Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
DEPARTMENT OF THE NAVY COMMANDER NAVY RESERVE FORCE
1915 FORRESTAL DRIVE NORFOLK, VIRGINIA 23551-4615
COMNAVRESFORINST 5200.8C N002 29 Apr 2019 COMNAVRESFOR INSTRUCTION 5200.8C From: Commander, Navy Reserve Force Subj: NAVY RESERVE MANAGERS’ INTERNAL CONTROL PROGRAM Ref: (a) DoD Instruction 5010.40 of 30 May 2013 (b) SECNAVINST 5200.35F (c) SECNAV M-5200.35 of June 2008 (d) OPNAVINST 5200.25E (e) OPNAVINST 3500.39C (f) SECNAVINST 5210.16 Encl: (1) Department of Defense Internal Control Reporting Categories (2) COMNAVRESFORCOM Assessable Unit Inventory (3) COMNAVAIRFORES Assessable Unit Inventory (4) COMNAVIFORES Assessable Unit Inventory (5) Managers’ Internal Control Program Risk Assessment (6) Managers’ Internal Control Assessment (7) Managers’ Internal Control Corrective Action (8) Commanding Officer’s Managers’ Internal Control Program Spot Check (9) Managers' Internal Control Program Assessment 1. Purpose. This instruction reflects the requirements of references (a) through (f). It has been provided as a supplement to reference (c), in order to further delineate Navy Reserve Managers’ Internal Control Program (MICP) requirements. This instruction is a complete revision and should be read in its entirety. 2. Cancellation. COMNAVRESFORINST 5200.8B. 3. Background. The Secretary of the Navy (SECNAV) requires compliance with the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255). The FMFIA requires all executive agencies to establish internal accounting and administrative controls which provide reasonable assurance of compliance, safeguards, and accountability. 4. Scope. This instruction applies to Commander, Navy Reserve Force (COMNAVRESFOR), Commander, Navy Reserve Forces Command (COMNAVRESFORCOM), and all Navy Reserve echelon 3 commands. 5. Discussion a. The Department of the Navy (DON) MICP is the Navy’s method for demonstrating and documenting compliance with FMFIA. SECNAV expects all managers to be active participants.
COMNAVRESFORINST 5200.8C 29 Apr 2019
2
During audits and inspections, external agencies (Government Accountability Office, Department of Defense (DoD) Inspector General, Naval Inspector General, and Naval Audit Service) review command compliance with this program. b. The MICP stresses using a variety of existing methods to gauge the effectiveness, efficiency, and economy of work processes. A process is defined as the manner in which resources are employed in generating a product, performing a responsibility, or rendering a service in support of the Navy’s mission. It consists of starting and ending points that are connected by a series of decision points, which include metrics/controls and various work related steps. c. The former Command Evaluation Program has been absorbed into the MICP by Director, Navy Staff action memo of 11 January 2013. The processes and policies of former OPNAVINST 5000.52B and COMNAVRESFORINST 5232.1D are governed by references (b) and (d), and this instruction. d. The MICP encompasses three lines of effort: Internal Control over Operations (ICO), Internal Control over Financial Reporting (ICOFR), and Internal Controls over Financial Systems (ICOFS). The Navy Reserve Forces Command Inspector General (NAVRESFOR IG) will assure all three lines of effort conform to required timelines set by higher authority. The NAVRESFOR IG through the MICP coordinator will compile and submit with approval the yearly Certification Statements for ICO. The COMNAVRESFORCOM N8 Directorate will compile and submit with approval the yearly Certification Statements for ICOFR and ICOFS. 6. Policy. To ensure compliance with references (a) through (d), commands must complete the following: a. Maintain an Assessable Unit Inventory. The command will be segmented into organizational or functional units. The sum of the assessable units must equal the entire organization. The inventory shall include the name of the Assessable Unit, a list of Sub-Assessable Units, the DoD Internal Control Reporting Category associated with the Assessable Unit, and the responsible Stakeholder and Unit Manager identified by name and billet title. The MICP coordinator will maintain the inventory and make necessary changes to personnel as required. b. Maintain a MICP Plan. The MICP plan is an executive summary of a command’s MICP. The plan captures the organization’s approach to implementing an effective internal control program and serves as the first resource MICP coordinators use to understand the organization’s program. MICP plans are described in detail in reference (c). c. Perform Risk Assessments. Reference (e) outlines the DON Operational Risk Assessment process. This process will be used when performing risk assessments for work processes. Reference (c) also provides additional information to consider when performing risk assessments. One-page linear flowcharts or process mapping may assist in preparing risk assessments for major and essential operations or processes. Though each command is afforded the flexibility to produce a format of their own for conducting, producing, tracking assessments,
