Presentation on theme: "Office of the Secretary of Defense - Comptroller’s Manager’s Internal Control Program 3 April 2014 Unclassified OSD - Comptroller Financial Improvement."— Presentation transcript:
Office of the Secretary of Defense - Comptroller’s Manager’s Internal Control Program 3 April 2014 Unclassified OSD - Comptroller Financial Improvement and Audit Readiness Building a “Culture Focused on Accountability”
DoD’s Priority – Achieving Auditable Financial Statements MICP - Why and How? MICP in Afghanistan Appendix Purpose of Briefing 2 1.
Audit Readiness Goals Incremental Milestones and Significant Challenges “Audit Readiness” – o The Department has strengthened internal controls and improved financial practices, processes and systems o Reasonable confidence that the information can withstand an audit by an independent auditor. Audit Readiness for Budget Statements by 30 September 2014 Full financial statement validation To date, $235 billion or 19 percent of total budgetary resources have an opinion or are under audit and $453 billion or 53 percent of DoD assets are either under examination, have been validated as audit ready or have been asserted as audit ready for existence and completeness of critical assets. Full Audit Readiness By 30 September 2017 Challenges Challenges Budgetary Turmoil 4 Availability of Independent Auditors Capacity of the DoDIG Size and Complexity of the Department Hundreds of Legacy Systems 1. 2. Human Capital - Right Number and Skill Set 3.
Audit Readiness Progress Six DoD organizations received unqualified audit opinions on their FY13 financial statements. o U.S. Army Corp of Engineers – Civil Works o Defense Commissary Agency o Defense Contract Audit Agency o Defense Finance and Accounting Service o Defense Health Agency – Contract Resource Management o Military Retirement Fund Three DoD organizations received qualified opinions. o Defense Information Systems Agency – Working Capital Fund and General Fund o Office of the Inspector General o Medicare – Eligible Retiree Care Fund. Audit Opinions on Financial Statements 5 Audit readiness validated by examinations o DFAS – Civilian Pay, Military Pay, and Standard Disbursing Services o DCPAS – Civilian Pay o DISA – Enterprise Computing Services Examinations underway o Army – All General Fund activities o Navy – Fund Balance with Treasury o Air Force – Civilian Pay (General Fund and Working Capital Fund) and Funds Distribution to Base. o DFAS – Contract Pay o DLA – Civilian Pay, Contract Pay, Defense Agencies Initiatives (DAI), Defense Automatic Addressing System o Service Medical Activity (Navy) – Consumables o Chemical Biological Defense Program – Contract Pay, Other Budgetary Activity, Reimbursable Work Orders- Acceptor, Reimbursable Work Orders- Grantor, and Fund Balance with Treasury Audit Readiness Examinations Assertion of Assessable Units o Navy – Operating Materials and Supplies o Defense Contract Management Agency – Fund Balance with Treasury, Contract/Vendor Pay, Reimbursement Work Orders- Acceptor and Reimbursement Work Orders- Grantors o Defense Logistics Agency – Real Property and General Equipment- Capital Assets. o Service Medical Activity-Navy o Chemical Biological Defense Program – Contract Pay, Fund Balance Treasury Audit Readiness Assertions 4.
Audit Readiness Strategy and Timeline Mission Critical Assets Existence & Completeness Audit Readiness FY 2018 Full Financial Statements Audits SBR Audit Readiness Appropriations Received Audit Readiness Full Financial Statements Audit Readiness Wave 1 FY 2013 Wave 2 FY 2014 Wave 4 FY 2017 Wave 3 FY 2016 Wave 1. Completed when Appropriations Received was validated as audit ready. Focused on the processes and controls associated with the receipt and distribution (through apportionments, allotments and sub-allotments) of congressionally appropriated funds. Wave 2. Focuses on processes, internal controls, systems, and supporting documentation that must be audit ready for the General Fund SBR can be audited. It is dependent on achieving an auditable FBWT balance. Wave 3. Focused on the Existence and Completeness assertions to include all assets recorded in the Accountable Property System of Record, all existing assets are recorded in the APSR, reporting entity has the rights to report on assets, and assets are consistently categorized, summarized, and reported from period to period (Presentation and Disclosure? Wave 4. Includes all other financial statements to include for example, General Fund Balance, Statement of Net Cost, etc. Currently In Wave 2 5.
