DEPARTMENT OF THE NAVY Navy... · department of the navy. commander navy reserve force . 1915 forrestal drive . norfolk, virginia 23551-4615 . comnavresforinst 5200.8c . n002 . 29

DEPARTMENT OF THE NAVY COMMANDER NAVY RESERVE FORCE

1915 FORRESTAL DRIVE NORFOLK, VIRGINIA 23551-4615

COMNAVRESFORINST 5200.8C N002 29 Apr 2019 COMNAVRESFOR INSTRUCTION 5200.8C From: Commander, Navy Reserve Force Subj: NAVY RESERVE MANAGERS’ INTERNAL CONTROL PROGRAM Ref: (a) DoD Instruction 5010.40 of 30 May 2013 (b) SECNAVINST 5200.35F (c) SECNAV M-5200.35 of June 2008 (d) OPNAVINST 5200.25E (e) OPNAVINST 3500.39C (f) SECNAVINST 5210.16 Encl: (1) Department of Defense Internal Control Reporting Categories (2) COMNAVRESFORCOM Assessable Unit Inventory (3) COMNAVAIRFORES Assessable Unit Inventory (4) COMNAVIFORES Assessable Unit Inventory (5) Managers’ Internal Control Program Risk Assessment (6) Managers’ Internal Control Assessment (7) Managers’ Internal Control Corrective Action (8) Commanding Officer’s Managers’ Internal Control Program Spot Check (9) Managers' Internal Control Program Assessment 1. Purpose. This instruction reflects the requirements of references (a) through (f). It has been provided as a supplement to reference (c), in order to further delineate Navy Reserve Managers’ Internal Control Program (MICP) requirements. This instruction is a complete revision and should be read in its entirety. 2. Cancellation. COMNAVRESFORINST 5200.8B. 3. Background. The Secretary of the Navy (SECNAV) requires compliance with the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255). The FMFIA requires all executive agencies to establish internal accounting and administrative controls which provide reasonable assurance of compliance, safeguards, and accountability. 4. Scope. This instruction applies to Commander, Navy Reserve Force (COMNAVRESFOR), Commander, Navy Reserve Forces Command (COMNAVRESFORCOM), and all Navy Reserve echelon 3 commands. 5. Discussion a. The Department of the Navy (DON) MICP is the Navy’s method for demonstrating and documenting compliance with FMFIA. SECNAV expects all managers to be active participants.

COMNAVRESFORINST 5200.8C 29 Apr 2019

2

During audits and inspections, external agencies (Government Accountability Office, Department of Defense (DoD) Inspector General, Naval Inspector General, and Naval Audit Service) review command compliance with this program. b. The MICP stresses using a variety of existing methods to gauge the effectiveness, efficiency, and economy of work processes. A process is defined as the manner in which resources are employed in generating a product, performing a responsibility, or rendering a service in support of the Navy’s mission. It consists of starting and ending points that are connected by a series of decision points, which include metrics/controls and various work related steps. c. The former Command Evaluation Program has been absorbed into the MICP by Director, Navy Staff action memo of 11 January 2013. The processes and policies of former OPNAVINST 5000.52B and COMNAVRESFORINST 5232.1D are governed by references (b) and (d), and this instruction. d. The MICP encompasses three lines of effort: Internal Control over Operations (ICO), Internal Control over Financial Reporting (ICOFR), and Internal Controls over Financial Systems (ICOFS). The Navy Reserve Forces Command Inspector General (NAVRESFOR IG) will assure all three lines of effort conform to required timelines set by higher authority. The NAVRESFOR IG through the MICP coordinator will compile and submit with approval the yearly Certification Statements for ICO. The COMNAVRESFORCOM N8 Directorate will compile and submit with approval the yearly Certification Statements for ICOFR and ICOFS. 6. Policy. To ensure compliance with references (a) through (d), commands must complete the following: a. Maintain an Assessable Unit Inventory. The command will be segmented into organizational or functional units. The sum of the assessable units must equal the entire organization. The inventory shall include the name of the Assessable Unit, a list of Sub-Assessable Units, the DoD Internal Control Reporting Category associated with the Assessable Unit, and the responsible Stakeholder and Unit Manager identified by name and billet title. The MICP coordinator will maintain the inventory and make necessary changes to personnel as required. b. Maintain a MICP Plan. The MICP plan is an executive summary of a command’s MICP. The plan captures the organization’s approach to implementing an effective internal control program and serves as the first resource MICP coordinators use to understand the organization’s program. MICP plans are described in detail in reference (c). c. Perform Risk Assessments. Reference (e) outlines the DON Operational Risk Assessment process. This process will be used when performing risk assessments for work processes. Reference (c) also provides additional information to consider when performing risk assessments. One-page linear flowcharts or process mapping may assist in preparing risk assessments for major and essential operations or processes. Though each command is afforded the flexibility to produce a format of their own for conducting, producing, tracking assessments,


