Briefing to the Office of Management and Budget DoD Financial Report

“Paradigm Shift”
Department of Defense Managers’ Internal Control Program
Association of Military Comptrollers Professional Development Institute Conference
June 3, 2010
Purpose of Briefing
• Background/Current Environment
• “Paradigm Shift”
• DoD Managers’ Internal Control Program
• Leveraging Priorities of MICP Activities To Ensure Accomplishment of Mission
• Where to Begin? – Framework to Monitor and Assess Effectiveness – How?
• Changes in Policies That Impact SOA and MICP Activities
• “Gold Standard” – DeCA and USSOCOM
DoD Background/Current Environment

Commission on Wartime Contracting in Iraq and Afghanistan – Contractor Business Systems (September 2009): found “systemic” problems with current contract oversight, e.g., agencies are under-resourced to respond effectively to wartime needs.
• Contractor business systems are inadequate. Why?
– Unreliable data from business systems
– Lack of ability to detect contract cost errors
– Inadequate controls over business systems
– Poor alignment of personnel to meet wartime needs

Secretary Gates ordering a top-to-bottom paring of the military bureaucracy to search for at least $10 billion in annual savings. He referred to the Department as a bloated bureaucracy with wasteful business practices (May 8, 2010).
• “Military strong but economically stagnant”
• Unrealistic to expect Congress to continue to approve budgets in the coming years that grow enough to sustain the current size of the military
• Lack of recent review of “how the Department is organized, staffed and operated, indeed every aspect of how it does business”

GAO identified long-standing weaknesses in DoD’s business operations that impact the Department and the Warfighter, e.g., Weapon Systems Acquisition, Contract Management, Supply Chain Management, and Financial Management (January 2009).
• Total acquisition costs in the FY 2007 portfolio of major defense acquisition programs increased by 40 percent from first estimates
• DoD does not prioritize system investments at the strategic level
• At the program level, programs are started without knowing what resources will truly be needed

Commission on Wartime Contracting in Iraq and Afghanistan – Contingency Contracting (June 2009): due to the sheer size of contractor-supported operations and weaknesses in contract management and oversight systems, plentiful opportunities for waste, fraud and abuse.
• Neither the military nor the federal civilian acquisition workforces have expanded to keep pace with recent years’ enormous growth in the number and value of contracts
• More timely training needed
• Lack of standards on inherently governmental functions

A risk-based and results-oriented approach addresses competing resources in an increasingly constrained fiscal environment
Paradigm Shift
Relevant to the DoD’s Challenge Towards Reliance on a Risk-Based and Results-Oriented Approach

In 1962, Thomas Kuhn wrote The Structure of Scientific Revolutions, and fathered, defined and popularized the concept of “paradigm shift.”

“Change is difficult. Human beings resist change; however, the process has been set in motion long ago and we will continue to co-create our own experience.” Kuhn states that “awareness is prerequisite to all acceptable changes of theory” (p. 67).

Shift in Focus and Approach – Connection Between Theory and Realization (figure): OSD’s Priorities; Department Awareness; Enhanced Criteria; Proactively Validate Risk; Risk-Based & Results-Oriented Approach

“Effective leadership is putting first things first. Effective management is discipline, carrying it out” --- quote from Stephen Covey, author of “The 7 Habits of Highly Effective People”
DoD Managers’ Internal Control Program

Historically
• Reliance Upon Outside Audit Agencies – Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses.
• Self-Reporting – Punitive Versus Incentivized – Candor not part of culture, i.e., “group-think.” Threat of retribution for self-reporting.
• Focus on Timelines and Format – Score received by Component based upon timeliness of SOA submission and adherence to format.
• “Paper-Drill Exercise” – Ramp-up of submission of SOA-related activities occurs several weeks prior to the submission deadline versus an ongoing activity year-round.

Renewed Emphasis
• Reliance Upon Resources in Component – Reliance upon analysis of the Component’s assessable units to identify material internal control weaknesses.
• Self-Reporting – Incentivize Versus Punish – Culture of organization whereby self-reporting by all levels of the organization regarding potential risks to the mission and recommendations for mitigation is rewarded.
• Focus on Risk – Based upon documentation of segments of business processes and procedures, identify risk, rank risk and focus upon the greatest risks that may impact the organization (e.g., materiality), and communicate risk and remediation recommendations through the “chain of command.”
• Report Supported by Documentation of MICP Process – Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon (i.e., processes, procedures, controls, risk, ranking of risk, mitigation of controls, and reportable “material” internal control weaknesses).
Where to Begin? – Review of Relevant Statutes/Regulations

Statutory Authority
Federal Managers Financial Integrity Act of 1982 (FMFIA)
• Requires the Secretary of Defense to submit a statement to the President and to the Congress by December 31 providing an assessment of DoD Management Control (MC) systems and a plan for correcting any material weaknesses
• Focuses on anticipating and preventing problems by stressing individual accountability, requiring managers to have financial and management control over resources*

Regulatory Guidance
Office of Management and Budget (OMB) Circular A-123
• Implements FMFIA by providing guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
DoD Instruction 5010.40, Management Control (MC) Program Procedures
• Provides procedures for implementation and use of the MICP

* The continuous monitoring of processes, risk, and the mitigation of risk through adequate controls provides management with the tools to anticipate and prevent a problem before it potentially occurs and/or is reported by auditors.
Background/Current DoD Environment

Condition:
Since 1982, when the Congress passed the Federal Managers’ Financial Integrity Act, GAO and DoD auditors have continued to report:
– Significant weaknesses in the ability to provide timely, reliable, consistent, and accurate information for management analysis, decision-making, and reporting (Report No. GAO-06013), and
– Inefficient accomplishment of mission goals tied to the inability to identify, prioritize and mitigate risk through adequate reliance upon controls

Cause:
• DoD organizational culture resists department-level approaches to priority setting and investment decisions
• Lack of sustained leadership, adequate transparency, and appropriate accountability
• No implementation goals or timelines with which to establish accountability or measure progress
• Need for an integrated risk management framework that identifies material weaknesses and is not totally dependent upon internal auditor findings

Effect:
• Mismatch between programs and budgets
• Proportional, rather than strategic, allocation of resources to the services
• Detracts from accomplishment of mission
– Negative publicity
– Increased costs
– Potential loss of life

A risk-based and results-oriented approach addresses competing resources in an increasingly constrained fiscal environment
DoD Senior Management Priorities

“Component’s Annual Statement of Assurance was not always complete”1
“Lack of appropriate accountability across DoD’s major business areas results in billions of dollars of wasted resources annually”2

Specific Priorities1
1. Implementation of a “risk-based” Managers’ Internal Control Program that provides assurance on the effectiveness of internal controls.
2. Reliance upon thorough documentation (to include identification of assessable units, assignment of assessable unit managers, documentation of current processes, controls, associated risk, prioritization of risk, and corrective action plans).
OSD will increase their role in this area.

