Office of the Secretary of Defense Comptroller’s Manager’s Internal Control Program
Building a “Culture Focused on Accountability”
3 April 2014
Unclassified
OSD - Comptroller Financial Improvement and Audit Readiness

DoD’s Priority – Achieving Auditable Financial Statements
MICP - Why and How?
MICP in Afghanistan
Appendix

2. Incremental Milestones and Significant Challenges
1. Audit Readiness for Budget Statements by 30 September 2014
“Audit Readiness” –
o The Department has strengthened internal controls and improved financial practices, processes and systems
o Reasonable confidence that the information can withstand an audit by an independent auditor.
2. Full Audit Readiness By 30 September 2017
Full financial statement validation
To date, $235 billion or 19 percent of total budgetary resources have an opinion or are under audit and $453 billion or 53 percent of DoD assets are either under examination, have been validated as audit ready or have been asserted as audit ready for existence and completeness of critical assets.
Challenges
Budgetary Turmoil
Capacity of the DoDIG
Availability of Independent Auditors
Hundreds of Legacy Systems
Human Capital - Right Number and Skill Set
Size and Complexity of the Department

3. Audit Opinions on Financial Statements
Six DoD organizations received unqualified audit opinions on their FY13 financial statements.
o U.S. Army Corps of Engineers – Civil Works
o Defense Commissary Agency
Audit Readiness Progress
Audit Readiness Examinations
Audit readiness validated by examinations
o DFAS – Civilian Pay, Military Pay, and Standard Disbursing Services
o DCPAS – Civilian Pay
o DISA – Enterprise Computing Services
Examinations underway
o Defense Contract Audit Agency
o Army – All General Fund activities
o Defense Finance and Accounting Service
o Air Force – Civilian Pay (General Fund and Working Capital Fund) and Funds Distribution to Base.
o Defense Health Agency – Contract Resource Management
o Military Retirement Fund
Three DoD organizations received qualified opinions.
o Defense Information Systems Agency – Working Capital Fund and General Fund
o Office of the Inspector General
o Medicare – Eligible Retiree Care Fund.
o Navy – Fund Balance with Treasury
o DFAS – Contract Pay
o DLA – Civilian Pay, Contract Pay, Defense Agencies Initiatives (DAI), Defense Automatic Addressing System
o Service Medical Activity (Navy) – Consumables
o Chemical Biological Defense Program – Contract Pay, Other Budgetary Activity, Reimbursable Work Orders-Acceptor, Reimbursable Work Orders-Grantor, and Fund Balance with Treasury
Audit Readiness Assertions
Assertion of Assessable Units
o Navy – Operating Materials and Supplies
o Defense Contract Management Agency – Fund Balance with Treasury, Contract/Vendor Pay, Reimbursement Work Orders-Acceptor and Reimbursement Work Orders-Grantors
o Defense Logistics Agency – Real Property and General Equipment-Capital Assets.
o Service Medical Activity-Navy
o Chemical Biological Defense Program – Contract Pay, Fund Balance Treasury

4. Currently In Wave 2
Wave 1, FY 2013: Appropriations Received Audit Readiness
Wave 2, FY 2014: SBR Audit Readiness
Wave 3, FY 2016: Mission Critical Assets Existence & Completeness Audit Readiness
Wave 4, FY 2017: Full Financial Statements Audit Readiness
FY 2018: Full Financial Statements Audits
Wave 1. Completed when Appropriations Received was validated as audit ready. Focused on the processes and controls associated with the receipt and distribution (through apportionments, allotments and sub-allotments) of congressionally appropriated funds.
Wave 2. Focuses on processes, internal controls, systems, and supporting documentation that must be audit ready before the General Fund SBR can be audited. It is dependent on achieving an auditable FBWT balance.
Wave 3.
Focused on the Existence and Completeness assertions to include all assets recorded in the Accountable Property System of Record, all existing assets are recorded in the APSR, reporting entity has the rights to report on assets, and assets are consistently categorized, summarized, and reported from period to period (Presentation and Disclosure).
Wave 4. Includes all other financial statements to include for example, General Fund Balance, Statement of Net Cost, etc.

6. How do we minimize risk to the Command?
– Risk is defined as “the potential that a chosen action or activity will lead to a loss”
- Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness
So What?
Past Review and Reporting of Risk – “Paper Drill”
Limited Scope
• Reliance upon auditors
• Impact – Mitigation of risk after the mission negatively impacted
Emphasis on Requirement
One point in time
Future Review and Reporting of Risk – Part of Command Culture - Value Added
Coverage of all functions
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
Emphasis on most efficient and effective way to meet requirement
Daily review
If you rely upon an outside audit service to identify and report on control deficiencies – it is too late (e.g., embarrassment and negative impact to mission).

