Managers’ Internal Control (MIC) Program:
Applications and Best Practices for
Government Organizations
April 4, 2014
Value of Internal Control
Internal Controls Defined
DoD IG Audit Examples
MICP Guidance & Policy
Statement of Assurance
AU Development
Risk Identification
Risk Mitigation
Testing Controls
Corrective Action Plans
Program Myths & Facts
Internal Control Red Flags
DoD Report Analysis
Successful Program Components
Today’s Goal…Simplify Internal Controls
Value of Internal Control
Promotes a proactive approach to
preventing issues and mitigating risk
 Evaluates all organizational aspects,
not just financial
 Results of the Program can be used to
assess, analyze, and improve
operations and processes across the
Department, Command, and Agency
 Encourages communication to share
lessons learned and accomplishments
Internal Controls Defined
Internal Controls as defined by OMB A-123 are organizational
policies, procedures, and tools to help managers achieve
results and safeguard the integrity of their programs
 Internal Control is a process that provides reasonable
assurance that:
Programs, functions and processes are achieving their intended results;
— Programs and resources are protected from waste, fraud, abuse, and
mismanagement; &
— Laws and regulations are being followed
Internal Control activities are being performed every day within
the workplace
“Internal Control provides reasonable, not absolute assurance
that areas and processes are operating as intended.”
DoD IG Semi-Annual Report to Congress
(1 April – 30 September 2013)
Contracting: Cost-Reimbursable Contracting – More than 65% of 161
contracts reviewed (valued at appx. $10.5B) did not comply with
interim cost-reimbursable rules
Joint Warfighting: May be operating an underused aircraft in excess of
required Operational Support Airlift aircraft inventory; officials did not
comply with federal and DoD guidance when justifying the cost of
using the aircraft
Cyber/Security: Commercial Access Control System did not effectively
mitigate contractor access and allowed 52 convicted felons to access
Equipping and Training Afghan Security Forces: Contractor did not
deliver products within contract timelines for 29 of 36 actions, which
caused a lack of communications capability and excess costs
MICP Guidance and Policy
Agencies submit an annual
Statement of Assurance that
reports accomplishments,
weaknesses, and provides a
qualification statement on the
strength of Internal Controls.
Agency Guidance
Army: Regulation 11-2; MICP
Air Force: Policy Directive 65-2
Navy: SECNAV M-5200.5
Marine Corps: MCO 5200.24d
DoD Instruction 5010.40,
Managers’ Internal Control
Program Procedures
GAO Standards for Internal Control
OMB A-123
Federal Managers Financial Integrity Act of 1982
Statement of Assurance (SOA)
SOA Elements
(for each Assessable Unit)
Risk Mitigation/Controls
Control Testing
Corrective Action Plans
Assessable Units/Functions
AU’s/Functions have a defined purpose that aid in the
accomplishment of the organization's mission – not just those
that are financial in nature
Designed to provide a reasonable span of control to conduct
management reviews
 Must have clear limits or boundaries, and be responsible to a specific
 Small enough to provide reasonable assurance of adequate controls but
large enough that a detected weakness has the potential to impact the
mission (organizational or departmental)
AU’s are managed at the lowest possible level, as local
management is most familiar with operations and can quickly
isolate and resolve issues when they arise
AU Decision Methodology Process
Some Higher Headquarters determine AU’s, while others are
determined at the local Command level
If no direct guidance is provided; review organizational structure,
past inspections and audits, and ‘new’ programs in place
Can performance of this function cause fraud, waste, abuse, or
Does the function have metrics or impact the Command mission?
Does the function offer a reasonable span of control?
Does the function provide clear limits and boundaries?
Using a Functional Risk Assessment can identify potential
sources of risk
Functional Risk Assessment
Name of Function:
Date of Assessment:
Functional Question
1. Is the Function manager assigned
in writing?
2. What emphasis of Internal Control
is used for this function?
