Reduce Compliance Costs and Gain Efficiencies
by Isabelle Dikland, Wendy Morris, and Linda Rookard, MorganFranklin
Compliance is a constant and evolving requirement for both the public and private sectors. In 2011, MorganFranklin conducted a survey during the AGA PDC to learn more about government agencies and their compliance costs, coordination, and implementation efforts. Of the 409 respondents, 70% indicated that they were involved in their agencies' compliance efforts. The results indicate that meeting compliance requirements is an ongoing challenge for federal managers. The private sector is deriving value from streamlining compliance activities, yet the survey results indicate that in the federal space, costs continue to increase in order to meet compliance requirements. In addition, the results indicate a lack of efficiency. The following is a discussion of the survey results, as well as recommendations for reducing costs and increasing efficiencies in existing programs.
In an ideal situation, process owners and stakeholders assess their internal controls, using independent parties to test and validate operating effectiveness. There is a movement within the U.S. government to reduce reliance on contractors and transfer work to federal employees. Our survey indicated that government agencies are already in the position of utilizing federal employees to perform internal control assessments and meet compliance requirements. A majority of respondents (52%) indicated that employees conduct internal control assessment programs, while 32% utilize a mix of employees and contractors to conduct internal control assessment and compliance efforts. Only 12% indicated that contractors conduct the internal control assessment program.
Compliance is an area that lends itself well to performance by employees. In order to successfully transition compliance efforts from contractors to employees, government agencies should develop transition plans that detail the timeline and necessary steps of a changeover. In addition, formal training programs are necessary to complete knowledge transfer. Contractors who perform internal control assessments should be involved in the knowledge transfer, as they will know the nuances of the programs.
Current Internal Control Program Environment
When an internal control program is initially implemented by an agency, the focus is typically on control deficiency identification and remediation. As an agency's internal control program matures, there should be a shift to process improvement, which will lead to a reduction in the cost of compliance. Of those surveyed:
- 29% indicated that their agencies had mature, risk-based programs with balanced focus on compliance and process improvements.
- 25% indicated that their internal controls programs were focused solely on compliance with OMB Circular A-123, particularly Appendix A.
- 22% indicated a mixture of compliance and process improvement.
- 13% indicated that their compliance programs were coordinated agency-wide.
- 2% indicated that their programs was siloed and redundant across the component agencies.
One advantage of a mature program is that an agency has the opportunity to leverage the control methodologies through sharing best practices across the agency. A mature program also addresses root causes rather than symptoms, and evaluates both manual and automated controls simultaneously. This usually occurs with the goals of: (1) automating controls as often as possible; and (2) replacing downstream detective controls with upstream preventive controls in order to more proactively identify and remediate errors and omissions. It also evaluates the value and appropriateness of compensating controls and workarounds that may outlive their usefulness and could be updated or eliminated.
A more mature program incorporates all component agencies into the departmental agency's internal control program to ensure consistency in the control environment, achievement of the entire agency's program missions, and transparency of transactions. Siloed risk assessments can mask controls that are poorly designed or not operating effectively across the organization as a whole, thus depriving the agency of the ability to manage the associated risks.
There is a general expectation that compliance costs will decrease as an internal control program matures. Factors that would contribute to a reduction in compliance costs include but are not limited to: a decline in the number of control deficiencies, efficiency gains in control testing as a result of improvements in the balance of manual and automated controls, and an agency's ability to address root causes of control deficiencies rather than symptoms.
Despite the fact that nearly 30% of respondents indicated they had mature, risk-based programs, 52% reported swelling compliance costs while 33% indicated no change or a constant in their compliance costs. Only 7% indicated that their agencies' compliance costs were decreasing.
It is clear from the survey responses that the expected decrease in compliance costs has not yet been realized. Federal managers should examine all existing compliance programs in their agencies and determine where there is overlap and redundancy among varying compliance assessment programs. By streamlining and combining various programs, the same compliance goal will be reached without duplicating efforts.
Compliance Approach for IPERA
New legislation related to improper payments was signed into law by President Obama in 2010 with the goal of reducing improper payments by $50 billion by 2012. The OMB IPERA guidance gave agencies flexibility in how they choose to implement IPERA. However, survey results indicate that some agencies implemented the IPERA requirements separately from their existing internal control programs, which would not help in reducing costs and gaining efficiencies.
Of the respondents, 43% stated that their agencies had integrated the IPERA requirements into existing A-123 programs. Another 14% indicated that their agencies had established separate task forces to perform the IPERA assessment, 22% stated that they were not required to comply with IPERA, and 22% did not answer the question.
In essence, IPERA compliance requirements and internal controls are a subset of A-123 compliance requirements and internal controls. However, the 14% of respondents who had established separate and new tasks to implement the new IPERA legislation are incurring additional burden and costs. Coordination with existing assessments could lower costs and gain efficiencies. Several of the previous recommendations also apply to IPERA. For example, implementing more preventive controls would strengthen an agency's' ability to prevent improper payments. Also, addressing the root causes for improper payments rather than correcting the symptoms that indicate they exist would correct the underlying issues and control deficiencies that result in improper payments. As with existing A-123 programs, agencies have made progress in implementing the IPERA process, but there is still room for improvement. IPERA will be an ongoing issue for the government in the coming years. In order to meet requirements for transparency while facing budget cuts, it makes sense to combine the IPERA process into an agency's overall internal controls program.
Implement business process improvements
Agencies should re-evaluate existing controls to: (1) determine whether agency-wide duplicative controls can be eliminated; (2) identify opportunities to implement preventive controls earlier in the business process and eliminate downstream detective controls; and (3) where possible, automate controls and eliminate manual controls.
Agencies should merge internal control processes into day-to-day operations.
Conduct root cause analysis
As internal control programs mature, agencies should focus on root cause analysis, the elimination of siloed risk assessments, and consistency of controls across all component agencies.
Merge new compliance requirements into existing programs
Agencies should combine the IPERA process with existing compliance/business process improvement efforts.
Complete knowledge transfer
In preparation for employees assuming responsibility for performing assessments of internal controls, agencies should establish training programs to ensure the appropriate transfer of knowledge from contractors to federal employees.
Who is MorganFranklin?
MorganFranklin is an execution-oriented business consulting and technology solutions company. We deliver financial management, performance improvement, and national security solutions to industry and government clients. Our professionals work hard to help clients achieve peak performance and mission success.