COMNAVRESFORINST 5200.8C 29 Apr 2019
3
and corrective action, a standardized “MICP Tool,” enclosures (1) to (7) are recommended. Enclosure (8) is provided to allow a commanding officer to spot check the major or essential processes within Assessable Units while enclosure (9) provides a ready format for personnel to conduct periodic “testing” of internal control effectiveness. d. Perform Internal Control Assessments. Ensure major or essential processes are examined for efficiency, effectiveness, and economy. Enclosure (6) is used to document the Internal Control Assessment. Two or three key metrics will be used to measure performance. These key metrics should provide a quick look as to how well a process is progressing in achieving its intended purpose. To be viable, internal controls must be periodically tested. Test results should be reviewed, recorded, and filed to allow for external review or audit of the process and test results. Correctly documented internal control assessments should: (1) Relate each control to a specific risk. Describe the design of the control that will be tested. (2) Identify the control test objective to validate the assumed level of control risk. (3) Describe how the operation of the control was tested. (4) State whether the design of the control is effective, based upon the testing performed. (5) State whether the operation of the control is effective based upon the testing performed. e. Submit MICP Certification Statement. COMNAVRESFOR will submit a force-wide consolidated annual MICP certification statement. The required date of submission will be determined by the immediate superior in command. Further guidance for filling out and submitting the MICP certification statement is contained in reference (c). Echelon 3 commands will submit classified risks via Secret Internet Protocol Router Network (SIPR) to the COMNAVRESFOR MICP coordinator. f. Provide Corrective Actions for Reportable Conditions and Material Weaknesses. Corrective action plans for all material weaknesses and reportable conditions shall be included as an enclosure to the MICP certification statement. Formatting instructions are outlined in reference (c) and the web-based tool. 7. Action a. COMNAVRESFOR will: (1) Assign a MICP coordinator. (2) Ensure the Navy Reserve is trained and in compliance with the DON MICP.
COMNAVRESFORINST 5200.8C 29 Apr 2019
4
(3) Ensure subordinate commands are in compliance with the MICP for the Command Assessment Program. b. All echelon 3 commanders will: (1) Designate a command MICP coordinator in writing.
(2) Provide current MICP coordinator point of contact and phone number to respective ISIC, as directed. (3) Follow the policies and procedures set forth in this instruction. (4) Establish command instruction to define Assessable and Sub-Assessable Units, and assign stakeholders and unit managers. (5) Provide input as directed to the MICP coordinator in support of the annual MICP certification statement. (6) Ensure subordinate commands are in compliance with the MICP for the CAP.
c. MICP coordinators will: (1) Be designated in writing and complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in Navy e-Learning (NeL). (2) Ensure the stakeholders and unit managers complete the “Managers’ Internal Control Program Training,” a web-based MICP training found in NeL. (3) Follow the policies and procedures set forth in this instruction. (4) Develop command instruction to define the Assessable and Sub-Assessable Units. (5) Coordinate managers for each Assessable and Sub-Assessable Units as required. (6) Provide quality assurance for the program for the command. (7) Maintain SIPR access to allow for the submission and/or receipt of classified risks. d. Stakeholders will: (1) Follow the policies and procedures set forth in this instruction. (2) Designate unit managers as required for Assessable and Sub-Assessable Units. (3) Manage the controls created to mitigate risks.
