Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

MIC A Practical Approach

  • Be the first to comment

MIC A Practical Approach

  1. 1. T H I S T R A I N I N G S E M I N A R I N C O R P O R A T E S T O P I C S F R O M A V A R I E T Y O F M I C P R O G R A M M A T E R I A L MIC A Practical Approach YN2 Austin Skidmore, NRMW RCC (N5)
  2. 2. Training Objectives  Gain an advanced understanding of MIC requirements  Become familiar with MIC terminology and expectations  Understand MIC reporting procedure  Learn to conduct risk and control assessments  Be able to develop an Inventory of Assessable Units  Provide knowledge that is both relevant to Commanding Officers and practical to front line MIC Coordinators
  3. 3.  COLLECTION OF CONTROL SYSTEMS A COMMAND HAS ESTABLISHED TO ACCOMPLISH ITS MISSION  PRACTICES ADOPTED MANAGEMENT TO PROVIDE ASSURANCE THAT PROGRAMS CARRIED OUT IN ACCORDANCE WITH ESTABLISHED OBJECTIVES  SYSTEM OF CONDUCTING PERIODIC REVIEWS OF PROCESS EFFECTIVENESS  PROGRAM THAT INTENDS TO ELIMINATE OR REDUCE FRAUD, WASTE, ABUSE AND MISMANAGEMENT What is MIC?
  4. 4. A N E F F E C T I V E M I C P R O G R A M H E L P S I D E N T I F Y A N D C O R R E C T W E A K N E S S E S W I T H I N A N O R G A N I Z A T I O N . B E N E F I T S O F A N E F F E C T I V E M I C P R O G R A M I N C L U D E : 1 ) V I S I B I L I T Y I N T O O R G A N I Z A T I O N A L W E A K N E S S E S 2 ) A B I L I T Y T O A N T I C I P A T E P O T E N T I A L O R S Y S T E M I C W E A K N E S S E S 3 ) P R O C E S S E S T O C O R R E C T W E A K N E S S E S B E F O R E T H E Y B E C O M E D E T R I M E N T A L T O T H E O R G A N I Z A T I O N 4 ) C O M P L I A N C E W I T H T H E F E D E R A L M A N A G E R S ’ F I N A N C I A L I N T E G R I T Y A C T ( F M F I A ) A N D O T H E R L A W S A N D R E G U L A T I O N S What does MIC do for my organization?
  5. 5. Why must we engage in MIC?  Department of the Navy’s Internal Control Manual – SECNAV M-5200.35  SECNAV Instruction 5200.35E  OMB Circular A-123  GAO Standards For Internal Control  DoD Instruction 5010.40 (MIC) Program Procedures  DoD FY 2009 Guidance For Preparation Of The Annual SOA  DoD FY 2011 Internal Control Over Financial Reporting Guidance  Federal Managers Financial Integrity Act Of 1982 (FMFIA)
  6. 6. K E Y S T O S U C C E S S F O R A N E F F E C T I V E M I C P R O G R A M : LEADERSHIP EMPHASIS:  A MIC Program must be supported by top leadership. EDUCATION AND TRAINING:  Managers at all levels must understand the importance of internal controls. MONITORING AND REPORTING :  Monitoring progress and reporting results are essential. How can I make MIC a success?
  7. 7. MIC Process DEVELOP MIC PLAN
  8. 8. MIC Plan An executive summary which captures the command’s approach in maintaining an internal control program Considered a Road Map to new MIC Coordinators
  9. 9. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION
  10. 10. T H E P R O C E S S O F S E G M E N T I N G A N O R G A N I Z A T I O N I N C L U D E S : 1 ) I D E N T I F Y I N G M A J O R C O M P O N E N T S O R P R O G R A M S 2 ) D I V I D I N G T H E C O M P O N E N T S I N T O A S S E S S A B L E U N I T S 3 ) R E L A T I N G A S S E S S A B L E U N I T S T O R E S P O N S I B L E M A N A G E R S Segmenting the Organization
  11. 11. Inventory of Assessable Units (AU) Develop an Inventory of AUs that:  Are divisions of major components, functions, or programs  Have clear limits or boundaries  Are identifiable to a specific responsible manager  Constitute the entire organization
  12. 12. Functional Area Sub-segment Department  Research, Development, Test and Evaluation  Major Systems Acquisition  Procurement  Contract Administration  Force Readiness  Manufacturing, Maintenance and Repair  Supply Operations  Property Management  Communications and/or Intelligence and/or Security  Information Technology  Personnel and/or Organizational Management  Comptroller and/or Resource Management  Support Services  Security Assistance  Other (Transportation)  Financial Statement Reporting  N01  N1  N3  N4  N5  N6  N7  N8  N9 Segmenting the Organization
  13. 13. Sample Inventory of AUs
  14. 14. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION ASSIGN RESPONSIBILITY
  15. 15. MIC Coordinator Top Leadership  Ensure requirements are communicated and completed on time  Coordinate efforts to prepare a MIC Plan and MIC Certification Statement  Monitor the performance and results of risk assessments and reviews  Obtain MIC training  Establish of internal controls to provide reasonable assurance requirements are met  Maintain an inventory of assessable units  Perform risk assessments and internal control reviews.  Submit an annual overall MIC Certification Statement  Monitor and improve internal controls What is my role?
