mic a practical approach

THIS TRAINING SEMINAR INCORPORATES TOPICS FROM A VARIETY OF MIC

PROGRAM MATERIAL

MIC A Practical Approach

YN2 Austin Skidmore, NRMW RCC (N5)

Training Objectives

Gain an advanced understanding of MIC requirements

Become familiar with MIC terminology and expectations

Understand MIC reporting procedure

Learn to conduct risk and control assessmentsBe able to develop an Inventory of Assessable

UnitsProvide knowledge that is both relevant to

Commanding Officers and practical to front line MIC Coordinators

COLLECTION OF CONTROL SYSTEMS A COMMAND HAS ESTABLISHED TO ACCOMPLISH ITS MISSION

PRACTICES ADOPTED MANAGEMENT TO PROVIDE ASSURANCE THAT PROGRAMS CARRIED OUT IN ACCORDANCE WITH ESTABLISHED OBJECTIVES

SYSTEM OF CONDUCTING PERIODIC REVIEWS OF PROCESS EFFECTIVENESS

PROGRAM THAT INTENDS TO ELIMINATE OR REDUCE FRAUD, WASTE, ABUSE AND MISMANAGEMENT

What is MIC?

A N E F F E C T I V E M I C P R O GR A M H E L P S I D E N T I F Y A N D C O R R E C T W EA K N E SS E S W I T H I N A N O R G A N I Z AT I O N. B EN E F I T S O F A N EF F EC T I V E M I C P R O G R A M I N C LU D E :

1) V I S I B I L I T Y I N T O O R G A N I Z AT I O N A L W E A K N E SS E S

2 ) A B I L I T Y T O A N T I C I PAT E P O T E N T I A L O R S Y S T EM I C W EA K N E SS E S

3 ) P R O C ESS ES T O C O R R EC T W EA K N E SS E S B E F O R E T H EY B E C O M E D E T R I M E N TA L T O T H E O R G A N I Z AT I O N

4 ) C O M P L I A N C E W I T H T H E F E D E R A L M A N A G E R S ’ F I N A N C I A L I N T EG R I T Y A C T ( F M F I A ) A N D O T H ER L AW S A N D R E G U L AT I O N S

What does MIC do for my organization?

Why must we engage in MIC?

Department of the Navy’s Internal Control Manual – SECNAV M-5200.35

SECNAV Instruction 5200.35E

OMB Circular A-123 GAO Standards For Internal Control DoD Instruction 5010.40 (MIC) Program Procedures DoD FY 2009 Guidance For Preparation Of The Annual SOA DoD FY 2011 Internal Control Over Financial Reporting Guidance Federal Managers Financial Integrity Act Of 1982 (FMFIA)

KEYS TO SUCCESS FOR AN EFFECTIVE MIC PROGRAM:

LEADERSHIP EMPHASIS : A MIC Program must be supported by top leadership.

EDUCATION AND TRAINING :

Managers at all levels must understand the importance of internal controls.

MONITORING AND REPORTING :

Monitoring progress and reporting results are essential.

How can I make MIC a success?

MIC Process

DEVELOP MIC PLAN

MIC Plan

An executive summary which captures the command’s approach in maintaining an internal control program

Considered a Road Map to new MIC Coordinators

MIC Process

DEVELOP MIC PLAN SEGMENT THE ORGANIZATION

THE PROCESS OF SEGMENTING AN ORGANIZATION INCLUDES:

1) IDENTIFYING MAJOR COMPONENTS OR PROGRAMS

2) DIVIDING THE COMPONENTS INTO ASSESSABLE UNITS

3) RELATING ASSESSABLE UNITS TO RESPONSIBLE MANAGERS

Segmenting the Organization

Inventory of Assessable Units (AU)

Develop an Inventory of AUs that:

Are divisions of major components, functions, or programs

Have clear limits or boundaries

Are identifiable to a specific responsible manager

Constitute the entire organization

Functional Area Sub-segment Department

Research, Development, Test and Evaluation

Major Systems Acquisition Procurement Contract Administration Force Readiness Manufacturing, Maintenance and Repair Supply Operations Property Management Communications and/or Intelligence

and/or Security Information Technology Personnel and/or Organizational

Management Comptroller and/or Resource

Management Support Services Security Assistance Other (Transportation) Financial Statement Reporting

N01 N1 N3 N4 N5 N6 N7 N8 N9

Segmenting the Organization

Sample Inventory of AUs

MIC Process


ASSIGN RESPONSIBILITY

MIC Coordinator Top Leadership

Ensure requirements are communicated and completed on time

Coordinate efforts to prepare a MIC Plan and MIC Certification Statement

Monitor the performance and results of risk assessments and reviews

Obtain MIC training

Establish of internal controls to provide reasonable assurance requirements are met

Maintain an inventory of assessable units

Perform risk assessments and internal control reviews.

