Presentation on theme: "Office of the Secretary of Defense - Comptroller’s"— Presentation transcript:
1Office of the Secretary of Defense - Comptroller’s Manager’s Internal Control Program3 April 2014UnclassifiedOSD - ComptrollerFinancial Improvement andAudit ReadinessBuilding a “Culture Focused on Accountability”
2Purpose of BriefingDoD’s Priority – Achieving Auditable Financial StatementsMICP - Why and How?MICP in AfghanistanAppendix1.
4Audit Readiness GoalsIncremental Milestones and Significant Challenges1.Audit Readiness for Budget Statements by 30 September 2014“Audit Readiness” –The Department has strengthened internal controls and improved financial practices, processes and systemsReasonable confidence that the information can withstand an audit by an independent auditor.Budgetary TurmoilCapacity of the DoDIGAvailability of Independent AuditorsChallenges2.Full Audit Readiness By 30 September 2017Full financial statement validationTo date, $235 billion or 19 percent of total budgetary resources have an opinion or are under audit and $453 billion or 53 percent of DoD assets are either under examination, have been validated as audit ready or have been asserted as audit ready for existence and completeness of critical assets .Size and Complexity of the DepartmentHundreds of Legacy SystemsHuman Capital - Right Number and Skill Set3.4
5Audit Readiness Progress Audit Opinions on Financial StatementsAudit Readiness ExaminationsAudit Readiness AssertionsSix DoD organizations received unqualified audit opinions on their FY13 financial statements.U.S. Army Corp of Engineers – Civil WorksDefense Commissary AgencyDefense Contract Audit AgencyDefense Finance and Accounting ServiceDefense Health Agency – Contract Resource ManagementMilitary Retirement FundThree DoD organizations received qualified opinions.Defense Information Systems Agency – Working Capital Fund and General FundOffice of the Inspector GeneralMedicare – Eligible Retiree Care Fund.Audit readiness validated by examinationsDFAS – Civilian Pay, Military Pay, and Standard Disbursing ServicesDCPAS – Civilian PayDISA – Enterprise Computing ServicesExaminations underwayArmy – All General Fund activitiesNavy – Fund Balance with TreasuryAir Force – Civilian Pay (General Fund and Working Capital Fund) and Funds Distribution to Base.DFAS – Contract PayDLA – Civilian Pay, Contract Pay, Defense Agencies Initiatives (DAI), Defense Automatic Addressing SystemService Medical Activity (Navy) – ConsumablesChemical Biological Defense Program – Contract Pay, Other Budgetary Activity, Reimbursable Work Orders- Acceptor, Reimbursable Work Orders- Grantor, and Fund Balance with TreasuryAssertion of Assessable UnitsNavy – Operating Materials and SuppliesDefense Contract Management Agency – Fund Balance with Treasury, Contract/Vendor Pay, Reimbursement Work Orders- Acceptor and Reimbursement Work Orders- GrantorsDefense Logistics Agency – Real Property and General Equipment- Capital Assets.Service Medical Activity-NavyChemical Biological Defense Program – Contract Pay, Fund Balance TreasuryAudit Readiness Progress4.
6Audit Readiness Strategy and Timeline Currently In Wave 2Wave 1FY 2013Wave 2FY 2014Wave 3FY 2016Wave 4FY 2017Appropriations Received Audit ReadinessSBR Audit ReadinessMission Critical Assets Existence & Completeness Audit ReadinessFull Financial Statements Audit ReadinessFY 2018 Full FinancialStatements AuditsWave 1. Completed when Appropriations Received was validated as audit ready. Focused on the processes and controlsassociated with the receipt and distribution (through apportionments, allotments and sub-allotments) of congressionallyappropriated funds.Wave 2. Focuses on processes, internal controls, systems, and supporting documentation that must be audit ready for theGeneral Fund SBR can be audited. It is dependent on achieving an auditable FBWT balance.Wave 3. Focused on the Existence and Completeness assertions to include all assets recorded in the Accountable PropertySystem of Record, all existing assets are recorded in the APSR, reporting entity has the rights to report on assets, andassets are consistently categorized, summarized, and reported from period to period (Presentation and Disclosure?Wave 4. Includes all other financial statements to include for example, General Fund Balance, Statement of Net Cost, etc.5.
