Collaboration Process 1

IC Objectives and Risk Tolerances Define, document, and implement top-down internal control objectives and risk tolerances:  Define internal control objectives in specific and measurable terms aligned to the Federal Financial Reporting and IT Cybersecurity laws and regulations to ensure compliance and be audit ready. DoD policy is not sufficient for audit readiness  Define levels of risk tolerance or performance variations in relation to the context of the objectives, mission, and applicable laws and regulations (ex. 1% error tolerance) 2

Identify and Assess Risk to IC Objectives Conduct risk assessments to identify and analyze the relevant risks in Operations and IT environments and determine the basis how to manage risks to ensure your objectives are achieved  Identify both inherent and residual risks by considering the type of risks that prevent achievement of objectives, meet the mission, and comply with applicable Federal laws and regulations  Inherent risk is the risk to an organization in the absence of management’s response  Residual risk remains after management has implemented controls in response to inherent risk 3

Analyze and Respond to Risks Analyze the risks by estimating the impact to mission and likelihood of occurrence or level of probability Consider fraud risk factors such as employees’ incentive, pressure, or opportunity to commit fraud Assess significant changes to the internal and external conditions that have already occurred or are expected to occur including changes to external requirements and technology Respond to the risks by designing, implementing, or aligning existing IT automated and Operations manual control activities ensuring risks are within defined risk tolerance or performance variation to the defined IC objectives 4

Knowledge of FISCAM Control Objectives DoD must implement minimal policies and procedures effectively designed and operational for each of the FISCAM control objectives IT controls directly support Operations control effectiveness by providing information assurance the operational data and application processes are effective. Therefore, Operations and IT management must collaborate to ensue mission accomplishment Evidence obtained through evaluations (inspections, assessments, audits, etc.) need to be in enough detail that it persuades a knowledgeable individual that the policy or procedure was effectively designed in accordance with minimal government standards and executed as intended Manual Operations Controls (require frequent testing) Automated IT Controls (annual testing normal) 5

FISCAM Control Considerations Remember, it is your data IT controls provide information assurance on and that it directly impacts Operational control effectiveness! IT General Controls (IS environment) Security Management  Status and effectiveness of DoD Risk Management Framework implementation Access Controls  Effectiveness of general, special, and external threat access controls Segregation of Duties  Effectiveness of SOD policies and enforcement to avoid insider threat Configuration Management  Change mgt methodologies and tools comply with policies and procedures Contingency Planning  Plan and tests confirm critical operations continue and data is recovered 6

FISCAM Control Considerations (cont.) IT Business Process Controls (IS system) Setup  Effectiveness of controls ensure transactions are processed in accordance with Federal Accounting Standards Input  Data interface controls from feeder systems and micro-applications are effectively documented and tested Processing  Data and transaction controls effectively identify exceptions and corresponding manual controls accurately and timely correct the errors Output  Effectiveness of controls ensure output transmitted is properly approved, complete, and accurate 7

UNITED IN SERVICE TO OUR NATION