COMNAVRESFORINST 5200.8C 29 Apr 2019
5
(4) Complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in NeL. e. Unit managers will (1) Assess areas of risk for assigned Assessable and Sub-Assessable Units. (2) Develop and implement controls to mitigate known risks. (3) Complete the “Managers’ Internal Control Program training,” a web-based MICP training found in NeL. 8. Records Management. Records created as a result of this instruction, regardless of media or format, must be managed per SECNAV Manual 5210.1 of January 2012. The reporting requirements in paragraphs 6 and 7 are exempt from reports control per reference (f). 9. Review and Effective Date. Per OPNAVINST 5215.17A, COMNAVRESFOR will review this instruction annually on the anniversary of its issuance date to ensure applicability, currency, and consistency with Federal, DoD, SECNAV, and Navy policy and statutory authority using OPNAV 5215/40. This instruction will automatically expire 10 years after effective date unless reissued or canceled prior to the 10-year anniversary date, or an extension has been granted. T. W. LUSCHER By direction Releasability and distribution: This instruction is cleared for public release and is available electronically only via COMNAVRESFOR Web site, https://www.mynrh.navy.mil
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (1)
DEPARTMENT OF DEFENSE INTERNAL CONTROL REPORTING CATEGORIES
1. Detailed Department of Defense (DoD) internal controls reporting category descriptions are contained within enclosure (5) of reference (a). The DoD will designate each operational internal control deficiency into one of the following reporting categories: a. Communications.
b. Intelligence.
c. Security.
d. Comptroller and Resource Management.
e. Contract Administration.
f. Force Readiness.
g. Information Technology.
h. Acquisition.
i. Manufacturing, Maintenance and Repair.
j. Other (Primarily Transportation).
k. Personnel and Organizational Management.
l. Procurement.
m. Property Management.
n. Research, Development, Test and Evaluation.
o. Security Assistance.
p. Supply Operations.
q. Support Services.
2. Managers’ Internal Control Program coordinators shall create assessable units tied to the list above. It is not required to use all of the categories above; only use those categories which apply to the efforts conducted by the respective command structure. Assessable units shall also reflect the Command Assessment Guide.
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (1)
3. When reporting financial reporting or financial system internal control material weakness according to evaluations conducted, the DoD and Office of the Secretary of Defense component will classify the end-to-end business processes affected by the control weakness. The following IC categories will be used to classify the material weakness: a. Budget-to-Report. b. Hire-to-Retire. c. Order-to-Cash. d. Procure-to-Pay. e. Acquire-to-Retire. f. Plan-to-Stock.
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (2)
COMNAVRESFORCOM ASSESSABLE UNIT INVENTORY
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
1 Command Master Chief
Command Master Chief Command Assessment Program Force Readiness N00
2 Human Resources HR Programs Assessment Personnel and Organization Management N00CP
Labor/Employee Relations Management/Advice
Personnel and Organization Management N00CP
Awards Personnel and Organization Management N00CP
Mandatory Training Personnel and Organization Management N00CP
Civilian Personnel Performance Personnel and Organization Management N00CP
Equal Employment Opportunity Programs
Personnel and Organization Management N00CP
Drug Free Workplace Programs Personnel and Organization Management N00CP
Request for Personnel Actions Validation
Personnel and Organization Management N00CP
DCPDS/TFMMS Data Integrity Personnel and Organization Management N00CP
Civilian Wage and Classification Personnel and Organization Management N00CP
3 Force Judge Advocate
Ethics/Standards of Conduct Training Support Services N00J
Administrative Separation-Military Support Services N00J
Ethics/Standards of Conduct Advice Support Services N00J
Freedom of Information/Privacy Act Support Services N00J
Courts Martial Support Services N00J
Non-Judicial Punishment Support Services N00J
JAGMAN Investigations Support Services N00J
Article 138, UCMJ Article 1150, Navy Regulations, Complains of Wrongdoing
Support Services N00J
Detachment for Cause Support Services N00J
Federal or U.S. Government Inspector General (IG) Investigations Support Services N00J
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Federal or U.S. Government fiscal and comptroller law Support Services N00J
