Managers’ Internal Control Program ICONO and ICOFR Navy Medicine Audit Readiness Training Symposium 5 and 6 June 2012 Ms. Meg Sherwood, Program Manager—ICONO Ms. Freda King, Program Manager—ICOFR Context Purpose Outcome Context To understand the MIC Program’s two parallel components: Internal Controls over Nonfinancial Operations (ICONO) and Internal Controls over Financial Reporting (ICOFR). Purpose To better define the MIC Program’s structure and objective. Outcome Commands are able to utilize the tools available in the MIC Program to support audit readiness efforts. FOR OFFICIAL USE ONLY 2 Agenda 1. MIC Program Overview 2. Internal Controls over Nonfinancial Operations (ICONO) 3. Internal Controls over Financial Reporting (ICOFR) 4. Exercise: Classifying and Reporting Deficiencies 5. Questions FOR OFFICIAL USE ONLY 3 Part 1: MIC PROGRAM OVERVIEW FOR OFFICIAL USE ONLY 4 Legal/Regulatory Framework Federal Managers’ Financial Integrity Act of 1982 (FMFIA) OMB Circular A-123 “Management’s Responsibility for Internal Control” ICONO ICOFR ICOFS ICONO: Internal Controls Over Non-financial Operations ICOFR: Internal Controls Over Financial Reporting ICOFS: Internal Controls Over Financial Systems Annual Statement of Assurance From FMFIA: “…internal accounting and administrative controls of each executive agency shall be established IAW standards prescribed by the Comptroller General…” ~ Head of each agency must prepare an annual statement certifying whether the agency’s systems of internal accounting and administrative control comply with FMFIA From OMB Circular A-123: ~ Implementing guidance for federal agencies ~ Establishes 3 objectives of internal controls ~ Outlines 5 standards of internal control activities 3 Levels of Assurance: ~ Unqualified: no material weaknesses (MWs) ~ Qualified: MWs identified with corrective action plan developed ~ No Assurance: no assessment done or MWs are pervasive Goal: Effective Internal Controls FOR OFFICIAL USE ONLY 5 What are Internal Controls? • Organization, policies and procedures to help program and financial managers achieve results and safeguard the integrity of their programs. • Ensure what should occur in daily activities does occur. • 3 objectives: • • • Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Safeguarding of assets is a subset • Support performance-based management • Incorporate into every business process • Further, not hinder, mission accomplishment • Cost/benefit analysis when implementing controls Goal: provide reasonable assurance 3 objectives are met FOR OFFICIAL USE ONLY 6 5 Standards of Internal Control Activities Monitoring MICP, CLT, MEDIG, CE, JC, PPMAP Control Activities Policies/procedures, SOPs Risk Assessment DSG’s Areas for Leadership Engagement; Internal Controls Program Management Office (ICPMO) Control Environment “Tone from the top,” SG’s Memo on Internal Controls, Code of Ethics FOR OFFICIAL USE ONLY 7 MICP Program Guidance BUMEDINST 5200.13A Annual Program Guidance FOR OFFICIAL USE ONLY 8 ICONO and ICOFR Assessable Units (AUs) FY 12 Managers' Internal Control Program ICONO Assessable Units Quarter 4 Quarter 3 Quarter 2 Quarter 1 Reporting Responsibilities # 12-01 12-02 12-03 12-04 12-05 12-06 12-07 12-08 12-09 12-10 12-11 12-12 12-13 12-14 12-15 12-16 12-17 12-18 12-E1 12-19 12-20 12-21 12-22 12-23 12-24 12-25 12-26 12-E2 12-27 12-28 12-29 12-30 12-31 12-32 12-33 ASSESSABLE UNIT Command Evaluation Program Government Travel Charge Card Government Purchase Card I Information Assurance - Personally Identifiable Information Sustainment, Restoration, Modernization Process Records Management DOD-VA Health Care Resource Sharing Rates Personal Property Accountability - Maintenance Management Contract Management - Contracting Officer's Representative (COR) Responsibilities Aged Due-Ins Reprocessing of Single Use Devices Risk Management Custody and Control of Outpatient Medical Records Verification of Eligibility for Medical Care Reporting/Recording of OCO and WW Obligations Contract Management - Licensing & Credentialing for Medical Service Contracts Defense Travel System Timekeeping and Attendance Elective #1 (Region- or Activity-developed) UBO--TPC--MSA--MAC Government Purchase Card II Anti Fraud Medical Coding Personal Property Accountability - Equipment Management Pharmacy/Expired Drug Turn-In Information Assurance - Non-US Citizen Personnel Security Information Assurance - Protected Health Information (PHI) Elective #2 (Region- or Activity-developed) Reimbursable Support Agreements Patient Safety Command Manpower Data Management