  16. 16. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION MAP THE PROCESS ASSIGN RESPONSIBILITY
  17. 17. Flowcharting This chart represents some of the most commonly used flowchart symbols Symbols may very by source
  18. 18. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION MAP THE PROCESS IDENTIFY RISK/CONTROL ASSIGN RESPONSIBILITY
  19. 19. The three phases of a risk assessment generally include: Identifying a risk that potentially impacts the organization’s mission and objectives Assessing the impact and likelihood of that risk Responding to the risk with appropriate controls IDENTIFY ASSESS RESPOND
  20. 20. R I S K I D E N T I F I C A T I O N O C C U R S A S A R E S U L T O F C O N S I D E R A T I O N O F F I N D I N G S F R O M A U D I T S , E V A L U A T I O N S , A N D O T H E R A S S E S S M E N T S I D E N T I F I C A T I O N O F R I S K S R E S U L T I N G F R O M B U S I N E S S , P O L I T I C A L , A N D E C O N O M I C C H A N G E S A R E D E T E R M I N E D R I S K S T O T H E A G E N C Y A S A R E S U L T O F P O S S I B L E N A T U R A L C A T A S T R O P H E S O R C R I M I N A L O R T E R R O R I S T A C T I O N S A R E T A K E N I N T O A C C O U N T R I S K S P O S E D B Y N E W L E G I S L A T I O N O R R E G U L A T I O N S A R E I D E N T I F I E D Risk Identification
  21. 21. Risk Identification A risk assessment determines where potential hazards exists that might prevent the organization from achieving its objectives. Asking the following questions may also help to identify risks:  What could go wrong in the process?  What processes require the most judgment?  What processes are most complex?  What must go right for proper reporting?  How do we know whether we are achieving our objectives?  Where are our vulnerable areas?
  22. 22. Business Risk Types Are we at risk of a threat to mission, threat to resources, or threat to image?  Financial risk - Loss of assets or available operating or capital budget  Human resources risk - Management and staff are not sufficient to meet needs and mission of organization  Reputation risk - Negative public opinion  Technology risk - Systems and technology tools, in design and operation, do not allow achievement of mission  Strategic risk - Mission or strategic plan does not support overall DON objectives  Operational risk - Operational policies and procedures do not sufficiently control business to allow achievement of mission  Environmental risk - Operations negatively impact the environment
  23. 23. GAO Risk Types For each risk identified in a process, a control activity should be identified and documented in the risk assessment. The GAO identifies three types of risk: 1) Inherent risk - The original susceptibility to a potential hazard or material misstatement, assuming there are no related specific control activities. 2) Control risk - The risk that a hazard or misstatement will not be prevented or detected by the internal control. 3) Combined risk - The likelihood that a hazard or material misstatement would occur and not be prevented or detected on a timely basis by the agency's internal control.
  24. 24. Threat Types  Threat to Mission - Is there a threat to achieving the mission of the organization. Threats to Mission include:  impaired fulfillment of essential mission or operations  unreliable information causing unsound management decisions  violations of statutory or regulatory requirements  impact on information security  depriving the public of needed Government services  Threat to Resources - Is there a threat to physical, financial or human resources. When a control deficiency has a clear dollar value associated with it, anything greater than one percent (1%) of the organization’s budget would be considered material.  Threat to Image - Consider the impact on the organization’s image does it bring substantial negative publicity. Threats to Image may include:  sensitivity of the resources involved (e.g., drugs, munitions)  current or probable Congressional and / or media interest  diminished credibility or reputation of management
  25. 25. Categorizing Risk Level