7. “Culture that has allowed massive waste of taxpayers’ dollars has become business-as-usual at the Department of Defense. Particularly in today’s fiscal environment, this cannot be tolerated. If this is not corrected, the Department’s ability to continue defending the Nation and to provide for its national security will be compromised. Taxpayers simply will not tolerate the continuing waste of their resources in light of the debt we face and our competing budgetary needs”. ~Senator John McCain, (R-AZ) – Senate Armed Services Committee (SASC), September 2011.
“We need to change the culture of the Department where Commanders are held directly accountable for the efficient use of dollars.” ~Honorable Robert Hale, DoD Comptroller – House Armed Services Committee, January 2012.
“Need to Change the Culture,” – Communicate what senior management needs to hear versus what you think they want to hear --- candor -- proactive versus reactive. – Through the chain of command!

9. Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also, collective optimism and collective avoidance.
Status Quo
Status quo, a commonly used form of the original Latin "statu quo" – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Candor
Candor is unstained purity; freedom from prejudice or malice: fairness
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.

10. An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk)
Empowerment = dependency upon candor, and encouragement of self-reporting of risk.
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers,” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead). “To stick out your neck after discussion becomes consensus, and consensus ossifies into group think.” American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25 2009
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.” “As an officer if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.” Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy, April 2, 2010
“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success. He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him.” Washington Post, Article titled, “Gen. Petraeus: No Sugar-Coated Optimism”, by Col. Michael E. Haith (Ret), United States Army, July 6, 2011

11. How Do We Minimize Risk to the Command?
– Risk is defined as “the potential that a chosen action or activity will lead to a loss”
Loss can be: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy, completeness etc.
Change
Accomplish Requirement to Accomplish Requirement Efficiently & Effectively
Form Over Substance to Substance Over Form
Groupthink (What does leadership want to hear?) to Candor (What does leadership need to hear?)
Change of Organizational Culture
Focus on Risk and Incentivize Self-Reporting
Prioritize Risk With Mission Requirements and Provide Mitigation

12. Procedures
Each DoD and OSD Component establishes a MICP
DoD Component Heads
Establish a MICP to:
o Assess inherent risks in mission-essential processes
o Document and design internal controls
o Test the design and operating effectiveness of existing internal controls
o Identify and classify control deficiencies and execute corrective actions plans
o Monitor and report the status of corrective action plans
o Designate in writing the MICP Coordinator
o Conduct a formal assessment of the acquisition functions requirements outline
o Submit the annual statement of assurance to the Sec Def
Instruction Applies to:
OSD
Military Departments
Joint Chiefs of Staff
Combatant Commands
DoDIG
Defense Agencies
DoD Field Activities
DoD Components
Establish a Senior Management Council to oversee operational, financial, and financial systems reporting
Appoint a MICP Coordinator
o Coordinates with assessable unit managers to ensure proper documenting of end-to-end processes
o Identifies best practices and develops efficiencies to improve control documentation, enhance controls, eliminate inefficient controls, and implement new controls.
o Ensures subject matter experts assess risk that may impact mission or operations.
o Assists in testing and classification of internal controls
o Ensures identification of internal control objectives.
o Ensures corrective actions plans are developed
o Ensures best practices and deficiencies are shared across assessable units.
o Tracks progress of corrective actions
o Actively communicates with the DoD Component Senior Management Council
o Maintains MICP documentation

13. Reporting Categories
Communications
Intelligence
Information Technology
Security
Comptroller and Resource Management
Contract Administration
Force Readiness
Acquisition
Manufacturing, Maintenance, and Repair
Other
Personnel and Organizational Management
Procurement
Property Management
Research, Development, Test and Evaluation
Security Operations
Support Services
Statement of Assurance
Budget-to-Report
Hire-to-Retire
Order-to-Cash
Procure-to-Pay
Acquire-to-Retire
Plan-to-Stock
Assessable Units
Segments into organizational, functional or other assessable units
Must ensure entire organization is covered
Must be large enough to allow managers to evaluate significant portion of the activity being examined
Must be small enough to be able to document processes and controls
Assessable Unit Managers (AUMs)
MICP Coordinator appoints and trains AUM for each assessable unit
Assess risk
Identifies internal control objectives
Documents operational, administrative, system and financial internal controls
Reviews processes and procedures and recommendations
Tests effectiveness of internal controls
Identifies and classifies internal control deficiencies
Develops corrective actions
Tracks progress of corrective action plans
Maintains MICP documentation

