NASA Procedures and Guidelines

This Document is Obsolete and Is No Longer Used.
Check the NODIS Library to access the current version:
http://nodis3.gsfc.nasa.gov


NPR 9010.3
Effective Date: September 30, 2008
Cancellation Date:
Responsible Office: IA

Financial Management Internal Control


Table of Contents

Preface

P.1 Purpose
P.2 Applicability
P.3 Authority
P.4 Applicable Documents
P.5 Measurement/Verification
P.6 Cancellation

Chapter 1. Financial Management Internal Control Program

1.1 Overview
1.2 Agency Requirements
1.3 Roles and Responsibilities
1.4 Internal Control Requirements
1.5 Financial Management System Controls
1.6 Internal Control Standards
1.7 Control Objectives for Accounting Transactions
1.8 Internal Control Approach

Chapter 2. Internal Control and Quality Assurance Reviews

2.1 Overview
2.2 Agency Requirements
2.3 Internal Control Reviews
2.4 Quality Assurance Reviews

Chapter 3. Risk Assessment of Financial Operations

3.1 Overview
3.2 Agency Requirements
3.3 Roles and Responsibilities
3.4 Risk Assessment of Financial Operations

Chapter 4. Improper Payments and Recovery

4.1 Overview
4.2 Agency Requirements
4.3 IPIA Requirements
4.4 Recovery Auditing Act Requirements

Chapter 5. Audit Liaison and Financial Information Requests

5.1 Overview
5.2 Agency Requirements
5.3 Roles and Responsibilities

Appendix A. Definitions

Appendix B. Description of Authority and Applicable Documents


Preface

P.1 Purpose

This NASA Procedural Requirements (NPR) document provides the financial management requirements for the financial management internal control program.

P.2 Applicability

This NPR is applicable to NASA Headquarters and NASA Centers, including Component Facilities and Technical and Service Support Centers. This language applies to Jet Propulsion Laboratory, a Federally Funded Research and Development Center (FFRDC), other contractors, grant recipients, or parties to agreements only to the extent specified or referenced in the appropriate contracts, grants, or agreements.

P.3 Authority

a. Accounting and Auditing Act of 1950, Public Law 97-258 (31 U.S.C. § 3512)

b. Chief Financial Officers (CFO) Act of 1990, Public Law 101-576

c. Clinger-Cohen Act of 1996, Public Law 104-106 (formerly the Information Technology Management Reform Act)

d. Computer Security Act of 1987, Public Law No. 100-235

e. Federal Financial Management Improvement Act (FFMIA) of 1996, Public Law 104-208, Title VIII

f. Federal Information Security Management Act of 2002 (FISMA), Public Laws 107-296, Title X, & 107-347, Title III

g. Federal Managers' Financial Integrity Act (FMFIA) of 1982, Public Law 97-255 (31 U.S.C. § 3512)

h. Government Performance and Results Act (GPRA) of 1993, Public Law 103-62 (31 U.S.C. 1115-1119; 39 U.S.C. 2801-2805)

i. Improper Payments Information Act of 2002, Public Law 107-300

j. Inspector General (IG) Act of 1978, Public Law 95-452, as amended (IG Act); 5 U.S.C. App.

k. Recovery Auditing Act (National Defense Authorization Act for FY 2002, Section 831), Public Law 107-107 (31 U.S.C. §§ 3561-3567)

l. Single Audit Act of 1984, Public Law 98-502; Single Audit Act Amendments of 1996, Public Law 104-156 (31 U.S.C. § 7501)

m. OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget, Part 4

n. OMB Circular No. A-50, Audit Followup

o. OMB Circular No. A-123, Management's Responsibility for Internal Control

p. OMB Circular No. A-127, Financial Management System

q. OMB Circular No. A-130, Management of Federal Information Resources

r. OMB Circular No. A-136, Financial Reporting Requirements

s. Standards for Internal Control in the Federal Government, Government Accountability Office (GAO) Report GAO/AIMD-00-21.3.1

t. NASA Policy Directive (NPD) 9010.2, "Financial Management"

P.4 Applicable Documents

a. NPD 1200.1, "NASA Internal Control"

b. NPD 1210.2, "NASA Surveys, Audits, and Reviews Policy"

c. NPD 9910.1, "Government Accountability Office/NASA Office of Inspector General Audit Liaison, Resolution, and Followup"

d. NPR 9700.1, "Travel"

P.5 Measurement/Verification

Quality assurance and internal control reviews and analysis of financial and budgetary reports and data submitted through the continuous monitoring program will be used to measure compliance with this NPR.

P.6 Cancellation

None.

/S/
Terry Bowie
NASA Deputy Chief Financial Officer


Chapter 1. Financial Management Internal Control Program

1.1 Overview.

1.1.1 Internal controls are an integral part of NASA's programmatic, institutional, and financial management operations and consist of all the measures taken by the Agency to safeguard resources against fraud, waste, and abuse; ensure accuracy and reliability of financial information; ensure efficient and effective operations; and ensure compliance with Federal laws, regulations, and Agency policy.