3

and corrective action, a standardized “MICP Tool,” enclosures (1) to (7) are recommended. Enclosure (8) is provided to allow a commanding officer to spot check the major or essential processes within Assessable Units while enclosure (9) provides a ready format for personnel to conduct periodic “testing” of internal control effectiveness. d. Perform Internal Control Assessments. Ensure major or essential processes are examined for efficiency, effectiveness, and economy. Enclosure (6) is used to document the Internal Control Assessment. Two or three key metrics will be used to measure performance. These key metrics should provide a quick look as to how well a process is progressing in achieving its intended purpose. To be viable, internal controls must be periodically tested. Test results should be reviewed, recorded, and filed to allow for external review or audit of the process and test results. Correctly documented internal control assessments should: (1) Relate each control to a specific risk. Describe the design of the control that will be tested. (2) Identify the control test objective to validate the assumed level of control risk. (3) Describe how the operation of the control was tested. (4) State whether the design of the control is effective, based upon the testing performed. (5) State whether the operation of the control is effective based upon the testing performed. e. Submit MICP Certification Statement. COMNAVRESFOR will submit a force-wide consolidated annual MICP certification statement. The required date of submission will be determined by the immediate superior in command. Further guidance for filling out and submitting the MICP certification statement is contained in reference (c). Echelon 3 commands will submit classified risks via Secret Internet Protocol Router Network (SIPR) to the COMNAVRESFOR MICP coordinator. f. Provide Corrective Actions for Reportable Conditions and Material Weaknesses. Corrective action plans for all material weaknesses and reportable conditions shall be included as an enclosure to the MICP certification statement. Formatting instructions are outlined in reference (c) and the web-based tool. 7. Action a. COMNAVRESFOR will: (1) Assign a MICP coordinator. (2) Ensure the Navy Reserve is trained and in compliance with the DON MICP.


4

(3) Ensure subordinate commands are in compliance with the MICP for the Command Assessment Program. b. All echelon 3 commanders will: (1) Designate a command MICP coordinator in writing.

(2) Provide current MICP coordinator point of contact and phone number to respective ISIC, as directed. (3) Follow the policies and procedures set forth in this instruction. (4) Establish command instruction to define Assessable and Sub-Assessable Units, and assign stakeholders and unit managers. (5) Provide input as directed to the MICP coordinator in support of the annual MICP certification statement. (6) Ensure subordinate commands are in compliance with the MICP for the CAP.

c. MICP coordinators will: (1) Be designated in writing and complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in Navy e-Learning (NeL). (2) Ensure the stakeholders and unit managers complete the “Managers’ Internal Control Program Training,” a web-based MICP training found in NeL. (3) Follow the policies and procedures set forth in this instruction. (4) Develop command instruction to define the Assessable and Sub-Assessable Units. (5) Coordinate managers for each Assessable and Sub-Assessable Units as required. (6) Provide quality assurance for the program for the command. (7) Maintain SIPR access to allow for the submission and/or receipt of classified risks. d. Stakeholders will: (1) Follow the policies and procedures set forth in this instruction. (2) Designate unit managers as required for Assessable and Sub-Assessable Units. (3) Manage the controls created to mitigate risks.


