U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590
FHWA Order 1300.3B
|Management Control Systems|
|1300.3B||August 3, 1992|
FHWA MANAGEMENT CONTROL SYSTEMS
August 3, 1992
(1) Abuse - administrative violations of general Federal, as well as departmental, agency, program, or managerial regulations which impair the effective and efficient performance of mission responsibilities. These violations may result in Federal losses or they may result in denial of Federal benefits to participants.
(2) Component - a major program, administrative activity, organization, or functional subdivision of FHWA. (A component was formerly referred to as an assessable unit.)
(3) Fraud - the intentional, wrongful obtaining of some unfair or dishonest advantage or benefit with regard to Government programs by Federal employees, or by non-Federal employees because of action or failure to act by Federal employees. This advantage or benefit may include benefits intended by the program but beyond the legal limitations (e.g., multiple recoveries from a single entitlement or grant), or benefits which are not intended by the program (e.g., kickbacks). Fraud embraces theft, embezzlement, false statements, illegal commissions, kickbacks, conspiracies, obtaining contracts through collusive arrangements, and similar actions.
(4) Management Controls - the organization, methods, and procedures adopted by management to provide reasonable assurance that funds, property, and other assets are properly accounted for and safeguarded against fraud, waste, abuse, or mismanagement; and revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the proper maintenance of accounts and the preparation of reliable financial reports. A management control, formerly referred to as an internal control, pertains to program, administrative, accounting, and financial management areas.
(5) Management Control Evaluation (MCE) - a documented evaluation of a program or administrative component to determine whether adequate control techniques exist to achieve cost-effective compliance with the FMFIA. There are two types of evaluations.
(a) Management Control Review (MCR) - a detailed examination of a system of management controls. (A management control review was formerly referred to as an internal control review.)
(b) Alternative Management Control Review (AMCR) - a process such as Office of Inspector General (OIG) audits, GAO audits, other management reviews conducted in-house or by contractor, Circular A-130 computer security review, and Circular A-127 financial system reviews. (An AMCR was formerly referred to as an alternative internal control review.)
(6) Management Control Plan (MCP) - an annual listing of the components within an organization, along with the risk ratings and the date of the planned evaluations for each component.
(7) Mismanagement - managing incompetently or dishonestly, i.e., allowing funds to lapse, or not using funds to gain maximum benefit.
(8) Organizational Unit - each Associate Administrator, Staff Office Director, Federal Lands Highway Program Administrator, and Regional Office is an organizational unit.
(9) Risk Assessment (RA) - a documented review by management of a component's degree of susceptibility to fraud, waste, abuse, or mismanagement. (A risk assessment was formerly referred to as a vulnerability assessment.)
(10) Waste - unnecessary costs incurred as a result of inefficient or ineffective practices, systems, or controls.
FEDERAL HIGHWAY ADMINISTRATION RISK ASSESSMENT GUIDELINES
(1) The RA Process. In 1992, all RAs will be done concurrently throughout FHWA with assigned components. In the regions and divisions, the components will be assigned on a sampling basis. Starting in FY 1993, four options are available to FHWA organizational units for conducting RAs. The flexibility to select an option may provide a manager the opportunity to maximize resources, incorporate the RA process into ongoing management programs, and spread the workload over a three year period. The flexibility may allow managers to tailor the RA process making it less burdensome and more meaningful. These four options are:
(a) Offices perform RAs once every 3 years using the 1992 modified form and reduced component list. Division offices assess 50% of the components.
(b) An office conducts RAs of its own management controls at the same time it reviews State or FHWA programs/operations for a given component. Each office assesses less than 100 percent of the components; however adequate coverage of all applicable components must be obtained within the parent organizational unit. At the beginning of the third year, each organizational unit (e.g., region) reviews risk assessment activity to ensure adequate coverage of all components by the end of the third year.
(c) The RAs for all components are updated each year using the 1992 revised process and forms. The annual update consists of a brief review of the most recent RA form for changes in the general control environment, inherent risk, and safeguards since the last RA.
