Silverstein

Report
Office of the Secretary of Defense Comptroller’s
Manager’s Internal Control Program
Building a “Culture Focused on Accountability”
3 April 2014
Unclassified
OSD - Comptroller
Financial Improvement and Audit Readiness
• DoD’s Priority – Achieving Auditable Financial Statements
• MICP - Why and How?
• MICP in Afghanistan
• Appendix
Incremental Milestones and Significant Challenges
1. Audit Readiness for Budget Statements by 30 September 2014
• “Audit Readiness” –
o The Department has strengthened internal controls and improved financial practices, processes and systems
o Reasonable confidence that the information can withstand an audit by an independent auditor.
2. Full Audit Readiness By 30 September 2017
• Full financial statement validation
• To date, $235 billion or 19 percent of total budgetary resources have an opinion or are under audit and $453 billion or 53 percent of DoD assets are either under examination, have been validated as audit ready or have been asserted as audit ready for existence and completeness of critical assets.
Challenges
• Budgetary Turmoil
• Capacity of the DoDIG
• Availability of Independent Auditors
• Hundreds of Legacy Systems
• Human Capital - Right Number and Skill Set
• Size and Complexity of the Department
Audit Readiness Progress
Audit Opinions on Financial Statements
• Six DoD organizations received unqualified audit opinions on their FY13 financial statements.
o U.S. Army Corps of Engineers – Civil Works
o Defense Commissary Agency
o Defense Contract Audit Agency
o Defense Finance and Accounting Service
o Defense Health Agency – Contract Resource Management
o Military Retirement Fund
• Three DoD organizations received qualified opinions.
o Defense Information Systems Agency – Working Capital Fund and General Fund
o Office of the Inspector General
o Medicare – Eligible Retiree Care Fund.
Audit Readiness Examinations
• Audit readiness validated by examinations
o DFAS – Civilian Pay, Military Pay, and Standard Disbursing Services
o DCPAS – Civilian Pay
o DISA – Enterprise Computing Services
• Examinations underway
o Army – All General Fund activities
o Air Force – Civilian Pay (General Fund and Working Capital Fund) and Funds Distribution to Base.
o Navy – Fund Balance with Treasury
o DFAS – Contract Pay
o DLA – Civilian Pay, Contract Pay, Defense Agencies Initiatives (DAI), Defense Automatic Addressing System
o Service Medical Activity (Navy) – Consumables
o Chemical Biological Defense Program – Contract Pay, Other Budgetary Activity, Reimbursable Work Orders-Acceptor, Reimbursable Work Orders-Grantor, and Fund Balance with Treasury
Audit Readiness Assertions
• Assertion of Assessable Units
o Navy – Operating Materials and Supplies
o Defense Contract Management Agency – Fund Balance with Treasury, Contract/Vendor Pay, Reimbursement Work Orders-Acceptor and Reimbursement Work Orders-Grantors
o Defense Logistics Agency – Real Property and General Equipment-Capital Assets.
o Service Medical Activity-Navy
o Chemical Biological Defense Program – Contract Pay, Fund Balance Treasury
Currently In Wave 2
Wave 1 (FY 2013): Appropriations Received Audit Readiness
Wave 2 (FY 2014): SBR Audit Readiness
Wave 3 (FY 2016): Mission Critical Assets Existence & Completeness Audit Readiness
Wave 4 (FY 2017): Full Financial Statements Audit Readiness
FY 2018: Full Financial Statements Audits
Wave 1. Completed when Appropriations Received was validated as audit ready. Focused on the processes and controls
associated with the receipt and distribution (through apportionments, allotments and sub-allotments) of congressionally
appropriated funds.
Wave 2. Focuses on processes, internal controls, systems, and supporting documentation that must be audit ready before the
General Fund SBR can be audited. It is dependent on achieving an auditable FBWT balance.
Wave 3. Focused on the Existence and Completeness assertions to include all assets recorded in the Accountable Property
System of Record, all existing assets are recorded in the APSR, reporting entity has the rights to report on assets, and
assets are consistently categorized, summarized, and reported from period to period (Presentation and Disclosure).
Wave 4. Includes all other financial statements to include, for example, General Fund Balance, Statement of Net Cost, etc.
