This training seminar covers topics from the MIC program including: understanding MIC requirements and terminology; MIC reporting procedures; conducting risk and control assessments; developing an inventory of assessable units. The training aims to provide both relevant knowledge for commanding officers and practical skills for MIC coordinators.
MIC A Practical Approach
1. MIC: A Practical Approach
This training seminar incorporates topics from a variety of MIC program material
YN2 Austin Skidmore, NRMW RCC (N5)
2. Training Objectives
Gain an advanced understanding of MIC requirements
Become familiar with MIC terminology and expectations
Understand MIC reporting procedure
Learn to conduct risk and control assessments
Be able to develop an Inventory of Assessable Units
Provide knowledge that is both relevant to Commanding Officers and practical to front line MIC Coordinators
3. What is MIC?
Collection of control systems a command has established to accomplish its mission
Practices adopted by management to provide assurance that programs are carried out in accordance with established objectives
System of conducting periodic reviews of process effectiveness
Program that intends to eliminate or reduce fraud, waste, abuse and mismanagement
4. What does MIC do for my organization?
An effective MIC program helps identify and correct weaknesses within an organization. Benefits of an effective MIC program include:
1) Visibility into organizational weaknesses
2) Ability to anticipate potential or systemic weaknesses
3) Processes to correct weaknesses before they become detrimental to the organization
4) Compliance with the Federal Managers’ Financial Integrity Act (FMFIA) and other laws and regulations
5. Why must we engage in MIC?
Department of the Navy’s Internal Control Manual – SECNAV M-5200.35
SECNAV Instruction 5200.35E
OMB Circular A-123
GAO Standards For Internal Control
DoD Instruction 5010.40 (MIC) Program Procedures
DoD FY 2009 Guidance For Preparation Of The Annual SOA
DoD FY 2011 Internal Control Over Financial Reporting Guidance
Federal Managers Financial Integrity Act Of 1982 (FMFIA)
6. How can I make MIC a success?
Keys to success for an effective MIC program:
Leadership emphasis: A MIC Program must be supported by top leadership.
Education and training: Managers at all levels must understand the importance of internal controls.
Monitoring and reporting: Monitoring progress and reporting results are essential.
8. MIC Plan
An executive summary which captures the command’s approach in maintaining an internal control program
Considered a road map for new MIC Coordinators
12. Segmenting the Organization
The process of segmenting an organization includes:
1) Identifying major components or programs
2) Dividing the components into assessable units
3) Relating assessable units to responsible managers
13. Inventory of Assessable Units (AU)
Develop an Inventory of AUs that:
Are divisions of major components, functions, or programs
Have clear limits or boundaries
Are identifiable to a specific responsible manager
Constitute the entire organization
14. Segmenting the Organization
Functional Area / Sub-segment / Department
Functional Areas:
Research, Development, Test and Evaluation
Major Systems Acquisition
Procurement
Contract Administration
Force Readiness
Manufacturing, Maintenance and Repair
Supply Operations
Property Management
Communications and/or Intelligence and/or Security
Information Technology
Personnel and/or Organizational Management
Comptroller and/or Resource Management
Support Services
Security Assistance
Other (Transportation)
Financial Statement Reporting
Departments:
N01
N1
N3
N4
N5
N6
N7
N8
N9
17. What is my role?
MIC Coordinator:
Ensure requirements are communicated and completed on time
Coordinate efforts to prepare a MIC Plan and MIC Certification Statement
Monitor the performance and results of risk assessments and reviews
Obtain MIC training
Top Leadership:
Establish internal controls to provide reasonable assurance requirements are met
Maintain an inventory of assessable units
Perform risk assessments and internal control reviews
Submit an annual overall MIC Certification Statement
Monitor and improve internal controls
22. The three phases of a risk assessment generally include:
IDENTIFY: Identifying a risk that potentially impacts the organization’s mission and objectives
ASSESS: Assessing the impact and likelihood of that risk
RESPOND: Responding to the risk with appropriate controls
23. Risk Identification
Risk identification occurs as a result of consideration of findings from audits, evaluations, and other assessments
Risks resulting from business, political, and economic changes are determined
Risks to the agency as a result of possible natural catastrophes or criminal or terrorist actions are taken into account
Risks posed by new legislation or regulations are identified
24. Risk Identification
A risk assessment determines where potential hazards exist that might prevent the organization from achieving its objectives.