General business and commercial law Support Services N00J
Legal Training/Oversight (U.S. Navy Reserve Component/Force) Support Services N00J
4 Inspector General Audit Follow-Up Liaison Other N002 Command Evaluation Program Other N002 Command Inspection Program Other N002 Investigations (i.e., Hotlines) Other N002 IG Command Assessment programs Other N002 Manager's Internal Control Program Other N002
5 Public Affairs Office
Provide PAO Support to Echelon 2, 3, 4 Staffs, Echelon 5 Commands, and SELRES
Support Services N00P
Publish, Distribute "TNR" Support Services N00P
Manage, Coordinate Naval Reserve Force Page on the Navy NewsStand Web site
Support Services N00P
Oversee, Manage Content for All Reserve Force Public Web Sites Support Services N00P
Research and Coordinate Response to External Information Queries Support Services N00P
Assist in Coordinating Local Community Relations Events Support Services N00P
Coordinate Speakers and Speeches for External Community Groups Support Services N00P
6 Safety Safety Policy Development Support Services N00S Safety Training Support Services N00S
Investigation of Employee Reports of Unsafe/Unhealthful Working Conditions
Support Services N00S
Unsafe/Unhealthful Working Conditions Support Services N00S
NAVOSH Inspection Support Services N00S
NAVOSH Self-Assessment (PR&MS) Support Services N00S
Mishap Ivestigation/Reporting (WESS2) and ESAMS Support Services N00S
Record keeping Support Services N00S
OSHA Inspection/Liaison Support Services N00S
Oversight/Guidance/Command support of all Mission-Oriented Support Services N00S
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
NAVOSH Programs at Lower Echelons
7 Command Services Correspondence Support Services N01A
Officer Fitness Reports/Enlisted Evaluations Support Services N01A
Directives Management Support Services N01A
Congressional Inquiries Support Services N01A
Personnel Identifiable Information Manager Support Services N01A
MWR Support Services N00
8 Force Chaplain Chaplain/Religious Program Specialists Assignments Support Services N01G
Fund Management and Execution Support Services N01G
Chaplain/Religious Program Specialists Mobilization Sourcing Support Services N01G
Chaplain/Religious Program Specialists Mobilization Processing Support Services N01G
9 Security Manager Information Security Program (Including Classified Material) Security N01S
Personnel Security Program Security N01S
10 Equal Opportunity Equal Employment Opportunity Programs
Personnel and Organization Management N00EEO
Command Managed EEO-Military Personnel and Organization Management N01E
11 Manpower and Personnel Management (N1)
Shore Manpower and Requirement Determination Program
Personnel and Organization Management N1
Billet Authorizations Personnel and Organization Management N1
Manning Control Personnel and Organization Management N1
Pay/Personnel System Change Management
Personnel and Organization Management N1
Officer/Enlisted Incentive Programs Personnel and Organization Management N1
Reserve Pay and Assistance Team (RPAT)
Personnel and Organization Management N1
New Accession Training (NAT) Program
Personnel and Organization Management N1
Officer/Enlisted Assignments Personnel and Organization Management N1
COMNAVRESFORINST 5200.8C 29 Apr 2019
4 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Unit Action/Billet Management Personnel and Organization Management N1
Strategic Sealift Officer Program Personnel and Organization Management N1
MGIB-SR Personnel and Organization Management N1
Post 9-11 Transferability Personnel and Organization Management N1
Fleet Ride Reserve Component Personnel and Organization Management N1
12 Intelligence (N2) Intelligence Intelligence N2
13 Operations (N3) RC Resources and Fund Management Force Readiness N3
Force Travel Force Readiness N3 Force Protection Security N3
Mobilization Sourcing and Readiness Force Readiness N3
Mobilization Advertising Force Readiness N3 Mobilization Cancellation Force Readiness N3
14 Logistics Management (N4) GCPC Program Supply Management N4
GTCC Program Supply Management N4
Supply Management (Including Material Requisitioning, Issue, and Receipt)
Supply Management N4
Duty/Staff Vehicle Management Supply Management N4 Berthing Program Management Supply Management N4 Clothing Program Management Supply Management N4 Subsistence Program Management Supply Management N4 Facilities Management Supply Management N4
Fleet Fuel Card Program Management Supply Management N4
15 Policy and Plans (N5) Policy Board Issues Force Readiness N5
Program Shore Installation Management Requirements Supply Management N5
