Managers’ Internal Control (MIC) Program: Applications and Best Practices for Government Organizations
April 4, 2014
Agenda
• Value of Internal Control
• Internal Controls Defined
• DoD IG Audit Examples
• MICP Guidance & Policy
• Statement of Assurance
• AU Development
• Risk Identification
• Risk Mitigation
• Testing Controls
• Corrective Action Plans
• Accomplishments
• Program Myths & Facts
• Internal Control Red Flags
• DoD Report Analysis
• Successful Program Components
• Summary
Value of Internal Control
• Promotes a proactive approach to preventing issues and mitigating risk
• Evaluates all organizational aspects, not just financial
• Results of the Program can be used to assess, analyze, and improve operations and processes across the Department, Command, and Agency
• Encourages communication to share lessons learned and accomplishments
Internal Controls Defined
• Internal Controls as defined by OMB A-123 are organizational policies, procedures, and tools to help managers achieve results and safeguard the integrity of their programs
• Internal Control is a process that provides reasonable assurance that:
  • Programs, functions and processes are achieving their intended results;
  • Programs and resources are protected from waste, fraud, abuse, and mismanagement; &
  • Laws and regulations are being followed
• Internal Control activities are being performed every day within the workplace
“Internal Control provides reasonable, not absolute assurance that areas and processes are operating as intended.”
DoD IG Semi-Annual Report to Congress (1 April – 30 September 2013)
• Contracting: Cost-Reimbursable Contracting – More than 65% of 161 contracts reviewed (valued at appx. $10.5B) did not comply with interim cost-reimbursable rules
• Joint Warfighting: May be operating an underused aircraft in excess of required Operational Support Airlift aircraft inventory; officials did not comply with federal and DoD guidance when justifying the cost of using the aircraft
• Cyber/Security: Commercial Access Control System did not effectively mitigate contractor access and allowed 52 convicted felons to access installations
• Equipping and Training Afghan Security Forces: Contractor did not deliver products within contract timelines for 29 of 36 actions, which caused a lack of communications capability and excess costs
MICP Guidance and Policy
Agencies submit an annual Statement of Assurance that reports accomplishments, weaknesses, and provides a qualification statement on the strength of Internal Controls.
• Army: Regulation 11-2; MICP
• Air Force: Policy Directive 65-2
• Navy: SECNAV M-5200.5
• Marine Corps: MCO 5200.24d
Statement of Assurance (SOA)
• SOA Elements (for each Assessable Unit)
  • Risk
  • Risk Mitigation/Controls
  • Control Testing
  • Corrective Action Plans
  • Accomplishments
Assessable Units/Functions
• AU’s/Functions have a defined purpose that aids in the accomplishment of the organization's mission – not just those that are financial in nature
• Designed to provide a reasonable span of control to conduct management reviews
• Must have clear limits or boundaries, and be responsible to a specific manager
• Small enough to provide reasonable assurance of adequate controls but large enough that a detected weakness has the potential to impact the mission (organizational or departmental)
• AU’s are managed at the lowest possible level, as local management is most familiar with operations and can quickly isolate and resolve issues when they arise
AU Decision Methodology Process
• Some Higher Headquarters determine AU’s, while others are determined at the local Command level
• If no direct guidance is provided, review organizational structure, past inspections and audits, and ‘new’ programs in place
• Consider
  • Can performance of this function cause fraud, waste, abuse, or mismanagement?
  • Does the function have metrics or impact the Command mission?
  • Does the function offer a reasonable span of control?
  • Does the function provide clear limits and boundaries?
• Using a Functional Risk Assessment can identify potential sources of risk
AU Risk Evaluation
• AU’s should have on average 2-4 risks
• Good business practice to incorporate an AU risk that has a goal, objective, or metric associated with it
• Evaluate the Risk
  • Inherent Risk – what is the probability of risk without any controls in place?
  • Control Risk – how risky is the AU with current processes and procedures in place?
  • Combined Risk – how risky is the AU after all mitigation factors are considered (i.e. what hasn’t been considered and could go wrong)?