Asking the following questions may also help to identify risks:
What could go wrong in the process?
What processes require the most judgment?
What processes are most complex?
What must go right for proper reporting?
How do we know whether we are achieving our objectives?
Where are our vulnerable areas?
25. Business Risk Types
Are we at risk of a threat to mission, threat to resources, or threat to image?
Financial risk - Loss of assets or available operating or capital budget
Human resources risk - Management and staff are not sufficient to meet needs and mission of organization
Reputation risk - Negative public opinion
Technology risk - Systems and technology tools, in design and operation, do not allow achievement of mission
Strategic risk - Mission or strategic plan does not support overall DON objectives
Operational risk - Operational policies and procedures do not sufficiently control business to allow achievement of mission
Environmental risk - Operations negatively impact the environment
26. GAO Risk Types
For each risk identified in a process, a control activity should be identified and documented in the risk assessment.
The GAO identifies three types of risk:
1) Inherent risk - The original susceptibility to a potential hazard or material misstatement, assuming there are no related specific control activities.
2) Control risk - The risk that a hazard or misstatement will not be prevented or detected by the internal control.
3) Combined risk - The likelihood that a hazard or material misstatement would occur and not be prevented or detected on a timely basis by the agency's internal control.
27. Threat Types
Threat to Mission - Is there a threat to achieving the mission of the organization? Threats to Mission include:
impaired fulfillment of essential mission or operations
unreliable information causing unsound management decisions
violations of statutory or regulatory requirements
impact on information security
depriving the public of needed Government services
Threat to Resources - Is there a threat to physical, financial or human resources? When a control deficiency has a clear dollar value associated with it, anything greater than one percent (1%) of the organization’s budget would be considered material.
Threat to Image - Consider the impact on the organization’s image: does it bring substantial negative publicity? Threats to Image may include:
sensitivity of the resources involved (e.g., drugs, munitions)
current or probable Congressional and/or media interest
diminished credibility or reputation of management
29. Internal Controls
Methods used by program managers to ensure achievement of objectives and to safeguard the integrity of their programs.
Control activities are established to manage and mitigate the identified risks.
Examples of control activities are process ownership, transaction approvals, separation of duties, and performance measurements.
Internal controls ensure the accomplishment of objectives; compliance with laws and regulations; reliable and timely information and efficient operations.
30. What purpose do controls serve?
Internal controls provide reasonable assurance that the following are true:
Compliance with laws and regulations
Accomplishment of objectives
Reliable and timely information for decision making
Efficient operations
Safeguarding of resources from waste, fraud, abuse and mismanagement
31. Types of Controls
PREVENTATIVE: Deter undesirable events from occurring. Preventative controls should be designed to discourage errors and irregularities from occurring.
DETECTIVE: Detect and correct undesirable events that have occurred. Detective controls should be designed to identify an error or irregularity after it has occurred.
32. Types of Controls
DIRECTIVE: Cause or encourage a desirable event to occur. Directive controls should be designed to assist in accomplishing goals and objectives.
CORRECTIVE: Are aimed at restoring the system to its expected state. Corrective controls can terminate the affected process, reverse the error, or remedy the results of the error.
33. MIC Process
DEVELOP MIC PLAN
SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
ASSIGN RESPONSIBILITY
34. Conducting Risk Assessments
Risk assessments can vary in format; however, documentation should:
Identify the risks to the accomplishment of the assessable unit’s objectives
Identify the level of inherent risk (high, moderate, low)
Identify the level of control risk (high, moderate, low)
Identify the level of combined risk (high, moderate, low)
Document any existing controls that are in place to mitigate the risk
35. Conducting Control Assessments
Internal control assessments can vary in format; however, documentation should:
Relate each control to a specific risk
Identify the control test objective to validate assumed level of control risk
Describe the design of the control that will be tested
State effectiveness of the control design based on the test performed
Describe how the operation of the control was tested
State effectiveness of the control operation based upon the test performed
40. MIC Process
DEVELOP MIC PLAN
SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
DOCUMENT FINDINGS
ASSIGN RESPONSIBILITY
41. Documentation
DON anticipates the MIC Program will become auditable.
