U.S. Department of Transportation
Federal Highway Administration
1200 New Jersey Avenue, SE
Washington, DC 20590
202-366-4000


Skip to content U.S. Department of Transportation/Federal Highway AdministrationU.S. Department of Transportation/Federal Highway Administration

Home / Resources / Legislation, Regulations and Guidance / Directives and Memorandum / Orders

FHWA Order 1300.3B

Order
Subject
Management Control Systems
Classification Code Date  
1300.3B August 3, 1992  

FHWA MANAGEMENT CONTROL SYSTEMS

1300.3B
August 3, 1992


Par.

  1. Purpose

  2. Cancellation

  3. Scope

  4. Policy

  5. References

  6. Definitions

  7. Responsibilities

  8. Management Control Evaluation, Improvement, and Reporting Process

  9. Reporting Requirements

  1. PURPOSE. To establish Federal Highway Administration (FHWA) policy on management controls, and to provide guidelines for evaluating, improving, and reporting on management controls.

  2. CANCELLATION. FHWA Order 1300.3A, "FHWA Internal Control Systems," dated July 15, 1985, is canceled.

  3. SCOPE. This Order applies to the program and administrative functions of all FHWA offices. Management control is concerned with operational procedures of a program or function; it does not encompass such matters as development or interpretation of legislation, rulemaking, or other discretionary policy making processes. Only FHWA procedures fall under the purview of this Order. It does not apply to State/local procedures or activities.

  4. POLICY. The FHWA shall maintain an effective system of management controls to provide reasonable assurance that their resources are protected against fraud, waste, abuse, or mismanagement.

  5. REFERENCES

    1. Office of Management and Budget (OMB) Circular No. A-123 (Revised), Internal Control Systems, dated August 4, 1986.

    2. DOT Order 5100.4B, Department of Transportation Management Control Systems, dated April 16, 1991.

    3. DOT H 5100.4B, Management Control Guide, dated July 1991.

    4. Title 31 United States Code (U.S.C.) 11 and 66a, Federal Managers' Financial Integrity Act (FMFIA) of 1982, dated September 8, 1982 (P.L. 97-255).

  6. DEFINITIONS

    1. The following terms are defined as they apply to this Order:

        (1) Abuse - administrative violations of general Federal, as well as departmental, agency, program, or managerial regulations which impair the effective and efficient performance of mission responsibilities. These violations may result in Federal losses or they may result in denial of Federal benefits to participants.

        (2) Component - a major program, administrative activity, organization, or functional subdivision of FHWA. (A component was formerly referred to as an assessable unit.)

        (3) Fraud - the intentional, wrongful obtaining of some unfair or dishonest advantage or benefit with regard to Government programs by Federal employees, or by non-Federal employees because of action or failure to act by Federal employees. This advantage or benefit may include benefits intended by the program but beyond the legal limitations (e.g., multiple recoveries from a single entitlement or grant), or benefits which are not intended by the program (e.g., kickbacks). Fraud embraces theft, embezzlement, false statements, illegal commissions, kickbacks, conspiracies, obtaining contracts through collusive arrangements, and similar actions.

        (4) Management Controls - the organization, methods, and procedures adopted by management to provide reasonable assurance that funds, property, and other assets are properly accounted for and safeguarded against fraud, waste, abuse, or mismanagement; and revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the proper maintenance of accounts and the preparation of reliable financial reports. A management control, formerly referred to as an internal control, pertains to program, administrative, accounting, and financial management areas.

        (5) Management Control Evaluation (MCE) - a documented evaluation of a program or administrative component to determine whether adequate control techniques exist to achieve cost-effective compliance with the FMFIA. There are two types of evaluations.

          (a) Management Control Review (MCR) - a detailed examination of a system of management controls. (A management control review was formerly referred to as an internal control review.)

          (b) Alternative Management Control Review (AMCR) - a process such as Office of Inspector General (OIG) audits, GAO audits, other management reviews conducted in-house or by contractor, Circular A-130 computer security review, and Circular A-127 financial system reviews. (An AMCR was formerly referred to as an alternative internal control review.)