Execute Reserve Shore Installation Management Supply Management N5
Organizational Change Requests (OCR) Support Services N5
Warrior and Family Support, CIAC, Yellow Ribbon Programs Support Services N5
COMNAVRESFORINST 5200.8C 29 Apr 2019
5 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
16 Information Technology (N6) Information Security Information Technology N6
Cybersecurity Management Information Technology N6
Key Management Infrastructure (KMI) Program Information Technology N6
Wi-Fi Program Information Technology N6 Information Technology Tracking Information Technology N6
Information Technology Procurement Information Technology N6
Information Technology Support Services Information Technology N6
Information Technology Policy and Procedures Information Technology N6
Information Technology Administration Information Technology N6
Information Technology Change Management Information Technology N6
Information Technology Certification and Accreditation Information Technology N6
17 Training (N7) General Military Training Force Readiness N7
NROWS Orders Processing (ADT Schools) Force Readiness N7
Auxiliary Craft Unit Programs Force Readiness N7 18 SAPR SAPR Support Services N00S 19 Comptroller (N8) Budget Formulation/Justification Procurement N8 Budget Execution Procurement N8 Funds Receipt Distribution (FDR) Procurement N8 Reimbursables Grantor/Performer Procurement N8 Civilian Pay and Time Keeping Procurement N8
20 Force Medical (N9) Medical/Dental Readiness Management Support Services N9
Medical Policy Development Support Services N9 MEDHOLD Support Services N9 Suicide Prevention Support Services N9
Line of Duty Claims/Incapacitation Pay Support Services N9
21 Command DAPA Drug/Alcohol Program-Military Force Readiness N9 Urinalysis Force Readiness N9
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (3)
COMNAVAIRFORES ASSESSABLE UNIT INVENTORY
Assessable Unit DoD Functional Categories Stakeholder
1 Aviation Safety Support Services N00AS
2 Command Investigation Processing Support Services N00J
3 Ethics Support Services N00J
4 Freedom of Information Act (FOIA) Support Services N00J
5 Military Justice Processing Support Services N00J
6 Personally Identifying Information (PII) Support Services N00J
7 Privacy Act Support Services N00J
8 Officer FITREP/Enlisted EVAL Support Services N01A1
9 Defense Travel Processing Force Readiness N01A1
10 National Guard and Reserve Equipment Appropriation (NGREA) & OMNR/Expense Unfunded Requirements
Procurement
N01A1
11 Government Commercial Purchase Card (GCPC) Supply Management N414D
12 Base, Station, and Installation Physical Security Security N3
13 Data Protection Information Technology N6
14 Managers’ Internal Control Program Support Services CNAP OSO
15 Military Pay Personnel and Organization Management N01A2
16 Protection of controlled Unclassified info Security N3
17 Training Force Readiness N7
18 SAPR Support Services N00S CNRFC
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (4)
COMNAVIFORES ASSESSABLE UNIT INVENTORY
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
1 Command Programs
Command Master Chief Command Assessment Program Force Readiness N00C
"Private Mess" Administration Support Services N03 Personal Financial Management Support Services N01SEL
Family Care Program Force Readiness N01SEL
Family Advocacy Program Support Services N01SEL
Urinalysis Program Coordinator (UPC) Support Services N03
Drug and Alcohol Program Advisor (DAPA) Support Services N03
Sexual Assault Prevention and Response (SAPR) Support Services N1H
2 Human Resources HR Programs Assessment Personnel and Organization Management N1
Awards Personnel and Organization Management N1
Mandatory Training Personnel and Organization Management N1
Civilian Personnel Performance Personnel and Organization Management N1
Equal Employment Opportunity Programs
Personnel and Organization Management N1
Drug Free Workplace Programs Personnel and Organization Management N1
DCPDS Data Integrity Personnel and Organization Management N1
Civilian Pay and Time Keeping/SLDCADA Procurement N1
3 Force Judge Advocate Legal Matters Support Services N00J
Freedom of Information/Privacy Act Support Services N00J
Detachment for Cause Support Services N00J Congressional Inquiries Support Services N00J
Legal Training/Oversight (U.S. Navy Reserve Component/Force) Support Services N00J
4 Inspector General Audit Follow-Up Liaison Other N01I
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (4)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Command Evaluation Program Other N01I
Command Inspection Program Other N01I Investigations (i.e., Hotlines) Other N01I
IG Command Assessment Programs Other N01I