3. Where is program administered?
4. What type of written
procedures/policy governs function?
5. What goals, objectives and
measurements are associated with
6. How strong are the checks and
balances of the function?
7. Are adequate personnel and
resources assigned to the function?
8. How prevalent is automation
within the function?
9. How stable/old is the function?
10. What is the external impact if the
function does not work as designed?
11. How frequent are errors or
irregularities identified?
12. How accurate are the
reports/deliverables of the function?
13. Can the function/resources be
convertible to assets?
14. When was the last audit on the
High Risk: Strongly Recommend AU be Developed
Medium Risk: Recommend AU be Developed
Low Risk: Do Not Recommend AU be Developed
High (3 points)
Minor emphasis of control
and/or oversight
Third Party/ Contractor
Little to no guidance;
significant discretion
No goals, objectives, or
measurements associated with
Lacking and/or severely
Insufficient personnel or
resources assigned
Little automation; manually
driven process
New, major change or
expiring (within 2 years)
High sensitivity and/or
significant impact
Routinely; most findings and
errors not fully resolved
Usually inadequate or late
Can be directly convertible to
More than 2 years
Medium (2 points)
Yes, but alternate not identified
in writing
Average emphasis of control
and/or oversight
Flexible guidance with
discretion allowed at the local level
Goals, objectives, or
measurements associated are used
informally or with little follow up
Need improvement
Adequate personnel and
resources, but training or education
is required
Some automation and manually
Some changes to function over
Medium sensitivity and/or
moderate impact
Most significant findings and
errors fully corrected within
reasonable time
Sometimes inaccurate,
incomplete and/or late
Converted to assets other than
Between 9 and 24 months
26 or more Points
19-25 Points
Less than 18 Points
Low (1 point)
Yes, with alternate
identified in writing
High emphasis of control
and/or oversight
DoN/USMC only
Specific guidance with
little to no discretion
Goals, objectives, or
measurements are formally
established and monitored
Adequate personnel and
Full automation
Stable with minor or no
changes to function
Low sensitivity and/or
low impact
No irregularities or
significant errors found within
18 months; minor errors
resolved quickly
Accurate and Timely
Not convertible
Less than 9 months
AU Risk Evaluation
AU’s should have on average 2-4 risks
Good business practice to incorporate an AU risk that has a
goal, objective, or metric associated with it
Evaluate the Risk
Inherent Risk – what is the probability of risk without any
controls in place?
Control Risk – how risky is the AU with current processes and
procedures in place?
Combined Risk – how risky is the AU after all mitigation factors
are considered (i.e. what hasn’t been considered and could go
AU Risk Mitigation
Each Risk traditionally has multiple mitigation tools in
place to prevent/minimize the risk from occurring. These
can include, but are not limited to:
Policies, guidance, processes, procedures
Delegation of Authority Letters
Templates, checklists
Audits, inspections
Mitigation approaches must be in use today
Each mitigating factor is a control and can be tested
Testing Controls
Management evaluates and tests AU controls via unscheduled
assessments to validate controls are working as designed as part of
the Certification Statement
Agencies and Commands vary in testing frequency; some test all AU’s
(at least one control) annually; others only every 3-5 years
Testing controls often includes:
Type of Test: Observation, Inspection, Document Analysis, Transaction
Testing, Re-performing task, Interview
— Control Type: Automated or Manual
— Frequency of Test: Daily, Weekly, Monthly, Quarterly, Annually
— Results of Test
If tests do not produce intended results, a Corrective Action Plan
should be developed to track weakness through resolution
Corrective Action Plans
Used when a Control Test does not produce desired results
Weakness must be classified
Item to be Revisited: traditionally a “low” risk weakness; can be resolved
easily at local Manager level
— Reportable Condition: a “medium” risk weakness; may be a result of one
or a combination of deficiencies that hinder ability to meet
requirements. These weaknesses are traditionally identified to
Department Managers
— Material Weakness: a “high/serious” risk weakness; traditionally
reported up to higher management levels
Material Weaknesses are reported in the Command SOA
Corrective Action Plans should report the description of finding and
POA&M for resolution
Once resolved; control is to be tested again to confirm correction has
been made
Accomplishments are just that: things that have been
done well in the past year
Encourage each AU to find one reportable
accomplishment during the year
Employee Recognitions
— News Articles
— Cost Savings/Avoidance Approaches
— Result of a Corrected Weakness
Include description of accomplishment; what
improvement(s) resulted; current and future impact(s),
Program Myths & Facts
Internal control starts with a strong set of
policies and procedures.