• How do we minimize risk to the Command? – Risk is defined as “the potential
that a chosen action or activity will lead to a loss” - Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security,
privacy and completeness
So What?
Past: Review and Reporting of Risk – “Paper Drill”
• Limited Scope
• Reliance upon auditors
• Impact – Mitigation of risk after the mission negatively impacted
• Emphasis on Requirement
• One point in time
Future: Review and Reporting of Risk – Part of Command Culture - Value Added
• Coverage of all functions
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
• Emphasis on most efficient and effective way to meet requirement
• Daily review
• If you rely upon an outside audit service to identify and report on control
deficiencies – it is too late (e.g., embarrassment and negative impact to mission).
“Culture that has allowed massive waste of taxpayers’ dollars has become
business-as-usual at the Department of Defense. Particularly in today’s
fiscal environment, this cannot be tolerated. If this is not corrected, the
Department’s ability to continue defending the Nation and to provide for
its national security will be compromised. Taxpayers simply will not
tolerate the continuing waste of their resources in light of the debt we face
and our competing budgetary needs”. ~Senator John McCain, (R-AZ) –
Senate Armed Services Committee (SASC), September 2011.
“ We need to change the culture of the Department where Commanders
are held directly accountable for the efficient use of dollars.” ~Honorable
Robert Hale, DoD Comptroller – House Armed Services Committee,
January 2012.
“Need to Change the Culture,” – Communicate what senior management
needs to hear versus what you think they want to hear --- candor --- proactive versus reactive. – Through the chain of command!
Groupthink
Groupthink is a psychological phenomenon that occurs within
groups of people. Group members try to minimize conflict and
reach a consensus decision without critical evaluation of
alternative ideas or viewpoints. Causes loss of individual
creativity, uniqueness, and independent thinking. Also, collective
optimism and collective avoidance.
Status Quo
Status quo, a commonly used form of the
original Latin "statu quo" – literally "the state in
which" – is a Latin term meaning the current or
existing state of affairs. To maintain the
status quo is to keep the things the way they
presently are.
Candor
Candor is unstained purity;
freedom from prejudice or malice: fairness
Change
Change in an organization is
shifting/transitioning individuals, teams, and
organizations from a current state to a desired
future state. It is an organizational process
aimed at empowering employees to
recommend, accept and embrace changes in
their current business environment.
An effective Managers’ Internal Control Program – Empowers those
that are involved in the operational, administrative and program
processes and procedures to self-report inefficiencies (i.e., risk). Empowerment = dependency upon candor, and encouragement of
self-reporting of risk.
• "The hardest thing you may ever be called upon to do is stand alone among your peers and superior
officers," – (leadership is the courage and integrity to do the right thing and to communicate the message
– of not what superiors want to hear but rather what they need to hear in order to effectively lead).
• "To stick out your neck after discussion becomes consensus, and consensus ossifies into group think."
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25 2009
 “Challenge conventional wisdom and
call things as you see them to
subordinates and superiors alike.”
 “As an officer if you blunt truths or
create an environment where candor
is not encouraged, then you’ve done
yourself and the institution a
disservice.”
Remarks delivered by Secretary
Robert M. Gates to the U.S. Air
Force Academy, April 2, 2010
 “In the early days of the surge, Gen.
Petraeus's forthright candor with both
superiors and subordinates was an
important part of the plan's success.”
 He never offered unwarranted or
sugar-coated optimism. His honesty -- and action -- in the face of uncertainty
won the loyalty of those around him”.
Washington Post, Article titled,
“ Gen. Petraeus: No Sugar-Coated
Optimism”, by Col. Michael E. Haith
(Ret), United States Army, July 6, 2011
 How Do We Minimize Risk to the Command? – Risk is defined as
“the potential that a chosen action or activity will lead to a loss”
 Loss can be: Life, funds, reputation (embarrassment), timeliness,
accuracy, security, privacy, completeness etc.
Change
Accomplish Requirement
Accomplish Requirement Efficiently & Effectively
Form Over Substance
Substance Over Form
Change of Organizational Culture
Groupthink: What does leadership want to hear?
Focus on Risk and Incentivize Self-Reporting
Prioritize Risk With Mission Requirements and Provide Mitigation
Candor: What does leadership need to hear?