Command Special Pays Information Assurance - Appropriate Use of IT Resources Information Assurance - IA Workforce Improvement Financial Management Training ALL ALL ALL ALL NME, NMW, WRNMMC ALL NME, NMW, WRNMMC NME, NMW, WRNMMC ALL ALL NMW NME, WRNMMC NME, NMW, WRNMMC NME, NMW, WRNMMC ALL NME, NMW, WRNMMC ALL ALL ALL NME, NMW, WRNMMC ALL ALL ALL ALL NME, NMW, WRNMMC ALL ALL ALL ALL NME, NMW, WRNMMC ALL ALL ALL ALL ALL Required by TMA BUMED X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X MICP analyzes operational and financial internal controls across all functional areas FY 12 Managers' Internal Control Program ICOFR CLT Process Areas Required by Quarter 1 2 3 4 ASSESSABLE UNIT Consumables Federal Receivables Real Property Civilian Payroll Reporting Responsibilities ALL ALL ALL ALL FOR OFFICIAL USE ONLY TMA X X X X BUMED X X X X 9 Quarterly & Annual Reporting Requirements • Quarterly Certifications • Annual Statement of Assurance (SOA) • Provide two levels of assurance, one for ICONO and one for ICOFR, that internal controls are in place and operating effectively • Provide sources that were assessed to determine the level of assurance and identify control deficiencies • Report deficiencies • Attest to implementation of Standard Operating Procedures (SOPs) FOR OFFICIAL USE ONLY 10 Sources of Internal Control Assessment • MICP Sources: • • ICONO: Assessable Unit results ICOFR: Command Level Testing (CLT) results • Other Sources: Internal to Navy Medicine • MEDIG findings • Command Evaluation Program • Logistics Assist Visits • UBO Quarterly Audits • Unauthorized Commitments • Management Observation • Program Reviews External to Navy Medicine • Government Accountability Office (GAO) • DoD IG findings • Navy IG findings • Navy Audit Service (NAS) • Joint Commission Inspections • PPMAP Inspections FOR OFFICIAL USE ONLY 11 Level of Assurance • Unqualified: Reasonable assurance with no material weaknesses (MWs) reported. Certification must be accompanied by a firm basis for this position. • Qualified: Reasonable assurance with the exception of one or more MW(s) reported. Certification must cite MW(s) that precluded an unqualified statement. • No Assurance: No reasonable assurance either because no assessments were conducted or MWs are pervasive. FOR OFFICIAL USE ONLY 12 Part 2: INTERNAL CONTROLS OVER NONFINANCIAL OPERATIONS (ICONO) FOR OFFICIAL USE ONLY 13 ICONO Assessable Units • Organized functionally • Inventory developed based on TMA- and BUMED-identified risks • Reviewed and updated annually with input from program managers/subject matter experts • Supplemented by Region/Activity identified electives • Support audit readiness initiatives • Increased effort to introduce data driven elements and transactional reviews into the assessments Goal: Identify control deficiencies and implement corrective actions FOR OFFICIAL USE ONLY 14 Identifying Deficiencies • Must be control related • Identified through the Assessable Units, as well as, the internal and external assessment sources • Classify the deficiency according to its severity • Establish corrective action plans to address deficiencies • • Activities are responsible for implementing the corrective actions within their control and updating their plans Regions/BUMED provide oversight to ensure corrective actions are being implemented and provide implementation assistance when needed • Report through quarterly Certification Statements and Annual Statement of Assurance (SOA) FOR OFFICIAL USE ONLY 15 Classifying Deficiencies • How severe is the deficiency? • Is there a significant threat to mission, resources, and/or image? • Deficiency Categories: • • • Material Weakness (MW): A reportable condition of combination of reportable conditions, which is significant enough to report to the next higher level. The determination is a management judgment as to whether a weakness is material. Reportable Condition (RC): A control deficiency, or combination of control deficiencies, that adversely affects the ability to meet mission objectives but are not deemed by the Head of the Component as serious enough to report as material weaknesses. Item to be Revisited (IR): An internal control issue brought to management’s attention with insufficient information to determine whether the control deficiency is material or not. These issues will be revisited throughout the following quarters to determine the materiality of 16 the control deficiency. FOR OFFICIAL USE ONLY Corrective Action Plans • Develop for all deficiencies—whether or not you report them • Elements to include: • • • • Identify the deficiency Set a target correction date Identify the corrective actions that will be taken to remediate the deficiency Call attention to higher level assistance, if needed • Monitor and update progress on a regular basis FOR OFFICIAL USE ONLY 17 Determining What Deficiencies to Report • Report from your organization’s perspective • • MTFs/activities should report deficiencies as they impact the MTF/activity Regions should report deficiencies as they impact the Region • Questions to ask: • • • Does higher echelon need to know about this issue? Can we resolve this issue within our own means at the MTF/activity or Regional level? Does this issue permeate the entire Region or is it an isolated issue? FOR OFFICIAL USE ONLY 18 Determining Level of Assurance • A management decision • Based on the types of deficiencies identified and whether or not the items need to be reported to the next higher level • 3 levels of assurance: qualified, unqualified, no assurance Level of Assurance Types of Deficiencies Unqualified No MWs Some RCs and/or IRs identified Qualified 1 or more MWs No Assurance MWs are pervasive No assessments were conducted FOR OFFICIAL USE ONLY 19 How ICONO Efforts Support Audit Readiness • Examine and/or test internal controls to ensure compliance with laws, regulations, policies, etc. • Evaluate processes to determine if Standard Operating Procedures (SOPs) are fully implemented and correct processes where they are not • Practice pulling documents which support transactions • Identify internal control deficiencies and correct them before audit FOR OFFICIAL USE ONLY 20 Part 3: INTERNAL CONTROLS OVER FINANCIAL REPORTING (ICOFR) FOR OFFICIAL USE ONLY 21 OMB Circular A-123, Appendix A Internal Controls Over Financial Reporting (ICOFR) Objective • OMB Circular A-123, Appendix A - Internal Controls over Financial Reporting (ICOFR) Requires Management to Assess, Test, Document, and Report on Financial Controls • Financial Improvement and Audit Readiness(FIAR) Plan Provide Guidelines, Goals, Priorities, and Strategies to become Audit Ready • Achieving Audit Readiness DoD’s Goals and Roles to Achieve Audit Readiness FOR OFFICIAL USE ONLY 23 Appendix A - Governing Statutes • Federal Managers’ Financial Integrity Act of 1982 Requires all DoD managers to assess the effectiveness of management controls applicable to their responsibilities An Act to amend the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control • Sarbanes-Oxley Act of 2002 Public Company Accounting Reform and Investor Protection Act FOR OFFICIAL USE ONLY 24 Appendix A - Requirements • Reporting on Financial Internal Controls Internal Controls are specific policies procedures and activities that are established to manage or mitigate risks • Assessing and Validating Controls and Processes Internal Controls are part of every process and activity being performed throughout the organization • Providing ICOFR Annual Assurance Statement Internal controls provided reasonable assurance that what should happen does happen FOR OFFICIAL USE ONLY 25 Internal Control • Internal Control Objectives: • Effectiveness and Efficiency of Operations, • Reliability of Financial Reporting, and • Compliance with Applicable Laws and Regulations FOR OFFICIAL USE ONLY 26 Standards of Internal Control Activities • Control Environment - the organizational structure to sustain organizational support for effective internal control • Risk Assessment - identify internal and external risks that may prevent the organization from meeting its objectives • Control Activities - include policies, procedures and mechanisms in place to help ensure that agency objectives are met • Information and Communications - should be relevant, reliable, and timely • Monitoring - periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel FOR OFFICIAL USE ONLY 27 Financial Improvement and Audit Readiness (FIAR) • FIAR Plan (OMB Circular A-123, Appendix A) •Goals •Priorities •Strategies •FIAR Phases •Discovery •Corrective Action •Evaluation •Assertion •Validation •Audit FOR OFFICIAL USE ONLY 28 FIAR Goals • Improve the Department’s Financial Management Operations • Provide our Service men and women with the resources they need to carry out the mission • Improving our stewardship of the resources entrusted to us by the taxpayers. FOR OFFICIAL USE ONLY 29 FIAR Priorities • The First Priority is the Budgetary Resources. The benefits of focusing on budgetary information are to: Improve the visibility of budgetary transactions Provide for operational efficiencies through more