Transmittal Notice
- Explanation of Material Transmitted: This chapter outlines NIH management officials’ responsibilities for supporting and contributing to the annual Statement of Assurance and reporting processes related to the Federal Managers’ Financial Integrity Act of 1982 (FMFIA or Integrity Act) conducted at the National Institutes of Health (NIH). This revision incorporates changes required by the Office of Management and Budget’s 2018 revisions to Appendix A of its Circular A-123, Management of Reporting and Data Integrity Risk.
Please refer to NIH Manual 1750 to review NIH’s responsibilities related to the agency’s risk management program.
- Filing Instructions:
Remove: NIH Manual Chapter 1755, dated 2/10/2016.
Insert: NIH Manual Chapter 1755, dated 09/20/2019.
PLEASE NOTE:
- Contact the Issuing Office, listed above, for questions regarding this chapter.
- For information regarding the NIH Policy Manual, go to https://oma.od.nih.gov/DMS/Pages/Manual-Chapters.aspx
A. Purpose
This chapter outlines NIH Management Officials’ responsibilities for supporting and contributing to the annual Statement of Assurance and reporting processes conducted at the NIH relating to the Integrity Act. In accordance with the Integrity Act and the Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, NIH management officials are responsible for establishing and maintaining effective internal controls and management systems to support the Statement of Assurance.
B. Scope
The policy in this chapter applies to Management Officials within all NIH Institutes and Centers (IC), Office of the Director (OD) Offices, and all NIH staff.
C. Authority
- P.L. 97-255 Federal Managers’ Financial Integrity Act of 1982
- P.L. 104-208 Federal Financial Management Improvement Act of 1996 (31 U.S.C. 3512 note) (FFMIA)
- P.L. 107-300 Improper Payments Information Act (IPIA) of 2002, as amended by Improper Payments Elimination and Recovery Act (IPERA) of 2010 and the Improper Payments Elimination and Recovery Improvement Act (IPERIA) of 2012
- P.L. 109-282 Federal Funding Accountability and Transparency Act (FFATA) of 2006, as amended
- P.L. 113-283 Federal Information Security Modernization Act (FISMA) of 2014
- P.L. 113-101 Digital Accountability and Transparency Act (DATA Act) of 2014, as amended
- P.L. 101-576 Chief Financial Officers Act of 1990 (CFO Act), as amended
D. References
- OMB Circular No. A-123: Management’s Responsibility for Enterprise Risk Management and Internal Control, Revised July 2016, including all appendices:
  - Appendix A, Management of Reporting and Data Integrity Risk; revised August 2018
  - Appendix B, A Risk Management Framework for Government Charge Card Programs; revised August 2019
  - Appendix C, Requirements for Payment Integrity Improvement; revised June 2018
  - Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996; revised September 2013
- U.S. Government Accountability Office (GAO), Government Operations: Standards for Internal Control in the Federal Government (GAO-14-704G), September 2014
- NIH Manual 1750, NIH Risk Management Program
E. Definitions
Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A design deficiency exists when a control necessary to meet the control objective is missing or an existing control is not properly designed, so that even if the control operates as designed the control objective is not always met.
An operation deficiency exists when a properly designed control does not operate as designed or when the person performing the control is not qualified or properly skilled to perform the control effectively.
Corrective Action Plan: A recorded plan of action to correct or improve processes to eliminate or mitigate a weakness. A properly documented Corrective Action Plan (CAP) will typically consist of revising or enhancing an already existing internal control or implementing a new internal control. An effective CAP includes:
- Planned actions and strategies to address the root cause(s) of a deficiency, not the symptoms of a deficiency;
- Resources required for remediation; and
- Attainable, realistic, and measurable progress milestones with specific dates and remediation actions that allow stakeholders to effectively implement, monitor, and oversee the remediation process to ensure accountability over results.
Material Weakness: A deficiency or a combination of deficiencies such that there is a reasonable possibility¹ that a material misstatement of the entity’s annual or interim financial statements will not be prevented or detected on a timely basis.
Significant Deficiency: A deficiency, or combination of deficiencies, that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
System Non-compliance: Instances in which financial management systems do not substantially comply with financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.
¹ A “reasonable possibility” exists when the likelihood of the event is “reasonably possible” or “probable” as those terms are used in Statement of Auditing Standards (SAS) No. 115 (AU 325), Communicating Internal Control Related Matters Identified in an Audit.
F. Background
In 1982, Congress enacted FMFIA to require ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control of each executive agency. FMFIA also requires executive agency heads to submit an annual statement of assurance.