8Turning Theory Into Reality How do we minimize risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss” --Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security,privacy and completenessSo What?Limited ScopeEmphasis onRequirementOne point in timeReliance upon auditorsImpact – Mitigation of risk after the mission negatively impactedPastReview and Reporting of Risk – “Paper Drill”Reliance upon internal expertiseImpact - Identification and mitigation of inefficiencies before Command negatively impactedFutureReview and Reporting of Risk – Part of Command Culture - Value AddedCoverage of allfunctionsEmphasis on mostefficient and effectway to meetrequirementDaily reviewIf you rely upon an outside audit service to identify and report on control deficiencies – it is to late (e.g., embarrassment and negative impact to mission)..7.
9Culture Needs to Change Driven By Senior Management “Culture that has allowed massive waste of taxpayers’ dollars has become business-as-usual at the Department of Defense. Particularly in today’s fiscal environment, this cannot be tolerated. If this is not corrected, the Department’s ability to continue defending the Nation and to provide for its national security will be compromised. Taxpayers simply will not tolerate the continuing waste of their resources in light of the debt we face and our competing budgetary needs”. ~Senator John McCain, (R-AZ) – Senate Armed Services Committee (SASC), September 2011.“ We need to change the culture of the Department where Commanders are held directly accountable for the efficient use of dollars.” ~Honorable Robert Hale, DoD Comptroller – House Armed Services Committee, January 2012.“Need to Change the Culture,” – Communicate what senior management needs to hear versus what you think they want to hear --- candor --- proactive versus reactive. – Through the chain of command!8.
10Turning Theory Into Reality How do we minimize risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss” --Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security,privacy and completenessSo What?Limited ScopeEmphasis onRequirementOne point in timeReliance upon auditorsImpact – Mitigation of risk after the mission negatively impactedPastReview and Reporting of Risk – “Paper Drill”Reliance upon internal expertiseImpact - Identification and mitigation of inefficiencies before Command negatively impactedFutureReview and Reporting of Risk – Part of Command Culture - Value AddedCoverage of allfunctionsEmphasis on mostefficient and effectway to meetrequirementDaily reviewIf you rely upon an outside audit service to identify and report on control deficiencies – it is to late (e.g., embarrassment and negative impact to mission)..9.
11Change of Culture Candor versus Groupthink Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also, collective optimism and collective avoidance.”Past – “Old School”GroupthinkStatus QuoStatus quo, a commonly used form of the original Latin "statu quo" – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.Future – Self Reporting – Good News and BadCandorCandor is unstained purityfreedom from prejudice or malice : fairnessChangeChange in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.10.
12Candor versus Groupthink An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor, and encouragement of self-reporting of risk."The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers,“ – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear to in order to effectively lead)."To stick out your neck after discussion becomes consensus, and consensus ossifies into group think.”American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.”“As an officer if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.”“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success.”He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”.Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy, April 2, 2010Washington Post, Article titled, “ Gen. Petraeus: No Sugar-Coated Optimism”, by Col. Michael E. Haith (Ret), United States Army, July 6, 201111.
13Turning Theory Into Reality How Do We Minimize Risk to the Command? – Risk is defined as “the potential that a chosen action or activity will lead to a loss”Loss can be: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy, completeness etc.ChangeAccomplish RequirementAccomplish Requirement Efficiently & Effectively“Mitigation of Risk ”Form Over SubstancePrioritize Risk With Mission Requirements and Provide MitigationSubstance Over FormChange of Organizational CultureFocus on Risk and Incentivize Self – ReportingGroupthinkWhat does leadership want to hear?CandorWhat does leadership need to hear?12.