        (6) Management Control Plan (MCP) - an annual listing of the components within an organization, along with the risk ratings and the date of the planned evaluations for each component.

        (7) Mismanagement - managing incompetently or dishonestly, i.e., allowing funds to lapse, or not using funds to gain maximum benefit.

        (8) Organizational Unit - each Associate Administrator, Staff Office Director, Federal Lands Highway Program Administrator, and Regional Office is an organizational unit.

        (9) Risk Assessment (RA) - a documented review by management of a component's degree of susceptibility to fraud, waste, abuse, or mismanagement. (A risk assessment was formerly referred to as a vulnerability assessment.)

        (10) Waste - unnecessary costs incurred as a result of inefficient or ineffective practices, systems, or controls.

    2. The words "fraud," "waste," "abuse," and "mismanagement" as used in this Order are intended to have only the meanings listed here. They are not intended to refer to findings of "fraud," etc., under any other Federal statute or regulation. This Order is not intended to replace or limit any Federal statute or regulation with a similar focus (e.g., 18 W.S.C. 201, 371, 654, etc.; 23 CFR Part 16).

  7. RESPONSIBILITIES

    1. Each Staff Office Director, Associate Administrator, Regional Federal Highway Administrator, and the Federal Lands Highway Program Administrator shall be responsible for initiating, conducting, and approving RAs and MCEs in his/her organization, and for reporting the results and all significant breakdowns in management control to the Associate Administrator for Administration. Each of these officials shall be responsible for creating new and strengthening existing management controls in his/her organization, as necessary, based on the results of the evaluations ofmanagement controls.

    2. The Associate Administrator for Administration shall issue procedures for implementation of OMB Circular No. A-123 and the FMFIA, and submit consolidated reports to the Federal Highway Administrator, as warranted, on the results of the management control evaluation and improvement process.

    3. The Director, Office of Management Systems (HMS), shall issue guidance concerning the evaluation of management controls, monitor the evaluation process, and provide any assistance as requested by other organizational elements. In developing guidance relating to accounting controls, HMS will coordinate closely with the Office of Fiscal Services.

    4. The Office of Management Systems will provide training as requested on the A-123/FMFIA process.

    5. Program and administrative managers shall be responsible for maintaining adequate management controls within their areas of authority, and to the extent practicable, shall consider the adequacy of management control systems when developing their annual performance objectives.

    6. Nothing in this Order is intended in any way to limit managers from carrying out their responsibilities to develop and update management control procedures on any ongoing basis as they deem necessary.

  8. MANAGEMENT CONTROL EVALUATION, IMPROVEMENT, AND REPORTING PROCESS. The approach for evaluating, improving, and reporting on management controls consists of the following:

    1. Organizing the Process. This step includes all the actions required to manage the process including assignment of responsibilities for planning, directing, and controlling the process, and the development of an information system to track the status of evaluations and corrective actions.

    2. Segmentation. After the management control process has been organized, the agency is segmented intoorganizational units (i.e., Division and Regional offices, Washington Headquarters program and staff offices), and then the program and administrative functions in each unit are identified as components.

    3. Risk Assessments. For each program and administrative function identified, an RA is conducted. The RA enables the agency to determine which programs or functions are most susceptible to loss through waste, fraud, abuse, or mismanagement. The RAs are conducted on a triennial cycle. Guidelines for conducting RAs are contained in Attachment 1 to this Order.

    4. Planning Further Activities. For those functions or activities found during the RA process to be subject to significant risk, the next step in the process is to develop plans and schedules for the performance of MCEs or other activities designed to strengthen management control systems (for example, improving monitoring procedures, issuing clarifying instructions, or requesting an audit). Other factors, such as management priorities and resource constraints, are also considered in planning further activities.

    5. Management Control Evaluations. The MCEs are conducted to determine where new controls may have to be created or existing controls strengthened. Other review methodologies already employed within FHWA may also be used as long as they achieve the objectives of a MCE as defined in paragraph 6a(5). The FHWA reviews of State or local grantee operations may be used provided that related FHWA management controls are considered and documented in the review report. Guidelines on review requirements are contained in Attachment 2 to this Order.