Reliance Upon Criteria
OMB defines internal control as the steps a component takes to provide reasonable assurance that the component’s objectives are achieved through effectiveness and efficiency of operations (FMFIA, Section 2)

Implementation of Criteria
A DoD Component’s Managers’ Internal Control Program should include the identification, assessment and, if required, strengthening of internal controls to provide reasonable assurance of the most efficient and effective process to accomplish mission requirements – this is a continuous process

Validation of Results
• Assessments of program and administrative operations
• Implementation of a risk-based approach (based upon “materiality”)
• Validation process of the adequacy of the component’s Managers’ Internal Control Program

1. “Report on DoD Compliance with Federal Managers’ Financial Integrity Act of 1982,” Report No. D-2007-093, dated May 8, 2007, Department of Defense, Inspector General.
2. GAO’s High Risk Program, Testimony of the Comptroller General of the United States, dated March 15, 2006
Importance of Organizational Participation
An Effective MICP Is Dependent Upon Bottom-Up Perspective

Top-Down Perspective (figure): Director/Commander – Formal Communication Framework – MICP Coordinator – Senior Managers – MICP Program Manager – Assessable Unit Managers
• Clear, focused communications of the Component’s mission, the Commander/Director’s priorities and challenges, and organizational annual goals, to include agreement on performance metrics to gauge incremental progress.
• Formal Communication Framework between senior leadership and MICP Coordinators – “Tone at the Top” (active participation in building an organizational culture that supports constant review and self-reporting of risk).
• Formal and informal access to Commanders/Directors, Senior Managers, Functional Leads and Assessable Unit Managers.
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of the MICP.
• Full participation in the communications stream. Key participant in execution of the Component’s mission and in the MICP Coordinator’s input towards potential risks and the controls to mitigate risk embedded in specific functional responsibilities. Key liaison between communication of the Component’s goals and review of compliance.
• Assist Senior Management in execution of the mission through design and execution of the MICP for specific functional areas. Regular formal/informal interface with Assessable Unit Managers. Provide guidance, milestones, expectations and overall feedback.
• Ongoing communications with the MICP Program Manager in confirmation of assessable unit processes, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements for assessable units.
Importance of Organizational Participation
An Effective MICP Is Dependent Upon Bottom-Up Perspective

Bottom-Up Perspective (Formal Communication Framework)

Director or Commander
• Conduct regularly scheduled meetings (at least monthly) with Senior Managers and MICP Coordinators to review potential risks to the Component and recommendations for mitigation of risk. Include, when applicable, the Assessable Unit Manager for presentation of specific supporting documentation.

Senior Managers
• Meet regularly with the MICP Coordinator to review conclusions reached on current controls and recommendations for mitigation. Obtain information on potential material internal control weaknesses for immediate mitigation and/or communication with the Director/Commander for action/approval.

MICP Coordinator
• Develop a communication strategy with MICP Program Managers to discuss identified risks, ranking of risks and potential recommendations for mitigation. Review potential “material weaknesses” and elevate when applicable based upon impact to mission and/or “systemic” risk to the organization.

MICP Program Manager
• Organize regularly scheduled meetings with the MICP Coordinator to discuss analysis of processes, procedures, identified risk, ranking of risk, adequacy of controls, and recommendations for mitigation.

Assessable Unit Managers
• Document the assigned assessable unit through process maps and related narratives. Identify risks and current controls. Provide recommendations for ranking of risk and mitigation of risk. Interface with the MICP Program Manager regularly through formal and informal communications.

Definition of “systemic” -- refers to something that is spread throughout, system-wide, affecting a group or system such as a body, economy, market or society as a whole.
Department Awareness – So What?

History
• In 2005, the DoD Comptroller established the DoD Financial Improvement and Audit Readiness (FIAR) Directorate to manage DoD-wide financial improvement efforts, to include receipt and review of SOAs and to provide support in the implementation of the MICP
• Three main goals:
– provide timely, reliable, accurate and relevant financial information
– sustain improvements through an effective internal control program
– achieve unqualified (clean) opinions on DoD’s financial statements

Key Points
Leverage OSD’s Support of DoD Components’ Managers’ Internal Control Activities to Include the Risk Management Cycle
• Continue to manage the receipt and reporting of the Annual Statement of Assurance and……
• Increase role through validation of assessment requirements to include review of:
– Key controls (controls that address the relative assertions for a material activity or significant risk)
– Procedures for “continuous monitoring” requirements of controls
– Key aspects of a Managers’ Internal Control Program (e.g., “Tone at the Top,” Self-Reporting Activities)
• Identify and report “material” internal control weaknesses in addition to those reported by Internal Auditors
• Leverage the FIAR Financial Improvement Plans to highlight remediation
• Increase validation activities of Components’ compliance with DoD Instruction No. 5010.40

Validation of the Implementation and Execution of Instruction No. 5010.40 (figure):
• Appointment of MICP Administrator
• Segment Component’s functions into assessable units and responsible unit manager
• Documentation of actions to correct IC material weaknesses
• Updated Charters
• Assessment of ICs through defined process
• Reliance upon SAT for assessing/monitoring MICP efforts
• Provide Levels of Assurance
• Identify and report IC weaknesses
• Report material weaknesses in SOA
Why Have an Effective Managers’ Internal Control Program?

Reliance Upon DoDIG, GAO and Other “Outside” Audit Agencies
• Reactive versus Pro-Active
• Control/Contain Negative Publicity
• Reliance Upon Uninformed
• Impact Upon Morale

Reliance Upon an Effective Internal Control Program
• Requires In-depth Understanding of Processes, Associated Risks and Controls*
• Identification of Problem Prior to Impact
• Part of Strategic Planning Process
• Impact Upon Effectiveness and Overall Accomplishment of a Component’s Mission

* Those persons assigned to a specific function within an organization will be the knowledge experts on efficiencies, inefficiencies, risks, and the identification and impact of current controls. --- These are the individuals to interview to document processes.
What Can Happen If Internal Management Controls Are Ineffective!

Pilots’ checklists for takeoff, flight, before landing, and after landing
• Became standard procedure after the 1935 crash of the Boeing Model 299 (predecessor to the famous Flying Fortress, B-17)
• Pilots decided that the new Model 299 was not “too much airplane for one man to fly,” but more than one man could remember without help
• Checklists (e.g., Internal Control) help compensate for the weaknesses of human memory to help ensure consistency and completeness in accomplishing a mission

Note: Other examples include the USS Cole bombing, Fort Hood shooting, Pentagon shooting and recent cyber attacks.
Where to Begin – “Tone At the Top”

What is the “Tone at the Top”?
“Tone at the Top” is a term used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.