Manager's Internal Control Program Other N01I
5 Public Affairs Office Public Affairs Program Support Services N01P
6 Safety Safety Program Support Services N4 Safety Training Support Services N4
Investigation of Employee Reports of Unsafe/Unhealthful Working Conditions
Support Services N4
Unsafe/Unhealthful Working Conditions Support Services N4
NAVOSH Inspection Support Services N4
NAVOSH Self-Assessment (PR&MS) Support Services N4
Mishap Ivestigation/Reporting (WESS2) and ESAMS Support Services N4
OSHA Inspection/Liaison Support Services N4
Oversight/Guidance/Command support of all Mission-Oriented NAVOSH Programs at Lower Echelons
Support Services N4
7 Command Services Correspondence Support Services N01C
Officer Fitness Reports/Enlisted Evaluations Support Services N01C
Directives Management Support Services N01C
Person Identifiable Information Manager Support Services N6
MWR Support Services N01C
Military Awards and Recognition Support Services N01C
Command Fitness Program Support Services N01SEL
Victim and Witness Assistance Program (VWAP) Support Services N03
Education Services Officer Support Services N03
Official Mail Control Support Services N01C
Command PASS Coordinator (CPC) Support Services N01C
8 Security Manager Information Security Program (Including Classified Material) Security N01S
Personnel Security Program Security N01S
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (4)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Special Security Administration Security N01S
Operational Security Security N01S Industrial Security Security N01S
Force Protection Security N01S
9 Manpower & Personnel Management (N1)
Pay/Personnel System Change Management
Personnel and Organization Management N1
Officer/Enlisted Incentive Programs
Personnel and Organization Management N1
Prior Service Reenlistment Eligibility-Reserve
Personnel and Organization Management N1
New Accession Training (NAT) Program
Personnel and Organization Management N1
Command Managed EEO-Military Personnel and Organization Management N01
Career Development Programs Support Services N1
Mobilization Readiness and Execution Force Readiness N1
Telework Program Personnel and Organization Management N1
Personnel Transaction Personnel and Organization Management N1
Mobilization Sourcing and readiness Force Readiness N1
Mobilization Advertising Force Readiness N1
10 Intelligence Intelligence Intelligence Oversight N01
11 Operations (N3) Operations Planning Force Readiness N3
SharePoint Management and Implementation Support Services N3
Continuity of Operations (COOP) Force Readiness N3
12 Logistics Management (N4) GCPC Program Supply Management N4
GTCC Program Supply Management N4
Supply Management (Including Material Requisitioning, Issue, and Receipt)
Supply Management N4
COMNAVRESFORINST 5200.8C 29 Apr 2019
4 Enclosure (4)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Duty/Staff Vehicle Management Supply Management N4
Fleet Fuel Card Program Management Supply Management N4
13 Information Technology (N6) Information Technology Information Technology N6
Information Security Information Technology N6 Information Technology Tracking Information Technology N6
Cybersecurity Management Information Technology N6
Electronic Key Management Infrastructure (KMI) Program Information Technology N6
Information Technology Certification and Accreditation Information Technology N6
14 Training (N7) General Military Training Force Readiness N7 Specialized Training Force Readiness N7 Schoolhouse Training Programs Force Readiness N7
NROWS Orders Processing (ADT Schools) Force Readiness N7
IWC Programs Force Readiness N7 15 Budget (N8) Budget Formulation/Justification Procurement N8 Budget Execution Procurement N8
Funds Receipt Distribution (FDR) Procurement N8 Reimbursables Grantor/Performer Procurement N8
Reserve Personnel Navy (RPN) Procurement N8 Accounting/Financial Integrity Procurement N8
O&MNR, Navy Reserve Procurement N8
RC Resources and Fund Management Force Readiness N8
Force Travel Force Readiness N8
16 Force Medical Medical/Dental Readiness Management Support Services N1H
Suicide Prevention Coordinator Support Services N1H
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (5)
MANAGERS’ INTERNAL CONTROL PROGRAM RISK ASSESSMENT TEMPLATES
Sub-Assessable Unit (Assessable Unit) (Identify the unit above for which you are
assessing risk)
Identify risk by asking the following questions
Risk Questions Answers Action Person 1. What could go wrong with this process? 2. What processes require the most judgement? 3. What processes are the most complex? 4. What must happen for this process to work correctly?