    6. Corrective Actions. Recommendations resulting from RAs, MCEs, and other activities should be considered by management on a timely basis and appropriate corrective actions should be taken as promptly as possible.

    7. Reporting. The results of the FHWA management control review process (RAs, MCEs) and the corrective action(s) make up the MCP and are input for the annual certifications to the Federal Highway Administratorstating whether or not the FHWA's systems of management accounting and administrative control comply with requirements of the FMFIA. The MCP is updated twice a year, providing status of ongoing MCEs and planned corrective actions.

  9. REPORTING REQUIREMENTS

    1. In order to comply with FMFIA provisions, each Staff Office Director, Associate Administrator, Regional Federal Highway Administrator, and the Federal Lands Highway Program Administrator must submit annual statements on the effectiveness of his/her management control systems. The annual call for these statements will specify reporting dates appropriate to permit a consolidated report to the Secretary of Transportation by November 1 of each year. The results of RAs will be reported as part of this report.

    2. The Office of Management Systems may request periodic status reports on scheduled management control activities, e.g., MCEs, planned corrective actions.

    3. Copies of management control review reports should be provided to the Office of Management Systems.

Attachments

ATTACHMENT 1

FEDERAL HIGHWAY ADMINISTRATION RISK ASSESSMENT GUIDELINES

  1. Introduction

    1. The first step in the evaluation of agency management controls is the Risk Assessment (RA). The RA is intended to determine the potential for fraud, waste, abuse, and mismanagement in agency activities. By conducting RAs of all agency components (i.e., major program, administrative activity, organization, or functional subdivision of FHWA), those requiring additional, detailed review of controls and safeguards may be identified. Thus, the RA is a management tool which allows an agency to schedule detailed and rigorous management control evaluations (MCE) only where they are needed, rather than across the board.

    2. The RAs are brief evaluations performed by individuals familiar with the activity being assessed. The RAs should focus on the environment within which the controls operate and on the risk inherent in the activity. Although brief, RAs should be thoughtfully conducted since they will be the basis for further action, i.e., MCEs and/or subsequent improvement actions. The RAs of all components are to be completed within a three-year cycle.

  2. Approach. The following procedure should be used when conducting FHWA RAs:

    1. Components. A list of components is developed covering the program and functional activities carried out in each level of the agency (Washington Headquarters, regional, and division offices). Each of these organizations must complete RAs for their assigned components.

    2. Coverage. Some components may involve FHWA monitoring of State activities. What must be assessed are the FHWA procedures which govern the monitoring of Stateactivities. This process does not involve an assessment of State vulnerability to fraud, waste, abuse, and mismanagement.

    3. Conducting RAs

        (1) The RA Process. In 1992, all RAs will be done concurrently throughout FHWA with assigned components. In the regions and divisions, the components will be assigned on a sampling basis. Starting in FY 1993, four options are available to FHWA organizational units for conducting RAs. The flexibility to select an option may provide a manager the opportunity to maximize resources, incorporate the RA process into ongoing management programs, and spread the workload over a three year period. The flexibility may allow managers to tailor the RA process making it less burdensome and more meaningful. These four options are:

          (a) Offices perform RAs once every 3 years using the 1992 modified form and reduced component list. Division offices assess 50% of the components.

          (b) An office conducts RAs of its own management controls at the same time it reviews State or FHWA programs/operations for a given component. Each office assesses less than 100 percent of the components; however adequate coverage of all applicable components must be obtained within the parent organizational unit. At the beginning of the third year, each organizational unit (e.g., region) reviews risk assessment activity to ensure adequate coverage of all components by the end of the third year.

          (c) The RAs for all components are updated each year using the 1992 revised process and forms. The annual update consists of a brief review of the most recent RA form for changes in the general control environment, inherent risk, and safeguards since the last RA.

          (d) Offices conduct RAs on one-third of the RA components each year using the 1992 process and forms. Activity is reported each year as part of annual certification.

        (2) The RA Form. The FHWA RA Form should be used to evaluate each component. The forms will be prepared at Washington Headquarters with the component name, definition, and regulations/guidance. The form consists of three sections addressing the general control environment, inherent risk, and safeguards in place. The completed form will serve as documentation of considerations used to arrive at an overall risk rating (low, medium, or high).