For a Managers’ Internal Control Program to be effective, senior management’s support is needed through:
• Communication – Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations.
• Active Participation – Kick-Off and Quarterly Meetings – Discussions relevant to internal controls and associated risks
• Reporting – Create and promote a path for employees to self-report and feel safe from retaliation
• Reward Active Participation – Creation of a Commander’s Award – Recognition of Successful Internal Control Activity
Responsibilities of MICP Leadership

Directors and Commanders
• Establishing and overseeing the MICP (Managers’ Internal Control Program)
• Complying with the requirements of the FMFIA (Federal Managers’ Financial Integrity Act)
• Designating the MICP Program Manager (Orders)
• Monitoring program implementation
• Ensuring managers understand their duties and responsibilities within the MICP
• Ensuring that MICP goals are established for each manager and that elements reflecting these goals are included in their employee performance plan and annual evaluation
– Prepare/distribute memorandum
– Attend key MICP meetings
– Institute annual recognition award
– Incorporate MICP requirements in performance elements

MICP Program Manager
• Assisting the Directors and AU Managers in designing and implementing the Directorates’ MICP
• Retaining MICP documentation to support annual reports
• Identifying MICP training requirements and providing/arranging for training
• Evaluating the effectiveness of management controls
• Appointing AU Managers (in writing)
• Preparing the Annual Statement of Assurance based upon the current fiscal year’s program and identified weaknesses
• Ensuring material weaknesses are tracked and reported until corrected
• Providing technical advice and guidance to AU Managers
– Prepares an MS Project Plan highlighting key milestones (completion of documentation requirements)
– Meets regularly with AUs
– Maintains/updates requirements
– Ensures training provided and relevant
– Ensures documentation/repository current and maintained
– Provides feedback up and down
– Provides incentives for self-reporting
– Understands business/mission

Assessable Unit Manager
• Deciding where controls are needed (assessing vulnerability)
• Design and documentation of controls
• Placement of controls in operation
• Continuously monitoring and improving the effectiveness of controls
• Periodic testing of controls
• Reporting whether or not controls are in place and working effectively (identifying weaknesses)
• Timely and effective action to correct deficiencies
• Tracking progress on correction of deficiencies
• Preparation of the Statement of Assurance (SOA) feeder report
Begin With An Entity-Level Risk Assessment

Reliance Upon an Entity-Level Risk Assessment
• Enhances ability to understand key business risks
• Integral piece of management’s risk assessment process
• Provides a structured process that becomes the cornerstone for prioritizing risks
• Focuses attention on areas meriting management review and monitoring
• Builds knowledge and confidence in risk management
• Understand the Component’s highest risks to mission

Risk Assessment Process Overview
• Understanding the Component’s business, including strategies and objectives
• Developing a preliminary understanding of key business risks and processes and aligning them to the Component’s strategic plan and objectives
• Creating a customized risk universe – a framework for categorizing key business risks – that reflects the risks facing the Component
• Determining current risk monitoring activities
• Understanding the effectiveness of entity-level controls, such as:
– Policies and procedures
– Code of conduct
– Segregation of duties
– Business continuity and disaster recovery plans for all primary data centers and business unit facilities; and
– Fraud prevention/detection programs
• Scoping the risk assessment by obtaining input from all key stakeholders
• Assessing, prioritizing, and validating key business risks with the key stakeholders
• Reporting the results of the risk assessment and using those results to develop a corrective action strategy
What are the Attributes of an Effective Managers’ Internal Control Program?

Tone at the Top

Verify Components & Units
• Segment Component into organizations, functions, and sub-functions.
• Assign Manager responsible for documentation for each assessable unit.
• Assign personnel responsible for sub-assessable units.

Identify and Assess Risk / Document Key Processes and Controls
• Conduct interviews of key stakeholders.
• Define processes, systems, and associated acronyms in narratives using the write-up template (see appendix for example).
• Document processes, controls, risks, system interfaces, and responsible stakeholders through process-flows with “swim lanes” (see appendix for example).
• Have interviewed personnel review and sign off on process-flows and narratives.

Assess Internal Controls (Testing)
• From controls noted in process-flow documentation and supporting interviews, complete a Controls Matrix Worksheet Template (see example in appendix).
• Highlight the current control activity and the ranking of the risk in terms of “high,” “medium” and “low” based upon agreed-upon criteria (i.e., cost to the organization if the risk occurs).
• Focus upon those risks identified as “high.”
• Rely upon testing to ensure adequacy of controls.

Document and Implement Improvements / Monitor Corrective Action Plans
• Assessable Unit Managers are responsible to report assurance and track corrective actions to ensure prompt resolution of control deficiencies, reportable conditions, or material weaknesses identified during assessment.
• The corrective action plan should note the deficiency, modification to the control, assigned responsibility to modify the control, milestone date for completion, and follow-up test work to ensure completion (see example of corrective action template in appendix).

Foundation for a “Results-Oriented” Risk-Based Managers’ Internal Control Program
Breakdown of a Component’s Functions Into Assessable Units

Agency – Department of Defense
Component – 37 DoD Reporting Components such as SOCOM
Sub-component – SOCS, AFSOC, USASCO, NSWC, MARSOC and SOCCENT
Function – Contract Directorate
Assessable Units* – Design of Competition, Development of Statement of Work, and Contract Close Out

* Assessable Units are defined as segments of business activities. Each DoD Component is required to report 100% of its assessable units.
The MICP Assessments Must Consider All Mission Essential Functions

(figure) DoD Senior Assessment Team – functional reporting categories: Mfg, Maint, & Repair; Supply; Property Mgmt; Force Readiness; Commo, Intel & Secur; Contract Admin; Info Tech; Procurement; Personnel & Org; Major System Acq; Comptroller & RM; RDT&E; Security Assist; Support Svcs; FMFIA Over Financial Reporting (Appendix A)
The Element of “Risk”

Management should identify internal and external risks that may prevent the organization from meeting its objectives.

Risk – The uncertainty of an event occurring that could have an impact on the achievement of objectives.
Risk Assessment – A systemic process for assessing and integrating professional judgment about probable adverse conditions and/or events.
Risk Management – The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Example
Per the Washington Post, April 20, 2010: “Pentagon Planning More Oversight of War-Zone Contractors”
• Risk: The Army’s contracting workforce is only 55 percent of what it was in the mid-1990s, while the dollar value of contracts overseen has jumped from $11 billion to $165 billion.
• Risk Assessment: Estimate provided that “we project recovery will take at least 10 years,” Lt. Gen. William N. Phillips, Principal Military Deputy, AT&L.
• Risk Management: Creation (2008) of the Commission on Wartime Contracting in Iraq and Afghanistan to recommend improvements in reconstruction and logistics work in the wake of concerns about fraud and waste. Recommendation to increase the acquisition workforce and related training.