Turning Theory Into Reality Reliance upon auditors Impact – Mitigation of risk after the mission negatively impacted Past Review and Reporting of Risk – “Paper Drill” Reliance upon internal expertise Impact - Identification and mitigation of inefficiencies before Command negatively impacted Future Review and Reporting of Risk – Part of Command Culture - Value Added So What? So What? Limited Scope Emphasis on Requirement One point in time Coverage of all functions Emphasis on most efficient and effect way to meet requirement Daily review How do we minimize risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss” -- Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness. If you rely upon an outside audit service to identify and report on control deficiencies – it is to late (e.g., embarrassment and negative impact to mission). 8 7.
Culture Needs to Change Driven By Senior Management “Culture that has allowed massive waste of taxpayers’ dollars has become business-as-usual at the Department of Defense. Particularly in today’s fiscal environment, this cannot be tolerated. If this is not corrected, the Department’s ability to continue defending the Nation and to provide for its national security will be compromised. Taxpayers simply will not tolerate the continuing waste of their resources in light of the debt we face and our competing budgetary needs”. ~Senator John McCain, (R-AZ) – Senate Armed Services Committee (SASC), September 2011.Senator John McCain, (R-AZ) – Senate Armed Services Committee (SASC) “ We need to change the culture of the Department where Commanders are held directly accountable for the efficient use of dollars.” ~Honorable Robert Hale, DoD Comptroller – House Armed Services Committee, January 2012.onorable Robert Hale, DoD Comptroller – House Armed Services Committee “Need to Change the Culture,” – Communicate what senior management needs to hear versus what you think they want to hear --- candor --- proactive versus reactive. – Through the chain of command! 8.
Turning Theory Into Reality Reliance upon auditors Impact – Mitigation of risk after the mission negatively impacted Past Review and Reporting of Risk – “Paper Drill” Reliance upon internal expertise Impact - Identification and mitigation of inefficiencies before Command negatively impacted Future Review and Reporting of Risk – Part of Command Culture - Value Added So What? So What? Limited Scope Emphasis on Requirement One point in time Coverage of all functions Emphasis on most efficient and effect way to meet requirement Daily review How do we minimize risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss” -- Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness. If you rely upon an outside audit service to identify and report on control deficiencies – it is to late (e.g., embarrassment and negative impact to mission). 10 9.
Change of Culture Candor versus Groupthink Groupthink Candor Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also, collective optimism and collective avoidance.”consensus Candor is unstained purity freedom from prejudice or malice : fairnessprejudicefairness Change Status Quo Status quo, a commonly used form of the original Latin "statu quo" – literally "the state in which" – is a Latin term meaning the current or existing state of affairs.  To maintain the status quo is to keep the things the way they presently are.Latin term  Past – “Old School” Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.individualsteams organizations Future – Self Reporting – Good News and Bad 11 10.
Candor versus Groupthink Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy, April 2, 2010 “Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.” “As an officer if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.” “In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success.” He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”. Washington Post, Article titled, “ Gen. Petraeus: No Sugar-Coated Optimism”, by Col. Michael E. Haith (Ret), United States Army, July 6, 2011 "The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers,“ – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear to in order to effectively lead). "To stick out your neck after discussion becomes consensus, and consensus ossifies into group think.” American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25 2009 An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor, and encouragement of self-reporting of risk. 12 11.
T urning Theory Into Reality Prioritize Risk With Mission Requirements and Provide Mitigation Accomplish Requirement Accomplish Requirement Efficiently & Effectively Change Focus on Risk and Incentivize Self – Reporting Change of Organizational Culture Form Over Substance Substance Over Form Groupthink What does leadership want to hear? Candor What does leadership need to hear? How Do We Minimize Risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss” Loss can be: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy, completeness etc. 12.