Procedures
• Each DoD and OSD Component establishes a MICP
• Establish a Senior Management Council to oversee operational, financial, and financial systems reporting
• Appoint a MICP Coordinator
o Coordinates with assessable unit managers to ensure proper documenting of end-to-end processes
o Identifies best practices and develops efficiencies to improve control documentation, enhance controls, eliminate inefficient controls, and implement new controls.
o Ensures subject matter experts assess risk and may impact mission or operations.
o Assists in testing and classification of internal controls
o Ensures identification of internal control objectives.
o Ensures corrective action plans are developed
o Ensures best practices and deficiencies are shared across assessable units.
o Tracks progress of corrective actions
o Actively communicates with the DoD Component Senior Management Council
o Maintains MICP documentation
DoD Component Heads
• Establish a MICP to:
o Assess inherent risks in mission-essential processes
o Document and design internal controls
o Test the design and operating effectiveness of existing internal controls
o Identify and classify control deficiencies and execute corrective action plans
o Monitor and report the status of corrective action plans
o Designate in writing the MICP Coordinator
o Conduct a formal assessment of the acquisition functions requirements outline
o Submit the annual statement of assurance to the Sec Def
Instruction Applies to:
• OSD
• Military Departments
• Joint Chiefs of Staff
• Combatant Commands
• DoDIG
• Defense Agencies
• DoD Field Activities
• DoD Components
Assessable Unit Managers (AUMs)
• MICP Coordinator appoints and trains AUM for each assessable unit
• Assess risk
• Identifies internal control objectives
• Documents operational, administrative, system and financial internal controls
• Reviews processes and procedures and recommendations
• Tests effectiveness of internal controls
• Identifies and classifies internal control deficiencies
• Develops corrective actions
• Tracks progress of corrective action plans
• Maintains MICP documentation
Assessable Units
• Segments into organizational, functional or other assessable units
• Must ensure entire organization is covered
• Must be large enough to allow managers to evaluate significant portion of the activity being examined
• Must be small enough to be able to document processes and controls
Reporting Categories
• Communications
• Intelligence
• Information Technology
• Security
• Comptroller and Resource Management
• Contract Administration
• Force Readiness
• Acquisition
• Manufacturing, Maintenance, and Repair
• Other
• Personnel and Organizational Management
• Procurement
• Property Management
• Research, Development, Test and Evaluation
• Security Operations
• Support Services
• Budget-to-Report
• Hire-to-Retire
• Order-to-Cash
• Procure-to-Pay
• Acquire-to-Retire
• Plan-to-Stock
Statement of Assurance
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment
towards openness, honesty, integrity, and ethical behavior. It is the most important
component of the control environment. The tone at the top is set by all levels of
management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective:
Need Senior Management’s Support Thru:
• Communication - Management must clearly communicate its ethics and values
throughout the area they manage. These values could be communicated formally
through written codes of conduct and policies, staff meetings, memos, etc. or
informally during day to day operations.
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal
controls, and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from
retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of
Successful Internal Control Activity
Reliance Upon an Entity-Level Risk Assessment
Risk Assessment Process Overview
• Enhances ability to understand key business risks
• Integral piece of management’s risk assessment process
• Provides structured process that becomes the cornerstone for prioritizing risks
• Focuses attention on areas meriting management review and monitoring
• Builds knowledge and confidence in risk management
• Understand the Component’s highest risks to mission
• Understand the Component’s business, to include strategies and objectives
• Develop a preliminary understanding of key business risks and processes and align
them to the Component’s strategic plan and objectives
• Create a customized risk universe – a framework to categorize key business risks –
that reflects the risks facing the Component
• Determining current risk monitoring activities
• Understand the effectiveness of entity-level controls, such as:
o Policies and procedures
o Code of conduct
o Segregation of duties
o Business continuity and disaster recovery plans for all primary data centers and
business unit facilities; and
o Fraud prevention/detection programs
• Scope the risk assessment by obtaining input from all key stakeholders
• Assess, prioritize, and validate key business risks with the key stakeholders
• Report the results of the risk assessment and using those results to develop a
corrective action strategy
Importance of Organizational Participation
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Top - Down Perspective and Bottom - Up
Formal Communication Framework Built Upon Trust and Empowerment
Commander
Senior Functional Managers
MICP Coordinator
Assessable Unit Managers
• Clear, focused communications of the Component’s mission, and
Commander/Director’s priorities and challenges.