Definition of “systemic” -- refers to something that is spread throughout, system-wide, affecting a group or system such as a body, economy, market or society as a whole (definition obtained from Wikipedia).
Department of Defense – OSD – Policy
DoD Instruction 5010.40, Managers’ Internal Control Program

What
DoD Instruction 5010.40, Managers’ Internal Control Program Procedures
• Established to:
– Review, assess, and report on the effectiveness of internal controls
– Identify and promptly correct ineffective internal controls, and
– Establish internal controls when warranted

How
• Develop a Managers’ Internal Control Program that concludes with the Component Head or Principal Deputy annually reporting reasonable assurance on the effectiveness of internal controls
• Segment into organizational assessable units and maintain an inventory of these assessable units
• Assign internal control responsibility to leadership and provide adequate training
• Report on whether internal controls provide reasonable assurance
• Track corrective actions
• Fully disclose material weaknesses
• Generate and maintain thorough documentation of activities

OSD Validation of Documentation Supporting Internal Control Activities
An “effective” Managers’ Internal Control Program includes review of program, operational, and administrative controls in functional DoD reporting categories – not just those identified by the internal auditors and/or the reporting of “low-hanging fruit”
What is New?
Assessment of Acquisition Functions Under OMB Circular A-123

What
• The Office of Federal Procurement Policy in OMB published guidelines for internal control reviews of acquisition functions
– Requirement to integrate the internal control review of acquisition with the existing internal control assessment and annual SOA reporting process
– For the first year of implementation, only the Components that report an annual SOA directly to the Secretary of Defense are required to complete the acquisition assessment

How
• To conduct the assessment of internal controls over acquisition functions, a “DoD Assessment of Internal Control over Acquisition Functions Template” has been created
– For assessment of the control environment, standards and objectives have been embedded into the template
– The template includes a column to document the risk to properly implement the standard or objective and the identification of control activities, to include policies and procedures that help ensure the necessary actions are taken to address the risk

DoD Assessment of Internal Control Over Acquisition Functions Template (figure) – for each cornerstone (e.g., Organizational Alignment and Leadership):
– Control Environment: What are the standards or objectives that set the tone or provide structure?
– Risk Assessment: What are the relevant risks to properly implementing the standards/objectives?
– Control Activities: What are the policies and procedures that help ensure the necessary actions are taken to address risk?
– Monitoring: What monitoring activities or separate evaluations are in place to assess performance over time?
What is New?
FFMIA Internal Controls Over Financial System Process (ICOFS)
For this reporting year, Components will not be scored on this new requirement.

What
• Requirement to conduct FFMIA ICOFS assessments and to report results annually in the SOA
• FFMIA requires that the Component’s Integrated Financial Management System be compliant with (substantial compliance requirements):
– Federal system requirements;
– Federal accounting standards; and
– U.S. Standard General Ledger at the transaction level

How
• Compliance with this requirement is accomplished through the documentation of the substantial compliance requirements
• FFMIA compliance is determined through testing and evaluation by an objective internal or external resource
• Compliance testing is performed in accordance with the Government Accountability Office’s Financial Audit Manual (Section 300 of Volume 1, and Section 700 of Volume 2)
• FFMIA compliance test results should be retained for no less than 3 years
• The Head of Component is responsible for preparing, maintaining, and executing an Integrated Financial Management System Improvement Plan when there is moderate risk of non-compliance

Criteria
• The Head of each Reporting Entity is responsible for reporting the compliance of the Entity’s Integrated Financial Management System (IFMS) with FFMIA, OMB Circular A-127, and Chapter 3 of Volume 1 of the DoDFMR
• The IFMS is a unified set of financial systems and the financial portions of mixed systems that encompass the software, hardware, personnel, processes, procedures, controls and data necessary to carry out financial management functions and the management of financial operations
MICP Requires Self-Reporting
“What Are the Qualities Necessary for You to Be Successful as a Military Leader,”
• “Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
• “As an officer if you blunt truths or create an environment where candor is not encouraged, then
you’ve done yourself and the institution a disservice”
• An example: “Hurdles faced by the officer known as the father of the ICBM. As a new brigadier general
in the 1950s, Bernard Schriever overcame numerous technology failures, massive Pentagon red-tape,
and most daunting of all, the Service’s Bomber Barons, led by Curtis LeMay himself, who believed that
nuclear weapons had no business being carried by anything without a pilot. The ICBM force would
become the backbone of America’s strategic deterrent for more than a generation, and was critical to
holding the Soviets long enough for their empire to collapse.”
• “The need for candor is not just an abstract notion --- It has very real effects on the perception of the
military and the wars themselves. The military campaigns from Korea to Vietnam, Somalia, the Balkans,
Iraq and Afghanistan have been frustrating, controversial efforts for the American public and our
American armed forces – each conflict has prompted debates over whether senior military officers were
being too deferential or not deferential enough to civilians, and whether civilians, in turn, were too
receptive or not receptive enough to military advice. “
Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy, on April 02, 2010
Conclusion/Next Steps

“Paradigm shift” in management and reporting of internal controls – through:
• Emphasis on a risk-based approach to focus on the essential elements;
• Focus on effectiveness of processes related to improvement of information that is important to Senior Management (e.g., existence and completeness of mission-critical assets);
• Reliance on an effective Managers’ Internal Control Program versus reliance upon internal auditors to identify and report upon “material” internal control weaknesses;
• Validation by OSD of the effectiveness of Components’ Managers’ Internal Control Programs to include:
– Adherence with MICP Procedures provided in DoD Instruction No. 5010.40
– Annual identification of assessable units
– Documentation of an inventory of internal controls
– Documentation that supports the reliance upon risk assessments, to include testing of controls when deemed applicable
– Documentation that supports continuous monitoring to provide the basis for Component-level annual assessment and reporting of effectiveness of program, operational, and administrative internal controls

DoD MICP Point of Contact: Steve Silverstein, 703-607-0300 Ext. 123
[email protected]
Appendix
The “Gold Standard”
Managers’ Internal Control Program Impact
June 3, 2010
Pamela F. Conklin
Defense Commissary Agency

Defense Commissary Agency
• “Tone at the Top”
– FY 2006 Director Supports MIC Program
• Emphasis restated annually at Director’s Call and Senior Level Staff meetings
– Functional Process Owners part of DeCA’s Senior Assessment Team
– Assessable Unit Managers Identified
• Process Owners Identified
• Agency Strategic Impact Link/Statement of Assurance
– MIC/OMB Circular 123-Appendix A
• Combined as One – DeCA! (Standard process implementation)
• DeCA aligned financial and non-financial processes to mirror one another.
» Narratives, flowcharts
» Risk Assessment
» Test Plan
» Control Analysis
– External Audit of Financial Statements
– Inspector General Commissary Inspection Evaluation Program (CCI)
– Internal Review – Audit Plan
– Lean 6 Sigma Continuous Process Improvement
Training Employees on Utilizing the Appendix A Methodology
• OneNet Training
– Video Presentation
• Face-to-face
– AUMs and process owners
– Zone Manager Training
– Store Director Training (Classroom instruction)
• Posters, Flyers, Rack cards
• Manuals
– DeCAM 70-2.1 (Under Review)
– DeCAM 70-2.2
– DeCAM 70-2.3
• SharePoint – portal documentation
Follow-Up
• Annual Review of Business Processes with each Process Owner
• Continuous Communication
• Continuous Process Improvement
Managers’ Internal Control Program Impact
June 3, 2010
M. Scott Deutsch
US Special Operations Command

