Upload
austin-skidmore
View
217
Download
0
Embed Size (px)
Citation preview
THIS TRAINING SEMINAR INCORPORATES TOPICS FROM A VARIETY OF MIC
PROGRAM MATERIAL
MIC A Practical Approach
YN2 Austin Skidmore, NRMW RCC (N5)
Training Objectives
Gain an advanced understanding of MIC requirements
Become familiar with MIC terminology and expectations
Understand MIC reporting procedure
Learn to conduct risk and control assessmentsBe able to develop an Inventory of Assessable
UnitsProvide knowledge that is both relevant to
Commanding Officers and practical to front line MIC Coordinators
COLLECTION OF CONTROL SYSTEMS A COMMAND HAS ESTABLISHED TO ACCOMPLISH ITS MISSION
PRACTICES ADOPTED MANAGEMENT TO PROVIDE ASSURANCE THAT PROGRAMS CARRIED OUT IN ACCORDANCE WITH ESTABLISHED OBJECTIVES
SYSTEM OF CONDUCTING PERIODIC REVIEWS OF PROCESS EFFECTIVENESS
PROGRAM THAT INTENDS TO ELIMINATE OR REDUCE FRAUD, WASTE, ABUSE AND MISMANAGEMENT
What is MIC?
A N E F F E C T I V E M I C P R O GR A M H E L P S I D E N T I F Y A N D C O R R E C T W EA K N E SS E S W I T H I N A N O R G A N I Z AT I O N. B EN E F I T S O F A N EF F EC T I V E M I C P R O G R A M I N C LU D E :
1) V I S I B I L I T Y I N T O O R G A N I Z AT I O N A L W E A K N E SS E S
2 ) A B I L I T Y T O A N T I C I PAT E P O T E N T I A L O R S Y S T EM I C W EA K N E SS E S
3 ) P R O C ESS ES T O C O R R EC T W EA K N E SS E S B E F O R E T H EY B E C O M E D E T R I M E N TA L T O T H E O R G A N I Z AT I O N
4 ) C O M P L I A N C E W I T H T H E F E D E R A L M A N A G E R S ’ F I N A N C I A L I N T EG R I T Y A C T ( F M F I A ) A N D O T H ER L AW S A N D R E G U L AT I O N S
What does MIC do for my organization?
Why must we engage in MIC?
Department of the Navy’s Internal Control Manual – SECNAV M-5200.35
SECNAV Instruction 5200.35E
OMB Circular A-123 GAO Standards For Internal Control DoD Instruction 5010.40 (MIC) Program Procedures DoD FY 2009 Guidance For Preparation Of The Annual SOA DoD FY 2011 Internal Control Over Financial Reporting Guidance Federal Managers Financial Integrity Act Of 1982 (FMFIA)
KEYS TO SUCCESS FOR AN EFFECTIVE MIC PROGRAM:
LEADERSHIP EMPHASIS : A MIC Program must be supported by top leadership.
EDUCATION AND TRAINING :
Managers at all levels must understand the importance of internal controls.
MONITORING AND REPORTING :
Monitoring progress and reporting results are essential.
How can I make MIC a success?
MIC Process
DEVELOP MIC PLAN
MIC Plan
An executive summary which captures the command’s approach in maintaining an internal control program
Considered a Road Map to new MIC Coordinators
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
THE PROCESS OF SEGMENTING AN ORGANIZATION INCLUDES:
1) IDENTIFYING MAJOR COMPONENTS OR PROGRAMS
2) DIVIDING THE COMPONENTS INTO ASSESSABLE UNITS
3) RELATING ASSESSABLE UNITS TO RESPONSIBLE MANAGERS
Segmenting the Organization
Inventory of Assessable Units (AU)
Develop an Inventory of AUs that:
Are divisions of major components, functions, or programs
Have clear limits or boundaries
Are identifiable to a specific responsible manager
Constitute the entire organization
Functional Area Sub-segment Department
Research, Development, Test and Evaluation
Major Systems Acquisition Procurement Contract Administration Force Readiness Manufacturing, Maintenance and Repair Supply Operations Property Management Communications and/or Intelligence
and/or Security Information Technology Personnel and/or Organizational
Management Comptroller and/or Resource
Management Support Services Security Assistance Other (Transportation) Financial Statement Reporting
N01 N1 N3 N4 N5 N6 N7 N8 N9
Segmenting the Organization
Sample Inventory of AUs
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
ASSIGN RESPONSIBILITY
MIC Coordinator Top Leadership
Ensure requirements are communicated and completed on time
Coordinate efforts to prepare a MIC Plan and MIC Certification Statement
Monitor the performance and results of risk assessments and reviews
Obtain MIC training
Establish of internal controls to provide reasonable assurance requirements are met
Maintain an inventory of assessable units
Perform risk assessments and internal control reviews.