• Formal Communication Framework between senior leadership and
MICP
• Full participation with communications. Key participant in execution of
Component’s mission and MICP Coordinator’s input towards potential
risks and controls to mitigate risk
• Formal and informal access to Commander/Directors, Senior
Managers, Functional Leads and Assessable Unit Managers.
• Provides support towards compliance with laws, regulations and
instructions and provides guidance to Component staff on
implementation of MICP.
• Ongoing communications with MICP Program Manager in
confirmation of assessable unit process, controls and related risks.
Receiver of feedback from management regarding prior reporting of
material risk and changes to requirements towards assessable units.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses.
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e., “group-think.” Threat of retribution for self-reporting “bad news.”
• Filtered communications
Focus on Timelines and Format
• Score received by Component based upon timeliness of SOA submission and adherence to format not substance of content.
“Paper-Drill Exercise”
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round.
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses.
Self-Reporting – Incentivize Versus Punish
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation.
Focus on Risk
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization.
Report Supported by Documentation of MICP Process
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon.
Command – USFOR-A
Sub-component
 Comptroller – J-8
Function
 Commander’s Emergency Response Program
Assessable Units*
 Verification and accurate reporting of CERP
payments
* Assessable Units are defined as segments of business activities (i.e., transaction level).
An Example - Process Flow
An Example – Army Form DA 11-2
INTERNAL CONTROL EVALUATION CERTIFICATION
For use of this form, see AR 11-2; the proponent agency is ASA(FM&C).
3. ASSESSABLE UNIT
4. FUNCTION
5. METHOD OF EVALUATION (Check all that apply)
a. CHECKLIST
b. ALTERNATIVE METHOD (Indicate method)
APPENDIX (Enter appropriate letter)
6. EVALUATION CONDUCTED BY
a. NAME (Last, First, MI)
7. REMARKS (See Attached)
Use this block to describe the method used to test key controls, the internal control weakness(es) detected by the evaluation (if any) and the
corrective action(s) taken. (THIS IS MANDATORY)
a. METHOD OF TESTING KEY CONTROLS (Check all that apply)
Direct Observation
Review of Files or Other Documentation
Analysis
Sampling
Simulation
Interviews
Other (Explain)
b. EVALUATION RESULTS (Include specific items tested):
c. INTERNAL CONTROL DEFICIENCIES DETECTED, IF ANY. (Include potential material weaknesses):
d. DESCRIBE CORRECTIVE ACTIONS TAKEN, IF APPLICABLE.
8. CERTIFICATION
I certify that the key internal controls in this function have been evaluated in accordance with provisions of AR 11-2, Army Managers' Internal
Control Program. I also certify that corrective action has been initiated to resolve any deficiencies detected. These deficiencies and
corrective actions (if any) are described above or on attached documentation. This certification statement and any supporting documentation
will be retained on file subject to audit/inspection until superseded by a subsequent internal control evaluation.
a. ASSESSABLE UNIT MANAGER
(1) Typed Name and Title
(2) Signature
An Example – Risk Matrix
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk
Control Environment:
Is required to ensure all personnel
maintain proper oversight and
accountability of U.S. Government
property in order to maintain good
stewardship of resources and avoid
issues of fraud, waste or abuse.
Inherent Risks:
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls:
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Likelihood of Occurrence (by Level)
e    Nearly Certain (15 to 20)
d    Highly Likely (11 to 14)
c    Likely (8 to 10)
b    Unlikely (5 to 7)
a    Remote (4)
Consequence of Occurrence (by Level)
1    Minimal/No Impact (6)
2    Minor Impact (7 to 14)
3    Moderate Impact (15 to 19)
4    Severe Impact (20 to 24)
5    Unacceptable Impact (25 to 30)
Overall Risk Rating
R    Red – High
Y    Yellow – Medium
G    Green – Low
Risk matrix (rows: Likelihood level; columns: Consequences level)
     1    2    3    4    5
e    Y    R    R    R    R
d    G    Y    R    R    R
c    G    Y    Y    R    R
b    G    G    Y    Y    R
a    G    G    G    Y    Y
The MICP Assessments Include Functions of an Organization
• Mfg, Maint, & Repair
• Force Readiness
• Contract Admin
• Supply
• Property Mgmt
• Commo, Intel & Secur
• Info Tech
• Procurement
• Personnel & Org
• Major System Acq
• Comptroller & RM
• RDT&E
• Security Assist
• Support Svcs
FMFIA Over Financial Reporting
Appendix A
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
“My intent is to move beyond checking the block and conduct
detailed analysis and an honest assessment when providing
reasonable assurance that financial, operational, and administrative
controls are in place…….It is “no longer business as usual,” in terms
of allocation and spending for non mission essential
resources”…..I want you to remain proactive in the self-identification of
issues and self-reporting of internal control deficiencies…….to prevent
a problem before it occurs instead of after the mission has been
negatively impacted and reported by an “outside audit
agency”……It is imperative that we use candor in our
communications to ensure that the execution of management
decisions is based upon information our senior leadership need to
hear versus information that is perceived to be desirable to hear.”