US Special Operations Command
• Command Support – “Tone at the Top”
– USSOCOM Directive 5-1 – Managers’ Internal Control Program
• Reiterates the importance of the program
• Establishes format and flow of information for the Annual Statement of Assurance submission
• Provides templates for use and uniformity across the command
– Command Tasker
• Annual memorandum signed by the CoS
• Timelines and guidance for submission of the Statement of Assurance
• Internally developed form for tracking the required evaluation dates of identified AUMs
– Scoring of Feeder Statements
• Established a panel that reviews, evaluates, and scores feeder statements
• Formal memorandum with recommendations for overall improvement provided
• Memorandum that recognizes the overall highest score, signed by the Commander, sent throughout the command
US Special Operations Command
• Training
– Annual MICP Training Workshop
• Includes representatives from all of the 26 Components, Theater Support Commands, and Headquarters Staff
• Reviews updates to the overall program
• Guest speakers from outside sources that are experts in the field
• Conduct onsite training for Directors, AUMs, and Process Owners
• Awareness
– Newcomer Briefing
• Provides an overview of the MICP
• Required for all personnel who arrive at Headquarters
– MICP Portal Webpage
• Reference Materials
• Historical documentation
• Templates for uniform use
• Information sharing across the entire command
Process Flow
(Figure: process flow diagram with control point reference R-1; the diagram itself is not reproduced in the text.)
Narratives – Documenting Information
Key process activities should be distinguished from controls in the narrative.
• Each activity/step should include the who, what, where, when, why, and how often of the process
• Activities should be presented in a manner that tells a story, from start to finish
• Descriptions of activities should be comprehensive enough to facilitate a clear understanding of the process to a third party
Controls Matrix Template
Title of Organization
Function of Organization
Sub-Function of Organization
Control Matrix Worksheet
Scope Date: Month, Year – Month, Year
POC:
Date:
Assessable Unit:
Columns: Control Point (obtained from process flow) | Control Objective | Process / Procedure | Control Risk (High, Medium or Low) | Description
Example entry:
• Control Objective: Controls should be in place to ensure that only authorized personnel can reallocate and/or reprogram funds.
• Process / Procedure: Budget Execution/Funding
• Control Risk: Medium
• Description: The Reprogramming Team approves the formal reprogramming request after receipt of the OSD memorandum of implementation. (Segregation of duties/Authorization)
• Description: Reprogramming funds between different appropriations requires OSD and Congressional approval. (Approval)
Criteria to Validate MICP
Areas to be Validated (Next Fiscal Year - 2011)
Scoring Legend: 1 - Non-compliant; 2 - Partially compliant; 3 - Compliant
Entity Level
1) Has the component completed an entity-wide internal risk assessment?
2) Did the component designate an individual as responsible for the Managers' Internal Control Program (MICP)?
3) Did the component send a representative to the MICP annual conference?
4) Does the component demonstrate an effective "Tone at the Top" management approach through active participation, memorandums regarding the internal control program, incentive rewards, etc.?
Assessable Unit
5) Is the component segmented into organizations, functions and assessable units (sub-functions)? Does the breakdown make sense?
6) Has the component identified an individual responsible for each assessable unit (Assessable Unit Manager)?
7) Does the component provide a training program to managers and assessable unit managers for conducting risk assessments and performing internal control reviews?
8) Does the component conduct regular meetings with the Commander/MICP Manager/MICP Assessable Unit Managers? Are the meetings verified with related documentation/minutes?
9) Did the component document interviews of key stakeholders for each assessable unit?
Risk Assessment
10) Has risk been ranked in accordance with materiality, with a written description and justification?
11) Does the ranking of identified specific risks agree with the overall universe of risk?
12) Have the Assessable Units with the "highest" risks been reviewed and controls modified accordingly?
13) Does the component note potential risks in current processes and related controls to mitigate these risks?
14) Is there documentation of testing of controls to ensure that risks identified as high risk are mitigated?
Internal Control Review / Reporting
15) Have internal control reviews been performed for all "high risk" Assessable Units? Have the related controls been modified accordingly?
16) Does the Statement of Assurance properly reflect material weaknesses, and are the material weaknesses traceable to related documentation?
17) For each internal control material weakness noted, is there a thorough description and a related corrective action plan that specifies modifications to controls, assigned responsibilities, milestone dates and follow-up test work?
18) Does the component utilize a documented self-reporting matrix for ineffective internal controls?
19) Does the component have a recognition program that promotes self-reporting and significant reporting of internal control weaknesses?
Documentation / Record Retention
20) Did the component document defined processes, systems and associated acronyms in narratives using the provided write-up template?
21) Does the component maintain a central repository (i.e. E-room, filing, etc.) to store documentation?
“Tone at the Top”
“Generic” Control Objectives/Risks By Functional Area
Specific Control Objectives Related to Specific Functions – Acquisitions

Function: Acquisition - Major System

Sub-processes: Acquisition Planning; Request for goods / Request for Proposal (RFP)
• Control objective: Ensure accurate requirements for the system are captured and well-defined in the contract
  – Control: Authorization of procurement
  – Risk: Failure to follow FAR requirements for solicitations; failure to follow laws and regulations for procurement
• Control objective: Integration across the organization in acquisition planning to ensure contract requirements sufficiently capture the organization's objectives
  – Risk: Inadequately trained or inexperienced procurement staff
  – Risk: Failure to utilize purchase efficiencies gained through GSA, FPI, and UNICOR
• Control objective: Ensure total system costs are properly assessed and sufficient funding is obligated appropriately
  – Control: Authorization of funding
  – Risk: Failure to properly assess the total system costs and establish sufficient funding for the duration of the contract

Sub-process: Receipt of assets (system)
• Control objective: Existence - system is delivered/received at the accurate price according to the contract terms
  – Control: Authorization of payments
  – Risk: Failure to promptly track system with accurate pricing

Sub-process: Receive vendor invoice
• Control objective: Completeness - all debts are fully recorded
  – Control: Periodic reconciliation of existence of assets to recorded amounts
  – Risk: Failure to properly review delivery of assets
Function: Acquisition - Major System (cont.)