readily available financial information; Improve fiscal stewardship (ensures that funds appropriated, expended and recorded are reported accurately, reliably and timely); and Improve budget processes and controls • The Second Priority is the Mission Critical Assets. Mission critical assets are: Military Equipment Real Property Inventory Operating Materials and Supplies General Equipment FOR OFFICIAL USE ONLY 30 FIAR Strategies • Wave 1 Appropriations Received Wave 2 Statement of Budgetary Resources Wave 3 Mission Critical Assets Existence & Completeness FOR OFFICIAL USE ONLY Wave 4 Full Audit (except for valuation) 31 WAVE 1 Appropriations Received • Accurate and timely recording of the budget authority needed to commit, obligate, and expend funds • Processes and controls include activities performed to control and record transactions related to: Receipt of the budget (Appropriations Received) Distribution of the Budget to the Major Commands Fund Balance with Treasury (FBWT) FOR OFFICIAL USE ONLY 32 WAVE 2 Statement of Budgetary Resources • The SBR presents: all budgetary resources a reporting entity has available the status of those resources at period end a reconciliation of changes in obligated balances from the beginning to the end of the period and cash collections and disbursements for the period reported. • Includes all processes, internal controls, systems and supporting documentation that must be audit ready before the SBR can be audited. FOR OFFICIAL USE ONLY 33 Sample Statement of Budgetary Resources (SBR) BUDGETARY FINANCING ACCOUNTS BUDGETARY RESOURCES Unobligated balance, brought forward, Oct 1 Recoveries of prior year unpaid obligations Budget authority Appropriation Spending authority from offsetting collections Earned Collected Change in receivables from Federal sources Change in unfilled customer orders Advance received Without advance from Federal sources Subtotal Nonexpenditure transfer, net, anticipated and actual Permanently not available Total Budgetary Resources Status of Budgetary Resources Obligations incurred: Direct Reimbursable Unobligated balance: Apportioned Sub Total Unobligated balance not available Total status of budgetary resources 28,026,796 24,029,026 165,257,644 7,806,105 (144,220) 323,916 76,479 173,322,124 1,711,873 (3,170,061) 223,921,758 186,801,435 10,215,890 197,017,325 23,899,972 23,899,972 3,004,461 223,921,758 Changes in Obligated Balances Obligated balance, net Unpaid obligations, brought forward, Oct 1 Less: Uncollected customer payments for Federal sources, brought forward, Oct 1 Total unpaid obligated balance Obligations incurred net (+/-) Less: Gross outlays Less: Recoveries of prior year unpaid obligations, actual Change in uncollected customer payments from federal sources (+/-) Obligated balance, net, end of period Unpaid obligations Less: Uncollected customer payments from Federal sources (-) Total, unpaid obligated balance, net, end of period Net Outlays: Gross Outlays Less: Offsetting Collections Less: Distributed offsetting receipts Net Outlays 2009 Combined FOR OFFICIAL USE ONLY 93,776,544 (3,864,218) 89,912,326 197,017,325 (165,217,414) (24,029,026) 65,742 101,547,429 (3,798,476) 97,746,953 165,217,414 (8,130,022) (321,451) 156,765,941 34 WAVE 3 Mission Critical Assets (E&C) • Focuses on the “existence and completeness” financial statement assertions and includes the “rights” assertion and portions of the “presentation and disclosure” assertion. • Reporting entities must ensure that: all assets recorded in the property books exist all of the reporting entities’ assets are recorded in their system reporting entities have the right to report all assets (Rights) assets are consistently categorized, summarized, and reported period to period (Presentation and Disclosure). FOR OFFICIAL USE ONLY 35 WAVE 4 Full Audit • Include the proprietary side of financial transactions covered in Wave 2, and: • accounts receivable earned revenue accounts payable gross costs other liabilities Adds the “valuation” assertion for assets FOR OFFICIAL USE ONLY 36 Assertions Existence: Only valid or authorized transactions are processed during the correct period, and the underlying asset exists during the period reported in the accounting system Completeness: All transactions are processed that should be and the entire population of assets is accounted for and established. Rights & Obligations: Assets represent the rights of the organization as of a given date (Ownership/Custody) Valuation: Assets, liability, equity, revenue, and expense components have been included