Govt. Agencies Brace for Compliance Act

By Matt Kelly  |  Posted 2005-10-24

Govt. Agencies Brace for Compliance Act

Finance and IT executives at government agencies across the country are about to get their own dose of some very unpleasant private-sector medicine: the Sarbanes-Oxley Act.

With the start of fiscal 2006 this month, the federal government has adopted drastic new standards for internal controls on finance and operations, much like SarbOx and its requirement that companies document and test all internal controls to ensure accurate financial reporting. Known as Circular No. A-123, the revised measure applies to all federal agencies and governs how they account for spending.

Among the new requirements: annual reports on internal controls and assurances that all of an agencys controls have been documented and tested.

Think of it as SarbOx, gone public.

"Since Sarbanes has been released, theres been lots of debate on whether federal agencies should have the same discipline," said James Deloach, managing director at Protiviti Inc., a compliance and risk consulting company in Houston. "Clearly, this is an effort to do so."

Whether A-123s new provisions will generate as much turmoil for government financial and IT executives as SarbOx did for private industry is unclear. On one hand, the feds have long had some regulation of internal controls (albeit nowhere near as rigorous as SarbOxs and A-123s latest additions). And many have taken diligent notes as private-sector colleagues struggled through their own SarbOx projects in the last two years, consultants and government financial executives say.

On the other hand, compliance will require additional resources that cash-strapped agencies do not have. Many businesses operating in regulated industries expected to find SarbOx compliance a relatively easy next step, too—but few reportedly did. Regardless, the responsibilities of government IT and financial executives have grown considerably.

"Sarbanes wasnt going anywhere, and, eventually, it would find a way to trickle down to us. This is that way," said Felicia Farrar, an auditor with the city of Houston who oversees federal funds for a local HIV-assistance program. "This is going to be the same challenge that its been with public companies."

Forty-five percent of IT executives responding to a recent poll said their companies are unlikely to meet the second Sarbanes-Oxley deadline. Click here to read more.

One crucial question will be how new IT fits into agencies A-123 efforts. Already some software vendors and consultants, such as Paisley Consulting, ACL Services Ltd. and Virsa Systems Inc., are targeting the government as a lucrative new customer. IBM recently unveiled a new version of its Workplace for Business Controls and Reporting software suite specifically for government agencies. IBM has since signed on the National Science Foundation (with a $5.6 billion budget) as a client and said it is in talks with other agencies.

"Theyre just beginning to realize they need help," said Denise Rabun, an associate partner with IBM Business Consulting Services, in Somers, N.Y. Rabun said she sees many agencies manage their documentation in Microsoft Corp.s Excel or, worse, filing cabinets. "Its all over the place," she said. "The hard part is getting your arms around what should be tested."

IT managers can expect to spend considerable time (exactly how much might vary greatly from one agency to the next) working with managers in other departments to identify all those controls and document them in one standard format that is easily understood by outside auditors. That has been the prime challenge for the private sector: not the actual testing of controls and repairing of weaknesses but finding out what controls exist in the first place.

Next page: What comes next?

What Comes Next


At Parson Consulting, a Chicago consultancy that helps large enterprises grapple with SarbOx, Corporate Governance Director Anne Marchetti said she suspects that most government officials have largely ignored SarbOxs challenges since they didnt have to comply with SarbOx. Now, A-123 essentially means that they do. Marchetti said that Parson does not currently have any government agencies as clients, but she expects "there will be some sort of mad scramble" by government agencies in the coming months now that fiscal 2006 is upon the company.

Jim Taylor, deputy chief financial officer of the U.S. Department of Commerce, in Washington, said he does not expect the chaos that some skeptics foresee. He noted that SarbOx caught many businesses unprepared because it was the first law to address internal controls. The public sector, meanwhile, has had regulatory processes and inspectors general poring over government ledgers for decades. (Circular A-123 was adopted in 1982 and has since been amended several times.)

"Weve had a whole history of internal-controls oversight that the private sector has never experienced," Taylor said. "Its a totally different environment."

The Office of Management and Budget, also in Washington, which is ultimately responsible for the nations bookkeeping, has also tried to make the chore easier for its agencies. Since it released the new A-123 standards last December, the OMB has worked with the U.S. Chief Financial Officers Council (representing more than two dozen government departments and agencies; Taylor is a member) to provide better guidance on what controls must be documented and to avoid the improvisation that marked so much of SarbOx compliance last year.

Still, Taylor and his colleagues may face difficult times. Foremost, A-123 compliance will cost money that most agencies struggling with tight budgets cannot spare. Farrar, for example, said she expects to spend 2 to 3 percent of her total funding on compliance. That amount is in step with private-sector costs, but it will also come from cash that Taylor said her organization would have otherwise slotted to help AIDS victims.

Public companies are spending much more than originally anticipated to comply with Section 404 of the Sarbanes-Oxley Act. Click here to read more.

And will compliance projects include new IT tools that have cropped up in the last three years? Its possible, but few compliance experts seem to believe that will happen any time soon. Deloach said that rather than use A-123 as an opportunity to improve operations, most government managers will merely see it as a compliance obligation and stick with only minor improvements in IT environments they already use.

Another crucial issue will be manpower. The expectation is that government agencies will tap outside auditors and consultants for help, as corporate America did last year. But many businesses are already competing for outside help today, and there is a limited number of consultants to go around.

"Were going to have manpower issues. There already are manpower issues," warned Walter Gelnovatch, a former auditor with the Office of the Comptroller of the Currency and now managing partner of Berenfeld, Spritzer, Shechter & Sheer, an accounting firm in Miami. "Theres a real shortage of qualified people, and its a problem."

Taylor said that the project "is going to require prioritization, and, in the current environment [that is, the Bush administrations desire to suppress domestic spending in the face of high budget deficits], its very unlikely there will be new funding for this sort of thing."

Still, despite all the headaches that many government agencies are poised to experience, some auditors believe that the ultimate goal is worthwhile. "Were talking about the accountability of funds when there really had not been good accountability," Farrar said. "Even though Sarbanes has been a headache for a lot of companies, I think its one of the greatest things that ever happened."

Matt Kelly is a freelance writer based in Somerville, Mass. He can be reached at

Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.

Rocket Fuel