“Paradigm Shift”
Department of Defense Managers’ Internal Control Program
Association of Military Comptrollers Professional Development Institute Conference
June 3, 2010

Purpose of Briefing
• Background/Current Environment
• “Paradigm Shift” – DoD Managers’ Internal Control Program
• Leveraging Priorities of MICP Activities To Ensure Accomplishment of Mission
• Where to Begin? – Framework to Monitor and Assess Effectiveness – How?
• Changes in Policies That Impact SOA and MICP Activities
• “Gold Standard” – DeCA and USSOCOM

DoD Background/Current Environment
• Commission on Wartime Contracting in Iraq and Afghanistan – Contractor Business Systems: found “systemic” problems with current contract oversight, e.g., agencies are under-resourced to respond effectively to wartime needs (September 2009).
• Secretary Gates ordered a top-to-bottom paring of the military bureaucracy to search for at least $10 billion in annual savings. He referred to the Department as a bloated bureaucracy with wasteful business practices (May 8, 2010).
• GAO identified longstanding weaknesses in DoD’s business operations that impact the Department and the Warfighter, e.g., Weapon Systems Acquisition, Contract Management, Supply Chain Management, and Financial Management (January 2009).
• Commission on Wartime Contracting in Iraq and Afghanistan – Contingency Contracting: due to the sheer size of contractor-supported operations and weaknesses in contract management and oversight systems, there are plentiful opportunities for waste, fraud and abuse (June 2009).
Supporting observations:
• “Military strong but economically stagnant”
• Unrealistic to expect Congress to continue to approve budgets in the coming years that grow enough to sustain the current size of the military
• Lack of recent review of “how the Department is organized, staffed and operated, indeed every aspect of how it does business”
• Total acquisition costs in the FY 2007 portfolio of major defense acquisition programs increased by 40 percent from first estimates
• DoD does not prioritize system investments at the strategic level
• At the program level, programs are started without knowing what resources will truly be needed
• Neither the military nor the federal civilian acquisition workforces have expanded to keep pace with recent years’ enormous growth in the number and value of contracts
• More timely training needed
• Lack of standards on inherently governmental functions
• Contractor business systems are inadequate. Why?
  – Unreliable data from business systems
  – Lack of ability to detect contract cost errors
  – Inadequate controls over business systems
  – Poor alignment of personnel to meet wartime needs
A risk-based and results-oriented approach addresses competing resources in an increasingly constrained fiscal environment.

Paradigm Shift Relevant to the DoD’s Challenge Towards Reliance on a Risk-Based and Results-Oriented Approach
• In 1962, Thomas Kuhn wrote The Structure of Scientific Revolutions, and fathered, defined and popularized the concept of “paradigm shift”.
• “Change is difficult. Human beings resist change; however, the process has been set in motion long ago and we will continue to co-create our own experience.”
• Kuhn states that “awareness is prerequisite to all acceptable changes of theory” (p. 67).
Shift in Focus and Approach – Connection Between Theory and Realization:
• OSD’s Priorities
• Department Awareness
• Enhanced Criteria
• Proactively Validate Risk
• Risk-Based & Results-Oriented Approach
“Effective leadership is putting first things first. Effective management is discipline, carrying it out.” – Stephen Covey, author of “The 7 Habits of Highly Effective People”

DoD Managers’ Internal Control Program
Historically
• Reliance Upon Outside Audit Agencies – Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses.
• Self-Reporting – Punitive Versus Incentivized – Candor not part of the culture, i.e., “group-think.” Threat of retribution for self-reporting.
• Focus on Timelines and Format – Score received by the Component based upon timeliness of SOA submission and adherence to format.
• “Paper-Drill Exercise” – Ramp-up of SOA-related activities occurs several weeks prior to the submission deadline versus an ongoing activity year-round.
Renewed Emphasis
• Reliance Upon Resources in Component – Reliance upon analysis of the Component’s assessable units to identify material internal control weaknesses.
• Self-Reporting – Incentivize Versus Punish – An organizational culture that rewards self-reporting by all levels of the organization regarding potential risks to the mission and recommendations for mitigation.
• Focus on Risk – Based upon documentation of segments of business processes and procedures, identify risk, rank risk and focus upon the greatest risks that may impact the organization (e.g., materiality), and communicate risk and remediation recommendations through the “chain of command.”
• Report Supported by Documentation of MICP Process – Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon (i.e., processes, procedures, controls, risk, ranking of risk, mitigation of controls, and reportable “material” internal control weaknesses).

Where to Begin?
Review of Relevant Statutes/Regulations
Statutory Authority
Federal Managers Financial Integrity Act of 1982 (FMFIA)
• Requires the Secretary of Defense to submit a statement to the President and to the Congress by December 31 providing an assessment of DoD Management Control (MC) systems and a plan for correcting any material weaknesses
• Focuses on anticipating and preventing problems by stressing individual accountability, requiring managers to have financial and management control over resources*
Regulatory Guidance
Office of Management and Budget (OMB) Circular A-123
• Implements FMFIA by providing guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
DoD Instruction 5010.40, Management Control (MC) Program Procedures
• Provides procedures for implementation and use of the MICP
* The continuous monitoring of processes, risk, and the mitigation of risk through adequate controls provides management with the tools to anticipate and prevent a problem before it potentially occurs and/or is reported by auditors.

Background/Current DoD Environment
Condition: Since 1982, when the Congress passed the Federal Managers’ Financial Integrity Act, GAO and DoD auditors have continued to report:
– Significant weaknesses in the ability to provide timely, reliable, consistent, and accurate information for management analysis, decision-making, and reporting (Report No. GAO-06013), and
– Inefficient accomplishment of mission goals tied to the inability to identify, prioritize and mitigate risk through adequate reliance upon controls
Cause:
• DoD organizational culture resists department-level approaches to priority setting and investment decisions
• Lack of sustained leadership, adequate transparency, and appropriate accountability
• No implementation goals or timelines with which to establish accountability or measure progress
• Need for an integrated risk management framework that identifies material weaknesses and is not totally dependent upon internal auditor findings
Effect:
• Mismatch between programs and budgets
• Proportional, rather than strategic, allocation of resources to the services
• Detracts from accomplishment of the mission – negative publicity, increased costs, potential loss of life
A risk-based and results-oriented approach addresses competing resources in an increasingly constrained fiscal environment.

DoD Senior Management Priorities
“Component’s Annual Statement of Assurance was not always complete”1
“Lack of appropriate accountability across DoD’s major business areas results in billions of dollars of wasted resources annually”2
Reliance Upon Criteria
• OMB defines internal control as the steps a component takes to provide reasonable assurance that the component’s objectives are achieved through effectiveness and efficiency of operations (FMFIA, Section 2)
Specific Priorities1
1. Implementation of a “risk-based” Managers’ Internal Control Program that provides assurance on the effectiveness of internal controls.
2. Reliance upon thorough documentation (to include identification of assessable units, assignment of assessable unit managers, documentation of current processes, controls, associated risk, prioritization of risk, and corrective action plans). OSD will increase its role in this area.
Implementation of Criteria
• A DoD Component’s Managers’ Internal Control Program should include the identification, assessment and, if required, strengthening of internal controls to provide reasonable assurance of the most efficient and effective process to accomplish mission requirements – this is a continuous process
Validation of Results
• Assessments of program and administrative operations
• Implementation of a risk-based approach (based upon “materiality”)
• Validation of the adequacy of the Component’s Managers’ Internal Control Program
1 “Report on DoD Compliance with Federal Managers’ Financial Integrity Act of 1982,” Report No. D-2007-093, dated May 8, 2007, Department of Defense, Inspector General.
2 GAO’s High Risk Program, Testimony of the Comptroller General of the United States, dated March 15, 2006.

Importance of Organizational Participation
An Effective MICP Is Dependent Upon a Bottom-Up Perspective
Top-Down Perspective
Roles in the Formal Communication Framework: Director/Commander, Senior Managers, MICP Coordinator, MICP Program Manager, Assessable Unit Managers
• Clear, focused communication of the Component’s mission, the Commander/Director’s priorities and challenges, and organizational annual goals, to include agreement on performance metrics to gauge incremental progress.
• Formal Communication Framework between senior leadership and MICP Coordinators, and “Tone at the Top” (active participation in building an organizational culture that supports constant review and self-reporting of risk).
• Formal and informal access to Commanders/Directors, Senior Managers, Functional Leads and Assessable Unit Managers.
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of the MICP.
• Full participation in the communications stream. Key participant in execution of the Component’s mission and in the MICP Coordinator’s input on potential risks and the controls to mitigate them that are embedded in specific functional responsibilities. Key liaison between communication of the Component’s goals and review of compliance.
• Assist Senior Management in execution of the mission through design and execution of the MICP for specific functional areas. Regular formal/informal interface with Assessable Unit Managers. Provide guidance, milestones, expectations and overall feedback.
• Ongoing communications with the MICP Program Manager in confirmation of assessable unit processes, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements for assessable units.

Importance of Organizational Participation
An Effective MICP Is Dependent Upon a Bottom-Up Perspective
Bottom-Up Perspective
Director or Commander
• Conduct regularly scheduled meetings (at least monthly) with Senior Managers and MICP Coordinators to review potential risks to the Component and recommendations for mitigation of risk. Include, when applicable, the Assessable Unit Manager for presentation of specific supporting documentation.
Senior Managers
• Meet regularly with the MICP Coordinator to review conclusions reached on current controls and recommendations for mitigation. Obtain information on potential material internal control weaknesses for immediate mitigation and/or communication with the Director/Commander for action/approval.
MICP Coordinator
• Develop a communication strategy with MICP Program Managers to discuss identified risks, ranking of risks and potential recommendations for mitigation. Review potential “material weaknesses” and elevate when applicable based upon impact to the mission and/or “systemic” risk to the organization.
MICP Program Manager
• Organize regularly scheduled meetings with the MICP Coordinator to discuss analysis of processes, procedures, identified risk, ranking of risk, adequacy of controls, and recommendations for mitigation.
Assessable Unit Managers
• Document the assigned assessable unit through process maps and related narratives. Identify risks and current controls. Provide recommendations for ranking of risk and mitigation of risk. Interface with the MICP Program Manager regularly through formal and informal communications.
Definition of “systemic” – refers to something that is spread throughout, system-wide, affecting a group or system such as a body, economy, market or society as a whole.

Department Awareness – So What?
History
• In 2005, the DoD Comptroller established the DoD Financial Improvement and Audit Readiness (FIAR) Directorate to manage DoD-wide financial improvement efforts, to include receipt and review of SOAs and to provide support in the implementation of the MICP
• Three main goals:
  – provide timely, reliable, accurate and relevant financial information
  – sustain improvements through an effective internal control program
  – achieve unqualified (clean) opinions on DoD’s financial statements
Validation of the Implementation and Execution of Instruction No. 5010.40 – Key Points
Leverage OSD’s Support of DoD Components’ Managers’ Internal Control Activities to Include the Risk Management Cycle
• Continue to manage the receipt and reporting of the Annual Statement of Assurance and…
• Increase role through validation of assessment requirements to include review of:
  – Key controls (controls that address the relative assertions for a material activity or significant risk)
  – Procedures for “continuous monitoring” requirements of controls
  – Key aspects of a Managers’ Internal Control Program (e.g., “Tone at the Top,” self-reporting activities)
• Identify and report “material” internal control weaknesses in addition to those reported by Internal Auditors
• Leverage the FIAR Financial Improvement Plans to highlight remediation
• Increase validation activities of Components’ compliance with DoD Instruction No. 5010.40:
  – Appointment of MICP Administrator
  – Segment Component’s functions into assessable units and responsible unit managers
  – Documentation of actions to correct IC material weaknesses
  – Updated Charters
  – Assessment of ICs through a defined process
  – Reliance upon SAT for assessing/monitoring MICP efforts
  – Provide Levels of Assurance
  – Identify and report IC weaknesses
  – Report material weaknesses in SOA

Why Have an Effective Managers’ Internal Control Program?
Reliance Upon DoDIG, GAO and Other “Outside” Audit Agencies
• Reactive versus Pro-Active
• Control/Contain Negative Publicity
• Reliance Upon Uninformed
• Impact Upon Morale
Reliance Upon an Effective Internal Control Program
• Requires In-depth Understanding of Processes, Associated Risks and Controls*
• Identification of Problem Prior to Impact
• Part of Strategic Planning Process
• Impact Upon Effectiveness and Overall Accomplishment of a Component’s Mission
* Those persons assigned to a specific function within an organization will be the knowledge experts on efficiencies, inefficiencies, risks, and the identification and impact of current controls. These are the individuals to interview to document processes.

What Can Happen If Internal Management Controls Are Ineffective!
Pilots’ checklists for takeoff, flight, before landing, and after landing
• Became standard procedure after the 1935 crash of the Boeing Model 299 (predecessor to the famous Flying Fortress, B-17)
• Pilots decided that the new Model 299 was not “too much airplane for one man to fly”, but more than one man could remember without help
• Checklists (e.g., Internal Control) help compensate for the weaknesses of human memory to help ensure consistency and completeness in accomplishing a mission
Note: Other examples include the USS Cole bombing, Fort Hood shooting, Pentagon shooting and recent cyber attacks.

Where to Begin – “Tone At the Top”
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective, Senior Management’s support is needed through:
• Communication – Management must clearly communicate its ethics and values throughout the area it manages. These values can be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations.
• Active Participation – Kick-Off and Quarterly Meetings; discussions relevant to internal controls and associated risks
• Reporting – Create and promote a path for employees to self-report and feel safe from retaliation
• Reward Active Participation – Creation of a Commander’s Award; recognition of successful internal control activity

Responsibilities of MICP Leadership
Directors and Commanders
• Establishing and overseeing the MICP (Managers’ Internal Control Program)
• Complying with the requirements of the FMFIA (Federal Managers’ Financial Integrity Act)
• Designating the MICP Program Manager (Orders)
• Monitoring program implementation
• Ensuring managers understand their duties and responsibilities within the MICP
• Ensuring that MICP goals are established for each manager and that elements reflecting these goals are included in their employee performance plan and annual evaluation
  – Prepare/distribute memorandum
  – Attend key MICP meetings
  – Institute annual recognition award
  – Incorporate MICP requirements in performance elements
MICP Program Manager and Assessable Unit Manager
• Assisting the Directors and AU Managers in designing and implementing the Directorates’ MICP
• Deciding where controls are needed (assessing vulnerability)
• Design and documentation of controls
• Placement of controls in operation
• Continuously monitoring and improving the effectiveness of controls
• Periodic testing of controls
• Retaining MICP documentation to support annual reports
• Identifying MICP training requirements and providing/arranging for training
• Reporting whether or not controls are in place and working effectively (identifying weaknesses)
• Timely and effective action to correct deficiencies
• Evaluating the effectiveness of management controls
• Tracking progress on correction of deficiencies
• Appointing AU Managers (in writing)
• Preparation of the Statement of Assurance (SOA) feeder report
• Preparing the Annual Statement of Assurance based upon the current fiscal year’s program and identified weaknesses
• Ensuring material weaknesses are tracked and reported until corrected
• Providing technical advice and guidance to AU Managers
  – Prepares an MS Project Plan highlighting key milestones (completion of documentation requirements)
  – Meets regularly with AUs
  – Maintains/updates requirements
  – Ensures training provided is relevant
  – Ensures documentation/repository is current and maintained
  – Provides feedback up and down
  – Provides incentives for self-reporting
  – Understands business/mission

Begin With An Entity-Level Risk Assessment
Reliance Upon an Entity-Level Risk Assessment
• Enhances ability to understand key business risks
• Integral piece of management’s risk assessment process
• Provides a structured process that becomes the cornerstone for prioritizing risks
• Focuses attention on areas meriting management review and monitoring
• Builds knowledge and confidence in risk management
• Understand the Component’s highest risks to mission
Risk Assessment Process Overview
• Understanding the Component’s business, including strategies and objectives
• Developing a preliminary understanding of key business risks and processes and aligning them to the Component’s strategic plan and objectives
• Creating a customized risk universe – a framework for categorizing key business risks – that reflects the risks facing the Component
• Determining current risk monitoring activities
• Understanding the effectiveness of entity-level controls, such as:
  – Policies and procedures
  – Code of conduct
  – Segregation of duties
  – Business continuity and disaster recovery plans for all primary data centers and business unit facilities; and
  – Fraud prevention/detection programs
• Scoping the risk assessment by obtaining input from all key stakeholders
• Assessing, prioritizing, and validating key business risks with the key stakeholders
• Reporting the results of the risk assessment and using those results to develop a corrective action strategy

What are the Attributes of an Effective Managers’ Internal Control Program?
Tone at the Top
Verify Components & Units
• Segment the Component into organizations, functions, and sub-functions.
• Assign a Manager responsible for documentation for each assessable unit.
• Assign personnel responsible for sub-assessable units.
Identify and Assess Risk
Document Key Processes and Controls
• Conduct interviews of key stakeholders.
• Define processes, systems, and associated acronyms in narratives using the write-up template (see appendix for example).
• Document processes, controls, risks, system interfaces, and responsible stakeholders through process-flows with “swim lanes” (see appendix for example).
• Have interviewed personnel review and sign off on process-flows and narratives.
Assess Internal Controls (Testing)
• From controls noted in process-flow documentation and supporting interviews, complete a Controls Matrix Worksheet Template (see example in appendix).
• Highlight the current control activity and the ranking of the risk in terms of “high”, “medium” and “low” based upon agreed-upon criteria (i.e., cost to the organization if the risk occurs).
Document and Implement Improvements
Monitor Corrective Action Plans
• Assessable Unit Managers are responsible to report assurance and track corrective actions to ensure prompt resolution of control deficiencies, reportable conditions, or material weaknesses identified during assessment.
• The corrective action plan should note the deficiency, modification to the control, assigned responsibility to modify the control, milestone date for completion, and follow-up test work to ensure completion (see example of corrective action template in appendix).
• Focus upon those risks identified as “high”.
• Rely upon testing to ensure adequacy of controls.
Foundation for a “Results-Oriented” Risk-Based Managers’ Internal Control Program

Breakdown of a Component’s Functions Into Assessable Units
• Agency – Department of Defense
• Component – 37 DoD Reporting Components, such as SOCOM
• Sub-component – SOCS, AFSOC, USASCO, NSWC, MARSOC and SOCCENT
• Function – Contract Directorate
• Assessable Units* – Design of Competition, Development of Statement of Work, and Contract Close Out
* Assessable Units are defined as segments of business activities. Each DoD Component is required to report 100% of its assessable units.

The MICP Assessments Must Consider All Mission Essential Functions
Functional areas surrounding the DoD Senior Assessment Team: Mfg, Maint, & Repair; Supply; Property Mgmt; Force Readiness; Commo, Intel & Secur; Contract Admin; Info Tech; Procurement; Personnel & Org; Major System Acq; Comptroller & RM; RDT&E; Security Assist; Support Svcs; FMFIA Over Financial Reporting (Appendix A)

The Element of “Risk”
Management should identify internal and external risks that may prevent the organization from meeting its objectives.
• Risk – The uncertainty of an event occurring that could have an impact on the achievement of objectives.
• Risk Assessment – A systemic process for assessing and integrating professional judgment about probable adverse conditions and/or events.
• Risk Management – The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.
Example – per the Washington Post, April 20, 2010: “Pentagon Planning More Oversight of War-Zone Contractors”
• Risk: The Army’s contracting workforce is only 55 percent of what it was in the mid-1990s, while the dollar value of contracts overseen has jumped from $11 billion to $165 billion.
• Risk Assessment: Estimate provided that “we project recovery will take at least 10 years,” Lt. Gen. William N. Phillips, Principal Military Deputy, AT&L.
• Risk Management: Creation (2008) of the Commission on Wartime Contracting in Iraq and Afghanistan to recommend improvements in reconstruction and logistics work in the wake of concerns about fraud and waste. Recommendation to increase the acquisition workforce and related training.
Definition of “systemic” – refers to something that is spread throughout, system-wide, affecting a group or system such as a body, economy, market or society as a whole (definition obtained from Wikipedia).

Department of Defense – OSD Policy
DoD Instruction 5010.40, Managers’ Internal Control Program
What
DoD Instruction 5010.40, Managers’ Internal Control Program Procedures
• Established to:
  – Review, assess, and report on the effectiveness of internal controls
  – Identify and promptly correct ineffective internal controls, and
  – Establish internal controls when warranted
How
• Develop a Managers’ Internal Control Program that concludes with the Component Head or Principal Deputy annually reporting reasonable assurance on the effectiveness of internal controls
• Segment into organizational assessable units and maintain an inventory of these assessable units
• Assign internal control responsibility to leadership and provide adequate training
• Report on whether internal controls provide reasonable assurance
• Track corrective actions
• Fully disclose material weaknesses
• Generate and maintain thorough documentation of activities
OSD Validation of Documentation Supporting Internal Control Activities
An “effective” Managers’ Internal Control Program includes review of program, operational, and administrative controls in functional DoD reporting categories – not just those identified by the internal auditors and/or the reporting of “low-hanging fruit”

What is New?
Assessment of Acquisition Functions Under OMB Circular A-123 What How • Office of Federal Procurement Policy in OMB published guidelines for internal control reviews of acquisition functions – Requirement to integrate the internal control review of acquisition with the existing internal control assessment and annual SOA reporting process – For first year of implementation, only the Components that report an annual SOA directly to the Secretary of Defense are required to complete the acquisition assessment • To conduct assessment of internal controls over acquisition functions, a “DoD Assessment of Internal Control over Acquisition Functions Template” has been created – For assessment of control environment, standards and objectives have been embedded into the template – The template includes a column to document the risk to properly implement the standard or objective and the identification of control activities to include policies and procedures that help ensure the necessary actions are taken to address the risk DoD Assessment of Internal Control Over Acquisition Functions Cornerstones Template Organizational Alignment and Leadership Control Environment What are the standards or objectives that set the tone or provide structure? Risk Assessment Control Activities What are the relevant risks to properly implement the standards/objectives? What are the policies and procedures that help ensure the necessary actions are taken to address risk? Monitoring What monitoring activities or separate evaluations are in place to assess performance over time? 22 What is New? For this reporting year, Components will not be scored on this new requirement. 
FFMIA Internal Controls Over Financial System Process (ICOFS) What • Requirement to conduct FFMIA ICOFS assessments and to report results annually in the SOA • FFMIA requires that the Component’s Integrated Financial Management System be compliant with (substantial compliance requirements): – Federal system requirements; – Federal accounting standards; and – U.S. Standard General Ledger at the transaction level Criteria How • Compliance with this requirement is accomplished through the documentation of the substantial compliance requirements • FFMIA compliance is determined through testing and evaluation by an objective internal or external resource • Compliance testing is performed in accordance with the Government Accountability Office’s Financial Audit Manual (Section 300 of Volume 1, and Section 700 of Volume 2) • FFMIA compliance test results should be retained for no less than 3 years • Head of Component is responsible for preparing, maintaining, and executing an Integrated Financial Management System Improvement Plan when there is moderate risk of non-compliance • The Head of each Reporting Entity is responsible for reporting the compliance of the Entity’s Integrated Financial Management System (IFMS) with FFMIA, OMB Circular A-127, and Chapter 3 of Volume 1 of the DoDFMR • The IFMS is a unified set of financial systems and financial portions of mixed systems that encompass the software, hardware, personnel, processes, procedures, controls and data necessary to carry out financial management functions, and management of financial operations 23 MICP Requires Self-Reporting “What Are the Qualities Necessary for You to Be Successful as a Military Leader,” • “Challenge conventional wisdom and call things as you see them to subordinates and superiors alike” • “As an officer if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice” • An example: “Hurdles faced by the officer known as 
the father of the ICBM. As a new brigadier general in the 1950s, Bernard Schriever overcame numerous technology failures, massive Pentagon red-tape, and most daunting of all, the Service's Bomber Barons, led by Curtis LeMay himself, who believed that nuclear weapons had no business being carried by anything without a pilot. The ICBM force would become the backbone of America's strategic deterrent for more than a generation, and was critical to holding the Soviets long enough for their empire to collapse."
• "The need for candor is not just an abstract notion. It has very real effects on the perception of the military and the wars themselves. The military campaigns from Korea to Vietnam, Somalia, the Balkans, Iraq and Afghanistan have been frustrating, controversial efforts for the American public and our American armed forces. Each conflict has prompted debates over whether senior military officers were being too deferential or not deferential enough to civilians, and whether civilians, in turn, were too receptive or not receptive enough to military advice."
Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy on April 02, 2010

Conclusion/Next Steps
"Paradigm shift" in management and reporting of internal controls, through:
• Emphasis on a risk-based approach to focus on the essential elements;
• Focus on the effectiveness of processes related to improvement of information that is important to senior management (e.g., existence and completeness of mission-critical assets);
• Reliance on an effective Management Control Program versus reliance upon internal auditors to identify and report upon "material" internal control weaknesses;
• Validation by OSD of the effectiveness of each Component's Managers' Internal Control Program, to include:
  – Adherence with MICP procedures provided in DoD Instruction No. 5010.40
  – Annual identification of assessable units
  – Documentation of an inventory of internal controls
  – Documentation that supports the reliance upon risk assessments, to include testing of controls when deemed applicable
  – Documentation that supports continuous monitoring to provide the basis for Component-level annual assessment and reporting of the effectiveness of program, operational, and administrative internal controls

DoD MICP Point of Contact: Steve Silverstein, 703-607-0300 Ext. 123, Steve.Silverstein@OSD.Mil

Appendix

The "Gold Standard"

Managers' Internal Control Program Impact, June 3, 2010, Pamela F. Conklin, Defense Commissary Agency

Defense Commissary Agency
• "Tone at the Top" – FY 2006 Director supports the MIC Program
  – Emphasis restated annually at the Director's Call and senior-level staff meetings
  – Functional Process Owners are part of DeCA's Senior Assessment Team
  – Assessable Unit Managers identified
• Process Owners identified
• Agency Strategic Impact Link/Statement of Assurance
  – MIC/OMB Circular A-123, Appendix A
• Combined as One – DeCA! (standard process implementation)
• DeCA aligned financial and non-financial processes to mirror one another:
  » Narratives, flowcharts
  » Risk assessment
  » Test plan
  » Control analysis
  – External audit of financial statements
  – Inspector General Commissary Inspection Evaluation Program (CCI)
  – Internal Review – audit plan
  – Lean Six Sigma continuous process improvement

Training Employees on Utilizing the Appendix A Methodology
• OneNet training – video presentation
• Face-to-face – AUMs and process owners
  – Zone Manager training
  – Store Director training (classroom instruction)
• Posters, flyers, rack cards
• Manuals
  – DeCAM 70-2.1 (under review)
  – DeCAM 70-2.2
  – DeCAM 70-2.3
• SharePoint – portal documentation

Follow-Up
• Annual review of business processes with each Process Owner
• Continuous communication
• Continuous process improvement

Managers' Internal Control Program Impact, June 3, 2010, M. Scott Deutsch, US Special Operations Command

US Special Operations Command
• Command Support – "Tone at the Top"
  – USSOCOM Directive 5-1 – Managers' Internal Control Program
    • Reiterates the importance of the program
    • Establishes the format and flow of information for the annual Statement of Assurance submission
    • Provides templates for use and uniformity across the command
  – Command Tasker
    • Annual memorandum signed by the CoS
    • Timelines and guidance for submission of the Statement of Assurance
    • Internally developed form for tracking evaluation dates of identified AUMs
  – Scoring of feeder statements
    • Established a panel that reviews, evaluates, and scores feeder statements
    • Formal memorandum with recommendations for overall improvement provided
    • Memorandum recognizing the overall highest score, signed by the Commander, sent throughout the command

US Special Operations Command (cont.)
• Training – Annual MICP Training Workshop
  – Includes representatives from all 26 Components, Theater Support Commands, and Headquarters staff
  – Reviews updates to the overall program
  – Guest speakers from outside sources who are experts in the field
  – On-site training for Directors, AUMs, and Process Owners
• Awareness – Newcomer Briefing
  – Provides an overview of the MICP
  – Required for all personnel arriving at Headquarters
• MICP Portal Webpage
  – Reference materials
  – Historical documentation
  – Templates for uniform use
  – Information sharing across the entire command

Process Flow (flowchart; not reproduced in text)

Narratives – Documenting Information
Key process activities should be distinguished from controls in the narrative.
• Each activity/step should include the who, what, where, when, why, and how often of the process
• Activities should be presented in a manner that tells a story, from start to finish
• Descriptions of activities should be comprehensive enough to give a third party a clear understanding of the process

Controls Matrix Template
Title of Organization / Function of Organization / Sub-Function of Organization
Control Matrix Worksheet
Scope Date: Month, Year – Month, Year
POC:
Date:
Assessable Unit:

Example row:
  Control Point (obtained from process flow): Budget Execution/Funding
  Control Objective: Controls should be in place to ensure that only authorized personnel can reallocate and/or reprogram funds.
  Process Procedure: Reprogramming funds between different appropriations requires OSD and Congressional approval.
  Control Risk (High, Medium or Low): Medium
  Control Description: The Reprogramming Team approves the formal reprogramming request after receipt of the OSD memorandum of implementation.
  Control Category: Segregation of duties/Authorization; Approval

Criteria to Validate MICP

Areas to be Validated (Next Fiscal Year – 2011)
Scoring Legend: 1 – Non-compliant; 2 – Partially compliant; 3 – Compliant

Entity Level
1) Has the component completed an entity-wide internal risk assessment?
2) Did the component designate an individual as responsible for the Managers' Internal Control Program (MICP)?
3) Did the component send a representative to the MICP annual conference?
4) Does the component demonstrate an effective "Tone at the Top" management approach through active participation, memorandums regarding the internal control program, incentive rewards, etc.?

Assessable Unit
5) Is the component segmented into organizations, functions and assessable units (sub-functions)? Does the breakdown make sense?
6) Has the component identified an individual responsible for each assessable unit (Assessable Unit Manager)?
7) Does the component provide a training program to managers and assessable unit managers for conducting risk assessments and performing internal control reviews?
8) Does the component conduct regular meetings with the Commander/MICP Manager/MICP Assessable Unit Managers? Are the meetings verified with related documentation/minutes?
9) Did the component document interviews of key stakeholders for each assessable unit?

Risk Assessment
10) Has risk been ranked in accordance with materiality, with written description and justification?
11) Does the ranking of identified specific risks agree with the overall universe of risk?
12) Have the Assessable Units with the "highest" risks been reviewed and controls modified accordingly?
13) Does the component note potential risks in current processes and related controls to mitigate these risks?
14) Is there documentation of testing of controls to ensure that risks identified as high risk are mitigated?

Internal Control Review / Reporting
15) Have internal control reviews been performed for all "high risk" Assessable Units? Have the related controls been modified accordingly?
16) Does the Statement of Assurance properly reflect material weaknesses, and are the material weaknesses traceable to related documentation?
17) For each internal control material weakness noted, is there a thorough description and a related corrective action plan that specifies modifications to controls, assigned responsibilities, milestone dates and follow-up test work?
18) Does the component utilize a documented self-reporting matrix for ineffective internal controls?
19) Does the component have a recognition program that promotes self-reporting and significant reporting of internal control weaknesses?

Documentation / Record Retention
20) Did the component document defined processes, systems and associated acronyms in narratives using the provided write-up template?
21) Does the component maintain a central repository (i.e., E-room, filing, etc.) to store documentation?

"Tone at the Top"

"Generic" Control Objectives/Risks by Functional Area

Specific Control Objectives Related to Specific Functions – Acquisitions

Function: Acquisition – Major System
Sub-process: Acquisition Planning
  Control objectives:
    • Ensure accurate requirements for the system are captured and well-defined in the contract
    • Integration across the organization in acquisition planning to ensure contract requirements sufficiently capture the organization's objectives
    • Ensure total system costs are properly assessed and sufficient funding is obligated appropriately
  Controls:
    • Authorization of procurement
    • Request for goods; Request for Proposal (RFP)
    • Authorization of funding
  Risks:
    • Failure to follow FAR requirements for solicitations; failure to follow laws and regulations for procurement
    • Inadequately trained or inexperienced procurement staff
    • Failure to utilize purchase efficiencies gained through GSA, FPI, and UNICOR
    • Failure to properly assess the total system costs and establish sufficient funding for the duration of the contract
Sub-process: Receipt of assets (system)
  Control objectives:
    • Existence – the system is delivered/received at the accurate price according to the contract terms
  Controls:
    • Authorization of payments
  Risks:
    • Failure to promptly track the system with accurate pricing
Sub-process: Receive vendor invoice
  Control objectives:
    • Completeness – all debts are fully recorded
  Controls:
    • Periodic reconciliation of existence of assets to recorded amounts
  Risks:
    • Failure to properly review delivery of assets

Function: Acquisition – Major System (cont.)
Sub-process: Record Accounts Payable
  Control objectives:
    • Accuracy of amounts, terms, account balances
  Risks:
    • Overpayment of taxes on purchase transactions and contracts
Sub-process: Cash disbursement
  Control objectives:
    • Timing – date of transaction posting coincides with occurrence of the transactions
  Controls:
    • Timely recording and independent review of asset acquisition
Sub-process: Managing Fixed Assets
  Control objectives:
    • Segregation of responsibilities: authorization, custody of assets, recording, and reconciliation
    • Records of fixed assets purchased with Federal funds comply with federal regulations
  Controls:
    • Separation of asset custody from other functions (i.e., accounting)
    • Maintaining a fixed asset register and/or master file, including any relevant maintenance activity files

Function: Inventory / Property Management
Sub-process: Requisitioning
  Control objectives:
    • All goods to be transferred to operations are appropriately requisitioned
  Controls:
    • Materials received are checked to verify that they comply with the approved requisition
  Risks:
    • Failure to properly review goods
Sub-process: Receiving Purchased Inventory Materials
  Control objectives:
    • Ensure recorded property transactions represent economic events that actually occurred and are properly classified and recorded in the correct period
    • Receipts of purchased inventory (including raw materials) are recorded timely and in the appropriate period
  Risks:
    • Improper costing of assets
    • Ineffective acquisition policy due to inefficient maintenance of inventories, supplies, and IT assets
Sub-process: Transfer Goods to Operations
  Control objectives:
    • Ensure recorded property exists at a given date
  Controls:
    • All materials requisitioned are properly transferred

Function: Inventory / Property Management (cont.)
Sub-process: Perform Reconciliations
  Control objectives:
    • Ensure recorded property at a given date is supported by appropriate detailed records that are accurately summarized and reconciled to the account balance
    • Ensure all existing property as of the reporting date, including property in the custody of third parties, is included in the general ledger
    • Ensure recorded property is owned by the entity; the entity has rights to the recorded asset at a given date
    • Ensure property balances and related footnote disclosures contain all information needed for fair presentation in accordance with US GAAP
    • Recorded purchased inventory (including raw materials and excluding consignment goods) represents materials acquired by the entity
  Controls:
    • Periodic reconciliation of existence of inventory to recorded amounts
    • Materials are transferred only on the basis of a properly approved requisition
    • Requisitions are prenumbered and investigated when missing
  Risks:
    • Overpayment of taxes on purchase transactions and contracts
    • Inadequate processes and policies to secure physical assets
    • Failure to implement security controls

Function: Inventory / Property Management (cont.)
Sub-process: Maintain Inventory Master File
  Control objectives:
    • Only valid changes are made to the inventory management master file
  Risks:
    • Miscategorization
Sub-process: Security and Monitoring of Inventory
  Control objectives:
    • Only valid customer orders are processed
    • Ensure materials are securely stored and inventory is adequately safeguarded
    • Ensure inventory is stored in an appropriate location that is conducive to efficient use of assets and operations
    • Monitor inventories for slow-moving and obsolete materials and remove those materials if needed
    • Efficiently process excess property for donation or disposal
    • Defective materials are returned timely to suppliers
  Controls:
    • Approvals from appropriate marketing/sales personnel are verified for customer orders
  Risks:
    • Theft of assets
    • Inappropriate location and/or inefficient operation of assets
    • Misuse of assets by government personnel
    • Inadequate capacity planning
    • Improper production planning
    • Failure to undertake timely maintenance of plant and machinery
    • Mismanagement of software and hardware inventory

Function: Inventory / Property Management (cont.)
Sub-process: Issue Inventory to Customer
  Control objectives:
    • Complete and accurate records of products stored and available for shipment are maintained
    • All shipments are accurately documented, and such documentation is forwarded to accounts receivable on a timely basis
  Controls:
    • Product transfer documents are required for movements of product into or out of storage. Such documents are prenumbered, and missing documents are investigated
    • Shipping document information is compared with customer order information before shipment
    • Shipping document information is independently verified prior to shipment
  Risks:
    • Regulatory noncompliance
    • Discrepancy between physical and financial information

Function: Contract Administration
Sub-process: Acquisition Planning
  Control objectives:
    • Ensure accurate business requirements are captured and scope is well-defined in the contract's Statement of Work (SOW)
    • Ensure integration across the organization in planning to address similar project goals in other departments
    • Ensure total project costs are properly assessed and sufficient funding is obligated appropriately
    • Acquisition transactions are properly recorded, including commitment, obligation, A/P, and payment
  Controls:
    • Authorization of acquisition transactions
  Risks:
    • Contract objectives are not fully expressed in the SOW requirements and are not fulfilled by the contract execution
    • Duplication or redundancy of contract requirements across multiple contracts within a particular organization
    • Failure to properly assess the total project costs and establish sufficient funding for the duration of the project
    • Failure to utilize purchase efficiencies gained through GSA, FPI, and UNICOR
    • Inability to maintain a steady funding stream over a multiple-year contract to successfully execute the program
    • Improper authorization of acquisition transactions

Function: Contract Administration (cont.)
Sub-process: Contract Award
  Control objectives:
    • Selection of and award to the company that is best qualified to fulfill the contract requirements
    • Preclude protest of award
    • Ensure all qualified companies are given an equal opportunity to be awarded the contract
    • Selection of an effective contract vehicle or type (fixed fee, cost reimbursement, cost plus incentive)
  Controls:
    • The evaluation committee is comprised of experienced staff who understand the contract requirements and will make the proper selection
    • Selection is made based on the evaluation criteria that are expressly defined in the RFP or solicitation documentation
  Risks:
    • Selection of an unqualified company
    • Ineffective selection of a contractor based solely on low price instead of best value
    • Risk of protest due to an undefendable or unsound selection choice
    • Shrinking field of qualified companies to achieve contract goals
    • Inappropriate selection of contract vehicle or type
    • Unclearly defined price structure, deliverable requirements, or incentive requirements
    • Insufficient retention of documentation to support award decisions
    • Leakage or sale of insider information to bidders

Function: Contract Administration (cont.)
Sub-process: Contract Administration
  Control objectives:
    • Ensure appropriate government personnel are aligned to the project
    • Consistent performance of the contract and fulfillment of contract requirements
    • Contractor satisfies quality performance standards
  Controls:
    • Effective human resources policies on appropriate staffing, retention, and organizational structure
    • Requirement included in the contract for the contractor to effectively manage and limit turnover and obtain government approval for project staffing decisions
    • Mechanisms to measure the contractor's performance relative to the contract requirements, such as a survey of government personnel aligned to the project
  Risks:
    • Loss of contract focus due to changes in administration or key government personnel
    • Lack of procedures to identify and monitor risks on existing contracts
    • Inability to find or retain subject matter experts to oversee a contract
    • High contractor turnover causing inconsistent or misdirected performance
    • Lack of procedures to assess the adequacy and appropriateness of costs for services and goods received
    • Lack of mechanisms in place to measure contract performance
    • Insufficient management of the project scope to achieve project goals and complete tasks within budget

Function: Contract Administration (cont.)
Sub-process: Contract Closeout
  Control objectives:
    • Contracts are closed out within the specified time period following completion of the contract, making leftover funds available for other needs
    • Ensure all deliverables specified in the contract have been received
  Controls:
    • Federal regulation to review and close completed contracts, and deobligate remaining funds on a timely basis
  Risks:
    • Failure to close out a contract on a timely basis, making leftover funds unavailable for other needs
    • Lack of analysis to ensure receipt of deliverables prior to contract closure
    • Lack of information gathered on performance to assess prospective contract renewals
    • Untimely closure of contracts in accordance with financial and administrative guidelines, creating a backlog

Function: IT Management
Sub-process: Systematic Data Processing
  Control objectives:
    • Systems are maintained to allow timely communication of accurate internal and external information to relevant personnel
    • All production programs needed to process batch and on-line transactions and prepare related reports are executed timely and to normal completion
    • Only valid production programs are executed
    • Data is retained in accordance with laws, regulations, and company policy to enable retrieval when needed
    • Continued adherence to applicable IT laws and regulations
  Controls:
    • Information systems are instituted that ensure the accuracy and timeliness of internal and external information
    • Processing is monitored by management to ensure successful and timely completion, including review and resolution of any exceptions
    • Exceptions to normal processing are logged, reviewed by management, and promptly resolved
    • Batch and on-line processing procedures are defined to ensure that jobs and/or transactions are processed to normal completion or are recovered and reprocessed
    • Automated scheduling tools have been implemented to ensure the authorization and completeness of the flow of processing
    • Access to production processing control language and executable programs is defined to restrict the ability to execute, modify, delete or create to appropriate individuals
    • Management and users plan and schedule backup and retention of data, and erasure and release of media when retention is no longer required
    • Management periodically reviews retention and release records
    • Constant review of the applicable legislation
  Risks:
    • Inefficient data retention processes and tools
    • Failure to constantly review the applicable legislation

Function: IT Management (cont.)
Sub-process: IT System Maintenance
  Control objectives:
    • New network and communication software is appropriately implemented and functions consistent with management's intentions
  Controls:
    • Management has established formal policies to ensure that before changes are made to application systems, data structures, network and communication software, and systems software and hardware or the environment in which they operate, all affected parties are informed and the timing of modifications is coordinated with them to ensure minimum impact on other processing activities
    • Network and communication software and hardware are initially installed and evaluated in a test environment before implementation
    • Current documentation for network software, communication software, and the network topology is available and used when installing and/or maintaining the network
    • System implementation procedures include training users on appropriate use of new or substantially modified systems; compliance with these procedures is monitored by management
    • As new employees are hired and as employees transfer within the entity, they receive formal training on relevant application systems

Function: IT Management (cont.)
Sub-process: IT System Testing
  Control objectives:
    • Access to the test and production environments is restricted
  Controls:
    • Passwords or other mechanisms are in place to restrict access to test and production environments
    • Tests are performed using a complete and representative set of test data instead of production data
    • The impact of proposed hardware, application system, data structure, and system software changes is assessed and reviewed by management before implementation into production in order to minimize disruptions to operations

Function: IT Management (cont.)
Sub-process: Modifications or Upgrades to IT Systems
  Control objectives:
    • Modifications to existing network and communication software are appropriately implemented, and modified network and communication software functions consistently with management's intentions
  Controls:
    • Management has established formal policies to ensure that before changes are made to application systems, data structures, network and communication software, and systems software and hardware or the environment in which they operate, all affected parties are contacted and the timing of such modifications is coordinated with them to ensure minimum impact on other processing activities
    • Implementation is performed in a manner that allows the original environment to be restored if necessary
    • Network and communication software and hardware are initially installed and evaluated in a test environment before implementation
    • A formal methodology or process is used to guide the acquisition, development or maintenance of hardware, application systems, network and communication software and systems software
    • Requests for changes to network and communication software in the production environment are documented and approved by management
    • Management monitors implementation of all such changes
  Risks:
    • Ineffective/delayed development, testing and deployment of new technology
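The IT Management controls above ("only valid production programs are executed", "requests for changes ... are documented and approved by management", software "evaluated in a test environment before implementation") and the segregation-of-duties objective under Managing Fixed Assets are usually tested by reconciling what actually runs in production against the change records. The following is an added example written for this page, not code from the briefing, DeCA or USSOCOM; the record layouts, field names, user names, dates and artifact hashes are all constructed for illustration.

```python
"""Change-control reconciliation for production programs (added example).

Every executable observed in production must match the artifact hash of a
change request that management approved, that carries test-environment
evidence, and whose requester and approver differ. Anything else is an
exception for management review. Layouts and sample data are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash of an artifact's bytes; the production inventory stores this per file."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ChangeRequest:
    change_id: str
    artifact_sha256: str          # hash of the binary the change delivers
    requested_by: str
    approved_by: Optional[str]    # None -> no management approval recorded
    tested_in_test_env: bool      # evidence of evaluation outside production
    approved_on: Optional[date]


@dataclass(frozen=True)
class ProductionProgram:
    path: str
    sha256: str
    first_seen: date              # date the inventory first observed this hash


def reconcile(programs: List[ProductionProgram],
              changes: List[ChangeRequest]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs.

    UNAPPROVED_ARTIFACT       hash running in production with no change record
    NOT_APPROVED              change record exists but lacks management approval
    SELF_APPROVED             requester and approver are the same person (SoD)
    NOT_TESTED                approved, but no test-environment evidence
    DEPLOYED_BEFORE_APPROVAL  observed in production before the approval date
    """
    by_hash = {c.artifact_sha256: c for c in changes}
    findings: List[Tuple[str, str]] = []
    for prog in programs:
        chg = by_hash.get(prog.sha256)
        if chg is None:
            findings.append((prog.path, "UNAPPROVED_ARTIFACT"))
            continue
        if chg.approved_by is None or chg.approved_on is None:
            findings.append((prog.path, "NOT_APPROVED"))
            continue
        if chg.approved_by == chg.requested_by:
            findings.append((prog.path, "SELF_APPROVED"))
        if not chg.tested_in_test_env:
            findings.append((prog.path, "NOT_TESTED"))
        if prog.first_seen < chg.approved_on:
            findings.append((prog.path, "DEPLOYED_BEFORE_APPROVAL"))
    return findings


# --- constructed sample data (hashes are of the version strings themselves) ---
H = {name: sha256_hex(name.encode()) for name in
     ("payroll-2.1", "ledger-1.4", "report-3.0", "sched-1.1", "batch-5.2", "unknown")}

SAMPLE_CHANGES = [
    ChangeRequest("CR-101", H["payroll-2.1"], "j.doe", "m.smith", True, date(2010, 5, 1)),
    ChangeRequest("CR-102", H["ledger-1.4"], "k.lee", "k.lee", True, date(2010, 5, 3)),
    ChangeRequest("CR-103", H["report-3.0"], "j.doe", None, False, None),
    ChangeRequest("CR-104", H["sched-1.1"], "a.ng", "m.smith", False, date(2010, 5, 10)),
    ChangeRequest("CR-105", H["batch-5.2"], "a.ng", "m.smith", True, date(2010, 5, 20)),
]

SAMPLE_PROGRAMS = [
    ProductionProgram("/prod/bin/payroll", H["payroll-2.1"], date(2010, 5, 2)),
    ProductionProgram("/prod/bin/ledger", H["ledger-1.4"], date(2010, 5, 4)),
    ProductionProgram("/prod/bin/report", H["report-3.0"], date(2010, 5, 5)),
    ProductionProgram("/prod/bin/sched", H["sched-1.1"], date(2010, 5, 11)),
    ProductionProgram("/prod/bin/batch", H["batch-5.2"], date(2010, 5, 15)),
    ProductionProgram("/prod/bin/unknown", H["unknown"], date(2010, 5, 12)),
]


def run_sample() -> List[Tuple[str, str]]:
    return reconcile(SAMPLE_PROGRAMS, SAMPLE_CHANGES)


if __name__ == "__main__":
    for path, finding in run_sample():
        print(f"{finding:25} {path}")
```

Matching on the artifact hash rather than on file name or version string is the point: a program that was swapped after approval, or copied into production outside the change process, keeps its name but not its hash, which is the "only valid production programs are executed" control in testable form.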
Function: IT Management (cont.)
Sub-process: Architecture – Federal Enterprise
  Control objectives:
    • Ensure the architecture is aligned with the organizational strategy and objectives and allows organizational requirements to be satisfied
  Risks:
    • Failure to implement a technology aligned with the organization's strategy
    • Organizational requirements are not being met by systems currently in place
Sub-process: Technology Asset Management
  Risks:
    • Ineffective software acquisition methodology

Function: IT Management (cont.)
Sub-process: Information Security
  Control objectives:
    • Integrity of the organization's network is maintained through the firewall and security measures designed to prevent viruses, attacks, and access by unauthorized parties
    • Access to information systems is restricted to those who are authorized for a particular system and who have a specific business-related need to access the data contained within the system
    • Data and information stored on electronic media are not accessed by anyone other than those intended to have such permission
  Controls:
    • Issue and use of Common Access Cards (CAC) for all personnel who access the DoD organization's network
    • Access to information systems requires a CAC with a valid certificate, user name/password, or some other mechanism to ensure personnel identity
    • System Access Authorization Request (SAAR) forms are completed and approved prior to granting access to information systems
    • All media (tapes, manuals, guides, etc.) are stored in a secured, environmentally controlled location
    • Removable media are labeled to enable proper identification
    • Automated data retention tools have been approved by management and implemented to manage the backup and retention data plan and schedule
  Risks:
    • Untimely application of security patches
    • Use of unlicensed or unsupported software and hardware
    • Vulnerability to malicious attacks, ineffective antivirus measures, lack of physical/logical security
    • Ineffective/inefficient access controls
    • Unauthorized access to personally identifiable information
    • Unclear ownership and classification of data
    • Failure to secure transportable media

Function: IT Management (cont.)
Sub-process: Physical and Environmental Security
  Control objectives:
    • In the event of a breakdown in a system, server or network, information and data contained within the system are not permanently lost
    • Data centers and physical locations of servers and information systems are protected by adequate security
  Controls:
    • Backups are archived off-site to minimize the risk that data is lost
  Risks:
    • Inability to recover from a business interruption
    • Inadequate physical security around data centers
    • Lack of segregation of duties

Function: Force Protection
Sub-process: Protection From Physical Threat
  Control objectives:
    • All organizations and parties who could potentially be impacted by a threat are aware of the potential threat and the severity of certain threats
    • Ensure that threats are recognized by all who could be impacted
    • Ensure that threat information is communicated in a timely manner to all relevant organizations
    • Ensure that the severity of a threat and the level of potential that a threat may occur are understood uniformly by all relevant organizations and parties
    • Ability to identify and mitigate force protection gaps and weaknesses
    • Ensure DoD maintains security oversight of the transit of military equipment and that custody is never fully transferred to non-DoD entities
    • Ability to assess the susceptibility to and potential of a threat, and thus be prepared to defend against it
  Controls:
    • Regular administration and updating of force protection training
    • Effective mechanism by which to coordinate and disseminate threat information at military installations
    • Force Protection Condition (FPCON) system
    • Central authority responsible for overseeing, coordinating and executing force protection measures of deployments
    • DoD maintains control over the transit of military equipment during deployment
    • Conduct regular vulnerability assessments of potential threats to assets and physical areas, computer networks, installation infrastructure, and transportation systems
    • Existence of an antiterrorism plan and the consistent review and update of such a plan
  Risks:
    • Potential that custody of military equipment falls into the hands of individuals or groups whose interests are counter to those of the United States

Function: Force Protection (cont.)
Sub-process: Protection From Cyber Threat
  Control objectives:
    • Data centers and physical locations of servers and information systems are protected by adequate security
    • Integrity of the organization's network is maintained through the firewall and security measures designed to prevent viruses, attacks, and access by unauthorized parties
    • Data and information stored on electronic media are not accessed by anyone other than those intended to have such permission
  Risks:
    • Inadequate physical security around data centers

Function: Procurement
Sub-process: Vendor Selection
  Control objectives:
    • Identify and purchase from vendors capable of meeting the entity's needs
  Controls:
    • Investigate and periodically update vendor capabilities regarding production quality and capacity, price (including volume or cash discounts and payment terms), order lead-time requirements, current and former customer satisfaction, financial condition, and management stability
    • Periodically update vendor information based on vendor terms and specifications of contracts or purchase orders (e.g., timely delivery of acceptable items, correction of errors or problems, and service)
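The Information Security controls above (access only with an approved SAAR, a CAC with a valid certificate, and a specific business-related need) are a point-in-time gate; the matching detective control is a periodic review that asks whether every account still enabled on a system can be traced to all three. The following is an added example written for this page, not code from the briefing or from any DoD system; the record layouts, the review date, and the sample users, systems and certificates are constructed for illustration.

```python
"""Access-authorization review against SAAR approvals and CAC certificates (added example).

For each enabled account the check requires an approved SAAR covering that
system whose stated business need has not lapsed, and a CAC certificate for
the account holder that is unrevoked and inside its validity window on the
review date. Layouts and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Saar:
    saar_id: str
    user: str
    system: str
    approved: bool                 # approved before access was granted
    need_expires: Optional[date]   # end of the stated business need; None = open


@dataclass(frozen=True)
class CacCert:
    user: str
    not_before: date
    not_after: date
    revoked: bool


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    enabled: bool


def cert_valid(cert: Optional[CacCert], as_of: date) -> bool:
    """A CAC certificate is usable only if present, unrevoked and in-date."""
    return (cert is not None and not cert.revoked
            and cert.not_before <= as_of <= cert.not_after)


def review_access(accounts: List[Account], saars: List[Saar],
                  certs: List[CacCert], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (user, system, finding) for each enabled account failing a control.

    NO_APPROVED_SAAR  access exists without an approved SAAR for this system
    SAAR_EXPIRED      SAAR approved, but the stated business need has lapsed
    NO_VALID_CAC      no unrevoked, in-date CAC certificate on the review date
    """
    approved = {(s.user, s.system): s for s in saars if s.approved}
    cert_by_user = {c.user: c for c in certs}
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # a disabled account grants no access
        saar = approved.get((acct.user, acct.system))
        if saar is None:
            findings.append((acct.user, acct.system, "NO_APPROVED_SAAR"))
        elif saar.need_expires is not None and saar.need_expires < as_of:
            findings.append((acct.user, acct.system, "SAAR_EXPIRED"))
        if not cert_valid(cert_by_user.get(acct.user), as_of):
            findings.append((acct.user, acct.system, "NO_VALID_CAC"))
    return findings


# --- constructed sample data -------------------------------------------------
REVIEW_DATE = date(2010, 6, 3)

SAMPLE_SAARS = [
    Saar("SAAR-1", "j.doe", "FIN-SYS", True, None),
    Saar("SAAR-2", "a.ng", "HR-SYS", True, date(2010, 5, 1)),      # need lapsed
    Saar("SAAR-3", "b.ortiz", "FIN-SYS", True, date(2011, 1, 1)),
    Saar("SAAR-4", "d.ramos", "FIN-SYS", False, None),             # never approved
    Saar("SAAR-5", "c.park", "HR-SYS", True, None),
]
SAMPLE_CERTS = [
    CacCert("j.doe", date(2009, 1, 1), date(2012, 1, 1), False),
    CacCert("a.ng", date(2009, 1, 1), date(2012, 1, 1), False),
    CacCert("b.ortiz", date(2009, 1, 1), date(2012, 1, 1), True),   # revoked
    CacCert("d.ramos", date(2007, 1, 1), date(2010, 5, 30), False), # expired
    CacCert("c.park", date(2009, 1, 1), date(2012, 1, 1), False),
]
SAMPLE_ACCOUNTS = [
    Account("FIN-SYS", "j.doe", True),
    Account("FIN-SYS", "k.lee", True),       # no SAAR on file, no CAC on file
    Account("HR-SYS", "a.ng", True),
    Account("FIN-SYS", "b.ortiz", True),
    Account("FIN-SYS", "d.ramos", True),
    Account("HR-SYS", "c.park", False),      # disabled: skipped
]


def run_sample() -> List[Tuple[str, str, str]]:
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_SAARS, SAMPLE_CERTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, system, finding in run_sample():
        print(f"{finding:17} {system:8} {user}")
```

The review keys SAARs by (user, system) rather than by user alone, because the page's objective is access to "a particular system" with a need for "the data contained within the system"; an approval for one system is not evidence for another.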
  Controls (cont.):
    • Appropriate review of purchase orders
    • Monitor production problems related to out-of-stock materials and to material specifications; also monitor the frequency of returned purchases (performance indicators)
    • Develop data on alternative vendors and periodically reevaluate vendor selection decisions
    • Specify procedures for notification by vendors of potential performance problems and for appropriate investigation and follow-through
  Risks:
    • Inadequate vendor screening, including periodic requalification of existing vendors, resulting in vendor inability to meet technical specifications, quantity requirements, price, delivery dates/lead time, and service

Function: Procurement (cont.)
Sub-process: Vendor Selection (cont.)
  Control objectives:
    • Purchase items only from legally qualified vendors, and in conformity with applicable laws, regulations and contracts
    • Ensure adequate supply of materials
  Controls:
    • Maintain updated vendor information about fraudulent acts or other improper activities of vendors
    • Investigate possible legal restrictions on providing the materials required, and pending litigation
    • Consider ways to simplify vendor investigation procedures
    • Institute and monitor a code of conduct
    • Timely communication to Procurement of Operations' or other activities' needs
    • Utilize long-term needs analysis
  Risks:
    • Unavailable or inaccurate information about fraudulent acts or other improper activities of vendors
    • Poor communication of Operations' or other activities' needs
    • Vendors' inability to provide needed quantities due to other higher-priority orders or an interruption in their own supplies

Function: Procurement (cont.)
Sub-process: Purchasing
  Control objectives:
    • Order items that meet appropriate specifications
  Controls:
    • Review existing and revised specifications by technical personnel
    • Monitor and analyze production problems related to material specifications (performance indicator). Examples of performance indicators include comparing current-period data on production stoppages and slowdowns, rush orders, spoilage, and material price and quantity variances to prior-period data, peer or industry data, budgets, or other pre-established goals
    • Communicate production specifications to procurement personnel
    • Appropriate review and approval of contracts and purchase orders
  Risks:
    • Inappropriate production specifications

Function: Procurement (cont.)
Sub-process: Purchasing (cont.)
  Control objectives:
    • Pay agreed-upon prices or the appropriate "market" price
  Controls:
    • Obtain competitive bids for each acquisition
    • Consider volume purchases by determining total usage of similar materials; combine orders to obtain a volume discount
    • Appropriate review of purchase orders
    • Monitor material price variances (performance indicator)
    • Use hedging or forward contracts
    • Perform a market analysis to determine price as appropriate
  Risks:
    • Out-of-date or incomplete price

Function: Procurement (cont.)
Sub-process: Purchasing (cont.)
  Control objectives:
    • Order appropriate quantities at appropriate times
  Controls:
    • Maintain accurate perpetual inventory records
    • Match periodic production schedules to inventory information and order lead-time requirements
    • Appropriate review of purchase orders
    • Use forecasts (Note: implementing Just-in-Time or a similar inventory and production management philosophy may result in better efficiency)
  Risks:
    • Unavailable or inaccurate information on inventory levels or production needs

Function: Procurement (cont.)
Sub-process: Purchasing (cont.)
  Control objectives:
    • Update vendor information completely and accurately to reflect open purchase orders
  Controls:
    • Route copies of purchase orders to appropriate personnel
    • Pre-number purchase orders and periodically verify their entry into the system
    • Investigate unusual time delays in entering data
  Risks:
    • Information on issued purchase orders is not clearly or completely communicated
    • Purchase orders are not entered into the system on a timely basis

Sub-process: Purchasing (cont.)
  Control objectives:
    • Receive items ordered on a timely basis
  Controls:
    • Specify shipment mode and delivery date on purchase orders
    • Pre-number and account for purchase orders
    • Match receiving information with purchase order information and promptly follow through on outstanding orders (Undeliverable Orders Report)
    • Monitor vendor performance in terms of timely delivery; follow up in cases of poorly performing vendors
  Risks:
    • Unavailable or inaccurate information on items ordered but not received

Function: Procurement (cont.)
Sub-process: Purchasing (cont.)
  Control objectives:
    • Record authorized purchase orders completely and accurately
  Controls:
    • Pre-number and account for purchase orders
  Risks:
    • Purchase orders may be lost
  Control objectives:
    • Prevent unauthorized use of purchase orders
  Controls:
    • Pre-number and account for purchase orders
    • Maintain physical security of purchase orders
    • Approve purchase orders
    • Notify vendors of company personnel authorized to approve purchase orders
  Risks:
    • Inadequate policies and procedures to prevent unauthorized use
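"Pre-number and account for purchase orders" recurs through the Purchasing slides above, alongside "approve purchase orders" and "notify vendors of company personnel authorized to approve purchase orders". Accounting for a pre-numbered sequence is a mechanical test: list every number in the range that never reached the register and every number recorded more than once, then check each recorded approval against the authorized-approver list. The following is an added example written for this page, not code from the briefing or any DoD system; the PO number format, the register layout, the sample orders, and the per-approver dollar limits (a detail the page does not state) are constructed assumptions.

```python
"""Accounting for pre-numbered purchase orders (added example).

Gaps in the number sequence are listed for investigation, duplicate
numbers are flagged, and each PO's approver is checked against an
authorized-approver list with an assumed dollar limit. The numbering
scheme, register layout, limits and sample POs are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Assumed numbering scheme: fixed prefix plus a six-digit sequence number.
PO_PATTERN = re.compile(r"^PO-(\d{6})$")


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    requested_by: str
    approved_by: str
    amount: Decimal


def po_sequence(number: str) -> int:
    """Extract the sequence number; a malformed number is itself an exception."""
    m = PO_PATTERN.match(number)
    if m is None:
        raise ValueError(f"malformed PO number: {number!r}")
    return int(m.group(1))


def account_for_sequence(numbers: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, duplicated) PO numbers within the range recorded.

    A gap means a pre-numbered form was issued but never reached the register
    (lost, or used without being recorded); a duplicate means one number was
    recorded twice. Both go on the exception list for investigation.
    """
    counts = Counter(po_sequence(n) for n in numbers)
    if not counts:
        return [], []
    lo, hi = min(counts), max(counts)
    missing = [f"PO-{i:06d}" for i in range(lo, hi + 1) if i not in counts]
    duplicated = [f"PO-{i:06d}" for i in sorted(counts) if counts[i] > 1]
    return missing, duplicated


def check_approvals(orders: List[PurchaseOrder],
                    approver_limits: Dict[str, Decimal]) -> List[Tuple[str, str]]:
    """Return (PO number, finding) for approvals outside the authorized list.

    UNAUTHORIZED_APPROVER  approver is not on the list given to vendors
    OVER_APPROVAL_LIMIT    approver is listed but the amount exceeds the assumed limit
    """
    findings: List[Tuple[str, str]] = []
    for po in orders:
        limit = approver_limits.get(po.approved_by)
        if limit is None:
            findings.append((po.number, "UNAUTHORIZED_APPROVER"))
        elif po.amount > limit:
            findings.append((po.number, "OVER_APPROVAL_LIMIT"))
    return findings


# --- constructed sample data -------------------------------------------------
APPROVER_LIMITS = {"m.smith": Decimal("25000"), "r.chen": Decimal("100000")}

SAMPLE_REGISTER = [
    PurchaseOrder("PO-000101", "j.doe", "m.smith", Decimal("4500.00")),
    PurchaseOrder("PO-000102", "j.doe", "m.smith", Decimal("30000.00")),  # over limit
    PurchaseOrder("PO-000104", "k.lee", "k.lee", Decimal("800.00")),      # not an approver
    PurchaseOrder("PO-000105", "a.ng", "r.chen", Decimal("60000.00")),
    PurchaseOrder("PO-000105", "b.ortiz", "r.chen", Decimal("1200.00")),  # duplicate number
    PurchaseOrder("PO-000107", "a.ng", "m.smith", Decimal("150.00")),
]


def run_sample() -> Dict[str, object]:
    missing, duplicated = account_for_sequence([po.number for po in SAMPLE_REGISTER])
    return {"missing": missing, "duplicated": duplicated,
            "approval_findings": check_approvals(SAMPLE_REGISTER, APPROVER_LIMITS)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The sequence test only works if the numbers are assigned before the form leaves custody (the "maintain physical security of purchase orders" control); numbers handed out at data-entry time cannot reveal a lost or misused form.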