        (3) Distribution of RA Forms. The RA forms with the preprinted information will be forwarded to the appropriate Associate Administrator, Regional Administrator, or Staff Office Director who will make further appropriate distribution (e.g., to the divisions and Washington Headquarters offices). Electronic versions of the forms will also be available on FEBBS. Motor Carrier field offices will be handled by the Associate Administrator for Motor Carriers, and the Federal Lands Highway Divisions will be handled by the Federal Lands Highway Program Administrator.

        (4) Completing the RA Form. Instructions for completing the form are contained in the RA workbook. The workbook provides instructions for each area on the form. Completion of the form will require a combination of researched information (e.g., record of previous audits and reviews) and subjective impressions (e.g., assumed effectiveness of existing controls). The forms should therefore be completed by someone with a good working knowledge of the particular activity or function as performed at that location (e.g., regional offices should assess activities only as they are carried out at the regional office). The person conducting the RA signs and dates the form at the bottom.

        (5) Approval of RAs. The management official who approves the RA should also sign and date the form. In division offices, the approving official should be the Division Administrator or Assistant Division Administrator. In regional offices, the approving official should be the Regional Administrator or Deputy Regional Administrator. In Washington Headquarters, this authority may be delegated to Office Directors. In the case of the Federal Lands Highway Program, the Federal Lands Highway Program Administrator may establish separate review and approval procedures for the Federal Lands Highway Divisions.

    4. Reporting. The RA forms, as well as support documentation, should be maintained by the assessing element (i.e., Washington Headquarters and field organizations) to serve as a record for audits by the Office of Inspector General or the General Accounting Office. These records also provide background support for the annual management controls certification to the Federal Highway Administrator required under Section 2 of the Federal Managers' Financial Integrity Act. All completed RA scores and follow-up actions should be summarized annually in a Management Control Plan. A MCP is a summary of components, RA scores, and plans for management control evaluations. This plan is required to be updated twice a year.

    5. Identifying Nationwide Management Control Evaluations. The Office of Management Systems will distribute the results of FHWA RAs to the Washington Headquarters program offices who will review the risk ratings and recommendations for MCEs within their respective functional areas. For example, the Director of Right-of-Way will review summaries of the various right-of-way RAs prepared at the Washington Headquarters, regional, and division office levels. Based on this review, the scope of required MCEs will be determined. A function identified by the Washington Headquarters and a large number of field offices as requiring an MCE might be most effectively handled as a single, coordinated review effort among the organizational elements involved. On the other hand, after discussions among the affected elements, it maybe determined that MCEs in each element should be conducted separately.

ATTACHMENT 2

FHWA MANAGEMENT CONTROL EVALUATION GUIDELINES

  1. Introduction

    1. The Risk Assessments (RAs) described in Attachment 1 to this Order represent the first step in the evaluation of management controls. The scope of the RAs encompasses virtually all activities performed by FHWA, including external monitoring (e.g., review of procedures for monitoring certification of disadvantaged businesses) as well as internal administration (e.g., imprest fund). Even though many of these activities are externally oriented, only FHWA procedures to protect against waste, fraud, abuse, or mismanagement of FHWA resources are considered management controls for purposes of OMB Circular No. A-123.

    2. The RAs may show that certain functions or programs are at risk for waste, fraud, abuse, or mismanagement. This requires further detailed examination of the management controls associated with the function or program, possibly leading to the improvement of existing safeguards or the establishment of new ones. This detailed examination, or Management Control Evaluation (MCE), represents the second step in the evaluation process. It should determine whether management controls are properly designed to be effective and if they are actually being used. It should also reveal if existing controls are excessive. If the RA of a function or program points to a low level of risk, an MCE need not be conducted.

    3. Individual managers make recommendations for or against MCEs within their areas of responsibility based on the results of the RAs. The results of all field RAs are then reviewed by the Washington Headquarters program offices to determine whether those functionsand/or programs that are deemed to be highly risky by a number of different sources should be candidates for a single, broad-scope MCE that could be coordinated at the Washington Headquarters level. The determination to conduct a national MCE will be made by the appropriate Washington Headquarters office. Field offices may choose whether to participate in the national MCE, or conduct their own.