5

(4) Complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in NeL. e. Unit managers will (1) Assess areas of risk for assigned Assessable and Sub-Assessable Units. (2) Develop and implement controls to mitigate known risks. (3) Complete the “Managers’ Internal Control Program training,” a web-based MICP training found in NeL. 8. Records Management. Records created as a result of this instruction, regardless of media or format, must be managed per SECNAV Manual 5210.1 of January 2012. The reporting requirements in paragraphs 6 and 7 are exempt from reports control per reference (f). 9. Review and Effective Date. Per OPNAVINST 5215.17A, COMNAVRESFOR will review this instruction annually on the anniversary of its issuance date to ensure applicability, currency, and consistency with Federal, DoD, SECNAV, and Navy policy and statutory authority using OPNAV 5215/40. This instruction will automatically expire 10 years after effective date unless reissued or canceled prior to the 10-year anniversary date, or an extension has been granted. T. W. LUSCHER By direction Releasability and distribution: This instruction is cleared for public release and is available electronically only via COMNAVRESFOR Web site, https://www.mynrh.navy.mil

https://www.mynrh.navy.mil/


Enclosure (1)

DEPARTMENT OF DEFENSE INTERNAL CONTROL REPORTING CATEGORIES

1. Detailed Department of Defense (DoD) internal controls reporting category descriptions are contained within enclosure (5) of reference (a). The DoD will designate each operational internal control deficiency into one of the following reporting categories: a. Communications.

b. Intelligence.

c. Security.

d. Comptroller and Resource Management.

e. Contract Administration.

f. Force Readiness.

g. Information Technology.

h. Acquisition.

i. Manufacturing, Maintenance and Repair.

j. Other (Primarily Transportation).

k. Personnel and Organizational Management.

l. Procurement.

m. Property Management.

n. Research, Development, Test and Evaluation.

o. Security Assistance.

p. Supply Operations.

q. Support Services.

2. Managers’ Internal Control Program coordinators shall create assessable units tied to the list above. It is not required to use all of the categories above; only use those categories which apply to the efforts conducted by the respective command structure. Assessable units shall also reflect the Command Assessment Guide.


2 Enclosure (1)

3. When reporting financial reporting or financial system internal control material weakness according to evaluations conducted, the DoD and Office of the Secretary of Defense component will classify the end-to-end business processes affected by the control weakness. The following IC categories will be used to classify the material weakness: a. Budget-to-Report. b. Hire-to-Retire. c. Order-to-Cash. d. Procure-to-Pay. e. Acquire-to-Retire. f. Plan-to-Stock.


Enclosure (2)

COMNAVRESFORCOM ASSESSABLE UNIT INVENTORY

# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder

1 Command Master Chief

Command Master Chief Command Assessment Program Force Readiness N00

2 Human Resources HR Programs Assessment Personnel and Organization Management N00CP

Labor/Employee Relations Management/Advice

Personnel and Organization Management N00CP

Awards Personnel and Organization Management N00CP

Mandatory Training Personnel and Organization Management N00CP

Civilian Personnel Performance Personnel and Organization Management N00CP

Equal Employment Opportunity Programs


Drug Free Workplace Programs Personnel and Organization Management N00CP

Request for Personnel Actions Validation


DCPDS/TFMMS Data Integrity Personnel and Organization Management N00CP

Civilian Wage and Classification Personnel and Organization Management N00CP

3 Force Judge Advocate

Ethics/Standards of Conduct Training Support Services N00J

Administrative Separation-Military Support Services N00J

Ethics/Standards of Conduct Advice Support Services N00J

Freedom of Information/Privacy Act Support Services N00J

Courts Martial Support Services N00J

Non-Judicial Punishment Support Services N00J

JAGMAN Investigations Support Services N00J

Article 138, UCMJ Article 1150, Navy Regulations, Complains of Wrongdoing

Support Services N00J

Detachment for Cause Support Services N00J

Federal or U.S. Government Inspector General (IG) Investigations Support Services N00J


2 Enclosure (2)


Federal or U.S. Government fiscal and comptroller law Support Services N00J

General business and commercial law Support Services N00J

Legal Training/Oversight (U.S. Navy Reserve Component/Force) Support Services N00J

4 Inspector General Audit Follow-Up Liaison Other N002 Command Evaluation Program Other N002 Command Inspection Program Other N002 Investigations (i.e., Hotlines) Other N002 IG Command Assessment programs Other N002 Manager's Internal Control Program Other N002