DoDI 5010.40 – MICP Procedures 14 13. o Instruction Applies to: OSD Military Departments Joint Chiefs of Staff Combatant Commands DoDIG Defense Agencies DoD Field Activities DoD Components Establish a MICP to: o Assess inherent risks in mission-essential processes o Document and design internal controls o Test the design and operating effectiveness of existing internal controls o Identify and classify control deficiencies and execute corrective actions plans o Monitor and report the status of corrective action plans o Designate in writing the MICP Coordinator o Conduct a formal assessment of the acquisition functions requirements outline o Submit the annual statement of assurance to the Sec Def DoD Component Heads Each DoD and OSD Component establishes a MICP Establish a Senior Management Counsel to oversee operational, financial, and financial systems reporting Appoint a MICP Coordinator o Coordinates with assessable unit managers to ensure proper documenting of end-to-end processes o Identifies best practices and develops efficiencies to improve control documentation, enhance controls, eliminate inefficient controls, and implement new controls. o Ensures subject matter experts assess risk and may impact mission or operations. o Ensures identification of internal control objectives. o Assists in testing and classification of internal controls o Ensures corrective actions plans are developed o Ensures best practices and deficiencies are shared across assessable units. o Tracks progress of corrective actions o Actively communications with the DoD Component Senior Management Council o Maintains MICP documentation Procedures
DoDI 5010.40 – MICP Procedures 15 14. Segments into organizational, functional or other assessable units Must ensure entire organization is covered Must be large enough to allow managers to evaluate significant portion of the activity being examined Must be small enough to be able to document processes and controls MICP Coordinator appoints and trains AUM for each assessable units Assess risk Identifies internal control objectives Documents operational, administrative, system and financial internal controls Reviews processes and procedures and recommendations Tests effectiveness of internal controls Identifies and classifies internal control deficiencies Develops corrective actions Tracks progress of corrective action plans Maintains MICP documentation Assessable Unit Managers (AUMs) Assessable Units Statement of Assurance Communications Intelligence Security Comptroller and Resource Management Contract Administration Force Readiness Information Technology Acquisition Manufacturing, Maintenance, and Repair Other Personnel and Organizational Management Procurement Property Management Research, Development, Test and Evaluation Security Operations Support Services Budget-to-Report Hire-to-Retire Order-to-Cash Procure-to-Pay Acquire-to-Retire Plan-to-Stock Reporting Categories
Where to Begin? - “Tone-at-the Top” What is the “Tone at the Top”? “Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees. For a Managers’ Internal Control Program to be effective: Need Senior Management’s Support Thru: Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations. Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls, and associated risks Reporting - Create and promote path for employees to self-report and feel safe from retaliation Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity 15.
Reliance Upon an Entity-Level Risk Assessment Risk Assessment Process Overview Enhances ability to understand key business risks Integral piece of management’s risk assessment process Provides structured process that becomes the cornerstone for prioritizing risks Focuses attention on areas meriting management review and monitoring Builds knowledge and confidence in risk management Understand the Component’s highest risks to mission Understand the Component’s business, to include strategies and objectives Develop a preliminary understanding of key business risks and processes and align them to the Component’s strategic plan and objectives Create a customized risk universe – a framework to categorize key business risks – that reflects the risks facing the Component Determining current risk monitoring activities Understand the effectiveness of entity-level controls, such as: Policies and procedures Code of conduct Segregation of duties Business continuity and disaster recovery plans for all primary data centers and business unit facilities; and Fraud prevention/detection programs Scope the risk assessment by obtaining input from all key stakeholders Assess, prioritize, and validate key business risks with the key stakeholders Report the results of the risk assessment and using those results to develop a corrective action strategy 17 16.
Top - Down Perspective and Bottom - Up Clear, focused communications of the Component’s mission, and Commander/Director’s priorities and challenges. Formal Communication Framework between senior leadership and MICP Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers. Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP. Formal Communication Framework Built Upon Trust and Empowerment Full participation with communications. Key participate in execution of Component’s mission and MICP Coordinator’s input towards potential risks and controls to risk mitigate Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units. An Effective MICP Is Dependent Upon Communication Through Chain-of-Command Importance of Organizational Participation Assessable Unit Managers MICP Coordinator Senior Functional Managers Commander 18 17.