Internal control starts with a strong control
Internal control - that’s why we have
internal auditors.
Management is the owner of the internal
control program.
Internal control is a finance thing. We do
what the Comptroller’s office tells us to do.
Internal control is integral to every aspect of
the business.
Internal Controls are just an annual paper
Internal Controls are reported annually for
evaluation, but the program operates daily.
With downsizing and empowerment, we
have to give up a certain amount of control.
With downsizing and empowerment, we
need different forms of control.
Internal controls are a necessary evil. They
take time away from our core activities, i,e,
serving customers, making products, etc.
Internal controls should be built into, not
onto, business processes.
If controls are strong enough, we can be
sure there will be no fraud, and financial
statements will be accurate.
Internal controls provide reasonable, but
not absolute, assurance that the
organization’s objectives will be achieved.
“Red Flags” in Internal Control
Discrepancies between actual performance and anticipated
Lack of data integrity/protection
Receipts not matching deposits
Disbursements to unknown/unapproved vendors
One signature on checks or pre-signed blank checks
Gaps in receipt or check numbers
Ignoring training requirements
Chronic late, inconsistent, or incorrect reporting
Disregard for internal control policies and procedures
DoD IG Semiannual Report Analysis
Audit issued 56 reports with 412 recommendations
 7 reports that addressed Joint Warfighting, Readiness in
Intelligence Enterprise, and issues in the security and
nuclear enterprises
 Investigations were the basis for 111 arrests, 175
criminal charges, as well as $619.8 million returned to
the government
 Issued 83 reports identifying $23.5 B in questionable
monetary benefits, and achieved an additional $2.2 billion
in financial savings based on completion of corrective
Internal Control Program Lessons Learned
Senior Leadership and organizational communication is key to
program success
Typically little to no consistency across departments or enterprise
— Management feels program is merely a paper drill
Keep management informed and trained
Negative connotation of IG inspections prevent management
from reporting issues
Lack of management training in IC Program results in little to no
reporting of issues when initially identified
IG Audits are there to protect the stakeholders; Internal Controls is a
proactive approach to preventing issues
Sound program implementation results in better overall
organizational efficiencies
Successful Internal Control Program Components
Internal Control methodologies are embedded in daily
Proactive relationship between Leadership & Management
Standardized processes, templates & reports
Offer localized training in addition to mandated courses
Regular meetings/reporting with Management
Quarterly follow up on Weaknesses
Coordinate program approach with IG as applicable; include IG
Audit areas of concern within program
Decrease use of paper via a web-based/SharePoint application
for data collection and reporting
An Effective Internal Control Program can Prevent…
Inadequate process documentation
 Service payments not made within established timelines
and policies
 Improper expenditure reporting
 Program management of noncompliance and reporting
 Incomplete records and authorizations
 Incomplete contract payment reconciliations
 Incomplete employee certification validation
 Fraud, Waste, Abuse and Mismanagement
Internal Controls provide reasonable assurance, not absolute
 Management sets the tone at the top
 Most issues originate from outdated or lacking processes
and policies
 Using past IG Audits and Functional Risk Assessments can
help identify where issues are most likely to occur
 IC Programs are designed to detect issues during daily
business operations
“Internal controls can’t prevent every error but can
reduce the probability of occurrence.”

similar documents