5 Public Affairs Office

Provide PAO Support to Echelon 2, 3, 4 Staffs, Echelon 5 Commands, and SELRES

Support Services N00P

Publish, Distribute "TNR" Support Services N00P

Manage, Coordinate Naval Reserve Force Page on the Navy NewsStand Web site

Support Services N00P

Oversee, Manage Content for All Reserve Force Public Web Sites Support Services N00P

Research and Coordinate Response to External Information Queries Support Services N00P

Assist in Coordinating Local Community Relations Events Support Services N00P

Coordinate Speakers and Speeches for External Community Groups Support Services N00P

6 Safety Safety Policy Development Support Services N00S Safety Training Support Services N00S

Investigation of Employee Reports of Unsafe/Unhealthful Working Conditions

Support Services N00S

Unsafe/Unhealthful Working Conditions Support Services N00S

NAVOSH Inspection Support Services N00S

NAVOSH Self-Assessment (PR&MS) Support Services N00S

Mishap Ivestigation/Reporting (WESS2) and ESAMS Support Services N00S

Record keeping Support Services N00S

OSHA Inspection/Liaison Support Services N00S

Oversight/Guidance/Command support of all Mission-Oriented Support Services N00S


3 Enclosure (2)


NAVOSH Programs at Lower Echelons

7 Command Services Correspondence Support Services N01A

Officer Fitness Reports/Enlisted Evaluations Support Services N01A

Directives Management Support Services N01A

Congressional Inquiries Support Services N01A

Personnel Identifiable Information Manager Support Services N01A

MWR Support Services N00

8 Force Chaplain Chaplain/Religious Program Specialists Assignments Support Services N01G

Fund Management and Execution Support Services N01G

Chaplain/Religious Program Specialists Mobilization Sourcing Support Services N01G

Chaplain/Religious Program Specialists Mobilization Processing Support Services N01G

9 Security Manager Information Security Program (Including Classified Material) Security N01S

Personnel Security Program Security N01S

10 Equal Opportunity Equal Employment Opportunity Programs

Personnel and Organization Management N00EEO

Command Managed EEO-Military Personnel and Organization Management N01E

11 Manpower and Personnel Management (N1)

Shore Manpower and Requirement Determination Program

Personnel and Organization Management N1

Billet Authorizations Personnel and Organization Management N1

Manning Control Personnel and Organization Management N1

Pay/Personnel System Change Management


Officer/Enlisted Incentive Programs Personnel and Organization Management N1

Reserve Pay and Assistance Team (RPAT)


New Accession Training (NAT) Program


Officer/Enlisted Assignments Personnel and Organization Management N1


4 Enclosure (2)


Unit Action/Billet Management Personnel and Organization Management N1

Strategic Sealift Officer Program Personnel and Organization Management N1

MGIB-SR Personnel and Organization Management N1

Post 9-11 Transferability Personnel and Organization Management N1

Fleet Ride Reserve Component Personnel and Organization Management N1

12 Intelligence (N2) Intelligence Intelligence N2

13 Operations (N3) RC Resources and Fund Management Force Readiness N3

Force Travel Force Readiness N3 Force Protection Security N3

Mobilization Sourcing and Readiness Force Readiness N3

Mobilization Advertising Force Readiness N3 Mobilization Cancellation Force Readiness N3

14 Logistics Management (N4) GCPC Program Supply Management N4

GTCC Program Supply Management N4

Supply Management (Including Material Requisitioning, Issue, and Receipt)

Supply Management N4

Duty/Staff Vehicle Management Supply Management N4 Berthing Program Management Supply Management N4 Clothing Program Management Supply Management N4 Subsistence Program Management Supply Management N4 Facilities Management Supply Management N4

Fleet Fuel Card Program Management Supply Management N4

15 Policy and Plans (N5) Policy Board Issues Force Readiness N5

Program Shore Installation Management Requirements Supply Management N5

Execute Reserve Shore Installation Management Supply Management N5

Organizational Change Requests (OCR) Support Services N5

Warrior and Family Support, CIAC, Yellow Ribbon Programs Support Services N5


5 Enclosure (2)


16 Information Technology (N6) Information Security Information Technology N6

Cybersecurity Management Information Technology N6

Key Management Infrastructure (KMI) Program Information Technology N6

Wi-Fi Program Information Technology N6 Information Technology Tracking Information Technology N6