Reactive or Proactive
Drawdown plan estimates for U.S. and more than a dozen other nations will shrink
the foreign military footprint in Afghanistan by 40,000 troops in total by close of
CY 2012
Identification and execution of plans prior to drawdown
will result in significant savings.
Approach:
Reactive: Continue “business as usual” or
Proactive: Pursue and enact policies prior to
planned draw down of personnel.
“Does it make sense?”
• Construction
• Leases
• Purchases – equipment/supplies
• Overtime
• Vehicles
• Projects
• “High personnel turnover/lack of continuity”
• “Reliance upon accurate property book with additional burden associated
with draw down”
• “Lack of trained personnel for contract surveillance towards “service” type
contracts”
• “Draw down of personnel and conflicting strategies in high tempo
environment”
• “Balance of requirements of completing assigned missions and evaluation
of internal controls,” and
• “Lack of contract oversight/contractors having duties that are inherently
governmental in functions.”
An Example - MICP Plan of Action
Overview of the FY 13 Managers’ Internal Control Program
• Components identify Assessable Unit Manager (AUM)
• Provide overview of MICP to AUM
• Inform of training, communication and documentation responsibilities with AUM and related
deliverables
• Identify functional areas, and command/control responsibilities
• Review Commander’s priorities and concerns regarding risk
• Obtain initial feedback of additional areas of risk that should be included in prioritization of
risk process.
• Provide functional areas and assessable unit managers assigned to each area
• Participate on monthly status calls with USFOR-A MICP Coordinator
o Two-way communications of alignment of risk from the Commander perspective and
risk identified by the Regional and Other Commands
o Review documentation and “next steps”
• Provide mitigation of risk with corrective actions as these issues are identified
• Provide assessment of risk for each functional area
• Prioritize risk for each functional area
• Provide “quick reaction” recommendations that may provide mitigation of risk to the Command due
to overall risk and/or systemic in nature
• Document processes/procedures and controls
• Determine for high and medium risk levels the evaluation of controls (do controls mitigate risk or do
they require remediation)
• Complete review of assessable units with recommendations for corrective actions
• Determine internal control deficiencies that are material
• Complete the USFOR-A Statement of Assurance
Milestone: 15 November 2012
• Assign Directorate Assessable Unit Coordinator (AUC)
• Contact USFOR-A MICP Coordinator to schedule MICP Introductory Training (one hour)
• Participate in monthly interface (i.e., telephone call and/or face-to-face) with USFOR-A MICP Coordinator
• Review organizational structure and identify assessable units (functional area)
• Assign staff person(s) responsibility for each assessable unit and sub function if required -- Assessable Unit Managers
(AUM)
• Have MICP Coordinator and each assessable unit manager sign “appointment letter”
• Complete computer-based MICP training (MICP Coordinator and Assessable Unit Managers)
• Request onsite coaching/training from USFOR-A MICP Coordinator
• Contact USFOR-A MICP Coordinator to schedule one hour MICP Training for Assessable Unit Managers (AUMs)
• Provide list of assessable units to USFOR-A Coordinator
• Provide MICP Coordinator and Assessable Unit Manager signed “appointment letters”
Milestone: 15 December 2012
• Identify and prioritize risk associated with each major process/procedure for each assessable unit
• Provide documentation/analysis of identified potential risk and recommendation for remediation (i.e., corrective
actions)
• Provide risk and remediation to MICP Coordinator (if “material” then brief through chain of command)
• Participate in an in-process review and monthly USFOR-A MICP VTC.