Submit an annual overall MIC Certification Statement

Monitor and improve internal controls

What is my role?

MIC Process


MAP THE PROCESS


Flowcharting

This chart represents some of the most commonly used flowchart symbols

Symbols may very by source

MIC Process


MAP THE PROCESS

IDENTIFY RISK/CONTROL


The three phases of a risk assessment generally include:

Identifying a risk that potentially impacts the organization’s mission and objectives

Assessing the impact and likelihood of that risk

Responding to the risk with appropriate controls

IDENTIFY ASSESS RESPOND

RISK IDENTIFICATION OCCURS AS A RESULT OF CONSIDERATION OF FINDINGS FROM AUDITS, EVALUATIONS, AND OTHER ASSESSMENTS

IDENTIFICATION OF RISKS RESULTING FROM BUSINESS,POLITICAL, AND ECONOMIC CHANGES ARE DETERMINED

RISKS TO THE AGENCY AS A RESULT OF POSSIBLE NATURALCATASTROPHES OR CRIMINAL OR TERRORIST ACTIONS ARE TAKEN INTO ACCOUNT

RISKS POSED BY NEW LEGISLATION OR REGULATIONS AREIDENTIFIED

Risk Identification

Risk Identificatio

n

A risk assessment determines where potential hazards exists that might prevent the organization from achieving its objectives.

Asking the following questions may also help to identify risks:

What could go wrong in the process?

What processes require the most judgment?

What processes are most complex?

What must go right for proper reporting?

How do we know whether we are achieving our objectives?

Where are our vulnerable areas?

Business Risk Types

Are we at risk of a threat to mission, threat to resources, or threat to image?

Financial risk - Loss of assets or available operating or capital budget

Human resources risk - Management and staff are not sufficient to meet needs and mission of organization

Reputation risk - Negative public opinion

Technology risk - Systems and technology tools, in design and operation, do not allow achievement of mission

Strategic risk - Mission or strategic plan does not support overall DON objectives

Operational risk - Operational policies and procedures do not sufficiently control business to allow achievement of mission

Environmental risk - Operations negatively impact the environment

GAO Risk Types

For each risk identified in a process, a control activity should be identified and documented in the risk assessment.

The GAO identifies three types of risk:

1) Inherent risk - The original susceptibility to a potential hazard or material misstatement, assuming there are no related specific control activities.

2) Control risk - The risk that a hazard or misstatement will not be prevented or detected by the internal control.

3) Combined risk - The likelihood that a hazard or material misstatement would occur and not be prevented or detected on a timely basis by the agency's internal control.

Threat Types

Threat to Mission - Is there a threat to achieving the mission of the organization. Threats to Mission include:

impaired fulfillment of essential mission or operations unreliable information causing unsound management decisions violations of statutory or regulatory requirements impact on information security depriving the public of needed Government services

Threat to Resources - Is there a threat to physical, financial or human resources. When a control deficiency has a clear dollar value associated with it, anything greater than one percent (1%) of the organization’s budget would be considered material.

Threat to Image - Consider the impact on the organization’s image does it bring substantial negative publicity. Threats to Image may include:

sensitivity of the resources involved (e.g., drugs, munitions) current or probable Congressional and / or media interest diminished credibility or reputation of management

Categorizing Risk Level

M ET H O D S U SE D BY P R O G R A M M A N A G E R S T O EN S U R E A C H I EV E M E N T O F O B J E C T I V E S A N D T O SA F E G UA R D T H E I N T E G R I T Y O F T H E I R P R O G R A M S.

C O N T R O L A C T I V I T I E S A R E E STA B L I SH E D T O M A N A G E A N D M I T I G AT E T H E I D E N T I F I E D R I S K S.