OMB published Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, to enumerate the expectations of agencies with respect to these evaluations. Circular A-123 requires each agency to establish and maintain internal control systems to achieve the objectives of (1) effective and efficient operations (FMFIA Sections 2 and 4), (2) reliable reporting (Circular A-123, Appendix A, and FMFIA Section 2), and (3) compliance with applicable laws and regulations (FMFIA Sections 2 and 4). The safeguarding of assets is a subset of all these objectives. A system of internal control should be designed to provide reasonable assurance that the unauthorized acquisition, use, or disposition of assets will be prevented or detected timely. The expansion from Internal Control Over Financial Reporting (ICOFR) to include Internal Control Over Reporting (ICOR) was already accomplished through the 2016 update to OMB Circular No. A-123, which introduced Enterprise Risk Management. Agencies must manage risk to reporting objectives. Management has discretion to determine how and when to assess, test, document and correct deficiencies in order to provide reasonable assurances over ICOR objectives.
OMB Circular A-123 requires NIH to evaluate its internal controls and financial management systems annually. As such, Institute and Center (IC) and Office of the Director (OD) offices shall provide annual assurance to the NIH Director on the state of their internal controls.
G. Policy
The NIH is required to:
- Provide management's assessment of the ability of its internal controls to support effective and efficient programmatic and administrative operations, reliable reporting, and compliance with applicable laws and regulations (FMFIA Section 2), and whether financial management systems conform to financial system requirements (FMFIA Section 4);
- Provide a separate assessment of the effectiveness of internal control over reporting (ICOR) as a subset (i.e., a separate paragraph within the Statement of Assurance) of the overall FMFIA assurance statement; and
- Include a summary of material weaknesses (FMFIA Section 2) and system non-conformances (FMFIA Section 4), as well as a summary of corrective actions to resolve the material weaknesses and non-conformances.
H. Roles and Responsibilities
- Director, NIH, shall:
  - Annually certify and sign the Final NIH Integrity Act Statement of Assurance.
- Deputy Director for Management (DDM) and NIH Chief Financial Officer (CFO) shall:
  - Determine, with input from accountable senior management officials set forth in this policy, whether NIH has material weaknesses or any system non-conformance.
  - Ensure that NIH officials act to remediate control deficiencies or document the risk acceptance of the deficiency.
  - Annually certify and sign the Preliminary NIH Integrity Act Statement of Assurance and Systems Compliance Certification.
  - Report to the HHS Risk Management and Financial Oversight Board (RMFOB), as requested.
- Director, Office of Management Assessment (OMA), within the Office of Management (OM), shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Lead and coordinate processes supporting NIH’s annual FMFIA Statement of Assurance.
  - Serve as the NIH Internal Control Officer, to fulfill the responsibilities outlined in the HHS Integrity Act Guidelines.
  - Serve as the single point of contact to receive and transmit HHS Integrity Act-related communications to and from HHS and NIH officials.
  - Submit required deliverables to the HHS Integrity Act Technical Team.
  - Track the progress of corrective action plan (CAP) Executive Sponsors who resolve material weaknesses, significant deficiencies, and control deficiencies.
  - Organize Integrity Act agency records provided by Program areas.
  - Develop and maintain Integrity Act training as needed for multiple key positions across the agency.
  - Coordinate agency comments on Integrity Act-related guidance issued by outside organizations, including HHS and OMB.
- Director, Office of Financial Management (OFM), and Deputy CFO, within the Office of Management, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act and FFMIA System Compliance Checklists for line items related to Financial Management.
  - Provide the DDM a recommendation as to whether the NIH should report a modified or unmodified statement of assurance.
  - Conduct A-123, Appendix A, Internal Control over Reporting assessments utilizing a risk-based approach.
  - Report any potential material weakness, system non-conformance, and significant deficiency to DDM and OMA.
  - Provide process owners with information describing the deficiencies noted and recommend the type of evidence or improvement needed for remediation of the weakness.
  - Update the CAP status.
  - Perform follow-up testing to close out findings related to ICOR deficiencies.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to OFM.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OFM.
  - Conduct training on the topic of financial reporting.
  - Provide status updates to the DDM whenever OFM is involved in preparing information requested by HHS (e.g. the RMFOB). Debrief OMA on the results of the RMFOB meeting, including ICOR findings and outcomes.
  - Serve as liaison, or designate staff to serve as liaison, to respond to OMA’s requests for Integrity Act-related information and submit deliverables to OMA by the established due dates.
- Director, Office of the Chief Information Officer (OCIO), within the Office of the NIH Director (OD), shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act and FFMIA System Compliance documentation and other required deliverables for line items related to Information Technology (IT).