1.1.2 Internal controls are used to facilitate reaching objectives and to mitigate risks in an effort to prevent undesired results or to ensure desired outcomes and are every employee's responsibility. However, it is the managers who are held accountable for establishing and maintaining a sound system of internal control within their respective area of responsibility.

1.1.3 This chapter describes the internal control requirements as they apply to financial management. Management shall establish a positive internal control environment; identify risks to achieving the mission and goals; implement control activities to mitigate risks; perform continuous monitoring of control activities; and ensure good communication throughout the organization to sustain an effective internal control environment.

1.2 Agency Requirements.

1.2.1 NASA shall establish, implement, and maintain internal controls for all financial activities.

1.2.2 NASA shall conduct an annual review/assessment of internal controls over financial reporting as prescribed by Office of Management and Budget (OMB) Circular No. A-123, Appendix A, Management's Responsibility for Internal Control: Implementation Guide.

1.2.3 NASA shall report annually to the President, Congress, and OMB on the effectiveness of the Agency's financial management internal controls in compliance with the Federal Managers' Financial Integrity Act of 1982.

1.3 Roles and Responsibilities.

1.3.1 NASA Administrator. Shall serve as the highest authority for reasonable assurance of internal control throughout the Agency in accordance with NPD 1200.1 and NPD 9910.1.

1.3.2 NASA Deputy Administrator. Shall serve as the NASA Audit Followup Official (AFO) in accordance with NPD 1200.1 and NPD 9910.1.

1.3.3 Assistant Administrator, Office of Internal Control and Management Systems (OICMS). Shall serve as the functional owner of the Agency's internal control program in accordance with NPD 1200.1.

1.3.4 Agency CFO/Agency Deputy CFO. Shall implement and maintain a sound system of internal controls over financial operations and reporting.

1.3.5 Director, Quality Assurance Division (QAD), Office of the CFO (OCFO). Shall oversee the management of the financial management internal control program, including:

a. Conducting detailed reviews of NASA's internal controls over financial reporting and improper payments pursuant to OMB Circular No. A-123.

b. Conducting detailed reviews of NASA's accounting systems pursuant to OMB Circular No. A-127.

c. Providing support for the annual statement of assurance as it pertains to financial operations and financial reporting, including whether NASA's financial management systems comply with OMB Circular No. A-127 requirements and reporting plans to correct any non-conformance in the area of financial management.

d. Recommending Agency policy and establishing guidance pertaining to the financial management internal control program.

e. Advising on internal audit and assessment with regard to financial management operations.

1.3.6 Center Directors/Center CFOs/Executive Director, NASA Shared Services Center/Manager, Business Process and Application Support Office, Integrated Enterprise Management Program (IEMP) Competency Center/Officials-in-Charge (OICs) of Headquarters Offices. Shall conduct internal control assessments of financial management activities under their control, as prescribed in this volume; develop and implement corrective action plans for identified deficiencies; and provide quarterly reports on non-material weaknesses and monthly reports on material weaknesses (including actions taken to remedy the deficiencies) to the QAD.

1.3.7 Center CFOs and program managers with fiscal management responsibility. Shall establish, implement, and maintain internal controls for all financial activities under their direction.

1.3.8 All managers and employees with financial responsibilities. Shall ensure that internal controls are embedded throughout their financial management operations and processes and that NASA resources are used efficiently and effectively to achieve intended program results.

1.4 Internal Control Requirements.

1.4.1 Internal Control over Financial Reporting. NASA is required to provide an annual Statement of Assurance for Internal Control over Financial Reporting. This statement is a subset of the overall Statement of Assurance and is based on management's assessment of financial reporting internal control effectiveness. In order to be able to provide this assurance, the Agency CFO shall:

a. Determine scope of significant financial reports and materiality for financial reporting.

b. Document the key processes (i.e., cycles) and controls over financial reporting.

c. Assess the design of internal controls over financial reporting.

d. Test the operational effectiveness of internal controls as of June 30.

e. Integrate internal control throughout the entire agency and through the entire cycle of planning, budgeting, accounting, audit liaison, and reporting.

f. Report annually in the Agency Financial Report on the effectiveness of internal control over financial reporting.

g. Establish processes to ensure prompt and proper resolution of material weaknesses.

1.4.2 NASA Travel Card. The Agency CFO serves as the Agency-wide functional lead for NASA travel cards in accordance with OMB Circular No. A-123, Appendix B; NPR 9700.1; and NPD 1200.1, and shall:

a. Coordinate audits of travel cards by the OIG, the Government Accountability Office (GAO) and other external entities, and OCFO internal control reviews.

b. Review/concur on required reports to OMB on NASA travel card statistics, deficiencies, corrective actions, and improvements.

c. Conduct periodic reviews of the travel card process internal controls to ensure controls are designed appropriately and operate effectively to safeguard against waste, fraud, abuse and mismanagement.