EXA M P L ES O F C O N T R O L A C T I V I T I E S A R E P R O C E SS O W N E R S H I P, T R A N S A C T I O N A P P R OVA L S, S EPA R AT I O N O F D U T I E S, A N D P E R F O R M A N C E M E A S U R EM E N T S.

I N T E R N A L C O N T R O L S E N S U R E T H E A C C O M P L I S H M EN T O F O B J E C T I V ES ; C O M P L I A N C E W I T H L AW S A N D R E G U L AT I O N S ; R E L I A B L E A N D T I M E LY I N F O R M AT I O N A N D E F F I C I E N T O P E R AT I O N S.

Internal Controls

I N T E R N A L C O N T R O L S P R OV I D E R E A S O N A B L E A SS U R A N C E T H AT T H E F O L L O W I N G A R E T R U E :

C O M P L I A N C E W I T H L AWS A N D R E G U L AT I O N S

A C C O M P L I S H M E N T O F O B J EC T I V E S

R E L I A B L E A N D T I M E LY I N F O R M AT I O N F O R D EC I S I O N M A K I N G

E F F I C I E N T O P ER AT I O N S

S A F E G UA R D I N G O F R E SO U R C E S F R O M WA ST E , F R A U D, A B U S E A N D M I SM A N A G E M EN T

What purpose do controls serve?

PREVENTATIVE DETECTIVE

DETER UNDESIRABLE EVENTS FROM OCCURRING. PREVENTATIVE CONTROLS SHOULD BE DESIGNED TO DISCOURAGE ERRORS AND IRREGULARITIES FROM OCCURRING

DETECT AND CORRECT UNDESIRABLE EVENTS THAT HAVE OCCURRED. DETECTIVE CONTROLS SHOULD BE DESIGNED TO IDENTIFY AN ERROR OR IRREGULARITY AFTER IT HAS OCCURRED

Types of Controls

DIRECTIVE CORRECTIVE

CAUSE OR ENCOURAGE A DESIRABLE EVENT TO OCCUR. DIRECTIVE CONTROLS SHOULD BE DESIGNED TO ASSIST IN ACCOMPLISHING GOALS AND OBJECTIVES

ARE AIMED AT RESTORING THE SYSTEM TO ITS EXPECTED STATE. CORRECTIVE CONTROLS CAN TERMINATE THE AFFECTED PROCESS, REVERSE THE ERROR, OR REMEDY THE RESULTS OF THE ERROR

Types of Controls

MIC Process


MAP THE PROCESS


CONDUCT RISK/CONTROL ASSESSMENT


Conducting Risk Assessments

Risk assessments can vary in format; however,documentation should:

Identify the risks to the accomplishment of the assessable unit’s objectives

Identify the level of inherent risk (high, moderate, low)

Identify the level of control risk (high, moderate, low)

Identify the level of combined risk (high, moderate, low)

Document any existing controls that are in place to mitigate the risk

Conducting Control Assessments

Internal control assessments can vary in format; however,

documentation should: Relate each control to a specific risk

Identify the control test objective to validate assumed level of control risk

Describe the design of the control that will be tested

State effectiveness of the control design based on the test performed

Describe how the operation of the control was tested

State effectiveness of the control operation based upon the test performed

RA, Control Test, and CA easy three step process

Sample Risk Assessment

Sample Control Assessment

MIC Process


MAP THE PROCESS



DOCUMENT FINDINGS


Documentation

DON anticipates the MIC Program will become Auditable.

Here is what you need to stay on track:

MIC Plan

Inventory of Assessable Units (AU)

Risk Assessments (RA)

Internal Control Assessments

Statement of Assurance (SOA)

MIC Process


MAP THE PROCESS



DOCUMENT FINDINGS

PREPARE REPORTS ON

RESULTS


DIRECTED BY THE OVERSIGHT PLANNING BOARD (OPB) CHARTER OF 15 JUN 04

13 FUNCTIONAL CATEGORIES REPORTED TO NAVAL AUDIT SERVICE AND NAVIG

DATA CALL CONDUCTED FEB/MAR TIME FRAME

PROVIDED WEB-BASED DATA ENTRY TOOL ONLINE TO SUBMIT RISK AND OPPORTUNITY

ONLY ECHELON I I AND ABOVE GET ACCESS

Risk and Opportunity Assessment

(ROA)

