In December 2002, President Bush signed into law the E-Government Act (Public Law 107-347). The E-Gov Act directs federal agencies' management of electronic government services and processes. Several initiatives established under the E-Gov Act mandate management of security controls and security and financial reporting.
One initiative, published in OMB Circular A-123, Management's Responsibility for Internal Control, directs federal executive agencies to provide assurance of internal control over their financial reporting as part of their annual Performance and Accountability Report (PAR). In December 2004, Appendix A, Internal Control over Financial Reporting, was added to OMB Circular A-123 and specifically directed 24 agencies (identified in the Chief Financial Officers Act (CFO Act)) to provide a separate annual Statement of Assurance with their PAR, documenting the process and methodology they use in assessing internal controls.
Another initiative, published in OMB Circular A-130, Management of Federal Information Resources, mandates that federal agencies and departments implement the requirements of the Computer Security Act of 1987 and the Federal Information Security Management Act of 2002 (FISMA). A-130 calls for federal agencies to plan for security, ensure appropriate responsibility for security, and periodically review their security controls over information and information systems.
Many federal agencies struggle to schedule enough time and staff, identify roles and allocate sufficient resources to meet the requirements of OMB Circulars A-123 and A-130. To comply with A-123, they must take into account that assessment and monitoring will require independent testing, self-assessment and continual agency-level and process-level monitoring. Estimating the effort and cost of A-123 compliance involves scoping the process and developing a project plan that evaluates the usefulness and application of current policies, identifies control and resource gaps and incorporates applicable strategies for an effective project plan. Meeting the requirements of A-130 poses further challenges, such as maintaining compliance with evolving regulations, ensuring the integrity of system information, and upholding security in the face of new threats.
A-123 compliance includes creating a project plan that is both comprehensive and dynamic. It requires developing compliant processes and methodologies that address the impact of cost; identifying current procedures, gaps and resources; ensuring consistent, complete and accurate system data; and providing staff and resources with the skills and expertise to make decisions, complete activities on time and meet key reporting milestones.
In addition, FISMA requires that federal agencies produce and maintain a complete and accurate inventory of all systems across the agency and report on security status, linking budget allowances to agency scores.
Because developing and maintaining a complete security solution (as A-123 and A-130 require) that supports financial reporting and ongoing audits is demanding, and because of the burdens of regulatory compliance and staffing and budget constraints, the federal government often engages organizations with proven expertise in performance management to develop sound methodologies for assessment, monitoring and maintenance processes across its agencies.