Information Technology Procurement Information Technology N6

Information Technology Support Services Information Technology N6

Information Technology Policy and Procedures Information Technology N6

Information Technology Administration Information Technology N6

Information Technology Change Management Information Technology N6

Information Technology Certification and Accreditation Information Technology N6

17 Training (N7) General Military Training Force Readiness N7

NROWS Orders Processing (ADT Schools) Force Readiness N7

Auxiliary Craft Unit Programs Force Readiness N7 18 SAPR SAPR Support Services N00S 19 Comptroller (N8) Budget Formulation/Justification Procurement N8 Budget Execution Procurement N8 Funds Receipt Distribution (FDR) Procurement N8 Reimbursables Grantor/Performer Procurement N8 Civilian Pay and Time Keeping Procurement N8

20 Force Medical (N9) Medical/Dental Readiness Management Support Services N9

Medical Policy Development Support Services N9 MEDHOLD Support Services N9 Suicide Prevention Support Services N9

Line of Duty Claims/Incapacitation Pay Support Services N9

21 Command DAPA Drug/Alcohol Program-Military Force Readiness N9 Urinalysis Force Readiness N9


Enclosure (3)

COMNAVAIRFORES ASSESSABLE UNIT INVENTORY

Assessable Unit DoD Functional Categories Stakeholder

1 Aviation Safety Support Services N00AS

2 Command Investigation Processing Support Services N00J

3 Ethics Support Services N00J

4 Freedom of Information Act (FOIA) Support Services N00J

5 Military Justice Processing Support Services N00J

6 Personally Identifying Information (PII) Support Services N00J

7 Privacy Act Support Services N00J

8 Officer FITREP/Enlisted EVAL Support Services N01A1

9 Defense Travel Processing Force Readiness N01A1

10 National Guard and Reserve Equipment Appropriation (NGREA) & OMNR/Expense Unfunded Requirements

Procurement

N01A1

11 Government Commercial Purchase Card (GCPC) Supply Management N414D

12 Base, Station, and Installation Physical Security Security N3

13 Data Protection Information Technology N6

14 Managers’ Internal Control Program Support Services CNAP OSO

15 Military Pay Personnel and Organization Management N01A2

16 Protection of controlled Unclassified info Security N3

17 Training Force Readiness N7

18 SAPR Support Services N00S CNRFC


Enclosure (4)

COMNAVIFORES ASSESSABLE UNIT INVENTORY


1 Command Programs

Command Master Chief Command Assessment Program Force Readiness N00C

"Private Mess" Administration Support Services N03 Personal Financial Management Support Services N01SEL

Family Care Program Force Readiness N01SEL

Family Advocacy Program Support Services N01SEL

Urinalysis Program Coordinator (UPC) Support Services N03

Drug and Alcohol Program Advisor (DAPA) Support Services N03

Sexual Assault Prevention and Response (SAPR) Support Services N1H

2 Human Resources HR Programs Assessment Personnel and Organization Management N1

Awards Personnel and Organization Management N1

Mandatory Training Personnel and Organization Management N1

Civilian Personnel Performance Personnel and Organization Management N1

Equal Employment Opportunity Programs


Drug Free Workplace Programs Personnel and Organization Management N1

DCPDS Data Integrity Personnel and Organization Management N1

Civilian Pay and Time Keeping/SLDCADA Procurement N1

3 Force Judge Advocate Legal Matters Support Services N00J

Freedom of Information/Privacy Act Support Services N00J

Detachment for Cause Support Services N00J Congressional Inquiries Support Services N00J

Legal Training/Oversight (U.S. Navy Reserve Component/Force) Support Services N00J

4 Inspector General Audit Follow-Up Liaison Other N01I


2 Enclosure (4)


Command Evaluation Program Other N01I

Command Inspection Program Other N01I Investigations (i.e., Hotlines) Other N01I

IG Command Assessment Programs Other N01I

Manager's Internal Control Program Other N01I

5 Public Affairs Office Public Affairs Program Support Services N01P

6 Safety Safety Program Support Services N4 Safety Training Support Services N4

Investigation of Employee Reports of Unsafe/Unhealthful Working Conditions

Support Services N4

Unsafe/Unhealthful Working Conditions Support Services N4

NAVOSH Inspection Support Services N4

NAVOSH Self-Assessment (PR&MS) Support Services N4

Mishap Ivestigation/Reporting (WESS2) and ESAMS Support Services N4

OSHA Inspection/Liaison Support Services N4

Oversight/Guidance/Command support of all Mission-Oriented NAVOSH Programs at Lower Echelons