5. How could we fail to accurately report the actual status?
6. How do we know whether we are achieving our objectives?
7. Where are the most vulnerable areas?
Identified Risks (Based on answers above articulate your risks) 1. 2. 3.
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (5)
Risk Assessment Definitions Risk Likelihood Description Risk Impact Description 1 - Very Low Risk
A risk that has little to no chance to occur. A risk that has very robust and/or long-standing mitigation and/or management strategies in place.
1 - Very Low Risk
Risks that have little or no impact on the business unit and/or area. Very low risks can hamper the ability of a business unit or area to achieve a goal or objective, usually one of lesser significance. Rarely will they rise to the level where they could actually prevent the business unit or area from achieving a goal or objective. They do not have any discernable impact on the business unit’s ability to achieve its mission. Usually, only a small percentage of risks fall into this category.
2 - Low Risk A risk that is not likely to occur. A risk that has strong mitigation and/or management strategies in place that are functioning as intended.
2 - Low Risk Risks that may have discernable impact on the business unit and/or area. Low risks can hamper the ability of a business unit or area to achieve one or more objectives, usually those of lesser significance. Occasionally they will rise to the level where they could actually prevent the achievement of a business unit’s goals or objectives, but are unlikely to have any impact on the business unit’s ability to achieve its mission. Many risks fall into this rating category.
3 - Medium Risk
A risk that has a chance to occur. Mitigation and/or management strategies are in place but may not be robust enough to prevent the risk from occurring. However, the mitigation/management strategies in place would most likely lessen the chance of occurrence.
3 - Medium Risk
Risks that have the potential to have considerable impact on the business unit and/or area. Medium risks can affect the achievement of one or more goals and objectives, but usually will not rise to the level of preventing an organization from achieving its mission. Significant risks may have substantial internal and/or external repercussions. A large percentage of risks fall into this rating category.
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (5)
Risk Assessment Definitions Risk Likelihood Description Risk Impact Description 4 - High Risk A risk that is more likely to occur than not to
occur; a high degree of certainly that the risk will occur. A risk that has more than a 50% chance of occurring. Effective mitigation and/or management strategies are not in place or are not functioning as intended.
4 - High Risk Risks that are likely to have substantial impact on the agency, the business unit and/or area, in that order. High risks can significantly hamper an organization’s ability to achieve multiple and/or key goals and objectives. They could also rise to the level or preventing or impairing an organization from achieving its mission. Major risks often have serious internal and/or external repercussions. This is often the top rating category in terms of significance for the majority of business units. Usually, only a small percentage of risks fall into this category.
5 - Very High Risk
A risk that is occurring or is certain to occur given the environment or factors involved. Mitigation and/or management strategies are not in place or are not functioning as intended.
5 - Very High Risk
Risks that are likely to have critical impact on the agency and/or the business unit in that order. Very high risks are potentially business ending events, or at the very least could prevent the business unit from accomplishing its mission, not just a single goal or objective. Extreme risks have significant potential for grave consequences on an organization, its people, and/or processes. Very few risks fall in to this rating category, and many business units will not have any such risks.
Identified Risks Risk severity
Likelihood Impact
COMNAVRESFORINST 5200.8C 29 Apr 2019
4 Enclosure (5)
For Every Risk, List a Control Action for (Assessable Unit/ Sub-Assessable Unit) Risk Risk Severity Control Action Monitoring Activity Monitoring
Frequency Likelihood Impact List the risks identified in "Risk Assessment
tab" that are moderate or higher.
What are the steps taken
to control the risk? How is the risk
monitored?
How often is the risk monitored (weekly, monthly, quarterly)?
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (6)
MANAGERS’ INTERNAL CONTROL PROGRAM CONTROL ASSESSMENT TEMPLATES
Internal Control Test for Assessable/Sub-Assessable Units List control action and have reasonably informed individual test/review your controls.
Risk Control Action Test/Review
Controls Was Control design
effective Residual Risk
Tester Likelihood Impact
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (7)
MANAGERS’ INTERNAL CONTROL CORRECTIVE ACTION TEMPLATE
Corrective Actions for Sub-Assessable unit (Assessable Unit)
If controls are ineffective, criteria fits, submit Material Weakness or Reportable Condition to CNRF MIC Program Manager
Ineffective Control Threat to Mission,
Resource, or Image? Issue is Command
Wide?