    4. A schedule for all MCEs will be developed when the RAs are completed. The MCEs will be scheduled and conducted over a 3-year period. However, any component rated high risk must have some followup action within 1 year.

    5. As with the RAs, performance of the MCEs, implementation of improvements, and reporting of results will be the responsibility of the Staff Office Directors, Associate Administrators, Regional Administrators, and the Federal Lands Highway Program Administrator having jurisdiction over the areas being reviewed.

  2. Standards of Management Control. Office of Management and Budget (OMB) Circular A-123 has prescribed certain basic standards to which agency systems of management control must adhere. When MCEs are performed, the controls should be compared against the following standards:

    1. Documentation. Management controls, accountability for resources, and all financial transactions shall be subject to clear and readily available documentation.

    2. Recording of Transactions. The recording of transactions shall be accurate and prompt, with proper classification.

    3. Execution of Transactions. Independent evidence shall be maintained that authorizations are issued only by persons authorized to do so; transactions shall conform with the terms of the authorizations.

    4. Separation of Duties. Such duties as authorizing, approving, recording transactions, issuing or receivingassets, making payments, and reviewing or auditing shall be assigned to separate individuals. Work should be assigned in such a fashion that no one individual controls all phases of an activity or transaction, thereby creating a situation that permits errors or irregularities to go undetected.

    5. Supervision. Qualified supervision shall be provided to ensure that approved procedures are followed. Lines of personal responsibility and accountability shall be clear.

    6. Access of Resources. Only authorized personnel shall have access to resources. This includes both direct physical access (e.g., to imprest fund) and indirect access through the preparation or processing of documents that authorize the use or disposition of resources (e.g., time and attendance forms). Periodic comparison shall be made of the resources with pertinent documents to determine whether the two agree. The frequency of the comparison should be appropriate to the value and vulnerability of the asset.

    7. Competent Personnel. Personnel shall have high standards of integrity and shall accomplish their assigned duties in a competent manner.

    8. Reasonable Assurance. Management control systems shall provide reasonable, but not absolute, assurance that management control objectives will be accomplished. This standard recognizes that the cost of management controls should not exceed the benefits.

  3. Review Procedure

    1. The review and evaluation of management controls can be approached in several ways. The method detailed in paragraph 3c is a simplified version of one recommended by OMB. It is based on techniques used by financial auditors to review and evaluate the management controls associated with financial statements, but has been expanded to encompass the controls necessary for other program and administrative operations. Briefly, this MCE procedure consists of identifying and documenting the processes involved in the function/program underreview, evaluating the controls within the processes, and testing the controls.

    2. In instances where the source of risk is obvious and relatively simple, the desired improvement might be instituted without the need for a full-scale review. Such a "quick fix" could take the form of a delegation of authority, separation of duties between two or more employees, issuance of clarifying instructions, etc. No matter how management controls are evaluated and improved, the approach and results should be fully documented.

    3. There are four steps in the prescribed approach:

        (1) Identification of Processes. The first step in conducting an MCE is to break down into its constituent processes the vulnerable function/program identified by the RA. Sources of this information would be regulations, policy statements, procedures manuals, management interviews, etc.

        (2) Documentation of Processes. The next step is to document the processes in order to obtain a thorough understanding of how they operate. This is accomplished by interviewing the personnel involved in the process and observing the activity, and then preparing either a narrative explanation or a flow chart. The documentation should contain sufficient detail to permit in-depth analysis of the existence and adequacy of management controls, as discussed in the next step. It is advisable to review the completed documentation with the persons providing the information, and to track one or two events through the process. Both techniques will ensure that the documentation and the understanding of the process are accurate.

        (3) Evaluation of Management Controls Within the Processes

          (a) The next step is to evaluate thedocumentation for each process and determine what would be the objectives of any management controls associated with it. A very simple way to do this would be to decide what could go wrong with the process that could lead to waste, loss, unauthorized use, or misappropriation of funds, property, or other assets. The objectives of specific management controls would be to prevent such events from occurring.