1.4.3 Improper Payment Information Act (IPIA). The Agency CFO shall implement an Agency-wide IPIA and Recovery audit program in accordance with OMB Circular No. A-123, Appendix C, and shall:

a. Conduct risk assessment for all agency programs to determine programs susceptible to significant erroneous payments.

b. Conduct sufficient review of program payments to obtain a statistically valid estimate of the annual improper payments.

c. Implement a plan to reduce erroneous payments to a level above the OMB threshold.

d. Implement a recovery audit program to prevent, detect, and recover overpayments.

e. Report annually in the Agency Financial Report on the results of improper payment activities.

1.5 Financial Management System Controls.

1.5.1 The Joint Financial Management Improvement Program (JFMIP), Framework for Federal Financial Management Systems, defines financial management systems as core financial systems, other financial and mixed systems, shared systems, and departmental executive information, and OMB prescribes policies and standards for developing, operating, evaluating, and reporting on financial management systems in order to produce accurate and timely financial reports. NASA's policy to meet these requirements is provided below.

a. IEMP. NASA's core financial system shall be a module of IEMP. The IEMP Competency Center is responsible for ensuring that NASA's core financial management system and all associated systems provide reliable data in a usable format that enables the Agency to accomplish its mission, improve financial management, and integrate budget and performance. The IEMP Competency Center is responsible for ensuring that adequate internal controls are in place and working effectively to meet all requirements.

b. Financial Information Classification Structure. All IEMP systems shall reflect an Agency-wide financial information classification structure that is consistent with the United States Standard General Ledger (USSGL), provides for tracking of specific program expenditures, and covers financial and financially related information.

c. Integration. All IEMP systems shall be designed and operate in a manner that provides effective and efficient interrelationships among software, hardware, personnel, procedures, controls, and data contained within systems.

d. USSGL Application. All IEMP systems shall apply USSGL requirements at the transaction level and follow the definitions and defined uses of the general ledger accounts as described in the USSGL.

e. Federal Accounting Standards. All IEMP systems shall maintain accounting data to permit reporting in accordance with accounting standards recommended by Federal Accounting Standards Advisory Board (FASAB) and issued by the Director of OMB and/or the Secretary of Treasury.

f. Financial Reporting. All IEMP systems shall meet all of NASA's financial reporting requirements, including NPR 9310.1 and 9311.1 on External Reporting.

g. Budget Reporting. All IEMP systems shall enable the Agency to prepare, execute, and report on the agency's budget in accordance with requirements of OMB Circular No. A-11, Preparation, Submission and Execution of the Budget, Agency policy, and other legal, regulatory, and policy requirements.

h. Functional Requirements. All IEMP systems shall conform to GAO's functional requirements for the design, development, operation, and maintenance of financial management systems. This includes such areas as ensuring that internal system edits are in place to control fund availability and account structure between related transactions.

i. Computer Security Act Requirements. All IEMP systems shall incorporate security controls in accordance with the Computer Security Act of 1987 and OMB Circular No. A-130, Management of Federal Information Resources, for those systems that contain "sensitive information" as defined by the Computer Security Act.

j. Documentation. All IEMP systems shall have clear instructions documented in both hard copy and electronic version in accordance with the requirements contained in Federal Financial Management System requirements.

k. Compliance. All IEMP systems shall be in compliance with applicable laws, regulations, and policies.

l. Training and User Support. The IEMP Competency Center shall provide training and user support for all users of the systems to enable users to fully understand, operate and maintain the relevant financial management systems.

m. Maintenance. All IEMP systems shall have received on-going maintenance to ensure that systems continue to operate in an effective and efficient manner.

n. Access. All IEMP systems shall provide appropriate access to authorized users but shall not permit access to unauthorized users. This shall include appropriate system role assignments to safeguard segregation of duty issues.

o. Requirements Checklist. GAO issued the Checklist for Reviewing Systems under the Federal Financial Management Improvement Act (GAO-04-763G) that should be used to assist appropriate organizations in designing, developing, implementing, operating, maintaining, and reviewing financial management systems.

1.6 Internal Control Standards.

1.6.1 As prescribed by the GAO Standards for Internal Control in the Federal Government, the standards listed below define the minimum level of quality assurance for NASA's financial management internal control program and form the basis of the entity-level self assessment tool.

a. Control Environment. The control environment sets the tone of the organization by influencing the control conscience of its employees. Control environment factors include the integrity, ethical values, and competence of the employee; management's philosophy and operating style; the manner by which management assigns authority and responsibility, and organizes and develops its employees; and the attention and direction provided by NASA management. NASA managers shall establish and maintain an environment throughout the Agency that sets a positive and supportive attitude toward financial management internal controls and conscientious management.

