid of all of these complicated checklists that only serve to drive system’s costs and risks, and integrate our processes with the already existing things in A-123.”
A-127 addresses financial management system requirements. OMB slowly has been moving away from strict financial management system requirements, and focusing more on standards and outcomes over the last decade.
He said A-123 also will need to be integrated with several other initiatives, including new credit card abuse guidance OMB issued last week, improper payment laws that include the Do Not Pay list and other changes to financial oversight that have come over the past 10 years.
OFFM will be paying close attention to the Government Accountability Office’s work on the Green Book. GAO released its draft update earlier this month detailing new plans, methods, policies and procedures for the effective implementation of internal controls.
OFFM also plans on expanding A-123 to incorporate as appendices several new financial management initiatives that came to the forefront over the last 10 years.
Improper payments is one of those new requirements. There have been at least three new laws passed since the Sarbanes-Oxley update in 2004, and the Obama and George W. Bush administrations have spent a lot of resources on reducing and recovering incorrect payments.
Flavio Menasce, a senior policy analyst in OFFM’s accountability, performance and reporting branch, said Appendix C of A-123 will address improper payments.
He said it will have three parts:
Implementing the latest improper payments laws;
Focusing on the work done by agency inspectors general to track, analyze and recover improper payments;
Implementing President Obama’s 2009 executive order.
“A complete overhaul,” said Menasce, referring to changes to Appendix C of A-123. “First of all, we have to reconcile the Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) executive order type of requirements with what’s in the new law. One of the things we are doing is taking the 60 pages and trying to cut it down by a lot. One of the things that when you look at the guidance now as it is, there are a lot of one-time requirements especially from the executive order, things that had to be done within 180 days of November 2009. Those things are past and gone, we don’t need them. So we are looking at them and seeing if we can streamline all of that.”
Menasce said OFFM also wants to consolidate reporting requirements required under the laws and policies. He said the goal is to have a streamlined Appendix C that integrates with A-123.
OFFM also wants to add an internal control framework to address improper payments. The goal of the framework is to more clearly establish a link between having strong internal controls and limiting or reducing improper payments.
Menasce said too often agencies have strong internal controls but send out billions of dollars in improper payments, so how can the internal controls really be that strong?
The answer, of course, is the same way agencies could get an “A” on the FISMA scorecard, but have a computer network full of vulnerabilities.
He said OFFM will share the draft with IGs, GAO and agencies to get comments in the coming months.
Do Not Pay portal to grow
Treasury also is expanding its use of the Do Not Pay portal. A-123 will include the requirements in the improper payment law to use the portal.
The Do Not Pay program makes available six databases for agencies to check against before making a payment for a contract, grant or other assistance program to ensure the person getting the money is entitled to it.
David Saltiel, the director of data management reporting and analytics for Debt Management Services in the Do Not Pay Business Center in Treasury, said his office met several of the June 1 deadlines, including issuing privacy guidance.
“It gives agencies the ability to continuously monitor their payments through those data sources,” he said. “We are making some significant improvements to that portal to give you not only more data, but also being able to start transforming that data into information you can use, and putting you in a position to start seeing some of the trends and even perhaps investigating the potential improper payments through that venue.”
He said the new analytical tools will make a huge difference for agencies because they will help them make the move from data to information so they can make better decisions and see where the money is going on a near-real-time basis.
Saltiel said the end goal is to help agencies build better internal controls and, should they have paid someone improperly, take the necessary actions to recover the money.