(d) Offices conduct RAs on one-third of the RA components each year using the 1992 process and forms. Activity is reported each year as part of annual certification.
(2) The RA Form. The FHWA RA Form should be used to evaluate each component. The forms will be prepared at Washington Headquarters with the component name, definition, and regulations/guidance. The form consists of three sections addressing the general control environment, inherent risk, and safeguards in place. The completed form will serve as documentation of considerations used to arrive at an overall risk rating (low, medium, or high).
(3) Distribution of RA Forms. The RA forms with the preprinted information will be forwarded to the appropriate Associate Administrator, Regional Administrator, or Staff Office Director who will make further appropriate distribution (e.g., to the divisions and Washington Headquarters offices). Electronic versions of the forms will also be available on FEBBS. Motor Carrier field offices will be handled by the Associate Administrator for Motor Carriers, and the Federal Lands Highway Divisions will be handled by the Federal Lands Highway Program Administrator.
(4) Completing the RA Form. Instructions for completing the form are contained in the RA workbook. The workbook provides instructions for each area on the form. Completion of the form will require a combination of researched information (e.g., record of previous audits and reviews) and subjective impressions (e.g., assumed effectiveness of existing controls). The forms should therefore be completed by someone with a good working knowledge of the particular activity or function as performed at that location (e.g., regional offices should assess activities only as they are carried out at the regional office). The person conducting the RA signs and dates the form at the bottom.
(5) Approval of RAs. The management official who approves the RA should also sign and date the form. In division offices, the approving official should be the Division Administrator or Assistant Division Administrator. In regional offices, the approving official should be the Regional Administrator or Deputy Regional Administrator. In Washington Headquarters, this authority may be delegated to Office Directors. In the case of the Federal Lands Highway Program, the Federal Lands Highway Program Administrator may establish separate review and approval procedures for the Federal Lands Highway Divisions.
FHWA MANAGEMENT CONTROL EVALUATION GUIDELINES
(1) Identification of Processes. The first step in conducting an MCE is to break down into its constituent processes the vulnerable function/program identified by the RA. Sources of this information would be regulations, policy statements, procedures manuals, management interviews, etc.
(2) Documentation of Processes. The next step is to document the processes in order to obtain a thorough understanding of how they operate. This is accomplished by interviewing the personnel involved in the process and observing the activity, and then preparing either a narrative explanation or a flow chart. The documentation should contain sufficient detail to permit in-depth analysis of the existence and adequacy of management controls, as discussed in the next step. It is advisable to review the completed documentation with the persons providing the information, and to track one or two events through the process. Both techniques will ensure that the documentation and the understanding of the process are accurate.
(3) Evaluation of Management Controls Within the Processes
(a) The next step is to evaluate thedocumentation for each process and determine what would be the objectives of any management controls associated with it. A very simple way to do this would be to decide what could go wrong with the process that could lead to waste, loss, unauthorized use, or misappropriation of funds, property, or other assets. The objectives of specific management controls would be to prevent such events from occurring.
(b) After evaluating the management control objectives, determine whether controls to achieve them are actually in place. Each control should be in writing. If it is not, it should be made a part of the process documentation.
(c) Identify whether there are any controls that are excessive, thereby creating inefficiencies and unnecessary costs.
(d) The step described above can be summarized in the following example. In the payroll process, there is the risk of people not working the time for which they are paid.
Thus an appropriate management control objective would be "payments are made only in return for services." Time sheets requiring supervisor approval would provide a sufficient management control.
(4) Testing the Management Controls. The final step in an MCE is the testing of the identified necessary controls to determine whether such controls are functioning as intended. The best way to do this is to select a sample of transactions and to then review the documentation for those transactions (as well as make other observations and inquiries) and determine whether the specified controls are in fact employed. Sampling procedures may be useful for enhancing the effectiveness of this process. Controls not being employed should be noted.
(1) In what areas are controls nonexistent, inadequate, or not functioning as intended?
(2) Are any controls excessive, thereby fostering a lack of economy or creating inefficiencies?
(3) In what ways are executive, legislative, or other management requirements excessive, thereby creating inefficiencies?