14DoDI 5010.40 – MICP Procedures 13. Procedures Each DoD and OSD Component establishes a MICPEstablish a Senior Management Counsel to oversee operational, financial, and financial systems reportingAppoint a MICP CoordinatorCoordinates with assessable unit managers to ensure proper documenting of end-to-end processesIdentifies best practices and develops efficiencies to improve control documentation, enhance controls, eliminate inefficient controls, and implement new controls.Ensures subject matter experts assess risk and may impact mission or operations.Ensures identification of internal control objectives.Assists in testing and classification of internal controlsEnsures corrective actions plans are developedEnsures best practices and deficiencies are shared across assessable units.Tracks progress of corrective actionsActively communications with the DoD Component Senior Management CouncilMaintains MICP documentationDoD Component HeadsEstablish a MICP to:Assess inherent risks in mission-essential processesDocument and design internal controlsTest the design and operating effectiveness of existing internal controlsIdentify and classify control deficiencies and execute corrective actions plansMonitor and report the status of corrective action plansDesignate in writing the MICP CoordinatorConduct a formal assessment of the acquisition functions requirements outlineSubmit the annual statement of assurance to the Sec DefInstruction Applies to:OSDMilitary DepartmentsJoint Chiefs of StaffCombatant CommandsDoDIG Defense AgenciesDoD Field ActivitiesDoD Components13.
15Assessable Unit Managers (AUMs) Statement of Assurance DoDI – MICP ProceduresReporting CategoriesAssessable UnitsCommunicationsIntelligenceSecurityComptroller and Resource ManagementContract AdministrationForce ReadinessInformation TechnologyAcquisitionManufacturing, Maintenance, and RepairOtherPersonnel and Organizational ManagementProcurementProperty ManagementResearch, Development, Test and EvaluationSecurity OperationsSupport ServicesBudget-to-ReportHire-to-RetireOrder-to-CashProcure-to-PayAcquire-to-RetirePlan-to-StockAssessable Unit Managers (AUMs)Segments into organizational, functional or other assessable unitsMust ensure entire organization is coveredMust be large enough to allow managers to evaluate significant portion of the activity being examinedMust be small enough to be able to document processes and controlsMICP Coordinator appoints and trains AUM for each assessable unitsAssess riskIdentifies internal control objectivesDocuments operational, administrative, system and financial internal controlsReviews processes and procedures and recommendationsTests effectiveness of internal controlsIdentifies and classifies internal control deficienciesDevelops corrective actionsTracks progress of corrective action plansMaintains MICP documentationStatement of Assurance14.
16Where to Begin? - “Tone-at-the Top” What is the “Tone at the Top”?“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.For a Managers’ Internal Control Program to be effective:Need Senior Management’s Support Thru:Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations.Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls, and associated risksReporting - Create and promote path for employees to self-report and feel safe from retaliationReward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity15.
17Begin With An Entity- Level Risk Assessment Reliance Upon an Entity-Level Risk AssessmentEnhances ability to understand key business risksIntegral piece of management’s risk assessment processProvides structured process that becomes the cornerstone for prioritizing risksFocuses attention on areas meriting management review and monitoringBuilds knowledge and confidence in risk managementUnderstand the Component’s highest risks to missionUnderstand the Component’s business, to include strategies and objectivesDevelop a preliminary understanding of key business risks and processes and align them to the Component’s strategic plan and objectivesCreate a customized risk universe – a framework to categorize key business risks – that reflects the risks facing the ComponentDetermining current risk monitoring activitiesUnderstand the effectiveness of entity-level controls, such as:Policies and proceduresCode of conductSegregation of dutiesBusiness continuity and disaster recovery plans for all primary data centers and business unit facilities; andFraud prevention/detection programsScope the risk assessment by obtaining input from all key stakeholdersAssess, prioritize, and validate key business risks with the key stakeholdersReport the results of the risk assessment and using those results to develop a corrective action strategyRisk Assessment Process Overview16.
18Importance of Organizational Participation An Effective MICP Is Dependent Upon Communication Through Chain-of-CommandTop - Down Perspective and Bottom - UpClear, focused communications of the Component’s mission, andCommander/Director’s priorities and challenges.Formal Communication Framework between senior leadership andMICPCommanderFormal Communication Framework Built Upon Trust and EmpowermentFull participation with communications. Key participate in execution of Component’s mission and MICP Coordinator’s input towards potential risks and controls to risk mitigateSenior Functional ManagersFormal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers.Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP.MICP CoordinatorOngoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units.Assessable Unit Managers17.