Submit an annual overall MIC Certification Statement
Monitor and improve internal controls
What is my role?
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
MAP THE PROCESS
ASSIGN RESPONSIBILITY
Flowcharting
This chart represents some of the most commonly used flowchart symbols
Symbols may very by source
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
ASSIGN RESPONSIBILITY
The three phases of a risk assessment generally include:
Identifying a risk that potentially impacts the organization’s mission and objectives
Assessing the impact and likelihood of that risk
Responding to the risk with appropriate controls
IDENTIFY ASSESS RESPOND
RISK IDENTIFICATION OCCURS AS A RESULT OF CONSIDERATION OF FINDINGS FROM AUDITS, EVALUATIONS, AND OTHER ASSESSMENTS
IDENTIFICATION OF RISKS RESULTING FROM BUSINESS,POLITICAL, AND ECONOMIC CHANGES ARE DETERMINED
RISKS TO THE AGENCY AS A RESULT OF POSSIBLE NATURALCATASTROPHES OR CRIMINAL OR TERRORIST ACTIONS ARE TAKEN INTO ACCOUNT
RISKS POSED BY NEW LEGISLATION OR REGULATIONS AREIDENTIFIED
Risk Identification
Risk Identificatio
n
A risk assessment determines where potential hazards exists that might prevent the organization from achieving its objectives.
Asking the following questions may also help to identify risks:
What could go wrong in the process?
What processes require the most judgment?
What processes are most complex?
What must go right for proper reporting?
How do we know whether we are achieving our objectives?
Where are our vulnerable areas?
Business Risk Types
Are we at risk of a threat to mission, threat to resources, or threat to image?
Financial risk - Loss of assets or available operating or capital budget
Human resources risk - Management and staff are not sufficient to meet needs and mission of organization
Reputation risk - Negative public opinion
Technology risk - Systems and technology tools, in design and operation, do not allow achievement of mission
Strategic risk - Mission or strategic plan does not support overall DON objectives
Operational risk - Operational policies and procedures do not sufficiently control business to allow achievement of mission
Environmental risk - Operations negatively impact the environment
GAO Risk Types
For each risk identified in a process, a control activity should be identified and documented in the risk assessment.
The GAO identifies three types of risk:
1) Inherent risk - The original susceptibility to a potential hazard or material misstatement, assuming there are no related specific control activities.
2) Control risk - The risk that a hazard or misstatement will not be prevented or detected by the internal control.
3) Combined risk - The likelihood that a hazard or material misstatement would occur and not be prevented or detected on a timely basis by the agency's internal control.
Threat Types
Threat to Mission - Is there a threat to achieving the mission of the organization. Threats to Mission include:
impaired fulfillment of essential mission or operations unreliable information causing unsound management decisions violations of statutory or regulatory requirements impact on information security depriving the public of needed Government services
Threat to Resources - Is there a threat to physical, financial or human resources. When a control deficiency has a clear dollar value associated with it, anything greater than one percent (1%) of the organization’s budget would be considered material.
Threat to Image - Consider the impact on the organization’s image does it bring substantial negative publicity. Threats to Image may include:
sensitivity of the resources involved (e.g., drugs, munitions) current or probable Congressional and / or media interest diminished credibility or reputation of management
Categorizing Risk Level
M ET H O D S U SE D BY P R O G R A M M A N A G E R S T O EN S U R E A C H I EV E M E N T O F O B J E C T I V E S A N D T O SA F E G UA R D T H E I N T E G R I T Y O F T H E I R P R O G R A M S.
C O N T R O L A C T I V I T I E S A R E E STA B L I SH E D T O M A N A G E A N D M I T I G AT E T H E I D E N T I F I E D R I S K S.
