EDFMTC Module 1 Participant Guide PDF
Summary
This participant guide provides an overview of Enterprise Risk Management (ERM) and internal controls within the Department of Defense (DoD). It explores the principles of ERM and internal controls, focusing on management's responsibility in mitigating risks and ensuring the success of operations. It also details relevant policies, regulations, and guidance, such as OMB Circular A-123.
Full Transcript
PARTICIPANT GUIDE
EDFMTC Module 1: Resource Management Environment
Management’s Responsibility for Enterprise Risk Management and Internal Control

MODULE 3 | MANAGEMENT’S RESPONSIBILITY FOR ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL

Module Objective
Explore the principles of Enterprise Risk Management (ERM) and internal controls in mitigating risks within the DoD

Effective management of risks and internal controls is essential for ensuring the success of any organization, including the Department of Defense (DoD). To achieve this goal, the DoD has established a framework that provides guidance on Enterprise Risk Management (ERM) and internal control. This module will cover the responsibilities of management in implementing ERM and internal control in the DoD. It will also provide an overview of the guidance and guidelines that management should follow to ensure effective implementation. You will cover key topics such as identifying and assessing risks, designing and implementing internal controls, monitoring and reporting on risks and internal controls, and addressing deficiencies in risk management and internal control processes.

By the end of this module, you will better understand the critical role management plays in managing risks and internal controls in the DoD. You will also be familiar with the guidance and guidelines that govern the implementation of ERM and internal control in the organization.

Lessons
1. Overview of ERM and IC
2. Internal Control Guidelines

© Management Concepts. See inside front cover for additional details.
LESSON 1 | OVERVIEW OF ERM AND IC

Lesson Objectives
After completing this lesson, you will be able to:
3.1.1 Identify the components of ERM, including risk identification, assessment, mitigation, and monitoring
3.1.2 Describe the attributes of effective internal control, including control environment, risk assessment, control activities, information and communication, and monitoring activities
3.1.3 Understand OMB requirements for implementing ERM in federal agencies

This lesson introduces the concepts of Enterprise Risk Management and internal control in the DoD. You will review the key policies, regulations, and guidance documents that govern ERM and IC in the DoD. This will give you a foundation for understanding the specific requirements and expectations of the DoD in managing risks and internal controls.

1.1 ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK
Enterprise risk management (ERM) and internal control (IC) are components of a governance framework. ERM as a discipline deals with identifying, assessing, and managing risks. Through adequate risk management, agencies can concentrate efforts toward key points of failure and reduce or eliminate the potential for disruptive events. Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.

Over the years, government operations have changed dramatically, becoming increasingly complex and driven by changes in technology. At the same time, resources are limited and stakeholders expect greater program integrity, efficiency, and transparency of government operations.
Federal leaders and managers are responsible for:
- Establishing and achieving goals and objectives
- Seizing opportunities to improve effectiveness and efficiency of operations
- Providing reliable reporting
- Maintaining compliance with relevant laws and regulations
- Implementing management practices that effectively identify, assess, respond to, and report on risks

Risks arise from a variety of external and internal environments. Examples include economic, operational, and organizational change factors, all of which would negatively impact an agency’s ability to meet goals and objectives if not resolved.

THE ERM AND IC FRAMEWORK
Federal leaders and managers achieve these aims through a governance structure defined through a variety of sources, including laws enacted by Congress and numerous executive directives and agency policies. Most relevant to this discussion, the federal government’s core governance processes are defined by Office of Management and Budget (OMB) budget guidance:
- OMB Circular A-11 defines the process by which the executive branch develops and executes strategic plans, prepares and submits the President’s Budget request, assembles Congressional Budget Justifications, conducts performance reviews, and issues Annual Performance Plans and Annual Performance Reports
- OMB Circular A-123 provides guidance to federal managers on improving the accountability and effectiveness of federal programs and operations by identifying and managing risks, and establishes requirements to assess, correct, and report on the effectiveness of internal controls

The Federal Managers' Financial Integrity Act (FMFIA) of 1982 and OMB Circular A-123 are at the center of requirements to improve accountability in federal government programs and operations.
In July 2016, OMB revised and expanded Circular A-123 to incorporate guidance on ERM and retitled it Management’s Responsibility for Enterprise Risk Management and Internal Control. The update was based on the need to emphasize the importance of federal agencies having appropriate risk management processes and systems in place to identify challenges early, to bring them to the attention of agency leadership, and to develop solutions. In the updated circular, OMB further highlighted the need for federal agencies to effectively manage the risks they face toward achieving their strategic objectives and arising from their activities and operations. The expanded responsibilities in Circular A-123 reinforce the purposes of the FMFIA and the Government Performance and Results Act Modernization Act (GPRAMA), and also support improving the efficiency and effectiveness of the government.