14. What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective:
Need Senior Management’s Support Through:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations.
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls, and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity

15. Reliance Upon an Entity-Level Risk Assessment
• Enhances ability to understand key business risks
• Integral piece of management’s risk assessment process
• Provides structured process that becomes the cornerstone for prioritizing risks
• Focuses attention on areas meriting management review and monitoring
• Builds knowledge and confidence in risk management
• Understand the Component’s highest risks to mission
Risk Assessment Process Overview
• Understand the Component’s business, to include strategies and objectives
• Develop a preliminary understanding of key business risks and processes and align them to the Component’s strategic plan and objectives
• Create a customized risk universe – a framework to categorize key business risks – that reflects the risks facing the Component
• Determining current risk monitoring activities
• Understand the effectiveness of entity-level controls, such as:
Policies and procedures
Code of conduct
Segregation of duties
Business continuity and disaster recovery plans for all primary data centers and business unit facilities; and
Fraud prevention/detection programs
• Scope the risk assessment by obtaining input from all key stakeholders
• Assess, prioritize, and validate key business risks with the key stakeholders
• Report the results
of the risk assessment and using those results to develop a corrective action strategy

16. Importance of Organizational Participation
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Top - Down Perspective and Bottom - Up
Formal Communication Framework Built Upon Trust and Empowerment
Commander
Senior Functional Managers
MICP Coordinator
Assessable Unit Managers
• Clear, focused communications of the Component’s mission, and Commander/Director’s priorities and challenges.
• Formal Communication Framework between senior leadership and MICP
• Full participation with communications. Key participant in execution of Component’s mission and MICP Coordinator’s input towards potential risks and controls to mitigate risk
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers.
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP.
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units.

17. Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses.
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e., “group-think.” Threat of retribution for self-reporting “bad news.”
• Filtered communications
Focus on Timelines and Format
• Score received by Component based upon timeliness of SOA submission and adherence to format not substance of content.
“Paper-Drill Exercise”
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round.
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis of assessable units by “resident experts” to identify material internal control weaknesses.
Self-Reporting – Incentivize Versus Punish
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation.
Focus on Risk
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization.
Report Supported by Documentation of MICP Process
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon.

18.
Command: USFOR-A
Sub-component: Comptroller – J-8
Function: Commander’s Emergency Response Program
Assessable Units*: Verification and accurate reporting of CERP payments
* “Assessable Units” are defined as segments of business activities (i.e., transaction level).

19. An Example - Process Flow
[Figure not reproduced; surviving labels: R-1, R-1]

20. An Example – Army Form DA 11-2
INTERNAL CONTROL EVALUATION CERTIFICATION
For use of this form, see AR 11-2; the proponent agency is ASA(FM&C).
3. ASSESSABLE UNIT
4. FUNCTION
5. METHOD OF EVALUATION (Check all that apply)
a. CHECKLIST
b. ALTERNATIVE METHOD (Indicate method)
APPENDIX (Enter appropriate letter)
6. EVALUATION CONDUCTED BY
a. NAME (Last, First, MI)
7. REMARKS (See Attached) Use this block to describe the method used to test key controls, the internal control weakness(es) detected by the evaluation (if any) and the corrective action(s) taken. (THIS IS MANDATORY)
a. METHOD OF TESTING KEY CONTROLS (Check all that apply)
Direct Observation
Review of Files or Other Documentation
Analysis
Sampling
Simulation
Interviews
Other (Explain)
b. EVALUATION RESULTS (Include specific items tested):
c. INTERNAL CONTROL DEFICIENCIES DETECTED, IF ANY. (Include potential material weaknesses):
d.
DESCRIBE CORRECTIVE ACTIONS TAKEN, IF APPLICABLE.
8. CERTIFICATION
I certify that the key internal controls in this function have been evaluated in accordance with provisions of AR 11-2, Army Managers' Internal Control Program. I also certify that corrective action has been initiated to resolve any deficiencies detected. These deficiencies and corrective actions (if any) are described above or on attached documentation. This certification statement and any supporting documentation will be retained on file subject to audit/inspection until superseded by a subsequent internal control evaluation.
a. ASSESSABLE UNIT MANAGER
(1) Typed Name and Title
(2) Signature