EXA M P L ES O F C O N T R O L A C T I V I T I E S A R E P R O C E SS O W N E R S H I P, T R A N S A C T I O N A P P R OVA L S, S EPA R AT I O N O F D U T I E S, A N D P E R F O R M A N C E M E A S U R EM E N T S.
I N T E R N A L C O N T R O L S E N S U R E T H E A C C O M P L I S H M EN T O F O B J E C T I V ES ; C O M P L I A N C E W I T H L AW S A N D R E G U L AT I O N S ; R E L I A B L E A N D T I M E LY I N F O R M AT I O N A N D E F F I C I E N T O P E R AT I O N S.
Internal Controls
I N T E R N A L C O N T R O L S P R OV I D E R E A S O N A B L E A SS U R A N C E T H AT T H E F O L L O W I N G A R E T R U E :
C O M P L I A N C E W I T H L AWS A N D R E G U L AT I O N S
A C C O M P L I S H M E N T O F O B J EC T I V E S
R E L I A B L E A N D T I M E LY I N F O R M AT I O N F O R D EC I S I O N M A K I N G
E F F I C I E N T O P ER AT I O N S
S A F E G UA R D I N G O F R E SO U R C E S F R O M WA ST E , F R A U D, A B U S E A N D M I SM A N A G E M EN T
What purpose do controls serve?
PREVENTATIVE DETECTIVE
DETER UNDESIRABLE EVENTS FROM OCCURRING. PREVENTATIVE CONTROLS SHOULD BE DESIGNED TO DISCOURAGE ERRORS AND IRREGULARITIES FROM OCCURRING
DETECT AND CORRECT UNDESIRABLE EVENTS THAT HAVE OCCURRED. DETECTIVE CONTROLS SHOULD BE DESIGNED TO IDENTIFY AN ERROR OR IRREGULARITY AFTER IT HAS OCCURRED
Types of Controls
DIRECTIVE CORRECTIVE
CAUSE OR ENCOURAGE A DESIRABLE EVENT TO OCCUR. DIRECTIVE CONTROLS SHOULD BE DESIGNED TO ASSIST IN ACCOMPLISHING GOALS AND OBJECTIVES
ARE AIMED AT RESTORING THE SYSTEM TO ITS EXPECTED STATE. CORRECTIVE CONTROLS CAN TERMINATE THE AFFECTED PROCESS, REVERSE THE ERROR, OR REMEDY THE RESULTS OF THE ERROR
Types of Controls
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
ASSIGN RESPONSIBILITY
Conducting Risk Assessments
Risk assessments can vary in format; however,documentation should:
Identify the risks to the accomplishment of the assessable unit’s objectives
Identify the level of inherent risk (high, moderate, low)
Identify the level of control risk (high, moderate, low)
Identify the level of combined risk (high, moderate, low)
Document any existing controls that are in place to mitigate the risk
Conducting Control Assessments
Internal control assessments can vary in format; however,
documentation should: Relate each control to a specific risk
Identify the control test objective to validate assumed level of control risk
Describe the design of the control that will be tested
State effectiveness of the control design based on the test performed
Describe how the operation of the control was tested
State effectiveness of the control operation based upon the test performed
RA, Control Test, and CA easy three step process
Sample Risk Assessment
Sample Control Assessment
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
DOCUMENT FINDINGS
ASSIGN RESPONSIBILITY
Documentation
DON anticipates the MIC Program will become Auditable.