  26. 26. M E T H O D S U S E D B Y P R O G R A M M A N A G E R S T O E N S U R E A C H I E V E M E N T O F O B J E C T I V E S A N D T O S A F E G U A R D T H E I N T E G R I T Y O F T H E I R P R O G R A M S . C O N T R O L A C T I V I T I E S A R E E S T A B L I S H E D T O M A N A G E A N D M I T I G A T E T H E I D E N T I F I E D R I S K S . E X A M P L E S O F C O N T R O L A C T I V I T I E S A R E P R O C E S S O W N E R S H I P , T R A N S A C T I O N A P P R O V A L S , S E P A R A T I O N O F D U T I E S , A N D P E R F O R M A N C E M E A S U R E M E N T S . I N T E R N A L C O N T R O L S E N S U R E T H E A C C O M P L I S H M E N T O F O B J E C T I V E S ; C O M P L I A N C E W I T H L A W S A N D R E G U L A T I O N S ; R E L I A B L E A N D T I M E L Y I N F O R M A T I O N A N D E F F I C I E N T O P E R A T I O N S . Internal Controls
  27. 27. I N T E R N A L C O N T R O L S P R O V I D E R E A S O N A B L E A S S U R A N C E T H A T T H E F O L L O W I N G A R E T R U E :  C O M P L I A N C E W I T H L A W S A N D R E G U L A T I O N S  A C C O M P L I S H M E N T O F O B J E C T I V E S  R E L I A B L E A N D T I M E L Y I N F O R M A T I O N F O R D E C I S I O N M A K I N G  E F F I C I E N T O P E R A T I O N S  S A F E G U A R D I N G O F R E S O U R C E S F R O M W A S T E , F R A U D , A B U S E A N D M I S M A N A G E M E N T What purpose do controls serve?
  28. 28. PREVENTATIVE DETECTIVE  DETER UNDESIRABLE EVENTS FROM OCCURRING. PREVENTATIVE CONTROLS SHOULD BE DESIGNED TO DISCOURAGE ERRORS AND IRREGULARITIES FROM OCCURRING  DETECT AND CORRECT UNDESIRABLE EVENTS THAT HAVE OCCURRED. DETECTIVE CONTROLS SHOULD BE DESIGNED TO IDENTIFY AN ERROR OR IRREGULARITY AFTER IT HAS OCCURRED Types of Controls
  29. 29. DIRECTIVE CORRECTIVE  CAUSE OR ENCOURAGE A DESIRABLE EVENT TO OCCUR. DIRECTIVE CONTROLS SHOULD BE DESIGNED TO ASSIST IN ACCOMPLISHING GOALS AND OBJECTIVES  ARE AIMED AT RESTORING THE SYSTEM TO ITS EXPECTED STATE. CORRECTIVE CONTROLS CAN TERMINATE THE AFFECTED PROCESS, REVERSE THE ERROR, OR REMEDY THE RESULTS OF THE ERROR Types of Controls
  30. 30. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION MAP THE PROCESS IDENTIFY RISK/CONTROL CONDUCT RISK/CONTROL ASSESSMENT ASSIGN RESPONSIBILITY
  31. 31. Conducting Risk Assessments Risk assessments can vary in format; however, documentation should:  Identify the risks to the accomplishment of the assessable unit’s objectives  Identify the level of inherent risk (high, moderate, low)  Identify the level of control risk (high, moderate, low)  Identify the level of combined risk (high, moderate, low)  Document any existing controls that are in place to mitigate the risk
  32. 32. Conducting Control Assessments Internal control assessments can vary in format; however, documentation should:  Relate each control to a specific risk  Identify the control test objective to validate assumed level of control risk  Describe the design of the control that will be tested  State effectiveness of the control design based on the test performed  Describe how the operation of the control was tested  State effectiveness of the control operation based upon the test performed
  33. 33. RA, Control Test, and CA easy three step process
  34. 34. Sample Risk Assessment
  35. 35. Sample Control Assessment
  36. 36. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION MAP THE PROCESS IDENTIFY RISK/CONTROL CONDUCT RISK/CONTROL ASSESSMENT DOCUMENT FINDINGS ASSIGN RESPONSIBILITY
  37. 37. Documentation DON anticipates the MIC Program will become Auditable. Here is what you need to stay on track:  MIC Plan  Inventory of Assessable Units (AU)  Risk Assessments (RA)  Internal Control Assessments  Statement of Assurance (SOA)
  38. 38. MIC Process DEVELOP MIC PLAN SEGMENT THE ORGANIZATION MAP THE PROCESS IDENTIFY RISK/CONTROL CONDUCT RISK/CONTROL ASSESSMENT DOCUMENT FINDINGS PREPARE REPORTS ON RESULTS ASSIGN RESPONSIBILITY
  39. 39.  D I R E C T E D B Y T H E O V E R S I G H T P L A N N I N G B O A R D ( O P B ) C H A R T E R O F 1 5 J U N 0 4  1 3 F U N C T I O N A L C A T E G O R I E S  R E P O R T E D T O N A V A L A U D I T S E R V I C E A N D N A V I G  D A T A C A L L C O N D U C T E D F E B / M A R T I M E F R A M E  P R O V I D E D W E B - B A S E D D A T A E N T R Y T O O L O N L I N E T O S U B M I T R I S K A N D O P P O R T U N I T Y  O N L Y E C H E L O N I I A N D A B O V E G E T A C C E S S Risk and Opportunity Assessment (ROA)
  40. 40. Functional Categories Risks and Opportunities are grouped into 13 Functional Areas 1) Acquisition Integrity/Fraud 2) Anti-Terrorism/Force Protection 3) Education and Training 4) Environmental Protection and Safety 5) Facilities and Real Property Management 6) Financial Management 7) Force Readiness and Fleet Operations 8) Healthcare and Member Support Services 9) Information Technology Management 10)Intelligence and Classified Programs 11) Logistics, Supply, and Maintenance Ops 12) Manpower and Personnel 13) Systems Acquisition and Acquisition Logistics