b. Risk Assessment. Risk assessment is the identification, measurement, and analysis of risks or vulnerabilities, internal and external, controllable and uncontrollable, at individual business levels and for NASA as a whole. Risk assessment forms the basis for determining how the financial management risks shall be mitigated, and what type, quality, and quantity of financial management internal controls shall be implemented to reasonably assure that NASA's goals are achieved.

c. Control Activities. Control activities include policies, procedures, and mechanisms in place to help ensure that agency objectives are met. Policies and procedures should be formalized and made available and accessible to employees. When determining whether a particular control should be implemented, agencies should consider the risk and potential consequences of failure as well as the likely benefit and cost (in resources) of establishing the control.

d. Information and Communications. Communication allows employees to identify, capture, and exchange pertinent information in a form and timeframe that enable people to perform their duties. This not only includes information systems reports but it also includes the day-to-day communication among employees, organizations, supervisors, and senior management. Information and communication shall flow up and down the organization and flow across departments and divisions.

e. Monitoring. Continuous monitoring of control activities allows management to ensure that they are effective and adequate. In addition to ongoing monitoring activities, separate evaluations of financial management internal controls are conducted. Together, monitoring and corrective actions produce sufficient evidence that the financial control systems are effective. Monitoring is performed at a higher level than the routine checks built into the day-to-day routine and involves a greater degree of independence from those who perform the work.

1.7 Control Objectives For Accounting Transactions.

1.7.1 The requirements for internal control of accounting transactions are listed below following the internal control objective. The accounting transactions to which these control objectives apply are outlined in NPRs in the 9200 series.

a. Validity. Internal controls shall be implemented to reasonably assure all recorded transactions are valid to prevent erroneous transactions from being introduced into official accounting records.

b. Authorization. Internal controls shall be implemented to reasonably assure appropriate documentation is on hand before any transactions are entered into financial management systems to prevent fraudulent or inaccurate use of resources.

c. Completeness. Internal controls shall be implemented to reasonably assure the prevention of omissions and facilitation of timely postings of all relevant data to the finance and accounting records.

d. Valuation. Internal controls shall be implemented to reasonably assure transactions are valued and posted correctly and data entries (dollar amounts) are entered accurately.

e. Classification. Internal controls shall be implemented to reasonably assure transactions are posted accurately and in accordance with the NASA General Ledger Chart of Accounts maintained in the IEMP system.

1.8 Internal Control Approach.

1.8.1 Financial management internal control shall be consistent with the OMB Circular No. A-123 and the implementation guide issued by the CFO Council. The approach used for documenting, assessing, testing, improving, and reporting on internal controls shall include planning the assessment by organizing the business processes, conducting the assessment to evaluate controls, reporting on the assessment results, and monitoring financial operations on an ongoing basis.


Chapter 2. Internal Control and Quality Assurance Reviews

2.1 Overview.

2.1.1 NASA conducts financial management internal control reviews to assess the design and operation of internal controls. As a result of the reviews, Corrective Action Plans (CAPs) are developed to identify the actions necessary to resolve the finding and are monitored to completion. The internal control review process supports the financial management internal control program in compliance with OMB Circular No. A-123, Management's Responsibility for Internal Control; Federal Managers' Financial Integrity Act of 1982; and the Government Accountability Office's (GAO's) Standards for Internal Control in the Federal Government.

2.1.2 Financial management internal control reviews provide benefits by: (1) identifying and eliminating excess controls that may have accumulated over the years, identifying and correcting control gaps or weaknesses to establish the optimum internal control system; (2) requiring management consideration of risks in relation to the cost of instituting or maintaining management controls and ensuring that operational risks that remain do so based on a considered decision rather than oversight; (3) providing managers with a reasonable degree of confidence that their financial management internal controls are being implemented and carried out as directed; (4) implementing a systematic approach toward ensuring that the financial management internal control program is executed according to legal, regulatory, and policy requirements; and (5) supporting the Agency Chief Financial Officer's (CFO's) annual Statement of Assurance for Internal Control over Financial Reporting.

2.1.3 NASA conducts quality assurance reviews in order to evaluate compliance with generally accepted accounting principles, other Federal requirements, and Agency policy. Special reviews of financial management operations and processes may be conducted as directed by OCFO management.

2.2 Agency Requirements.

2.2.1 NASA shall conduct internal control reviews to assure compliance with the requirements of the Federal Managers' Financial Integrity Act (FMFIA) and OMB Circular No. A-123.

2.2.2 NASA shall conduct quality assurance reviews of financial operations to ensure compliance with financial, legal, regulatory, policy, and control monitoring program requirements and to identify the root cause of process deficiencies, resolve those deficiencies, and promote sound financial management practices.

2.3 Internal Control Reviews.

2.3.1 Annually, the Director, QAD, in coordination with Agency CFO, Center CFOs, OICs, the IEMP Competency Center, and the NSSC, shall select the specific areas for which financial management internal control reviews will be conducted. Selection will be based on prior internal control evaluation information such as risk assessments or areas of concern identified by management or the Office of the Inspector General (OIG). Based on the selected review areas, a review plan will be developed at the beginning of each fiscal year, and the OIG will be notified of the areas to be reviewed. The Director, QAD, shall then oversee the internal control review process throughout the year.