Managers’ Internal Control Program Historically – Reactive (What Does Management Want to Hear) Current Emphasis – Proactive (What Does Management Need to Hear) Reliance Upon Outside Audit Agencies Focus on Timelines and Format “Paper-Drill Exercise” Self-Reporting – Punitive Versus Incentivized Reliance Upon Resources in Component Focus on Risk Report Supported by Documentation of MICP Process Self-Reporting – Incentivize Versus Punish Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses. Candor not part of culture – i.e., “group-think.” Threat of retribution for self- reporting “bad news.” Filtered communications Score received by Component based upon timeliness of SOA submission and adherence to format not substance of content. Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year- round. Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses. Development of a “cost culture” Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation. Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization. Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon. 19 18.
Command – USFOR-A Sub-component Comptroller – J-8 Assessable Units* Verification and accurate reporting of CERP payments Function Commander’s Emergency Response Program “Assessable Units are defined as segments of business activities (i.e., transaction level). 20 19.
22 21. INTERNAL CONTROL EVALUATION CERTIFICATION For use of this form, see AR 11-2; the proponent agency is ASA(FM&C). 3. ASSESSABLE UNIT 4. FUNCTION 5. METHOD OF EVALUATION (Check all that apply) a. CHECKLIST b. ALTERNATIVE METHOD (Indicate method) APPENDIX (Enter appropriate letter) 6. EVALUATION CONDUCTED BY a. NAME (Last, First, MI) 7. REMARKS (See Attached) Use this block to describe the method used to test key controls, the internal control weakness(es) detected by the evaluation (if any) and the corrective action(s) taken. (THIS IS MANDATORY) a. METHOD OF TESTING KEY CONTROLS (Check all that apply) Direct ObservationReview of Files orAnalysisSamplingSimulationInterviews Other Documentation Other (Explain) b. EVALUATION RESULTS (Include specific items tested): c. INTERNAL CONTROL DEFICIENCIES DETECTED, IF ANY. (Include potential material weaknesses): d. DESCRIBE CORRECTIVE ACTIONS TAKEN, IF APPLICABLE. 8.CERTIFICATION I certify that the key internal controls in this function have been evaluated in accordance with provisions of AR 11-2, Army Managers' Internal Control Program. I also certify that corrective action has been initiated to resolve any deficiencies detected. These deficiencies and corrective actions (if any) are described above or on attached documentation. This certification statement and any supporting documentation will be retained on file subject to audit/inspection until superseded by a subsequent internal control evaluation. a. ASSESSABLE UNIT MANAGER (1) Typed Name and Title (2) Signature An Example – Army Form DA 11-2
Mitigated Risk Inherent Risk Risk Assessment Results - High RISK Is required to ensure all personnel maintain proper oversight and accountability of U.S. Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse. Loss or destruction of sensitive items Loss or destruction of nonexpendable or durable equipment Provide hand receipts at the user level Conduct monthly sensitive items inventory by alternating officers Provide leadership emphasis on properly securing and using equipment Spot checks on property accountability Control Environment: Inherent Risks: Existing Management Controls: An Example – Risk Matrix 1 2 3 4 5 YRRRR e GYRRR d GYYRR c GGYYR b GGGYY a Consequences Likelihood 23 22.
RDT&E Major System Acq Procurement Contract Admin Commo, Intel & Secur Property Mgmt Supply Mfg, Maint, & Repair Force Readiness Comptroller & RM Personnel & Org Info Tech FMFIA Over Financial Reporting Support Svcs Security Assist Unclassified The MICP Assessments Includes Functions of an Organization Appendix A 23.
Managers’ Internal Control Program Cycle Managers’ Internal Control Program Managers’ Internal Control Program A. Identify Functional Areas B. Identify Assessable Units C. Assign Assessable Unit Manager(s) D. Document Key Processes and Controls E. Assess/Test Internal Controls F. Communicate and Prioritize Risk G. Align Risk with Command Priorities H. Mitigate Risk Through Remediation I. Report in SOA “Material” Findings J. Monitor Corrective Plans 25 24.
GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 27 26.
GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 27.
GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 “ My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place…….It is “no longer business as usual,” in terms of allocation and spending for non mission essential resources”…..I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies…….to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.” 29 28.
We Need to Change How We Do Business Drawdown plan estimates for U.S. and more than a dozen other nations will shrink the foreign military footprint in Afghanistan by 40,000 troops in total by close of CY 2012 Reactive or Proactive Identification and execution of plans prior to drawdown will result in significant savings. Approach: Reactive: Continue “business as usual” or Proactive: Pursue and enact policies prior to planned draw down of personnel. “Does it make sense?” Construction Leases Purchases – equipment/supplies Overtime Vehicles Projects 29.
USFOR-A Specific Challenges “High personnel turnover/lack of continuity” “Reliance upon accurate property book with additional burden associated with draw down” “Lack of trained personnel for contract surveillance towards “service” type contracts” “Draw down of personnel and conflicting strategies in high tempo environment “ “Balance of requirements of completing assigned missions and evaluation of internal controls,” and “Lack of contract oversight/contractors having duties that are inherently governmental in functions.” 31 30.
Components identify Assessable Unit Manager (AUM) Provide overview of MICP to AUM Inform of training, communication and documentation responsibilities with AUM and related deliverables Identify functional areas, and command/control responsibilities Review Commander’s priorities and concerns of regarding risk Obtain initial feedback of additional areas of risk that should be included in prioritization of risk process. Provide functional areas and assessable unit managers assigned to each area Participate on monthly status calls with USFOR-A MICP Coordinator Two-way communications of alignment of risk from the Commander perspective and risk identified by the Regional and Other Commands Review documentation and “next steps” Provide mitigation of risk with corrective actions as these issues are identified Provide assessment of risk for each functional area Prioritize risk for each functional area Provide “quick reaction” recommendations that may provide mitigation of risk to the Command due to overall risk and/or systemic in nature Document processes/procedures and controls Determine for high and medium risk levels the evaluation of controls (do controls mitigate risk or do they require remediation) Complete review of assessable units with recommendations for corrective actions Determine material internal control deficiencies that are material Complete the USFOR-A Statement of Assurance An Example - MICP Plan of Action Overview of the FY 13 Managers’ Internal Control Program 31.
33 Milestone: 15 November 2012 Assign Directorate Assessable Unit Coordinator (AUC) Contact USFOR-A MICP Coordinator to schedule MICP Introductory Training (one hour) Participate in monthly interface (i.e., telephone call and/or face-to-face) with USFOR-A MICP Coordinator Review organizational structure and identify assessable units (functional area) Assign staff person(s) responsibility for each assessable unit and sub function if required -- Assessable Unit Managers (AUM) Have MICP Coordinator and each assessable unit manager sign “appointment letter” Complete computer –based MICP training (MICP Coordinator and Assessable Unit Managers) Request onsite coaching/training from USFOR-A MICP Coordinator Contact USFOR-A MICP Coordinator to schedule one hour MICP Training for Assessable Unit Managers (AUMs) Provide list of assessable units to USFOR-A Coordinator Provide MICP Coordinator and Assessable Unit Manager signed “appointment letters” Milestone: 15 December 2012 Identify and prioritize risk associated with each major process/procedure for each assessable unit Provide documentation/analysis of identified potential risk and recommendation for remediation (i.e., corrective actions) Provide risk and remediation to MICP Coordinator (if “material” then brief through chain of command) Participate in a in-process-review and monthly USFOR-A MICP VTC. An Example - Next Steps USFOR-A MICP Coordinator: Steve Silverstein, J8 (DSN: 318-449-4159) Robert. S.Silverstein@swa.army.mil Share Drive “FY13 USFOR-A Managers’ Internal Control Program”S.Silverstein@swa.army.mil 32.