Support Services N4

7 Command Services Correspondence Support Services N01C

Officer Fitness Reports/Enlisted Evaluations Support Services N01C

Directives Management Support Services N01C

Person Identifiable Information Manager Support Services N6

MWR Support Services N01C

Military Awards and Recognition Support Services N01C

Command Fitness Program Support Services N01SEL

Victim and Witness Assistance Program (VWAP) Support Services N03

Education Services Officer Support Services N03

Official Mail Control Support Services N01C

Command PASS Coordinator (CPC) Support Services N01C

8 Security Manager Information Security Program (Including Classified Material) Security N01S

Personnel Security Program Security N01S


3 Enclosure (4)


Special Security Administration Security N01S

Operational Security Security N01S Industrial Security Security N01S

Force Protection Security N01S

9 Manpower & Personnel Management (N1)

Pay/Personnel System Change Management


Officer/Enlisted Incentive Programs


Prior Service Reenlistment Eligibility-Reserve


New Accession Training (NAT) Program


Command Managed EEO-Military Personnel and Organization Management N01

Career Development Programs Support Services N1

Mobilization Readiness and Execution Force Readiness N1

Telework Program Personnel and Organization Management N1

Personnel Transaction Personnel and Organization Management N1

Mobilization Sourcing and readiness Force Readiness N1

Mobilization Advertising Force Readiness N1

10 Intelligence Intelligence Intelligence Oversight N01

11 Operations (N3) Operations Planning Force Readiness N3

SharePoint Management and Implementation Support Services N3

Continuity of Operations (COOP) Force Readiness N3

12 Logistics Management (N4) GCPC Program Supply Management N4

GTCC Program Supply Management N4

Supply Management (Including Material Requisitioning, Issue, and Receipt)

Supply Management N4


4 Enclosure (4)


Duty/Staff Vehicle Management Supply Management N4

Fleet Fuel Card Program Management Supply Management N4

13 Information Technology (N6) Information Technology Information Technology N6

Information Security Information Technology N6 Information Technology Tracking Information Technology N6

Cybersecurity Management Information Technology N6

Electronic Key Management Infrastructure (KMI) Program Information Technology N6

Information Technology Certification and Accreditation Information Technology N6

14 Training (N7) General Military Training Force Readiness N7 Specialized Training Force Readiness N7 Schoolhouse Training Programs Force Readiness N7

NROWS Orders Processing (ADT Schools) Force Readiness N7

IWC Programs Force Readiness N7 15 Budget (N8) Budget Formulation/Justification Procurement N8 Budget Execution Procurement N8

Funds Receipt Distribution (FDR) Procurement N8 Reimbursables Grantor/Performer Procurement N8

Reserve Personnel Navy (RPN) Procurement N8 Accounting/Financial Integrity Procurement N8

O&MNR, Navy Reserve Procurement N8

RC Resources and Fund Management Force Readiness N8

Force Travel Force Readiness N8

16 Force Medical Medical/Dental Readiness Management Support Services N1H

Suicide Prevention Coordinator Support Services N1H


Enclosure (5)

MANAGERS’ INTERNAL CONTROL PROGRAM RISK ASSESSMENT TEMPLATES

Sub-Assessable Unit (Assessable Unit) (Identify the unit above for which you are

assessing risk)

Identify risk by asking the following questions

Risk Questions Answers Action Person 1. What could go wrong with this process? 2. What processes require the most judgement? 3. What processes are the most complex? 4. What must happen for this process to work correctly?

5. How could we fail to accurately report the actual status?

6. How do we know whether we are achieving our objectives?

7. Where are the most vulnerable areas?

Identified Risks (Based on answers above articulate your risks) 1. 2. 3.


2 Enclosure (5)

Risk Assessment Definitions Risk Likelihood Description Risk Impact Description 1 - Very Low Risk

A risk that has little to no chance to occur. A risk that has very robust and/or long-standing mitigation and/or management strategies in place.

