Lawmakers, analysts weigh new audit requirements for agencies
Sarbanes-Oxley standards for private companies would add a another layer for federal agencies, in response to corporate accounting scandals.
Federal agencies would benefit from following the financial reporting requirements that private sector companies must meet under the Sarbanes-Oxley Act, passed in 2002 in response to corporate accounting scandals, tax firm analysts said in a recent report.
To fully adhere to the Sarbanes-Oxley standards, agencies would need to receive an additional layer of annual audit opinions, assessing the adequacy of internal controls, the analysts at the accounting company KPMG LLP noted in the report. Internal controls are systems of checks and balances designed to prevent errors in financial transactions and reduce the risk of fraud.
For instance, agencies try to place separate employees in charge of authorizing transactions, processing and recording them and reviewing them. "No one individual should control all key aspects of a transaction or event," the Government Accountability Office stated in 1999 guidelines for establishing internal controls.
Federal agencies currently need not gain a formal audit opinion on internal controls, though the 23 agencies covered by the Chief Financial Officers Act are required by the Federal Managers Financial Integrity Act to "annually evaluate and report on the agency's systems of internal accounting and administrative control."
Agencies would further benefit from obtaining an audit opinion on internal controls, though the process could prove difficult for some, said John Hummel, a partner and national industry director at the federal practice of KPMG, and one of the report's authors. Such audits could "strengthen the confidence of the American taxpayers in the government, improve the effective use of federal resources, and provide more accountability."
"There's no question that if Sarbanes-Oxley were simply applied at this very moment to federal agencies, that would have a big impact, and that would be a very costly endeavor," Hummel said. Most agencies are not in compliance with FMFIA, he explained.
Before attempting an internal controls audit, agencies should get to a point where they're closer to meeting the FMFIA standards, Hummel said. Troubled agencies should first "do some internal corrective measures" he recommended.
"I think the benefits do outweigh the costs at many federal agencies, particularly those agencies that have good strong internal controls right now," Hummel said. "The question begs to be answered how the federal government can demand this type of reporting of commercial organizations, but not live up to it on its own."
Congress is considering legislation that would require the Homeland Security Department to obtain audit opinions on internal controls starting in fiscal 2006. The version passed by the House last week (H.R. 4259) also asks the CFO Council and the President's Council on Integrity and Efficiency to jointly analyze the feasibility of extending this requirement to other agencies. The Senate passed a bill (S. 1567) with similar financial management provisions in November 2003.
Homeland Security Department officials have previously expressed concern over the internal controls audit requirement, noting that compliance could prove costly, and that no other federal agencies are held to the standard.
Internal controls audits could "certainly have benefits," said Valerie Smith, a Homeland Security department spokeswoman, on Monday. Such an audit could result in "learning about more things that the department should do" to clean up financial management, she said.
But at the same time, it shouldn't be viewed as a "silver bullet," she said, adding that the federal government already has "a number of controls in place that the private sector doesn't have." For instance, congressional oversight committees and GAO keep a close watch on federal agencies, she said.
Homeland Security has taken steps to address internal weaknesses as resources permit, Smith said. The addition of an internal controls audit would initially add about $4 million per year to the department's audit expenses, according to a Congressional Budget Office estimate.
The costs would likely decrease over time as internal controls improved, said Michael Hettinger, staff director for the House Government Reform Subcommittee on Efficiency and Financial Management. The subcommittee decided to impose the requirement on Homeland Security first since the department is young and has inherited a number of internal weaknesses that should be addressed, he said.
Despite possible challenges, the subcommittee is confident that Homeland Security would benefit from the tighter standards, Hettinger said. The requirements would enhance accountability for financial transactions and help detect fraud and waste.
Problems the Pentagon has recently encountered in distributing pay to reservists, for example, could have been avoided had the department established proper internal controls, Hettinger said. Such issues could be detected in an internal control audit, he explained.
Legislation requiring the Homeland Security Department internal control audit has "strong" bipartisan support, Hettinger said. The House committee is working out a strategy to advance the legislation when Congress returns from its August recess.
Subcommittee members are interested in eventually extending the requirement to other federal agencies, but want to make sure the new standards would not impose too much of a financial hardship, especially on smaller agencies, Hettinger said. "That's part of why you need to go through and study [the feasibility of broadening the requirement] first," he explained.
In anticipation of the House bill becoming law, the CFO Council has already started a cost-benefit analysis of the internal controls audit requirement, said Linda Springer, controller of the Office of Management and Budget's Office of Federal Financial Management. "It is important to note that . . . reporting and assessment requirements exist today," she said. "The question we need to answer is whether the costs associated with expanded requirements provide justifiable benefits to the American citizen."
Requiring a full audit of internal controls is "clearly . . . not an inexpensive proposition," Springer said. "Thus, a question that must be addressed is whether taxpayers are best served by spending tens of millions of their dollars for such a requirement."
Springer said the administration is pleased that in the most recent version of the legislation, lawmakers extended the deadline for the Homeland Security Department's first internal audit opinion a year to fiscal 2006.