2.4 Quality Assurance Reviews.

2.4.1 Annually, the Director, QAD, in coordination with Agency DCFO, Center CFOs, OICs, the IEMP Competency Center, and the NSSC, shall establish the schedule for quality assurance reviews to be conducted during that year. The Director, QAD, shall then oversee the quality assurance review process throughout the year.


Chapter 3. Risk Assessment of Financial Operations

3.1 Overview.

3.1.1 This systematic analysis identifies a program's or function's susceptibility to failing to achieve its objectives or goals, to producing erroneous reports or data, to allowing unauthorized use of resources, to permitting illegal or unethical acts, and to receiving an adverse or unfavorable financial statement audit opinion.

3.1.2 A risk assessment is conducted in order to identify, measure, and analyze risks, internal and external, controllable and uncontrollable, so that steps toward mitigation may be taken, particularly in those areas identified as having the greatest risk. It is also a useful tool to ensure that proper internal controls are in place to manage identified risks. Risk assessments can provide reasonable assurance that the internal control structure is well designed and operational, timely, updated to meet changing conditions, and that NASA's objectives are being achieved.

3.2 Agency Requirements.

3.2.1 NASA shall conduct annual risk assessments of financial management cycles where the level of risk is unknown. Once a baseline risk level is determined, a formal risk assessment is required every three years. If a process undergoes significant re-design, legislation or requirement changes, or a change in personnel performing the activities, a formal risk assessment must be undertaken prior to the next three-year cycle. At least annually, management shall update/review existing risk assessment documentation.

3.2.2 NASA shall conduct the additional risk assessments required by the Improper Payments Information Act in accordance with Chapter 4 of this NPR.

3.3 Roles and Responsibilities.

3.3.1 Agency Chief Financial Officer (CFO). Shall assure that risk assessments are conducted at least once every three years on all Agency financial management programs.

3.3.2 Director, Quality Assurance Division (QAD), OCFO. Shall oversee the entity-level assessment for all Agency financial management programs, develop an assessment tool to provide to those areas being assessed, and ensure corrective actions are taken as appropriate.

3.3.3 Center CFOs/NASA Shared Services Center/Manager, Business Process and Application Support Office, Integrated Enterprise Management Program (IEMP) Competency Center/Officials-in-Charge (OICs) of Headquarters Offices. Shall conduct risk assessments in accordance with QAD guidance, and submit the completed assessments in the format specified by QAD.

3.3.4 Points of Contact for Areas to Be Assessed. Maintain the completed risk assessment documentation, including supporting information, and monitor and document progress toward resolving recommendations on Corrective Action Plans.

3.4 Risk Assessment of Financial Operations.

3.4.1 Financial managers and program managers with financial management responsibilities shall ensure risk assessments on their financial processes are conducted in accordance with QAD guidance and the authorities and references listed in Section 4.3 and take steps toward mitigation, particularly in those areas identified as having the greatest risk. Documentation of the risk assessments shall be maintained by the Center's Financial Quality Assurance Office and shall be available to QAD upon request.


Chapter 4. Improper Payments and Recovery

4.1 Overview.

4.1.1 An improper payment occurs when Federal funds go to the wrong recipient, the recipient receives an incorrect amount of funds, or the recipient uses the funds in an improper manner. Agency managers are held accountable for strengthening financial management controls to detect and prevent improper payments and ensure that taxpayer dollars are spent wisely and efficiently. The Improper Payments Information Act (IPIA) of 2002 emphasized improper payment requirements and accountability.

4.1.2 The quality assurance program covering improper payments is intended to ensure that assessments and remediation comply with the Improper Payments Information Act (IPIA) of 2002, Office of Management and Budget (OMB) Circular A-123, Appendix C, and Recovery Auditing Act. This Chapter provides policy for the effective measurement and remediation of improper payments.

4.2 Agency Requirements.

4.2.1 NASA shall ensure compliance with the requirements of the IPIA, OMB Circular No. A-123, and the Recovery Auditing Act through an integrated quality assurance program and shall report to the President and Congress, through the Performance and Accountability Report, an estimate of the annual amount of improper payments for all programs and activities, regardless of the annual amount of the estimate.

4.2.2 NASA shall conduct an annual risk assessment of all Agency programs where the level of risk is unknown until the risk level is determined and baseline estimates are established in accordance with IPIA.

4.2.3 NASA shall report Recovery Audit information in the annual Performance and Accountability Report in accordance with OMB Circular No. A-136.

4.3 IPIA Requirements.

4.3.1 Conduct annual risk assessments on all programs and activities where the level of risk is unknown.

4.3.2 Review all programs and activities and estimate the risk of erroneous payments for those which are susceptible to significant erroneous payments, defined as annual erroneous payments in the program exceeding 2.5 percent of program payments and $10 million.