Functional Categories

Risks and Opportunities are grouped into 13 Functional Areas

1) Acquisition Integrity/Fraud 2) Anti-Terrorism/Force Protection 3) Education and Training 4) Environmental Protection and Safety 5) Facilities and Real Property Management6) Financial Management7) Force Readiness and Fleet Operations 8) Healthcare and Member Support Services9) Information Technology Management10)Intelligence and Classified Programs 11)Logistics, Supply, and Maintenance Ops12)Manpower and Personnel 13)Systems Acquisition and Acquisition

Logistics

Sample Risk and OpportunityRisk:

Stand-alone NOSC facilities are not in compliance with ATFP criteria. NOSC facilities are under the purview of CNIC, but despite efforts to update OPNAVINST 3300.53B, this instruction has not been updated

New Navy Reserve accessions often do not meet mobilization standards

Opportunity:

NAVRESFOR is unable to use DTS to book travel requirements and process travel claims at this time. Legacy business processes require NAVPTO involvement and a manpower intensive process at the CTO to book Navy Reserve travel arrangements

A N A N N UA L R EP O RT T H AT C E RT I F I E S T H E SE C N AV ’ S L E V E L O F R E A S O N A B L E A SS U R A N C E

C E RT I F I ES T H E OV E R A L L A D E Q UA C Y A N D E F F E C T I V EN E SS O F I N T E R N A L C O N T R O L S W I T H I N T H E D O N

AV E N U E T O R EP O RT P O T E N T I A L “N AV Y-W I D E ” I SSU E S B A S E D O N I N P U T S F R O M T H E F I E L D

C O M P R I S E D O F W E A K N E SS E S A N D A C C O M P L I S H M E N T S I N D E N T I F I E DBY A SS E SS M E N T F I N D I N G S

P R OV I D ES M O N I T O R I N G A N D T R A C K I N G O F C O R R EC T I V E A C T I O N S

Statement of Assurance(SOA)

Certification Statement

Annual SOA Certification Statement Letterhead Memorandum

Reasonable Assurance

An unqualified statement of assurance - reasonable assurance with no material weaknesses reported.

A qualified statement of assurance - reasonable assurance with exception of one or more material weakness(es) noted.

A statement of no assurance - no reasonable assurance because no assessments conducted or the noted material weaknesses are pervasive.

Determining Materiality

What constitutes a “material” weakness?Materiality is a management judgment. It is difficult to apply a strict formula to determine whether something is or is not material

Is the issue control-related?

Is the issue command/activity-wide?

Does the issue pose a Threat to Mission, Resources, or Image?

* An issue is only material if it affects your organization as a whole

Material WeaknessCriteria

Material Weakness guidelines exist within DoD Instruction 5010.40.

A Material Weakness must satisfy two conditions:

It must be a deficiency in which existing internal controls do not provide reasonable assurance that the objectives of the MIC Program are being met. In effect, the weakness results from internal controls that are not in place, not used, or not adequate.

It must be a deficiency that requires the attention of the next higher level of management. Managers should report a weakness to the next higher level if doing so is required to resolve the issue. A manager should also consider reporting a weakness to the next higher level if it is serious enough to bring to their attention (even if the issue can be resolved at the reporting manager's level).

SOA Online Tool

The Tool encompasses all four segments of the SOA reporting requirements:

New Weaknesses Prior Period Weaknesses Accomplishments Management Control Certification Statement

Efficiency: Streamlines SOA data collection and reporting process

Access: Easy access to submit updates and certification statements

Monitoring: Provides a mechanism to track accomplishments and weaknesses

Consolidation: Acts as a central database and stores historical data

Consistency: Templates in the tool assist in completing certification statement

SOA Tool

New MIC Coordinators go to:

<https://www/fmosystems.navy.mil/soa/login/index.cfm?fuseAction=Logout>

Here MIC Coordinators request access to the SOA Tool and prepare the annual SOA Certification Statement

Inputs are being recognized

RCCs

CNRFC

DON

CNO

Reporting Chain

CONGRESSSECDEFSECNAV

CNOCNRFC

NRMW RCCNOSC

Self-Assessment Tool

Available at the FMO Systems website:

<http://www.fmo.navy.mil/fin_imp/mic/tools_index.htm>

Web-based Tool to provide Commands "current state” measurement

of their MIC Program. This tool will help Leaders answer the following

Internal Control questions:

Are they designed well?

Are they functioning as designed?

Are further improvements needed?

mic a practical approach

Documents