Sub-process: Record Accounts Payable
• Control objective: Accuracy of amounts, terms, account balances
  – Risk: Overpayment of taxes on purchase transactions and contracts

Sub-process: Cash disbursement
• Control objective: Timing - date of transaction posting coincides with occurrence of the asset acquisition
  – Control: Timely recording and independent review of transactions

Sub-process: Managing Fixed Assets
• Control objective: Segregation of responsibilities: authorization, custody of assets, recording, and reconciliation
  – Control: Separation of asset custody from other functions (i.e. accounting)
• Control objective: Records of fixed assets purchased with Federal funds comply with federal regulations.
  – Control: Maintaining Fixed Asset Register and/or Master File Including any Relevant Maintenance Activity Files
Function: Inventory / Property Management

Sub-process: Requisitioning
• Control objective: All goods to be transferred to operations are appropriately requisitioned.

Sub-process: Receiving Purchased Inventory Materials
• Control objective: Ensure recorded property transactions represent economic events that actually occurred and are properly classified and recorded in the correct period
• Control objective: Receipts of purchased inventory (including raw materials) are recorded timely and in the appropriate period.
  – Control: Materials received are checked to verify that they comply with the approved requisition.

Sub-process: Transfer Goods to Operations
• Control objective: Ensure recorded property exists at a given date.
  – Control: All materials requisitioned are properly transferred.

Risks (for this function):
  – Failure to properly review goods
  – Improper costing of assets
  – Ineffective acquisition policy due to inefficient maintenance of inventories, supplies, and IT assets
Function: Inventory / Property Management (cont.)

Sub-process: Perform Reconciliations
• Control objective: Ensure recorded property at a given date is supported by appropriate detailed records that are accurately summarized and reconciled to the account balance
  – Control: Periodic reconciliation of existence of inventory to recorded amounts
• Control objective: Ensure all existing property as of the reporting date, including property in the custody of third parties, is included in the general ledger.
• Control objective: Ensure recorded property is owned by the entity. The entity has rights to the recorded asset at a given date.
• Control objective: Ensure property balances and related footnote disclosures contain all information needed for fair presentation in accordance with US GAAP.
  – Control: Materials are transferred only on the basis of a properly approved requisition.
  – Control: Requisitions are prenumbered and investigated when missing.
• Control objective: Recorded purchased inventory (including raw materials and excluding consignment goods) represents materials acquired by the entity

Risks (for this sub-process):
  – Overpayment of taxes on purchase transactions and contracts
  – Inadequate processes and policies to secure physical assets
  – Failure to implement security controls
Function: Inventory / Property Management (cont.)

Sub-process: Maintain Inventory Master File
• Control objective: Only valid changes are made to the inventory management master file.
• Control objective: Only valid customer orders are processed.
  – Control: Approvals from appropriate marketing/sales personnel are verified for customer orders.
  – Risk: Miscategorization

Sub-process: Security and Monitoring of Inventory
• Control objective: Ensure materials are securely stored and inventory is adequately safeguarded.
  – Risk: Theft of assets
• Control objective: Ensure inventory is stored in an appropriate location that is conducive to efficient use of assets and operations
  – Risk: Inappropriate location and/or inefficient operation of assets
  – Risk: Misuse of assets by government personnel
• Control objective: Efficiently process excess property for donation or disposal
  – Control: Monitor inventories for slow-moving and obsolete materials and remove those materials if needed
  – Control: Defective materials are returned timely to suppliers.
  – Risk: Inadequate capacity planning
  – Risk: Improper production planning
  – Risk: Failure to undertake timely maintenance of plant and machinery
  – Risk: Mismanagement of software and hardware inventory
Function: Inventory / Property Management (cont.)

Sub-process: Issue Inventory to Customer
• Control objective: Complete and accurate records of products stored and available for shipment are maintained.
  – Control: Product transfer documents are required for movements of product into or out of storage. Such documents are prenumbered, and missing documents are investigated.
  – Risk: Regulatory noncompliance
• Control objective: All shipments are accurately documented, and such documentation is forwarded to accounts receivable on a timely basis.
  – Control: Shipping document information is compared with customer order information before shipment.
  – Control: Shipping document information is independently verified prior to shipment.
  – Risk: Discrepancy between physical and financial information
Function: Contract Administration

Sub-process: Acquisition Planning
• Control objective: Ensure accurate business requirements are captured and scope is well-defined in the contract's Statement of Work (SOW)
  – Risk: Contract objectives are not fully expressed in the SOW requirements, and are not fulfilled by the contract execution
• Control objective: Ensure integration across the organization in planning to address similar project goals in other departments
  – Risk: Duplication or redundancy of contract requirements across multiple contracts within a particular organization
• Control objective: Ensure total project costs are properly assessed and sufficient funding is obligated appropriately
  – Risk: Failure to properly assess the total project costs and establish sufficient funding for the duration of the project
  – Risk: Failure to utilize purchase efficiencies gained through GSA, FPI, and UNICOR
  – Risk: Inability to maintain a steady funding stream over a multiple-year contract to successfully execute the program
• Control objective: Acquisition transactions are properly recorded, including commitment, obligation, A/P, and payment
  – Control: Authorization of acquisition transactions
  – Risk: Improper authorization of acquisition transactions
Function: Contract Administration (cont.)

Sub-process: Contract Award
• Control objective: Selection of and award to the company that is best qualified to fulfill the contract requirements
  – Control: Evaluation committee is comprised of experienced staff who understand the contract requirements and will make the proper selection
  – Risk: Selection of unqualified company
  – Risk: Ineffective selection of a contractor based solely on low price instead of best value
• Control objective: Preclude protest of award
  – Control: Selection is made based on the evaluation criteria that are expressly defined in the RFP or solicitation documentation
  – Risk: Risk of protest due to undefendable or unsound selection choice
• Control objective: Ensure all qualified companies are given an equal opportunity to be awarded the contract
  – Risk: Shrinking field of qualified companies to achieve contract goals
• Control objective: Selection of an effective contract vehicle or type (fixed fee, cost reimbursement, cost plus incentive)
  – Risk: Inappropriate selection of contract vehicle or type
  – Risk: Unclearly defined price structure, deliverable requirements, or incentive requirements
  – Risk: Insufficient retention of documentation to support award decisions
  – Risk: Leakage or sale of insider information to bidders
Function: Contract Administration (cont.)

Sub-process: Contract Administration
• Control objective: Ensure appropriate government personnel are aligned to the project
  – Control: Effective human resources policies on appropriate staffing, retention, and organizational structure
  – Risk: Loss of contract focus due to changes in administration or key government personnel
  – Risk: Lack of procedures to identify and monitor risks on existing contracts
  – Risk: Inability to find or retain subject matter experts to oversee a contract
• Control objective: Consistent performance of contract and fulfillment of contract requirements
• Control objective: Contractor satisfies quality performance standards
  – Control: Requirement included in the contract for contractor to effectively manage and limit turnover and obtain government approval for project staffing decisions
  – Risk: High contractor turnover causing inconsistent or misdirected performance
  – Risk: Lack of procedures to assess the adequacy and appropriateness of costs for services and goods received
  – Control: Mechanisms to measure the contractor's performance relative to the contract requirements, such as a survey of government personnel aligned to the project
  – Risk: Lack of mechanisms in place to measure contract performance
  – Risk: Insufficient management of the project scope to achieve project goals and complete tasks within budget
Function: Contract Administration (cont.)