4.3.3 Obtain a statistically valid estimate of the annual amount of improper payments in programs and activities susceptible to significant improper payments. The estimate is a gross total of both over- and underpayments and is based upon statistical random sampling to yield a 90 percent confidence interval of plus or minus 2.5 percentage points around the estimated percentage of erroneous payments.

4.3.4 Implement a plan to reduce erroneous payments. NASA shall identify the reasons programs and activities are at risk of significant erroneous payments and enact a corrective action plan to reduce their occurrence.

4.4 Recovery Auditing Act Requirements.

4.4.1 Carry out a cost-effective program for identifying errors made in paying contractors and recovering amounts erroneously paid to the contractors. Recovery audits may be performed by employees of the agency, by any other department or agency of the United States Government acting on behalf of the executive agency, or by contractors performing recovery audit services under contracts awarded by the executive agency. However, the Inspector General and other agency external auditors are normally precluded from carrying out management's recovery audit program due to independence considerations. NASA may enter into any appropriate type of contract, including a contingency contract, for recovery audit services.

a. All classes of contracts and contract payments should be considered for recovery audits. NASA may exclude classes of contracts and contract payments from recovery audit activities if the agency head determines that recovery audits are inappropriate or are not a cost-effective method for identifying and recovering erroneous payments.

b. Recovery auditing contractors may, with the consent of NASA, communicate with vendors for the purpose of identifying the validity of potential payment errors they have identified. However, the recovery auditing contractor may not maintain a presence on the property of the vendors that are the subject of recovery auditing.

c. The recovery auditing contractor itself may not perform the collection activity, unless it meets the definition of a private collection agency, and NASA has statutory authority to utilize private collection agencies. If private collection agencies are used, they shall follow all applicable laws and regulations governing collection of amounts owed to the Federal Government.

d. All funds collected and all direct expenses incurred as part of the recovery audit program shall be accounted for specifically. The identity of all funds recovered shall be maintained as necessary to facilitate the crediting of recovered funds to the correct appropriations and to identify applicable time limitations associated with the appropriated funds recovered.

e. Funds collected under a recovery audit program less any amounts needed to make payments under the related contract(s) shall be available to reimburse the actual expenses incurred for the administration of the program and to pay contractors for recovery audit services.

f. Except as provided in paragraph g below, any amounts erroneously paid by NASA that are recovered under a recovery audit program that are not used to reimburse expenses or pay recovery audit contractors shall be credited to the appropriations from which the erroneous payments were made, shall be merged with other amounts in those appropriations, and shall be available for the purposes and period for which such appropriations are available, or if no such appropriations remain available, the funds recovered shall be deposited to the Treasury as miscellaneous receipts.

g. Contingency fee contracts shall preclude any payment to the recovery audit contractor until the recoveries are actually collected by the agency.

h. NASA shall submit a Recovery Audit report in accordance with OMB Circular A-136.


Chapter 5. Audit Liaison and Financial Information Requests

5.1 Overview.

5.1.1 The audit liaison function assists and supports management in responding effectively and efficiently to audits, evaluations, assessments, and reviews and facilitates the audit process. At NASA, the financial audit liaison function is also used to respond to other types of financial information requests. This chapter details the roles and responsibilities involved in the financial audit liaison function within the Office of the Chief Financial Officer (OCFO).

5.2 Agency Requirements.

5.2.1 NASA shall have an established audit liaison function for financial management operations. Financial managers and program managers with financial management responsibilities shall perform the audit liaison functions of those functions consistent with Agency-wide policy outlined in NPD 9910.1 and as specified in this NPR, adhering to guidance and deadlines that may be established by the OCFO for each audit or information request.

5.3 Roles and Responsibilities.

5.3.1 The responsibilities for the NASA Administrator, Audit Followup Official (AFO), Office of Internal Controls and Management Systems (OICMS), Officials-in-Charge (OICs) of Headquarters Offices, and Center Directors are outlined in NPD 9910.1.

5.3.2 Director, QAD, OCFO. The Director, QAD, shall serve as the OCFO focal point for all financial management audits, reviews, evaluations, and assessments, and financial information requests submitted by audit organizations, coordinating with all parties to ensure requirements are met in a complete and timely manner.

5.3.3 OCFO Audit Liaison Representative (ALR). The OCFO ALR, as a representative of the Director, QAD, shall provide day-to-day coordination of audit liaison efforts for the financial management community.

5.3.4 NASA Organizations Receiving Requests by Audit Organizations. Any NASA organization receiving inquiries and requests from audit organizations for financial information shall forward them to the QAD.

5.3.5 Center CFOs. Each Center CFO shall assign a Center POC to be the focal point for all financial audits and informational requests and ensure that the Center POC understands and carries out the responsibilities associated with audit liaison. These responsibilities may be held by the Center ALR, and the Center CFO may assign more than one POC if deemed necessary. NASA Shared Services Center (NSSC) is considered a Center in the context of this chapter.