Is It a Material Weakness or a
Reportable Condition
Have you reported to CNRF MIC Program
Manager for Submission
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (8)
COMMANDING OFFICER’S MANAGERS’ INTERNAL CONTROL PROGRAM SPOT CHECK
Activity/Department: Work Process: Step 1. Identify Risks: Yes No N/A a. Has a flowchart been completed identifying major steps of the work process? Yes No N/A b. Have applicable risks of each step with possible causes for those risks been documented? If no, comment in, “Issues/Comments” section. NOTE: Risk includes: Financial, Human Resource (personnel), Reputation (image), Technology, Strategic, Operational, Resources, and Environmental. Step 2. Assess Risks: Each risk identified in Step 1 will be assigned. a. Risk Assessment Code (RAC) using the “Impact Severity Category” and “Likelihood of occurrence Rating.” The below matrices are a guide for assessing hazards. Yes No N/A b. Has each risk been assigned a RAC? Impact Category Matrix: Likelihood of occurrence:
I (severe impact to mission etc) A (likely to occur immediately) II (serious impact to mission etc) B (probably will occur in time) III (moderate impact to mission etc) C (may occur in time) IV (little to low impact to mission etc) D (unlikely to occur) Risk Assessment Code Risk Impact Likelihood Rating
1=Critical I A B C D 2=Serious II 1 1 2 3 3=Moderate III 1 2 3 4 4=Minor IV 2 3 4 5 5=Negligible 3 4 5 5 Step 3. Risk Decisions: Yes No N/A a. Have risks moderate and higher been prioritized and internal controls selected to reduce process risks? Yes No N/A b. Do selected internal controls provide benefits that outweigh risks?
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (8)
Yes No N/A c. If risk outweighs benefit, does the process warrant reporting to higher authority as a material weakness? Discuss issues in “Issues/Comments” section. Step 4. Internal Control Implementation (more than one type internal control may apply): a. Have “Process Controls” been implemented that reduce risks Yes No N/A by design, software selection, or substitution when technically or economically feasible? b. Have “Administrative Controls” been implemented that reduce risks through specific administrative actions, such as: Yes No N/A (1) Establishing written policies, programs, Instructions and standard operating procedures? Yes No N/A (2) Training personnel to recognize risks and take appropriate measures? Yes No N/A c. Other. Step 5. Supervision: Yes No N/A a. Is there periodic supervisory oversight of internal controls for the work process? Are the controls tested for effectiveness? Yes No N/A b. Are risk assessments and internal control assessments reviewed at least once a year? Yes No N/A c. Are internal controls periodically tested, and are test results reviewed and filed for external review/audit? Yes No N/A d. Is a corrective action plan put in place for controls that no longer reduce risk to an appropriate level? Initial Risk Assessment conducted by: ____________________ Date: __________________ Assessment reviewed by: ______________________________ Date: ________________ Are test results reviewed and filed for external review/audit?
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (8)
Issues/Comments Actions (Include estimated completion dates)
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (9)
MANAGERS' INTERNAL CONTROL PROGRAM ASSESSMENT
“Do our Controls work?” 1. Assessable Unit/Work Process: 2. Method(s) used? Physical inspection/walk-through. Review documents. Interviewed cognizant managers. Evaluated data. Conducted simulation. 3. Test Results Yes No a. Does the flowchart reflect the process? Yes No b. Is the process producing intended results? Yes No c. Are protections against fraud, waste, abuse and mismanagement practices adequate? Yes No d. Are laws and regulations followed? Yes No e. Is the process effective, efficient, and economical? Yes No f. Has an MICP Risk Assessment been completed? (1) Risk Assessment Code: 1 – Critical 2 – Serious 3 – Moderate 4 – Minor 5 – Negligible Yes No g. Are the internal controls acceptable for reducing risks? Yes No h. Are internal controls reviewed often enough to be effective?
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (9)
Yes No i. Are internal control tests being conducted to validate internal controls and are the results filed for later review/audit? 4. For any “NO” response above, indicate the remedial action planned and expected completion date. Yes No 5. Does this process warrant reporting as a material weakness? 6. Spot check conducted by: ___________________________ Date: __________________