19Managers’ Internal Control Program Historically – Reactive (What Does Management Want to Hear)Reliance Upon Outside Audit AgenciesSelf-Reporting – Punitive Versus IncentivizedFocus on Timelines and Format“Paper-Drill Exercise”Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses.Candor not part of culture – i.e., “group-think.” Threat of retribution for self- reporting “bad news.”Filtered communicationsScore received by Component based upon timeliness of SOA submission and adherence to format not substance of content .Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round.Current Emphasis – Proactive (What Does Management Need to Hear)Reliance Upon Resources in ComponentSelf-Reporting – Incentivize Versus PunishFocus on RiskReport Supported by Documentation of MICP ProcessReliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses.Development of a “cost culture”Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation.Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization.Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon .18.
20Breakdown of Command’s Functions Into Assessable Units Command – USFOR-ASub-componentComptroller – J-8FunctionCommander’s Emergency Response ProgramAssessable Units*Verification and accurate reporting of CERP payments“Assessable Units are defined as segments of business activities (i.e., transaction level).19.
22An Example – Army Form DA 11-2 INTERNAL CONTROL EVALUATION CERTIFICATIONFor use of this form, see AR 11-2; the proponent agency is ASA(FM&C).3. ASSESSABLE UNIT4. FUNCTION5. METHOD OF EVALUATION (Check all that apply)a. CHECKLISTb. ALTERNATIVE METHOD (Indicate method)APPENDIX (Enter appropriate letter)6. EVALUATION CONDUCTED BYa. NAME (Last, First, MI)7. REMARKS (See Attached)Use this block to describe the method used to test key controls, the internal control weakness(es) detected by the evaluation (if any) and the corrective action(s) taken. (THIS IS MANDATORY)a. METHOD OF TESTING KEY CONTROLS (Check all that apply)Direct Observation Review of Files or Analysis Sampling Simulation InterviewsOther DocumentationOther (Explain)b. EVALUATION RESULTS (Include specific items tested):c. INTERNAL CONTROL DEFICIENCIES DETECTED, IF ANY. (Include potential material weaknesses):d. DESCRIBE CORRECTIVE ACTIONS TAKEN, IF APPLICABLE.8. CERTIFICATIONI certify that the key internal controls in this function have been evaluated in accordance with provisions of AR 11-2, Army Managers' Internal Control Program. I also certify that corrective action has been initiated to resolve any deficiencies detected. These deficiencies and corrective actions (if any) are described above or on attached documentation. This certification statement and any supporting documentation will be retained on file subject to audit/inspection until superseded by a subsequent internal control evaluation.a. ASSESSABLE UNIT MANAGER(1) Typed Name and Title(2) Signature21.
23CJ1 – Property Accountability An Example – Risk MatrixCJ1 – Property AccountabilityRisk Assessment Results - High RISKMitigated RiskInherent RiskControl Environment:Is required to ensure all personnel maintain proper oversight and accountability of U.S. Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse.LevelLikelihood of OccurrenceeNearly Certain (15 to 20)dHighly Likely (11 to 14)cLikely (8 to 10)bUnlikely (5 to 7)aRemote (4)LevelOverall Risk RatingRed – HighYellow - MediumGreen – LowInherent Risks:Loss or destruction of sensitive itemsLoss or destruction of nonexpendable or durable equipmentLevelConsequence of Occurrence1Minimal/No Impact (6)2Minor Impact (7 to 14)3Moderate Impact (15 to 19)4Severe Impact (20 to 24)5Unacceptable Impact (25 to 30)ConsequencesExisting Management Controls:YReGdcbaProvide hand receipts at the user levelConduct monthly sensitive items inventory by alternating officersProvide leadership emphasis on properly securing and using equipmentSpot checks on property accountabilityLikelihood22.
24The MICP Assessments Includes Functions of an Organization UnclassifiedThe MICP Assessments Includes Functions of an OrganizationMfg, Maint, &RepairSupplyPropertyMgmtForce ReadinessCommo,Intel & SecurContract AdminInfo TechProcurementPersonnel & OrgMajor System AcqComptroller & RMRDT&ESecurity AssistSupportSvcsFMFIA OverFinancial ReportingAppendix A23.