5.3.6 Manager, Business Process and Application Support Office, Integrated Enterprise Management Program (IEMP) Competency Center. The Manager, Business Process and Application Support Office, IEMP Competency Center shall assist the OCFO ALR and other ALRs as requested or approved by QAD and ensure that all financial management audit activities involving the Competency Center are cleared by QAD.


Appendix A. Definitions

A.1 Deficiencies.

a. Control Deficiency. An identified weakness in the design or operation of a control that precludes management or employees, in the normal course of operations, from preventing or detecting misstatements on a timely basis. Control deficiencies are categorized as material and reportable or non-reportable depending upon the severity and potential impact if the control fails.

(1) Design Deficiency. A control deficiency that results when a control necessary to meet the control objectives is missing or an existing control is not properly designed, so that even if the control objective operates as designed, the objective may not be met.

(2) Operation Deficiency. A control deficiency that results when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.

b. Simple Deficiency. A deficiency in the design or operation of a control that is not considered to be a reportable deficiency or a material weakness.

c. Reportable Deficiency (also called Significant Deficiency). A control deficiency, or combination of control deficiencies, that adversely affects NASA's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement in the financial statements, or other significant financial reports, will not be detected or prevented.

d. Material Weakness. A reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.

A.2 Entity-level Assessment. A self-assessment questionnaire based upon the internal control standards completed by selected NASA management and staff on the five standards for internal control: control environment, risk assessment, control activities, information and communications, and monitoring. The questionnaire is intended to assist management in identifying areas of potential internal control weakness for further review.

A.3 Financial Management Cycles. The major business processes of an organization that have been established for internal control review and evaluation purposes and that define the complete process to ensure a common understanding and the work activities involved in accomplishing the function through the process.

A.4 Financial Reporting. An Agency's annual financial statements and other significant internal and external financial reports that could have a material effect on significant spending, budgetary, or other financial decisions of the Agency or that are used to determine compliance with laws and regulations.

A.5 Improper Payment Information Act (IPIA) Review. A review of Agency disbursements for a defined period to determine whether payments are in compliance with rules, regulations, and federal requirements.

A.6 Internal Control (also referred to as management internal control). Policies and procedures instituted by management to provide reasonable assurance of the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

A.7 Internal Control Review. An in-depth examination of an entity's system of internal controls at the transaction or process-level that documents, assesses, and tests the operational effectiveness of internal controls over operations to identify internal control gaps or deficiencies that could adversely impact the ability of the organization to achieve mission or goals.

A.8 Quality Assurance Review. A review conducted to evaluate compliance with financial, legal, regulatory, policy, and control monitoring program requirements, and special reviews directed by OCFO management.

A.9 Recovery Audit. An assessment of payments for a defined period conducted to identify and collect erroneous payments (i.e., duplicate payments or overpayments) as prescribed by OMB Circular No. A-123.

A.10 Reportable Deficiency. A significant deficiency.

A.11 Risk Assessment. The identification, measurement, and analysis of risks or vulnerabilities, internal and external, controllable and uncontrollable, at individual business levels and for NASA as a whole.

A.12 Statement of Assurance. A certification included in the annual Performance and Accountability Report (PAR) that represents the Administrator's informed judgment as to overall adequacy and effectiveness of internal control. The Administrator will provide either an unqualified (an effective and efficient system of internal controls exists) or a qualified (an overall sound system of internal control exists but one or more material weaknesses have been identified) statement of assurance, or a statement of no assurance on the system of internal control.


Appendix B. Description of Authority and Applicable Documents

B.1 Authority

B.1.1 Accounting and Auditing Act of 1950, Public Law 97-258 (31 U.S.C. § 3512). The budget provisions of this Act provide the basis for a better evaluation of Government programs and activities in terms of fund sources, the purposes to which they are to be applied, and the costs involved.

B.1.2 Chief Financial Officers (CFO) Act of 1990, Public Law 101-576. The CFO Act requires agencies to establish and assess internal control related to financial reporting and to audit financial statements, during which auditors report on internal controls and compliance with laws and regulations.

B.1.3 Clinger-Cohen Act of 1996, Public Law 104-106 (formerly the Information Technology Management Reform Act). This Act requires that agencies use a disciplined capital planning and investment control (CPIC) process to maximize the value of and assess and manage the risks of the information technology acquisitions.

B.1.4 Computer Security Act of 1987, Public Law No. 100-235. This Act requires agencies to improve the security and privacy of sensitive information in Federal computer systems by establishing minimally acceptable security practices for such systems, including a requirement for computer security plans and training for system users or owners where the systems house sensitive information.

B.1.5 Federal Financial Management Improvement Act (FFMIA) of 1996, Public Law 104-208, Title VIII. This Act requires agencies to have financial management systems that substantially comply with the Federal financial management system requirements, standards promulgated by the Federal Accounting Standards Advisory Board (FASAB) and the U.S. Standard General Ledger (USSGL) at the transaction level and requires that the systems have controls to support management decisions by providing timely and reliable data.