Sub-process: Contract Closeout
• Control objective: Contracts are closed out within the specified time period following completion of the contract, making leftover funds available for other needs
  – Control: Federal regulation to review and close completed contracts, and deobligate remaining funds on a timely basis
  – Risk: Failure to close out a contract on a timely basis, making leftover funds unavailable for other needs
• Control objective: Ensure all deliverables specified in the contract have been received
  – Risk: Lack of analysis to ensure receipt of deliverables prior to contract closure
  – Risk: Lack of information gathered on performance to assess prospective contract renewals
  – Risk: Untimely closure of contracts in accordance with financial and administrative guidelines, creating a backlog
Function: IT Management

Sub-process: Systematic Data Processing
• Control objective: Systems are maintained to allow timely communication of accurate internal and external information to relevant personnel.
  – Control: Information systems are instituted that ensure the accuracy and timeliness of internal and external information.
• Control objective: All production programs needed to process batch and on-line transactions and prepare related reports are executed timely and to normal completion.
  – Control: Processing is monitored by management to ensure successful and timely completion, including a review and resolution of any exceptions.
  – Control: Exceptions to normal processing are logged, reviewed by management, and promptly resolved.
  – Control: Batch and on-line processing procedures are defined to ensure that jobs and/or transactions are processed to normal completion or are recovered and reprocessed.
• Control objective: Only valid production programs are executed.
  – Control: Automated scheduling tools have been implemented to ensure the authorization and completeness of the flow of processing.
  – Control: Access to production processing control language and executable programs is defined to restrict the ability to execute, modify, delete or create to appropriate individuals.
• Control objective: Data is retained in accordance with laws, regulations, and company policy to enable retrieval when needed.
  – Control: Management and users plan and schedule backup and retention of data, and erasure and release of media when retention is no longer required. Management periodically reviews retention and release records.
  – Risk: Inefficient data retention processes and tools
• Control objective: Continued adherence to applicable IT laws and regulations
  – Control: Constant review of the applicable legislation
  – Risk: Failure to constantly review the applicable legislation
Function: IT Management (cont.)

Sub-process: IT System Maintenance
• Control objective: New network and communication software is appropriately implemented and functions consistent with management's intentions.
  – Control: Management has established formal policies to ensure that before changes are made to application systems, data structures, network and communication software, and systems software and hardware or the environment in which they operate, all affected parties are informed and the timing of modifications is coordinated with them to ensure minimum impact on other processing activities.
  – Control: Network and communication software and hardware are initially installed and evaluated in a test environment before implementation.
  – Control: Current documentation for network software, communication software, and the network topology is available and used when installing and/or maintaining the network.
  – Control: System implementation procedures include training users on appropriate use of new or substantially modified systems. Compliance with these procedures is monitored by management. As new employees are hired and as employees transfer within the entity, they receive formal training on relevant application systems.
Function: IT Management (cont.)

Sub-process: IT System Testing
• Control objective: Access to the test and production environments is restricted.
  – Control: Passwords or other mechanisms are in place to restrict access to test and production environments
  – Control: Tests are performed using a complete and representative set of test data instead of production data.
  – Control: The impact of proposed hardware, application system, data structure, and system software changes is assessed and reviewed by management before implementation into production in order to minimize disruptions to operations.
Function: IT Management (cont.)

Sub-process: Modifications or Upgrades to IT Systems
• Control objective: Modifications to existing network and communication software are appropriately implemented, and modified network and communication software functions consistently with management's intentions.
  – Control: Management has established formal policies to ensure that before changes are made to application systems, data structures, network and communication software, and systems software and hardware or the environment in which they operate, all affected parties are contacted and the timing of such modifications is coordinated with them to ensure minimum impact on other processing activities.
  – Control: Implementation is performed in a manner that allows the original environment to be restored if necessary.
  – Control: Network and communication software and hardware are initially installed and evaluated in a test environment before implementation.
  – Control: A formal methodology or process is used to guide the acquisition, development or maintenance of hardware, application systems, network and communication software and systems software.
  – Control: Requests for changes to network and communication software in the production environment are documented and approved by management. Management monitors implementation of all such changes.
  – Risk: Ineffective/delayed development, testing and deployment of new technology
Function: IT Management (cont.)

Sub-process: Architecture - Federal Enterprise
• Control objective: Ensure architecture is aligned with the organizational strategy and objectives and allows organizational requirements to be satisfied
  – Risk: Failure to implement a technology aligned with the organization’s strategy
  – Risk: Organizational requirements are not being met by systems currently in place
  – Risk: Ineffective software acquisition methodology

Sub-process: Technology Asset Management
(No control objectives, controls or risks are listed on the slide for this sub-process.)
Function: IT Management (cont.)

Sub-process: Information Security
• Control objective: Integrity of the organization's network is maintained through the firewall and security measures designed to prevent viruses, attacks, and access by unauthorized parties
  – Control: Issue and use of Common Access Cards (CAC) for all personnel who access the DoD organization's network
  – Risk: Untimely application of security patches
  – Risk: Use of unlicensed or unsupported software and hardware
  – Risk: Vulnerability to malicious attacks, ineffective antivirus measures, lack of physical/logical security
• Control objective: Access to information systems is restricted to those who are authorized for a particular system and who have a specific business-related need to access the data contained within the system
  – Control: Access to information systems requires a CAC with a valid certificate, user name/password, or some other mechanism to ensure personnel identity
  – Control: System Access Authorization Request (SAAR) Forms are completed and approved prior to granting access to information systems
  – Risk: Ineffective/inefficient access controls
  – Risk: Unauthorized access to personally identifiable information
  – Risk: Unclear ownership and classification of data
• Control objective: Data and information stored on electronic media are not accessed by anyone other than those intended to have such permission
  – Control: All media (tapes, manuals, guides, etc.) are stored in a secured, environmentally-controlled location.
  – Control: Removable media are labeled to enable proper identification.
  – Control: Automated data retention tools have been approved by management and implemented to manage the backup and retention data plan and schedule.
  – Risk: Failure to secure transportable media
Function: IT Management (cont.)