21. An Example – Risk Matrix
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk
Control Environment: Is required to ensure all personnel maintain proper oversight and accountability of U.S. Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse.
Inherent Risks:
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls:
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level / Likelihood of Occurrence
e  Nearly Certain (15 to 20)
d  Highly Likely (11 to 14)
c  Likely (8 to 10)
b  Unlikely (5 to 7)
a  Remote (4)
Level / Consequence of Occurrence
1  Minimal/No Impact (6)
2  Minor Impact (7 to 14)
3  Moderate Impact (15 to 19)
4  Severe Impact (20 to 24)
5  Unacceptable Impact (25 to 30)
Overall Risk Rating: Red – High, Yellow - Medium, Green – Low
Risk matrix (rows: Likelihood level; columns: Consequences level; R = Red, Y = Yellow, G = Green)
     1  2  3  4  5
e    Y  R  R  R  R
d    G  Y  R  R  R
c    G  Y  Y  R  R
b    G  G  Y  Y  R
a    G  G  G  Y  Y

22.
The MICP Assessment Includes Functions of an Organization
Mfg, Maint, & Repair
Force Readiness
Contract Admin
Supply
Property Mgmt
Commo, Intel & Secur
Info Tech
Procurement
Personnel & Org
Major System Acq
Comptroller & RM
RDT&E
Security Assist
Support Svcs
FMFIA Over Financial Reporting Appendix A

23. Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans

27. “My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place ... It is “no longer business as usual,” in terms of allocation and spending for non mission essential resources ... I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies ... to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency” ... It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.”

28. Reactive or Proactive
Drawdown plan estimates for U.S. and more than a dozen other nations will shrink the foreign military footprint in Afghanistan by 40,000 troops in total by close of CY 2012.
Identification and execution of plans prior to drawdown will result in significant savings.
Approach:
Reactive: Continue “business as usual” or
Proactive: Pursue and enact policies prior to planned draw down of personnel.
“Does it make sense?”
• Construction
• Leases
• Purchases – equipment/supplies
• Overtime
• Vehicles
• Projects

29.
• “High personnel turnover/lack of continuity”
• “Reliance upon accurate property book with additional burden associated with draw down”
• “Lack of trained personnel for contract surveillance towards “service” type contracts”
• “Draw down of personnel and conflicting strategies in high tempo environment”
• “Balance of requirements of completing assigned missions and evaluation of internal controls,” and
• “Lack of contract oversight/contractors having duties that are inherently governmental in functions.”

30. An Example - MICP Plan of Action
Overview of the FY 13 Managers’ Internal Control Program
Components identify Assessable Unit Manager (AUM)
Provide overview of MICP to AUM
Inform of training, communication and documentation responsibilities with AUM and related deliverables
Identify functional areas, and command/control responsibilities
Review Commander’s priorities and concerns regarding risk
Obtain initial feedback of additional areas of risk that should be included in prioritization of risk process.
Provide functional areas and assessable unit managers assigned to each area
Participate on monthly status calls with USFOR-A MICP Coordinator
Two-way communications of alignment of risk from the Commander perspective and risk identified by the Regional and Other Commands
Review documentation and “next steps”
Provide mitigation of risk with corrective actions as these issues are identified
Provide assessment of risk for each functional area
Prioritize risk for each functional area
Provide “quick reaction” recommendations that may provide mitigation of risk to the Command due to overall risk and/or systemic in nature
Document processes/procedures and controls
Determine for high and medium risk levels the evaluation of controls (do controls mitigate risk or do they require remediation)
Complete review of assessable units with recommendations for corrective actions
Determine internal control deficiencies that are material
Complete the USFOR-A Statement of Assurance

31. Milestone: 15 November 2012
• Assign Directorate Assessable Unit Coordinator (AUC)
• Contact USFOR-A MICP Coordinator to schedule MICP Introductory Training (one hour)
• Participate in monthly interface (i.e., telephone call and/or face-to-face) with USFOR-A MICP Coordinator
• Review organizational structure and identify assessable units (functional area)
• Assign staff person(s) responsibility for each assessable unit and sub function if required -- Assessable Unit Managers (AUM)
• Have MICP Coordinator and each assessable unit manager sign “appointment letter”
• Complete computer-based MICP training (MICP Coordinator and Assessable Unit Managers)
• Request onsite coaching/training from USFOR-A MICP Coordinator
• Contact USFOR-A MICP Coordinator to schedule one hour MICP Training for Assessable Unit Managers (AUMs)
• Provide list of assessable units to USFOR-A Coordinator
• Provide MICP Coordinator and Assessable Unit Manager signed “appointment letters”
Milestone: 15 December 2012
• Identify
and prioritize risk associated with each major process/procedure for each assessable unit
• Provide documentation/analysis of identified potential risk and recommendation for remediation (i.e., corrective actions)
• Provide risk and remediation to MICP Coordinator (if “material” then brief through chain of command)
• Participate in an in-process review and monthly USFOR-A MICP VTC.