AU Risk Mitigation
• Each Risk traditionally has multiple mitigation tools in place to prevent/minimize the risk from occurring. These can include, but are not limited to:
  • Policies, guidance, processes, procedures
  • Delegation of Authority Letters
  • Training
  • Templates, checklists
  • Audits, inspections
• Mitigation approaches must be in use today
• Each mitigating factor is a control and can be tested
Testing Controls
• Management evaluates and tests AU controls via unscheduled assessments to validate controls are working as designed as part of the Certification Statement
• Agencies and Commands vary in testing frequency; some test all AU’s (at least one control) annually; others only every 3-5 years
• Testing controls often includes:
  • Type of Test: Observation, Inspection, Document Analysis, Transaction Testing, Re-performing task, Interview
  • Control Type: Automated or Manual
  • Frequency of Test: Daily, Weekly, Monthly, Quarterly, Annually
  • Results of Test
• If tests do not produce intended results, a Corrective Action Plan should be developed to track weakness through resolution
Corrective Action Plans
• Used when a Control Test does not produce desired results
• Weakness must be classified
  • Item to be Revisited: traditionally a “low” risk weakness; can be resolved easily at local Manager level
  • Reportable Condition: a “medium” risk weakness; may be a result of one or a combination of deficiencies that hinder ability to meet requirements. These weaknesses are traditionally identified to Department Managers
  • Material Weakness: a “high/serious” risk weakness; traditionally reported up to higher management levels
• Material Weaknesses are reported in the Command SOA
• Corrective Action Plans should report the description of finding and POA&M for resolution
• Once resolved, control is to be tested again to confirm correction has been made
Accomplishments
• Accomplishments are just that: things that have been done well in the past year
• Encourage each AU to find one reportable accomplishment during the year
  • Employee Recognitions
  • News Articles
  • Cost Savings/Avoidance Approaches
  • Result of a Corrected Weakness
• Include description of accomplishment; what improvement(s) resulted; current and future impact(s), etc.
“Red Flags” in Internal Control
• Discrepancies between actual performance and anticipated results
• Lack of data integrity/protection
• Receipts not matching deposits
• Disbursements to unknown/unapproved vendors
• One signature on checks or pre-signed blank checks
• Gaps in receipt or check numbers
• Ignoring training requirements
• Chronic late, inconsistent, or incorrect reporting
• Disregard for internal control policies and procedures
DoD IG Semiannual Report Analysis
• Audit issued 56 reports with 412 recommendations
• 7 reports that addressed Joint Warfighting, Readiness in Intelligence Enterprise, and issues in the security and nuclear enterprises
• Investigations were the basis for 111 arrests, 175 criminal charges, as well as $619.8 million returned to the government
• Issued 83 reports identifying $23.5 B in questionable monetary benefits, and achieved an additional $2.2 billion in financial savings based on completion of corrective actions
Internal Control Program Lessons Learned
• Senior Leadership and organizational communication are key to program success
• Typically little to no consistency across departments or enterprise
• Management feels program is merely a paper drill
• Keep management informed and trained
• Lack of management training in IC Program results in little to no reporting of issues when initially identified
• Negative connotation of IG inspections prevents management from reporting issues
• IG Audits are there to protect the stakeholders; Internal Controls is a proactive approach to preventing issues
• Sound program implementation results in better overall organizational efficiencies
Successful Internal Control Program Components
• Internal Control methodologies are embedded in daily operations
• Proactive relationship between Leadership & Management
• Standardized processes, templates & reports
• Offer localized training in addition to mandated courses
• Regular meetings/reporting with Management
• Quarterly follow up on Weaknesses
• Coordinate program approach with IG as applicable; include IG Audit areas of concern within program
• Decrease use of paper via a web-based/SharePoint application for data collection and reporting
An Effective Internal Control Program can Prevent…
• Inadequate process documentation
• Service payments not made within established timelines and policies
• Improper expenditure reporting
• Program management of noncompliance and reporting
• Incomplete records and authorizations
• Incomplete contract payment reconciliations
• Incomplete employee certification validation
• Fraud, Waste, Abuse and Mismanagement
Summary
• Internal Controls provide reasonable assurance, not absolute
• Management sets the tone at the top
• Most issues originate from outdated or lacking processes and policies
• Using past IG Audits and Functional Risk Assessments can help identify where issues are most likely to occur
• IC Programs are designed to detect issues during daily business operations
“Internal controls can’t prevent every error but can reduce the probability of occurrence.”