Sub-process: Physical and Environmental Security
• Control objective: In the event of a breakdown in a system, server or network, information and data contained within a system are not permanently lost.
  – Control: Backups are archived off-site to minimize the risk that data is lost.
  – Risk: Inability to recover from a business interruption
• Control objective: Data centers and physical locations of servers and information systems are protected by adequate security
  – Risk: Inadequate physical security around data centers
  – Risk: Lack of segregation of duties
Function: Force Protection

Sub-process: Protection From Physical Threat
• Control objective: All organizations and parties who could potentially be impacted by a threat are aware of the potential for threat and the severity of certain threats
  – Control: Regular administration and updating of force protection training
• Control objective: Ensure that threats are recognized by all who could be impacted
  – Control: Effective mechanism by which to coordinate and disseminate threat information at military installations
• Control objective: Ensure that threat information is communicated in a timely manner to all relevant organizations
• Control objective: Ensure that the severity of a threat and the level of potential that a threat may occur are understood uniformly by all relevant organizations and parties
  – Control: Force Protection Condition (FPCON) System
• Control objective: Ability to identify and mitigate force protection gaps and weaknesses
  – Control: Central authority responsible for overseeing, coordinating and executing force protection measures of deployments
• Control objective: Ensure DoD maintains security oversight of the transit of military equipment and that custody is never fully transferred to non-DoD entities
  – Control: DoD maintains control over the transit of military equipment during deployment
  – Risk: Potential that custody of military equipment falls into the hands of individuals or groups whose interests are counter to those of the United States
• Control objective: Ability to assess the susceptibility to and potential of a threat, and thus be prepared to defend against it
  – Control: Conduct regular vulnerability assessment of potential threat to assets and physical areas, computer networks, installation infrastructure, and transportation systems
  – Control: Existence of an antiterrorism plan and the consistent review and update of such a plan
Function: Force Protection (cont.)

Sub-process: Protection From Cyber Threat
• Control objective: Data centers and physical locations of servers and information systems are protected by adequate security
  – Risk: Inadequate physical security around data centers
• Control objective: Integrity of the organization's network is maintained through the firewall and security measures designed to prevent viruses, attacks, and access by unauthorized parties
• Control objective: Data and information stored on electronic media are not accessed by anyone other than those intended to have such permission
Function: Procurement

Sub-process: Vendor Selection
• Control objective: Identify and purchase from vendors capable of meeting the entity's needs
  – Control: Investigate and periodically update vendor capabilities regarding production quality and capacity, price (including volume or cash discounts and payment terms), order lead-time requirements, current and former customer satisfaction, financial condition, and management stability.
  – Control: Periodically update vendor information based on vendor terms and specifications of contracts or purchase orders (e.g., timely delivery of acceptable items, correction of errors or problems, and service).
  – Control: Appropriate review of purchase orders
  – Control: Monitor production problems related to out-of-stock materials and to material specifications; also monitor frequency of returned purchases (performance indicators)
  – Control: Develop data on alternative vendors and periodically reevaluate vendor selection decisions
  – Control: Specify procedures for notification by vendors of potential performance problems and for appropriate investigation and follow-through
  – Risk: Inadequate vendor screening, including periodic requalification of existing vendors, resulting in vendor inability to meet technical specifications, quantity requirements, price, delivery dates/lead time, and service
Function: Procurement (cont.)

Sub-process: Vendor Selection (cont.)
• Control objective: Purchase items only from legally qualified vendors, and in conformity with applicable laws, regulations and contracts
  – Control: Maintain updated vendor information about fraudulent acts
  – Control: Investigate possible legal restrictions on providing the materials required and pending litigation
  – Control: Consider ways to simplify vendor investigation procedures
  – Control: Institute and monitor code of conduct
  – Risk: Unavailable or inaccurate information or other improper activities of vendors
• Control objective: Ensure adequate supply of materials
  – Control: Timely communication to Procurement of Operations' or other activities' needs
  – Control: Utilize long-term needs analysis
  – Risk: Poor communication of Operations' or other activities' needs
  – Risk: Vendors' inability to provide needed quantities due to other higher-priority orders or an interruption in their own supplies
Function: Procurement (cont.)

Sub-process: Purchasing
• Control objective: Order items that meet appropriate specifications
  – Control: Review existing and revised specifications by technical personnel.
  – Control: Monitor and analyze production problems related to material specifications (performance indicator). Examples of performance indicators include comparing current-period data on production stoppages and slowdowns, rush orders, spoilage, and material price and quantity variances to prior-period data, peer or industry data, budgets, or other pre-established goals.
  – Control: Communicate production specifications to procurement personnel.
  – Control: Appropriate review and approval of contracts and purchase orders.
  – Risk: Inappropriate production specifications
Function: Procurement (cont.)

Sub-process: Purchasing (cont.)
• Control objective: Pay agreed-upon prices or appropriate "market" price
  – Control: Obtain competitive bids for each acquisition
  – Control: Consider volume purchases by determining total usage of similar materials. Combine orders to obtain volume discount.
  – Control: Appropriate review of purchase orders
  – Control: Monitor material price variances (performance indicator)
  – Control: Use hedging or forward contracts
  – Control: Perform a market analysis to determine price as appropriate
  – Risk: Out-of-date or incomplete price
Function: Procurement (cont.)

Sub-process: Purchasing (cont.)
• Control objective: Order appropriate quantities at appropriate times
  – Control: Maintain accurate perpetual inventory records
  – Control: Match periodic production schedules to inventory information and order lead-time requirements
  – Control: Appropriate review of purchase orders
  – Control: Use forecasts
  – Risk: Unavailable or inaccurate information on inventory levels or production needs
* (Note: Implementing Just-in-Time or a similar inventory and production management philosophy may result in better efficiency)
Function: Procurement (cont.)

Sub-process: Purchasing (cont.)
• Control objective: Update vendor information completely and accurately to reflect open purchase orders
  – Control: Route copies of purchase orders to appropriate personnel
  – Control: Pre-number purchase orders and periodically verify their entry into the system. Investigate unusual time delays in entering data.
  – Risk: Information on issued purchase orders is not clearly or completely communicated
  – Risk: Purchase orders are not entered into the system on a timely basis
• Control objective: Receive items ordered on a timely basis
  – Control: Specify shipment mode and delivery date on purchase orders
  – Control: Pre-number and account for purchase orders
  – Control: Match receiving information with purchase order information and promptly follow through on outstanding orders (Undeliverable Orders Report)
  – Control: Monitor vendor performance in terms of timely delivery; follow up in cases of poorly performing vendors
  – Risk: Unavailable or inaccurate information on items ordered but not received
Function: Procurement (cont.)

Sub-process: Purchasing (cont.)
• Control objective: Record authorized purchase orders completely and accurately
  – Control: Pre-number and account for purchase orders
  – Risk: Purchase orders may be lost
• Control objective: Prevent unauthorized use of purchase orders
  – Control: Pre-number and account for purchase orders
  – Control: Maintain physical security of purchase orders
  – Control: Approve purchase orders
  – Control: Notify vendors of company personnel authorized to approve purchase orders
  – Risk: Inadequate policies and procedures to prevent unauthorized use