  - Conduct A-123, Appendix A, IT internal control and management system assessments utilizing a risk-based approach.
  - Report any potential material weakness, system non-conformance, and significant deficiency to DDM and OMA.
  - Provide process owners with information describing the deficiencies noted and recommend the type of evidence or improvement needed for remediation of the weakness.
  - Update the CAP status.
  - Perform follow-up testing to close out findings related to IT deficiencies.
  - Serve as the Executive Sponsor for weaknesses assigned to IT.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OCIO.
  - Provide status updates to the DDM whenever OCIO is involved in preparing information requested by HHS (e.g. the RMFOB). Debrief OMA on the results of the RMFOB meeting, including IT findings and outcomes.
  - Serve as liaison, or designate staff to serve as liaison, to respond to OMA’s requests for Integrity Act-related information and submit deliverables to OMA by the established due dates.
- Director, Office of Budget (OB), within the Office of Management, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act and FFMIA System Compliance Checklists for line items related to Budget.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to OB.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OB.
  - Conduct training on the topic of the Anti-Deficiency Act.
  - Serve as liaison, or designate staff to serve as liaison, to respond to OMA’s requests for Integrity Act-related information and submit deliverables to OMA by the established due dates.
- Director, Office of Acquisition Logistics and Management (OALM), within the Office of Management, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act Checklist and other required deliverables related to Acquisitions.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to OALM.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OALM.
  - Serve as liaison, or designate staff to serve as liaison, to respond to Integrity Act-related requests for information from OMA and submit deliverables to OMA by the established due dates.
- Deputy Director, Office of Extramural Research (OER), within the Office of the NIH Director, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act and FFMIA System Compliance Checklists for line items related to the Extramural Program. Provide information to OCIO relating to weaknesses for systems owned and managed by OER.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to OER.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OER.
  - Serve as liaison, or designate staff to serve as liaison, to respond to Integrity Act-related requests for information from OMA and submit deliverables to OMA by the established due dates.
- Deputy Director, Office of Intramural Research (OIR), within the Office of the NIH Director, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act Checklist for line items related to the Intramural Program and submit to OMA by the established deadlines.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to OIR.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to OIR.
  - Serve as liaison, or designate staff to serve as liaison, to respond to Integrity Act-related requests for information from OMA and submit deliverables to OMA by the established due dates.
- Director, NIH Business System (NBS) Office, within the Office of Management, shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Complete and sign the HHS Integrity Act and FFMIA System Compliance Checklists for line items related to the NBS system controls. Provide information to OCIO relating to NBS weaknesses.
  - Serve as the Executive Sponsor for A-123, Appendix A weaknesses assigned to NBS.
  - Ensure process owners are held accountable for developing and executing corrective actions to resolve deficiencies and material weaknesses.
  - Consistently manage milestones and progress updates until weakness remediation concludes.
  - Report status updates to the DDM on corrective actions assigned to NBS.
  - Serve as liaison, or designate staff to serve as liaison, to respond to Integrity Act-related requests for information from OMA and submit deliverables to OMA by the established due dates.
- IC Directors shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Certify, sign, and provide to OMA the annual IC Statement of Assurance and supporting information by the established due date.
  - Emphasize the importance of the Integrity Act processes to staff, including holding staff accountable and ensuring support of the Integrity Act.
  - Ensure staff members participate in and are responsive to due dates for NIH-wide internal control assessments conducted by internal and external review officials, such as, but not limited to, the OCIO/OFM A-123 team, or external auditors from the U.S. Government Accountability Office (GAO) or the HHS Office of the Inspector General (OIG).
- IC Executive Officers shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Prepare and submit the annual IC Statement of Assurance signed by the IC Director and supporting information to OMA by the due date.
  - Maintain documentation to support the annual IC Statement of Assurance.
  - Conduct internal control reviews within their organization to ensure internal controls are designed and operating effectively and efficiently.
- NIH Managers (at all levels) shall:
  - Ensure that reasonable and adequate controls are in place to protect NIH resources from fraud, waste, abuse, unauthorized use and mismanagement in compliance with the Integrity Act and OMB Circular A-123 requirements.
  - Continuously monitor and improve the effectiveness and efficiency of internal controls associated with their programs and operations. Leverage continuous monitoring, along with results from other periodic assessments, to provide the basis for the NIH-level annual assessment and reporting on internal controls.
  - Ensure that programs are managed with integrity and in compliance with applicable laws and regulations.
- All employees are responsible for executing processes and controls in compliance with laws, regulations, and policies.