B.1.6 Federal Information Security Management Act of 2002 (FISMA), Public Laws 107-296, Title X, & 107-347, Title III. This Act establishes requirements regarding electronic Government services and processes, including cost control, and provides details on the resources utilized for information technology security at government agencies.

B.1.7 Federal Managers' Financial Integrity Act (FMFIA) of 1982, Public Law 97-255 (31 U.S.C. § 3512). This Act requires agencies to establish and maintain internal control and serves as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion regarding the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.

B.1.8 Government Performance and Results Act (GPRA) of 1993, Public Law 103-62 (31 U.S.C. 1115-1119; 39 U.S.C. 2801-2805). GPRA requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals to assess program effectiveness and improve program performance.

B.1.9 Improper Payments Information Act of 2002, Public Law 107-300. This Act requires that agencies identify programs and activities that may be susceptible to significant improper payments, an area which shall be considered when assessing the effectiveness of internal control.

B.1.10 Inspector General (IG) Act of 1978, Public Law 95-452, as amended (IG Act); 5 U.S.C. App. This act provides for independent reviews of agency programs and operations and semiannual reports to Congress on significant abuses, deficiencies, and recommended actions identified during the reviews.

B.1.11 Recovery Auditing Act (National Defense Authorization Act for FY 2002, Section 831), Public Law 107-107 (31 U.S.C. §§ 3561-3567). This Act requires agencies that enter into contracts with a total value in excess of $500 million in a single fiscal year to carry out a cost-effective program for identifying errors made in paying contractors and for recovering amounts erroneously paid to the contractors.

B.1.12 Single Audit Act of 1984, Public Law 98-502; Single Audit Act Amendments of 1996, Public Law 104-156 (31 U.S.C. § 7501). This Act promotes sound financial management, including effective internal controls, with respect to Federal awards administered by non-Federal entities; establishes uniform requirements for audits of Federal awards administered by non-Federal entities; promotes the efficient and effective use of audit resources; reduces burdens on State and local governments, Indian tribes, and nonprofit organizations; and ensures that Federal departments and agencies, to the maximum extent practicable, rely upon and use audit work done pursuant to Chapter 75 of Title 31, United States Code (as amended by this Act).

B.1.13 OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget, Part 4. This Circular provides guidance on budget execution and outlines specific requirements for the agency's fund control regulations.

B.1.14 OMB Circular No. A-50, Audit Followup. This Circular provides the policies and procedures for use by executive agencies when considering reports issued by the Inspectors General (IGs), other executive branch audit organizations, the Government Accountability Office (GAO), and non-Federal auditors where follow-up is necessary.

B.1.15 OMB Circular No. A-123, Management's Responsibility for Internal Control. This Circular, its appendices, and the guide for conducting acquisition assessments provide guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control and specifies that internal control should be an integral part of the entire financial cycle, including auditing.

B.1.16 OMB Circular No. A-123, Appendix C, Management's Responsibility for Internal Control: Requirements for Effective Measurement. This Circular appendix requires an annual Statement of Assurance signed by the Administrator on the effectiveness of internal control.

B.1.17 OMB Circular No. A-127, Financial Management System. This Circular sets forth policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.

B.1.18 OMB Circular No. A-130, Management of Federal Information Resources. This Circular establishes policy and provides procedural and analytic guidelines for the management of Federal information resources.

B.1.19 OMB Circular No. A-136, Financial Reporting Requirements. This Circular provides guidance relating to agency and Governmentwide financial reporting.

B.1.20 Standards for Internal Control in the Federal Government, Government Accountability Office (GAO) Report GAO/AIMD-00-21.3.1. These standards define the minimum level of quality acceptable for internal control in the Federal Government and provide the basis against which internal control is to be evaluated.

B.1.21 NPD 9010.2, "Financial Management." This NPD directs that the Agency CFO and Agency Deputy CFO provide financial management policy.

B.2 Applicable Documents

B.2.1 NPD 1200.1, "NASA Internal Control." This NPD establishes NASA's policy regarding the Agency's internal control program and delegates management responsibilities for the development, implementation, and effectiveness of internal controls, as well as the annual assessment of and reporting on the effectiveness.

B.2.2 NPD 9910.1, "Government Accountability Office/NASA Office of Inspector General Audit Liaison, Resolution, and Followup." This NPD provides agency policy concerning the establishment of processes to ensure prompt and proper management decisions and implementation of GAO/IG audit recommendations.

B.2.3 NPD 1210.2, "NASA Surveys, Audits, and Reviews Policy." This NPD establishes the minimum criteria for the conduct of Headquarters-initiated surveys, audits, and reviews (SARs) of NASA activities in such a way that the SARs are value-added and effective in support of the Agency's mission.

B.2.4 NPR 9700.1, "Travel." This NPR sets forth the requirements for travel and travel card management.



DISTRIBUTION:
NODIS