25Managers’ Internal Control Program Cycle A. Identify Functional AreasJ. Monitor Corrective PlansB. Identify Assessable UnitsManagers’ Internal Control ProgramI. Report in SOA “Material” FindingsC. Assign Assessable Unit Manager(s)H. Mitigate Risk Through RemediationD. Document Key Processes and ControlsG. Align Risk with Command PrioritiesE. Assess/Test Internal ControlsF. Communicate and Prioritize Risk24.
27GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 26.
28GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 27.
29GEN Allen’s “Tone-at-the Top” Letter of 18 October 2012 “My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place…….It is “no longer business as usual,” in terms of allocation and spending for non mission essential resources”…..I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies…….to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.”28.
30We Need to Change How We Do Business Reactive or ProactiveDrawdown plan estimates for U.S. and more than a dozen other nations will shrink the foreign military footprint in Afghanistan by 40,000 troops in total by close of CY 2012Identification and execution of plans prior to drawdown will result in significant savings.Approach:Reactive: Continue “business as usual” orProactive: Pursue and enact policies prior toplanned draw down of personnel.“Does it make sense?”ConstructionLeasesPurchases – equipment/suppliesOvertimeVehiclesProjects29.
31USFOR-A Specific Challenges “High personnel turnover/lack of continuity”“Reliance upon accurate property book with additional burden associated with draw down”“Lack of trained personnel for contract surveillance towards “service” type contracts”“Draw down of personnel and conflicting strategies in high tempo environment ““Balance of requirements of completing assigned missions and evaluation of internal controls,” and“Lack of contract oversight/contractors having duties that are inherently governmental in functions.”30.
32An Example - MICP Plan of Action Components identify Assessable Unit Manager (AUM)Provide overview of MICP to AUMInform of training, communication and documentation responsibilities with AUM and related deliverablesIdentify functional areas, and command/control responsibilitiesReview Commander’s priorities and concerns of regarding riskObtain initial feedback of additional areas of risk that should be included in prioritization of risk process.Provide functional areas and assessable unit managers assigned to each areaParticipate on monthly status calls with USFOR-A MICP CoordinatorTwo-way communications of alignment of risk from the Commander perspective and risk identified by the Regional and Other CommandsReview documentation and “next steps”Provide mitigation of risk with corrective actions as these issues are identifiedProvide assessment of risk for each functional areaPrioritize risk for each functional areaProvide “quick reaction” recommendations that may provide mitigation of risk to the Command due to overall risk and/or systemic in natureDocument processes/procedures and controlsDetermine for high and medium risk levels the evaluation of controls (do controls mitigate risk or do they require remediation)Complete review of assessable units with recommendations for corrective actionsDetermine material internal control deficiencies that are materialComplete the USFOR-A Statement of AssuranceOverview of the FY 13 Managers’ Internal Control Program31.
33An Example - Next Steps USFOR-A MICP Coordinator: Steve Silverstein, J8 (DSN: ) Robert Share Drive “FY13 USFOR-A Managers’ Internal Control Program”Milestone: 15 November 2012Assign Directorate Assessable Unit Coordinator (AUC)Contact USFOR-A MICP Coordinator to schedule MICP Introductory Training (one hour)Participate in monthly interface (i.e., telephone call and/or face-to-face) with USFOR-A MICP CoordinatorReview organizational structure and identify assessable units (functional area)Assign staff person(s) responsibility for each assessable unit and sub function if required -- Assessable Unit Managers (AUM)Have MICP Coordinator and each assessable unit manager sign “appointment letter”Complete computer –based MICP training (MICP Coordinator and Assessable Unit Managers)Request onsite coaching/training from USFOR-A MICP CoordinatorContact USFOR-A MICP Coordinator to schedule one hour MICP Training for Assessable Unit Managers (AUMs)Provide list of assessable units to USFOR-A CoordinatorProvide MICP Coordinator and Assessable Unit Manager signed “appointment letters”Milestone: 15 December 2012Identify and prioritize risk associated with each major process/procedure for each assessable unitProvide documentation/analysis of identified potential risk and recommendation for remediation (i.e., corrective actions)Provide risk and remediation to MICP Coordinator (if “material” then brief through chain of command)Participate in a in-process-review and monthly USFOR-A MICP VTC.32.