Acquisition Planning Funding Acquisition Methods Contract Types Competition Full and Open Competition Yes No Justification Detailed Description Approval By Contracting Officer R-1 C C Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statue etc. Contracting Officer signs and dates justification statement Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation. Need to Take Two Steps Back – In order To Take One Step Forward Function - Procurement/Acquisition Assessable Unit – Competition/ Sole Source Need to Document (at “transaction lever) GRAP Related Processes, Controls and Risk 35.
37 36. Statement of Assurance (SoA) (per DoDI 5010.40, Managers’ Internal Control (MIC) Program Procedures) Assessable Unit An organizational subdivision of a DoD Component that must comply with the MIC Program. Note that Components: Must segment into organizational assessable units All parts of the DoD Component must be covered Must maintain a current inventory of its assessable units Control Deficiency The design or operation of a control that does not allow the organization to prevent or detect misstatements on a timely basis or to accomplish the mission objectives. Financial Statement Reporting Entity (FSRE) An entity assigned by either the Office of Management and Budget (OMB) or the DoD to produce and provide to OUSD(Comptroller) stand alone, financial statements, both quarterly and annual. Internal Controls The organization, policies, and procedures that help program and financial managers achieve results and safeguard the integrity of their program Internal Control Assessment A documented evaluation on the effectiveness and adequacy of the system [of internal controls] to meet the mission objectives, implemented in a cost effective way. Internal Control Assessment (Overall) An assessment of the internal control effectiveness for the functions under the Federal Manager’ Financial Integrity Act (FMFIA). The overall process includes all programs, activities, and operational areas [i.e., the Internal Control Reporting Categories defined in DoDI 5010.40]. Internal Control Assessment (ICA) Internal Control Over Financial Reporting (ICOFR) An assessment of the effectiveness of internal controls over financial reporting which closely follows the guidance in Appendix A of OMB Circular A-123 and MIC Program Annual Guidance provided by OUSD(Comptroller). Material Weakness (Overall) A reportable condition that is significant enough to report to the next higher level. It is management’s judgment as to whether a weakness is deemed material responsible for the area in question DoDI 5010.40 Terms
38 37. Reasonable Assurance An informed judgment by management as to the overall adequacy and effectiveness of internal controls based upon available information that the systems of internal controls are operating as intended. There are three possible assurance statements: An unqualified statement of assurance is reasonable assurance with no material weaknesses reported. Each unqualified SoA shall provide a firm basis for that position, which the PSA or Principal Deputy (the Director or Deputy Director for DoD Field Activities) will summarize in the cover memorandum. Tab A contains a more extensive explanation of how the assessment helped justify the reporting entity’s assertion of an unqualified statement. A qualified statement of assurance is reasonable assurance with the exception of one or more material weakness(es) noted. The cover memorandum must cite the material weaknesses in internal management controls that preclude an unqualified statement. Tab B fully describes all weaknesses, the corrective actions being taken, and by whom, and the projected dates of correction for each action. A statement of no assurance is no reasonable assurance because no assessments were conducted or the noted material weaknesses are pervasive. The reporting entity shall provide an extensive rationale for this position. Reportable Condition (Overall) A control deficiency (or combination of deficiencies) that in management’s judgment, should be communicated because they represent significant weaknesses in the design or operation of internal controls that could adversely affect the organization’s ability to meet its internal control objectives. Reportable Condition (ICOFR) A control deficiency (or combination of deficiencies) that adversely affects the entity’s ability to initiate, authorize, record, process or report external financial data reliably according to generally accepted principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, is more than inconsequential will not be prevented or detected Risk The possibility an event will adversely effect the achievement of internal control objectives and result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement. Systemic Weakness A weakness that materially affects internal controls across organizational and program lines, and usually affects more than one DoD Component.. DoDI 5010.40 Terms
39 38.. Risk The possibility an event will adversely effect the achievement of internal control objectives and result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement. Systemic Weakness A weakness that materially affects internal controls across organizational and program lines, and usually affects more than one DoD Component. Note: A systemic weakness is determined by the PSA with functional responsibility for the area in question DoDI 5010.40 Terms