Here is what you need to stay on track:
MIC Plan
Inventory of Assessable Units (AU)
Risk Assessments (RA)
Internal Control Assessments
Statement of Assurance (SOA)
42. MIC Process
DEVELOP MIC PLAN
SEGMENT THE ORGANIZATION
MAP THE PROCESS
IDENTIFY RISK/CONTROL
CONDUCT RISK/CONTROL ASSESSMENT
DOCUMENT FINDINGS
PREPARE REPORTS ON RESULTS
ASSIGN RESPONSIBILITY
43. Risk and Opportunity Assessment (ROA)
Directed by the Oversight Planning Board (OPB) charter of 15 Jun 04
13 functional categories
Reported to Naval Audit Service and NAVIG
Data call conducted Feb/Mar timeframe
Provided web-based data entry tool online to submit risk and opportunity
Only Echelon II and above get access
44. Functional Categories
Risks and Opportunities are grouped into 13 Functional Areas
1) Acquisition Integrity/Fraud
2) Anti-Terrorism/Force Protection
3) Education and Training
4) Environmental Protection and Safety
5) Facilities and Real Property Management
6) Financial Management
7) Force Readiness and Fleet Operations
8) Healthcare and Member Support Services
9) Information Technology Management
10) Intelligence and Classified Programs
11) Logistics, Supply, and Maintenance Ops
12) Manpower and Personnel
13) Systems Acquisition and Acquisition Logistics
45. Sample Risk and Opportunity
Risk:
Stand-alone NOSC facilities are not in compliance with ATFP criteria. NOSC facilities are under the purview of CNIC, but despite efforts to update OPNAVINST 3300.53B, this instruction has not been updated
New Navy Reserve accessions often do not meet mobilization standards
Opportunity:
NAVRESFOR is unable to use DTS to book travel requirements and process travel claims at this time. Legacy business processes require NAVPTO involvement and a manpower intensive process at the CTO to book Navy Reserve travel arrangements
47. Statement of Assurance (SOA)
An annual report that certifies the SECNAV’s level of reasonable assurance
Certifies the overall adequacy and effectiveness of internal controls within the DON
Avenue to report potential “Navy-wide” issues based on inputs from the field
Comprised of weaknesses and accomplishments identified by assessment findings
Provides monitoring and tracking of corrective actions
49. Reasonable Assurance
An unqualified statement of assurance - reasonable assurance with no material weaknesses reported.
A qualified statement of assurance - reasonable assurance with exception of one or more material weakness(es) noted.
A statement of no assurance - no reasonable assurance because no assessments conducted or the noted material weaknesses are pervasive.
50. Determining Materiality
What constitutes a “material” weakness?
Materiality is a management judgment. It is difficult to apply a strict formula to determine whether something is or is not material.
Is the issue control-related?
Is the issue command/activity-wide?
Does the issue pose a Threat to Mission, Resources, or Image?
* An issue is only material if it affects your organization as a whole
51. Material Weakness Criteria
Material Weakness guidelines exist within DoD Instruction 5010.40. A Material Weakness must satisfy two conditions:
It must be a deficiency in which existing internal controls do not provide reasonable assurance that the objectives of the MIC Program are being met. In effect, the weakness results from internal controls that are not in place, not used, or not adequate.
It must be a deficiency that requires the attention of the next higher level of management. Managers should report a weakness to the next higher level if doing so is required to resolve the issue. A manager should also consider reporting a weakness to the next higher level if it is serious enough to bring to their attention (even if the issue can be resolved at the reporting manager's level).
52. SOA Online Tool
The Tool encompasses all four segments of the SOA reporting requirements:
New Weaknesses
Prior Period Weaknesses
Accomplishments
Management Control Certification Statement
Efficiency: Streamlines SOA data collection and reporting process
Access: Easy access to submit updates and certification statements
Monitoring: Provides a mechanism to track accomplishments and weaknesses
Consolidation: Acts as a central database and stores historical data
Consistency: Templates in the tool assist in completing certification statement
53. SOA Tool
New MIC Coordinators go to:
<https://www/fmosystems.navy.mil/soa/login/index.cfm?fuseAction=Logout>
Here MIC Coordinators request access to the SOA Tool and prepare the annual SOA Certification Statement
58. Self-Assessment Tool
Available at the FMO Systems website:
<http://www.fmo.navy.mil/fin_imp/mic/tools_index.htm>
Web-based tool that provides Commands a "current state" measurement of their MIC Program. This tool will help Leaders answer the following Internal Control questions:
Are they designed well?
Are they functioning as designed?
Are further improvements needed?
Editor's Notes
These threat types are associated with an identified risk.