36Need to Take Two Steps Back – In order To Take One Step Forward Need to Document (at “transaction lever) GRAP Related Processes, Controls and RiskAcquisition PlanningFundingAcquisition MethodsCompetitionContract TypesFunction Procurement/AcquisitionAssessable Unit – Competition/ Sole SourceFull and Open CompetitionYesCJustification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statue etc. Contracting Officer signs and dates justification statementNoJustificationDetailed DescriptionR-1Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.Approval By Contracting OfficerCR-135.
37DoDI TermsStatement of Assurance (SoA) (per DoDI , Managers’ Internal Control (MIC) Program Procedures)Assessable Unit An organizational subdivision of a DoD Component that must comply with the MIC Program. Note that Components:Must segment into organizational assessable unitsAll parts of the DoD Component must be coveredMust maintain a current inventory of its assessable unitsControl Deficiency The design or operation of a control that does not allow the organization to prevent or detect misstatements on a timely basis or to accomplish the mission objectives.Financial Statement Reporting Entity (FSRE) An entity assigned by either the Office of Management and Budget (OMB) or the DoD to produce and provide to OUSD(Comptroller) stand alone, financial statements, both quarterly and annual.Internal Controls The organization, policies, and procedures that help program and financial managers achieve results and safeguard the integrity of their programInternal Control Assessment A documented evaluation on the effectiveness and adequacy of the system [of internal controls] to meet the mission objectives, implemented in a cost effective way.Internal Control Assessment (Overall) An assessment of the internal control effectiveness for the functions under the Federal Manager’ Financial Integrity Act (FMFIA). The overall process includes all programs, activities, and operational areas [i.e., the Internal Control Reporting Categories defined in DoDI ].Internal Control Assessment (ICA) Internal Control Over Financial Reporting (ICOFR) An assessment of the effectiveness of internal controls over financial reporting which closely follows the guidance in Appendix A of OMB Circular A-123 and MIC Program Annual Guidance provided by OUSD(Comptroller).Material Weakness (Overall) A reportable condition that is significant enough to report to the next higher level. It is management’s judgment as to whether a weakness is deemed material responsible for the area in question36.
38DoDI TermsReasonable Assurance An informed judgment by management as to the overall adequacy and effectiveness of internal controls based upon available information that the systems of internal controls are operating as intended.There are three possible assurance statements:An unqualified statement of assurance is reasonable assurance with no material weaknesses reported. Each unqualified SoA shall provide a firm basis for that position, which the PSA or Principal Deputy (the Director or Deputy Director for DoD Field Activities) will summarize in the cover memorandum. Tab A contains a more extensive explanation of how the assessment helped justify the reporting entity’s assertion of an unqualified statement.A qualified statement of assurance is reasonable assurance with the exception of one or more material weakness(es) noted. The cover memorandum must cite the material weaknesses in internal management controls that preclude an unqualified statement. Tab B fully describes all weaknesses, the corrective actions being taken, and by whom, and the projected dates of correction for each action.A statement of no assurance is no reasonable assurance because no assessments were conducted or the noted material weaknesses are pervasive. The reporting entity shall provide an extensive rationale for this position.Reportable Condition (Overall) A control deficiency (or combination of deficiencies) that in management’s judgment, should be communicated because they represent significant weaknesses in the design or operation of internal controls that could adversely affect the organization’s ability to meet its internal control objectives.Reportable Condition (ICOFR) A control deficiency (or combination of deficiencies) that adversely affects the entity’s ability to initiate, authorize, record, process or report external financial data reliably according to generally accepted principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, is more than inconsequential will not be prevented or detectedRisk The possibility an event will adversely effect the achievement of internal control objectives and result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement.Systemic Weakness A weakness that materially affects internal controls across organizational and program lines, and usually affects more than one DoD Component..37.
39DoDI Terms.Risk The possibility an event will adversely effect the achievement of internal control objectives and result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement.Systemic Weakness A weakness that materially affects internal controls across organizational and program lines, and usually affects more than one DoD Component. Note: A systemic weakness is determined by the PSA with functional responsibility for the area in question38.