1 - Very Low Risk

Risks that have little or no impact on the business unit and/or area. Very low risks can hamper the ability of a business unit or area to achieve a goal or objective, usually one of lesser significance. Rarely will they rise to the level where they could actually prevent the business unit or area from achieving a goal or objective. They do not have any discernable impact on the business unit’s ability to achieve its mission. Usually, only a small percentage of risks fall into this category.

2 - Low Risk A risk that is not likely to occur. A risk that has strong mitigation and/or management strategies in place that are functioning as intended.

2 - Low Risk Risks that may have discernable impact on the business unit and/or area. Low risks can hamper the ability of a business unit or area to achieve one or more objectives, usually those of lesser significance. Occasionally they will rise to the level where they could actually prevent the achievement of a business unit’s goals or objectives, but are unlikely to have any impact on the business unit’s ability to achieve its mission. Many risks fall into this rating category.

3 - Medium Risk

A risk that has a chance to occur. Mitigation and/or management strategies are in place but may not be robust enough to prevent the risk from occurring. However, the mitigation/management strategies in place would most likely lessen the chance of occurrence.

3 - Medium Risk

Risks that have the potential to have considerable impact on the business unit and/or area. Medium risks can affect the achievement of one or more goals and objectives, but usually will not rise to the level of preventing an organization from achieving its mission. Significant risks may have substantial internal and/or external repercussions. A large percentage of risks fall into this rating category.


3 Enclosure (5)

Risk Assessment Definitions Risk Likelihood Description Risk Impact Description 4 - High Risk A risk that is more likely to occur than not to

occur; a high degree of certainly that the risk will occur. A risk that has more than a 50% chance of occurring. Effective mitigation and/or management strategies are not in place or are not functioning as intended.

4 - High Risk Risks that are likely to have substantial impact on the agency, the business unit and/or area, in that order. High risks can significantly hamper an organization’s ability to achieve multiple and/or key goals and objectives. They could also rise to the level or preventing or impairing an organization from achieving its mission. Major risks often have serious internal and/or external repercussions. This is often the top rating category in terms of significance for the majority of business units. Usually, only a small percentage of risks fall into this category.

5 - Very High Risk

A risk that is occurring or is certain to occur given the environment or factors involved. Mitigation and/or management strategies are not in place or are not functioning as intended.

5 - Very High Risk

Risks that are likely to have critical impact on the agency and/or the business unit in that order. Very high risks are potentially business ending events, or at the very least could prevent the business unit from accomplishing its mission, not just a single goal or objective. Extreme risks have significant potential for grave consequences on an organization, its people, and/or processes. Very few risks fall in to this rating category, and many business units will not have any such risks.

Identified Risks Risk severity

Likelihood Impact


4 Enclosure (5)

For Every Risk, List a Control Action for (Assessable Unit/ Sub-Assessable Unit) Risk Risk Severity Control Action Monitoring Activity Monitoring

Frequency Likelihood Impact List the risks identified in "Risk Assessment

tab" that are moderate or higher.

What are the steps taken

to control the risk? How is the risk

monitored?

How often is the risk monitored (weekly, monthly, quarterly)?


Enclosure (6)

MANAGERS’ INTERNAL CONTROL PROGRAM CONTROL ASSESSMENT TEMPLATES

Internal Control Test for Assessable/Sub-Assessable Units List control action and have reasonably informed individual test/review your controls.

Risk Control Action Test/Review

Controls Was Control design

effective Residual Risk

Tester Likelihood Impact


Enclosure (7)

MANAGERS’ INTERNAL CONTROL CORRECTIVE ACTION TEMPLATE

Corrective Actions for Sub-Assessable unit (Assessable Unit)

If controls are ineffective, criteria fits, submit Material Weakness or Reportable Condition to CNRF MIC Program Manager

Ineffective Control Threat to Mission,

Resource, or Image? Issue is Command

Wide?