Here is what you need to stay on track:
MIC Plan
Inventory of Assessable Units (AU)
Risk Assessments (RA)
Internal Control Assessments
Statement of Assurance (SOA)
MIC Process
DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
DOCUMENT FINDINGS
PREPARE REPORTS ON
RESULTS
ASSIGN RESPONSIBILITY
DIRECTED BY THE OVERSIGHT PLANNING BOARD (OPB) CHARTER OF 15 JUN 04
13 FUNCTIONAL CATEGORIES REPORTED TO NAVAL AUDIT SERVICE AND NAVIG
DATA CALL CONDUCTED FEB/MAR TIME FRAME
PROVIDED WEB-BASED DATA ENTRY TOOL ONLINE TO SUBMIT RISK AND OPPORTUNITY
ONLY ECHELON I I AND ABOVE GET ACCESS
Risk and Opportunity Assessment
(ROA)
Functional Categories
Risks and Opportunities are grouped into 13 Functional Areas
1) Acquisition Integrity/Fraud 2) Anti-Terrorism/Force Protection 3) Education and Training 4) Environmental Protection and Safety 5) Facilities and Real Property Management6) Financial Management7) Force Readiness and Fleet Operations 8) Healthcare and Member Support Services9) Information Technology Management10)Intelligence and Classified Programs 11)Logistics, Supply, and Maintenance Ops12)Manpower and Personnel 13)Systems Acquisition and Acquisition
Logistics
Sample Risk and OpportunityRisk:
Stand-alone NOSC facilities are not in compliance with ATFP criteria. NOSC facilities are under the purview of CNIC, but despite efforts to update OPNAVINST 3300.53B, this instruction has not been updated
New Navy Reserve accessions often do not meet mobilization standards
Opportunity:
NAVRESFOR is unable to use DTS to book travel requirements and process travel claims at this time. Legacy business processes require NAVPTO involvement and a manpower intensive process at the CTO to book Navy Reserve travel arrangements
A N A N N UA L R EP O RT T H AT C E RT I F I E S T H E SE C N AV ’ S L E V E L O F R E A S O N A B L E A SS U R A N C E
C E RT I F I ES T H E OV E R A L L A D E Q UA C Y A N D E F F E C T I V EN E SS O F I N T E R N A L C O N T R O L S W I T H I N T H E D O N
AV E N U E T O R EP O RT P O T E N T I A L “N AV Y-W I D E ” I SSU E S B A S E D O N I N P U T S F R O M T H E F I E L D
C O M P R I S E D O F W E A K N E SS E S A N D A C C O M P L I S H M E N T S I N D E N T I F I E DBY A SS E SS M E N T F I N D I N G S
P R OV I D ES M O N I T O R I N G A N D T R A C K I N G O F C O R R EC T I V E A C T I O N S
Statement of Assurance(SOA)
Certification Statement
Annual SOA Certification Statement Letterhead Memorandum
Reasonable Assurance
An unqualified statement of assurance - reasonable assurance with no material weaknesses reported.
A qualified statement of assurance - reasonable assurance with exception of one or more material weakness(es) noted.
A statement of no assurance - no reasonable assurance because no assessments conducted or the noted material weaknesses are pervasive.
Determining Materiality
What constitutes a “material” weakness?Materiality is a management judgment. It is difficult to apply a strict formula to determine whether something is or is not material
Is the issue control-related?
Is the issue command/activity-wide?
Does the issue pose a Threat to Mission, Resources, or Image?
* An issue is only material if it affects your organization as a whole
Material WeaknessCriteria
Material Weakness guidelines exist within DoD Instruction 5010.40.
A Material Weakness must satisfy two conditions:
It must be a deficiency in which existing internal controls do not provide reasonable assurance that the objectives of the MIC Program are being met. In effect, the weakness results from internal controls that are not in place, not used, or not adequate.
It must be a deficiency that requires the attention of the next higher level of management. Managers should report a weakness to the next higher level if doing so is required to resolve the issue. A manager should also consider reporting a weakness to the next higher level if it is serious enough to bring to their attention (even if the issue can be resolved at the reporting manager's level).
SOA Online Tool
The Tool encompasses all four segments of the SOA reporting requirements:
New Weaknesses Prior Period Weaknesses Accomplishments Management Control Certification Statement
Efficiency: Streamlines SOA data collection and reporting process
Access: Easy access to submit updates and certification statements
Monitoring: Provides a mechanism to track accomplishments and weaknesses
Consolidation: Acts as a central database and stores historical data
Consistency: Templates in the tool assist in completing certification statement
SOA Tool
New MIC Coordinators go to:
<https://www/fmosystems.navy.mil/soa/login/index.cfm?fuseAction=Logout>
Here MIC Coordinators request access to the SOA Tool and prepare the annual SOA Certification Statement
Inputs are being recognized
RCCs
CNRFC
DON
CNO
Reporting Chain
CONGRESSSECDEFSECNAV
CNOCNRFC
NRMW RCCNOSC
Self-Assessment Tool
Available at the FMO Systems website:
<http://www.fmo.navy.mil/fin_imp/mic/tools_index.htm>
Web-based Tool to provide Commands "current state” measurement
of their MIC Program. This tool will help Leaders answer the following
Internal Control questions:
Are they designed well?
Are they functioning as designed?
Are further improvements needed?