Need to Take Two Steps Back – In order To Take One Step Forward
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Function – Procurement/Acquisition
• Acquisition Planning
• Acquisition Methods
• Funding
• Competition
• Full and Open Competition
• Contract Types
Assessable Unit – Competition/ Sole Source
Process flow: Justification; Detailed Description (Yes/No); Approval By Contracting Officer
C: Justification provides a detailed description of why it is not possible or practical to obtain full and open
competition for the procurement/acquisition (to include only one responsible source, unusual and compelling
urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
R-1: Contracting Officer approves the justification but does not review or does not enforce the
requirements towards a detailed and complete explanation.
Statement of Assurance (SoA)
(per DoDI 5010.40, Managers’ Internal Control (MIC) Program Procedures)
Assessable Unit
An organizational subdivision of a DoD Component that must comply with the MIC Program. Note that Components:
Must segment into organizational assessable units
All parts of the DoD Component must be covered
Must maintain a current inventory of its assessable units
Control Deficiency
The design or operation of a control that does not allow the organization to prevent or detect misstatements on a timely basis
or to accomplish the mission objectives.
Financial Statement Reporting Entity (FSRE)
An entity assigned by either the Office of Management and Budget (OMB) or the DoD to produce and provide to
OUSD(Comptroller) stand alone, financial statements, both quarterly and annual.
Internal Controls
The organization, policies, and procedures that help program and financial managers achieve results and safeguard the
integrity of their program
Internal Control Assessment
A documented evaluation on the effectiveness and adequacy of the system [of internal controls] to meet the mission
objectives, implemented in a cost effective way.
Internal Control Assessment (Overall)
An assessment of the internal control effectiveness for the functions under the Federal Managers’ Financial Integrity Act
(FMFIA). The overall process includes all programs, activities, and operational areas [i.e., the Internal Control Reporting
Categories defined in DoDI 5010.40].
Internal Control Assessment (ICA) Internal Control Over Financial Reporting (ICOFR)
An assessment of the effectiveness of internal controls over financial reporting which closely follows the guidance in
Appendix A of OMB Circular A-123 and MIC Program Annual Guidance provided by OUSD(Comptroller).
Material Weakness (Overall)
A reportable condition that is significant enough to report to the next higher level. It is management’s judgment as to whether
a weakness is deemed material responsible for the area in question
Reasonable Assurance
An informed judgment by management as to the overall adequacy and effectiveness of internal controls based upon available
information that the systems of internal controls are operating as intended.
There are three possible assurance statements:
An unqualified statement of assurance is reasonable assurance with no material weaknesses reported. Each unqualified
SoA shall provide a firm basis for that position, which the PSA or Principal Deputy (the Director or Deputy Director for DoD
Field Activities) will summarize in the cover memorandum. Tab A contains a more extensive explanation of how the
assessment helped justify the reporting entity’s assertion of an unqualified statement.
A qualified statement of assurance is reasonable assurance with the exception of one or more material weakness(es)
noted. The cover memorandum must cite the material weaknesses in internal management controls that preclude an
unqualified statement. Tab B fully describes all weaknesses, the corrective actions being taken, and by whom, and the
projected dates of correction for each action.
A statement of no assurance is no reasonable assurance because no assessments were conducted or the noted material
weaknesses are pervasive. The reporting entity shall provide an extensive rationale for this position.
Reportable Condition (Overall)
A control deficiency (or combination of deficiencies) that in management’s judgment, should be communicated because they
represent significant weaknesses in the design or operation of internal controls that could adversely affect the organization’s
ability to meet its internal control objectives.
Reportable Condition (ICOFR)
A control deficiency (or combination of deficiencies) that adversely affects the entity’s ability to initiate, authorize, record,
process or report external financial data reliably according to generally accepted principles such that there is more than a
remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than
inconsequential will not be prevented or detected.
Risk
The possibility an event will adversely affect the achievement of internal control objectives and result in the loss of
Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or
mismanagement.
Systemic Weakness
A weakness that materially affects internal controls across organizational and program lines, and usually affects more than
one DoD Component.
Note: A systemic weakness is determined by the PSA with functional responsibility for the area in question