34. Need to Take Two Steps Back – In order To Take One Step Forward
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Acquisition Planning; Acquisition Methods; Funding; Competition; Contract Types
Function: Procurement/Acquisition
Assessable Unit – Competition/ Sole Source
Process flow labels: Full and Open Competition; Yes; No; Justification; Detailed Description; C; Approval By Contracting Officer; R-1
C: Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute etc.). Contracting Officer signs and dates justification statement
R-1: Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.

35. Statement of Assurance (SoA) (per DoDI 5010.40, Managers’ Internal Control (MIC) Program Procedures)
Assessable Unit: An organizational subdivision of a DoD Component that must comply with the MIC Program. Note that Components:
Must segment into organizational assessable units
All parts of the DoD Component must be covered
Must maintain a current inventory of its assessable units
Control Deficiency: The design or operation of a control that does not allow the organization to prevent or detect misstatements on a timely basis or to accomplish the mission objectives.
Financial Statement Reporting Entity (FSRE): An entity assigned by either the Office of Management and Budget (OMB) or the DoD to produce and provide to OUSD(Comptroller) stand alone, financial statements, both quarterly and annual.
Internal Controls: The organization, policies, and procedures that help program and financial managers achieve results and safeguard the integrity of their program
Internal Control Assessment: A documented evaluation on the effectiveness and adequacy of the system [of internal controls] to meet the mission objectives, implemented in a cost effective way.
Internal Control Assessment (Overall): An assessment of the internal control effectiveness for the functions under the Federal Managers’ Financial Integrity Act (FMFIA). The overall process includes all programs, activities, and operational areas [i.e., the Internal Control Reporting Categories defined in DoDI 5010.40].
Internal Control Assessment (ICA) Internal Control Over Financial Reporting (ICOFR): An assessment of the effectiveness of internal controls over financial reporting which closely follows the guidance in Appendix A of OMB Circular A-123 and MIC Program Annual Guidance provided by OUSD(Comptroller).
Material Weakness (Overall): A reportable condition that is significant enough to report to the next higher level. It is management’s judgment as to whether a weakness is deemed material responsible for the area in question

36.
Reasonable Assurance: An informed judgment by management as to the overall adequacy and effectiveness of internal controls based upon available information that the systems of internal controls are operating as intended. There are three possible assurance statements:
An unqualified statement of assurance is reasonable assurance with no material weaknesses reported.
Each unqualified SoA shall provide a firm basis for that position, which the PSA or Principal Deputy (the Director or Deputy Director for DoD Field Activities) will summarize in the cover memorandum. Tab A contains a more extensive explanation of how the assessment helped justify the reporting entity’s assertion of an unqualified statement.
A qualified statement of assurance is reasonable assurance with the exception of one or more material weakness(es) noted. The cover memorandum must cite the material weaknesses in internal management controls that preclude an unqualified statement. Tab B fully describes all weaknesses, the corrective actions being taken, and by whom, and the projected dates of correction for each action.
A statement of no assurance is no reasonable assurance because no assessments were conducted or the noted material weaknesses are pervasive. The reporting entity shall provide an extensive rationale for this position.
Reportable Condition (Overall): A control deficiency (or combination of deficiencies) that in management’s judgment, should be communicated because they represent significant weaknesses in the design or operation of internal controls that could adversely affect the organization’s ability to meet its internal control objectives.
Reportable Condition (ICOFR): A control deficiency (or combination of deficiencies) that adversely affects the entity’s ability to initiate, authorize, record, process or report external financial data reliably according to generally accepted principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected
Risk: The possibility an event will adversely affect the achievement of internal control objectives and result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement.
Systemic Weakness: A weakness that materially affects internal controls across organizational and program lines, and usually affects more than one DoD Component.
Note: A systemic weakness is determined by the PSA with functional responsibility for the area in question