  41. 41. Sample Risk and Opportunity Risk:  Stand-alone NOSC facilities are not in compliance with ATFP criteria. NOSC facilities are under the purview of CNIC, but despite efforts to update OPNAVINST 3300.53B, this instruction has not been updated  New Navy Reserve accessions often do not meet mobilization standards Opportunity:  NAVRESFOR is unable to use DTS to book travel requirements and process travel claims at this time. Legacy business processes require NAVPTO involvement and a manpower intensive process at the CTO to book Navy Reserve travel arrangements
  42. 42. A N A N N U A L R E P O R T T H A T C E R T I F I E S T H E S E C N A V ’ S L E V E L O F R E A S O N A B L E A S S U R A N C E C E R T I F I E S T H E O V E R A L L A D E Q U A C Y A N D E F F E C T I V E N E S S O F I N T E R N A L C O N T R O L S W I T H I N T H E D O N A V E N U E T O R E P O R T P O T E N T I A L “ N A V Y - W I D E ” I S S U E S B A S E D O N I N P U T S F R O M T H E F I E L D C O M P R I S E D O F W E A K N E S S E S A N D A C C O M P L I S H M E N T S I N D E N T I F I E D B Y A S S E S S M E N T F I N D I N G S P R O V I D E S M O N I T O R I N G A N D T R A C K I N G O F C O R R E C T I V E A C T I O N S Statement of Assurance (SOA)
  43. 43. Certification Statement Annual SOA Certification Statement Letterhead Memorandum
  44. 44. Reasonable Assurance  An unqualified statement of assurance - reasonable assurance with no material weaknesses reported.  A qualified statement of assurance - reasonable assurance with exception of one or more material weakness(es) noted.  A statement of no assurance - no reasonable assurance because no assessments conducted or the noted material weaknesses are pervasive.
  45. 45. Determining Materiality What constitutes a “material” weakness? Materiality is a management judgment. It is difficult to apply a strict formula to determine whether something is or is not material  Is the issue control-related?  Is the issue command/activity-wide?  Does the issue pose a Threat to Mission, Resources, or Image? * An issue is only material if it affects your organization as a whole
  46. 46. Material Weakness Criteria Material Weakness guidelines exist within DoD Instruction 5010.40. A Material Weakness must satisfy two conditions:  It must be a deficiency in which existing internal controls do not provide reasonable assurance that the objectives of the MIC Program are being met. In effect, the weakness results from internal controls that are not in place, not used, or not adequate.  It must be a deficiency that requires the attention of the next higher level of management. Managers should report a weakness to the next higher level if doing so is required to resolve the issue. A manager should also consider reporting a weakness to the next higher level if it is serious enough to bring to their attention (even if the issue can be resolved at the reporting manager's level).
  47. 47. SOA Online Tool The Tool encompasses all four segments of the SOA reporting requirements:  New Weaknesses  Prior Period Weaknesses  Accomplishments  Management Control Certification Statement Efficiency: Streamlines SOA data collection and reporting process Access: Easy access to submit updates and certification statements Monitoring: Provides a mechanism to track accomplishments and weaknesses Consolidation: Acts as a central database and stores historical data Consistency: Templates in the tool assist in completing certification statement
  48. 48. SOA Tool New MIC Coordinators go to: <https://www/fmosystems.na vy.mil/soa/login/index.cfm?fus eAction=Logout> Here MIC Coordinators request access to the SOA Tool and prepare the annual SOA Certification Statement
  49. 49. Inputs are being recognized
  50. 50. RCCs CNRFC DON CNO
  51. 51. Reporting Chain
  52. 52. Self-Assessment Tool Available at the FMO Systems website: <http://www.fmo.navy.mil/fin_imp/mic/tools_index.htm> Web-based Tool to provide Commands "current state” measurement of their MIC Program. This tool will help Leaders answer the following Internal Control questions:  Are they designed well?  Are they functioning as designed?  Are further improvements needed?

    Be the first to comment

    Login to see the comments

  • SetzThonger

    May. 6, 2019

Views

Total views

412

On Slideshare

0

From embeds

0

Number of embeds

14

Actions

Downloads

12

Shares

0

Comments

0

Likes

1

×