          (b) After evaluating the management control objectives, determine whether controls to achieve them are actually in place. Each control should be in writing. If it is not, it should be made a part of the process documentation.

          (c) Identify whether there are any controls that are excessive, thereby creating inefficiencies and unnecessary costs.

          (d) The step described above can be summarized in the following example. In the payroll process, there is the risk of people not working the time for which they are paid.

          Thus an appropriate management control objective would be "payments are made only in return for services." Time sheets requiring supervisor approval would provide a sufficient management control.

        (4) Testing the Management Controls. The final step in an MCE is the testing of the identified necessary controls to determine whether such controls are functioning as intended. The best way to do this is to select a sample of transactions and to then review the documentation for those transactions (as well as make other observations and inquiries) and determine whether the specified controls are in fact employed. Sampling procedures may be useful for enhancing the effectiveness of this process. Controls not being employed should be noted.

  4. Alternative Review Procedures. In order to avoid duplication, the MCE procedure detailed above may be conducted along with any existing review program currently employed by FHWA (e.g., Washington Headquarters Right-of-Way Review Program, other program/process reviews, etc.) as long as it results in adequate documentation and analysis of management controls, management control weaknesses, and appropriate recommendations for improvement. For example, the review of management controls may be part of a larger scheduled review such as a review of right-of-way acquisition. The MCE portion of the review would consider the management controls in FHWA's procedures for monitoring right-of-way acquisition by the States, whereas the rest of the review would look at State compliance with requirements and State procedures. In applying any review methodology, the OMB standards for management control described in paragraph 2 of this attachment should be taken into consideration.

  5. Reporting Results

    1. The results of each MCE or other corrective action should be documented in a written report to the appropriate Staff Office Director, Associate Administrator, or Regional Administrator. These officials should forward a copy to the Director, Office of Management Systems (HMS), who is responsible for monitoring and providing direction to the management control improvement process. The report should contain an identification of weaknesses within the system and recommendations as to how they can be corrected. Recommendations for possible improvements in the economy and efficiency of the management controls should also be made, if appropriate. More specifically, attention should be given to the following:

        (1) In what areas are controls nonexistent, inadequate, or not functioning as intended?

        (2) Are any controls excessive, thereby fostering a lack of economy or creating inefficiencies?

        (3) In what ways are executive, legislative, or other management requirements excessive, thereby creating inefficiencies?

    2. The report should be structured to correspond to the MCE steps detailed in paragraph 3 of this Attachment (i.e., identification and documentation of processes, evaluation of controls within the processes, and results of testing the controls). Following these sections, the report should include recommendations for improvement. In evaluating possible options, consideration should be given to the costs and expected benefits of changes in order that cost-effective controls are achieved. While it is sometimes difficult to determine the exact costs of and benefits to be derived from suggested improvements, it is necessary to at least make an estimate of these amounts so that controls are not put into place that cost more than they save.

    3. Recommendations should be within the authority of the reviewing office to implement. If, however, certain improvements are needed that can only be brought about by higher authority or by some other office (e.g., a Washington Headquarters office that issues policy and procedural direction), the recommendations should be forwarded to the appropriate source for consideration.

    4. If an MCE is conducted as part of an alternative review procedure, the review methodology should be described. Preexisting descriptions, review outlines, etc., are acceptable, but the manner in which management control matters are addressed should be highlighted.

  6. Followup Actions

    1. The testing, implementation, and monitoring of recommended improvements is the final sequence of actions in the management control evaluation process. These actions are the responsibility of the manager having jurisdiction over the program or function that has been reviewed.

    2. The OMB Circular A-123 requires a formal followup system that records and tracks recommended correctiveactions, and monitors whether the corrective actions have been taken. To satisfy the A-123 monitoring requirements, the Department has established the Corrective Actions Tracking System (CATS). The HMS will request semiannual updates from Washington Headquarters and field locations on the status of reported deficiencies, corrective actions, and MCEs. Each FHWA organizational element should establish a continuing record of documented actions taken to correct deficiencies and implement needed improvements, to be used in reporting into the CATS.
Federal Highway Administration | 1200 New Jersey Avenue, SE | Washington, DC 20590 | 202-366-4000