in the financial statements at appropriate amounts. Presentation and Disclosure: Components of the financial statements are properly classified, described and disclosed (properly recorded as acquisitions, disposals, reparable, expendable, salvageable) FOR OFFICIAL USE ONLY 37 Asserting • We will be asserting : that our financial controls are in place and operating effectively that our financial reports are accurately prepared that transactions can be supported with documentation and that that we have fully complied with our laws and regulations. FOR OFFICIAL USE ONLY 38 BUMED Assertion Dates to TMA Assessable Units Assertion Dates Travel SEP 2012 Consumables DEC 2012 Reimbursable Work Orders – Grantor DEC 2012 Reimbursable Work Orders – Performer APR 2013 Military Payroll APR 2013 Contract Administration JUL 2013 Non-Federal Receivables JUL 2013 Federal Receivables SEP 2013 Civilian Payroll DEC 2013 Financial Reporting DEC 2013 Fund Balance with Treasury DEC 2013 FOR OFFICIAL USE ONLY 39 FIAR Phases Audit Discovery Corrective Action Validation Assertion Evaluation FOR OFFICIAL USE ONLY 40 BUMED’s FIP Tool Box • Command Level Testing/Validation Testing • Standard Operating Procedures (SOPs) • FMO Samples and Workbooks • NAS Sample Testing FOR OFFICIAL USE ONLY 41 Audit Preparation Verify Beginning Balances Supporting Documents Population IT Controls Control Testing Service Providers Reconciliations Managers’ Internal Control Program (MICP) ICONO ICOFR MICP FOR OFFICIAL USE ONLY 43 Audit Readiness • It’s not just a Job; it’s the path to audit success… FOR OFFICIAL USE ONLY 44 Audit Readiness Trivia • What are the Priorities of the FIAR Plan? • What are Two Internal Control Objectives? • What are the Five Financial Assertions? • What is the date for Audit of the SBR? • What is the date for Full Audit? FOR OFFICIAL USE ONLY 45 Part 4: EXERCISE: CLASSIFYING AND REPORTING DEFICIENCIES FOR OFFICIAL USE ONLY 46 Scenario • At Naval Hospital Atlantis, during a 6 month timeframe, questionable transactions were found on the GTCCs for 60 members. During this timeframe, the total number of members who used their card was 70. • The types of questionable transactions included: • Expenses not related to official government travel such as video games purchased at Target • Cash advances taken within a member’s permanent duty station and the member is not on official government travel orders • Airline tickets purchased for a member’s spouse and children • Lodging charges for a member’s personal travel following a period of official government travel • These questionable expenses were not identified during travel card or DTS voucher review processes FOR OFFICIAL USE ONLY 47 Analysis • Is the deficiency a threat to mission, resources, and/or image? • How would you classify the deficiency and why? • Material Weakness, Reportable Condition, Item to be Revisited • What is your corrective action plan? • Would you report the deficiency? Why or why not? • Is the deficiency related to ICONO, ICOFR, or both? • If you do report the deficiency, what level of assurance do you report? • Unqualified, Qualified, or No assurance FOR OFFICIAL USE ONLY 48 Higher Level Resources • Federal Managers’ Financial Integrity Act of 1982 (P.L. 97-255) • OMB Circular A-123: Management’s Responsibility for Internal Control • DoD Financial Improvement and Audit Readiness (FIAR) Guidance of December 2011 • DoDI 5010.40 of 29 July 2010: Managers’ Internal Control Program (MICP) Procedures • SECNAVINST 5200.35E of 8 November 2006: Department of the Navy (DON) Managers’ Internal Control (MIC) Program • SECNAV M-5200.35 of June 2008: Department of the Navy Managers’ Internal Control Manual • OPNAVINST 5200.25D of 03 October 2011: Managers’ Internal Control Program • GAO Products: “Standards for Internal Control in the Federal Government” and “Internal Control Management and Evaluation Tool” 49 FOR OFFICIAL USE ONLY BUMED Resources • SG’s Memo on Internal Controls in Navy Medicine of 5 January 2012; Reference: 5200 Ser M82/11UM82757 • DSG’s Memo on Annual Areas for Leadership Engagement of 30 August 2010; Reference: 5200 Ser M82/10UM82749 • BUMEDINST 5200.13A of 29 October 2008: Managers’ Internal Control Program • Managers’ Internal Control Program (MICP) Guidance for Fiscal Year (FY) 2012 dated 6 October 2011; Reference: 5200 Ser M82/11UM82758 FOR OFFICIAL USE ONLY 50 Questions? Contact Information • Meg Sherwood Phone: 703-681-9487 Email: margaret.sherwood@med.navy.mil • Freda King Phone: 703-681-9471 Email: freda.king@med.navy.mil FOR OFFICIAL USE ONLY 51