Is It a Material Weakness or a

Reportable Condition

Have you reported to CNRF MIC Program

Manager for Submission


Enclosure (8)

COMMANDING OFFICER’S MANAGERS’ INTERNAL CONTROL PROGRAM SPOT CHECK

Activity/Department: Work Process: Step 1. Identify Risks: Yes No N/A a. Has a flowchart been completed identifying major steps of the work process? Yes No N/A b. Have applicable risks of each step with possible causes for those risks been documented? If no, comment in, “Issues/Comments” section. NOTE: Risk includes: Financial, Human Resource (personnel), Reputation (image), Technology, Strategic, Operational, Resources, and Environmental. Step 2. Assess Risks: Each risk identified in Step 1 will be assigned. a. Risk Assessment Code (RAC) using the “Impact Severity Category” and “Likelihood of occurrence Rating.” The below matrices are a guide for assessing hazards. Yes No N/A b. Has each risk been assigned a RAC? Impact Category Matrix: Likelihood of occurrence:

I (severe impact to mission etc) A (likely to occur immediately) II (serious impact to mission etc) B (probably will occur in time) III (moderate impact to mission etc) C (may occur in time) IV (little to low impact to mission etc) D (unlikely to occur) Risk Assessment Code Risk Impact Likelihood Rating

1=Critical I A B C D 2=Serious II 1 1 2 3 3=Moderate III 1 2 3 4 4=Minor IV 2 3 4 5 5=Negligible 3 4 5 5 Step 3. Risk Decisions: Yes No N/A a. Have risks moderate and higher been prioritized and internal controls selected to reduce process risks? Yes No N/A b. Do selected internal controls provide benefits that outweigh risks?


2 Enclosure (8)

Yes No N/A c. If risk outweighs benefit, does the process warrant reporting to higher authority as a material weakness? Discuss issues in “Issues/Comments” section. Step 4. Internal Control Implementation (more than one type internal control may apply): a. Have “Process Controls” been implemented that reduce risks Yes No N/A by design, software selection, or substitution when technically or economically feasible? b. Have “Administrative Controls” been implemented that reduce risks through specific administrative actions, such as: Yes No N/A (1) Establishing written policies, programs, Instructions and standard operating procedures? Yes No N/A (2) Training personnel to recognize risks and take appropriate measures? Yes No N/A c. Other. Step 5. Supervision: Yes No N/A a. Is there periodic supervisory oversight of internal controls for the work process? Are the controls tested for effectiveness? Yes No N/A b. Are risk assessments and internal control assessments reviewed at least once a year? Yes No N/A c. Are internal controls periodically tested, and are test results reviewed and filed for external review/audit? Yes No N/A d. Is a corrective action plan put in place for controls that no longer reduce risk to an appropriate level? Initial Risk Assessment conducted by: ____________________ Date: __________________ Assessment reviewed by: ______________________________ Date: ________________ Are test results reviewed and filed for external review/audit?


3 Enclosure (8)

Issues/Comments Actions (Include estimated completion dates)


Enclosure (9)

MANAGERS' INTERNAL CONTROL PROGRAM ASSESSMENT

“Do our Controls work?” 1. Assessable Unit/Work Process: 2. Method(s) used? Physical inspection/walk-through. Review documents. Interviewed cognizant managers. Evaluated data. Conducted simulation. 3. Test Results Yes No a. Does the flowchart reflect the process? Yes No b. Is the process producing intended results? Yes No c. Are protections against fraud, waste, abuse and mismanagement practices adequate? Yes No d. Are laws and regulations followed? Yes No e. Is the process effective, efficient, and economical? Yes No f. Has an MICP Risk Assessment been completed? (1) Risk Assessment Code: 1 – Critical 2 – Serious 3 – Moderate 4 – Minor 5 – Negligible Yes No g. Are the internal controls acceptable for reducing risks? Yes No h. Are internal controls reviewed often enough to be effective?


2 Enclosure (9)

Yes No i. Are internal control tests being conducted to validate internal controls and are the results filed for later review/audit? 4. For any “NO” response above, indicate the remedial action planned and expected completion date. Yes No 5. Does this process warrant reporting as a material weakness? 6. Spot check conducted by: ___________________________ Date: __________________

Documents

DEPARTMENT OF THE NAVY Navy... · department of the navy. commander navy reserve force . 1915 forrestal drive . norfolk, virginia 23551-4615 . comnavresforinst 5200.8c . n002 . 29