The policy changes in the July 2016 update of Circular A-123 modernized existing agency management efforts by requiring implementation in fiscal year (FY) 2017 of an ERM capability, coordinated with the strategic planning and strategic review process established by GPRAMA and the internal control processes required by FMFIA and the Government Accountability Office (GAO) Standards for Internal Control in the Federal Government (the Green Book). The integrated governance structure helped improve mission delivery, reduce costs, and focus corrective actions toward key risks.

Successful implementation of the July 2016 updated circular requires agencies to establish and foster an open, transparent culture that encourages people to communicate information about potential risks and other concerns with their superiors without fear of retaliation or blame.
Management must consistently apply internal control standards to meet the internal control principles and related components outlined in the circular, and to assess and report on internal control effectiveness at least annually. Risk management practices must be taken into account when designing internal controls and assessing their effectiveness. Also, annually, agencies must develop a risk profile coordinated with their annual strategic reviews and provide assurances on internal control effectiveness in their Agency Financial Report (AFR) or Performance and Accountability Report (PAR).

Similarly, agency managers, Inspectors General (IGs), and other auditors should establish a new set of parameters encouraging the free flow of information about agency risk points and corrective measure adoption. An open and transparent culture results in the earlier identification of risk, allowing the opportunity to develop a collaborative response, ultimately leading to a more resilient government.

Portions of OMB Circular A-123 have been modified by OMB memorandum M-17-26, Reducing Burden for Federal Agencies by Rescinding and Modifying OMB Memoranda, issued June 15, 2017 (refer to this memorandum for more information).

Refer to Website
To review the full circular, visit: https://www.whitehouse.gov/omb/information-for-agencies/circulars/

1.1.1 Relationship between Enterprise Risk Management and Internal Control Guidance

RELATIONSHIP BETWEEN ERM AND IC
Enterprise Risk Management and internal control are components of an agency’s or organization’s governance framework.
Leading international standards setters in the fields of risk management and internal control, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO), incorporate internal control as part of the larger risk management process. ERM is viewed as a part of the overall governance process, and internal control as an integral part of enterprise risk management. ERM involves a portfolio view of risk—consideration of all areas of organizational exposure to risk, such as financial, information technology, acquisitions, human capital, organizational performance, and reputation risk—thus increasing an agency’s chances of experiencing fewer unanticipated outcomes and executing a better assessment of risk associated with changes in the environment.

Refer to Digital Guide
Review the learning point Chaos to Control in the Digital Guide.

1.1.2 Enterprise Risk Management and Internal Control Guidance
The Federal Managers’ Financial Integrity Act of 1982 (FMFIA), codified in Title 31 of the United States Code (U.S.C.), section 3512, established the legal framework for internal control in the federal government. The law requires ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control of each executive agency.

OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, implemented the FMFIA within the executive branch. First issued as Internal Control Systems in 1981, the circular was later retitled Management’s Responsibility for Internal Control. As previously noted, the July 2016 update included another title change.
The circular provides guidance to federal managers on establishing an enterprise risk management capability and on improving the accountability and effectiveness of federal programs and operations by establishing, assessing, correcting, and reporting on internal control.

The FMFIA required the Government Accountability Office (then known as the General Accounting Office) to establish internal control standards for the federal government. The current (September 2014) edition of the Green Book includes standards, principles, and attributes that provide the overall framework for establishing and maintaining internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. These standards, principles, and attributes are the criteria that management should apply when establishing internal control within their respective agencies.

The DoD established DoD Instruction (DODI) 5010.40, Managers’ Internal Control Program Procedures, to implement the FMFIA and OMB Circular A-123 within the Department of Defense. The instruction provides guidance for DoD management to apply in reviewing, assessing, and reporting on the effectiveness of internal controls within their respective organizations.

1.1.3 Federal Managers’ Financial Integrity Act of 1982
The FMFIA amended the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control of each executive agency.
Specifically, its provisions require each executive agency to provide reasonable assurances that:
- Obligations and costs are in compliance with applicable law
- Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation
- Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets

Section 2 of the FMFIA requires that the head of each executive agency annually submit to the president and Congress:
- A statement on whether there is reasonable assurance that the agency’s controls are achieving their intended objectives
- A report on material weaknesses in the agency’s controls

1.1.4 Structure of OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control
OMB Circular A-123 includes seven sections:
I. Introduction.
II. Defines management’s responsibilities for ERM and includes requirements for identifying and managing risks. It encourages agencies to establish a Risk Management Council (RMC), develop risk profiles that identify risks arising from mission and mission-support operations, and consider those risks as part of the annual strategic review process. It complements section 270 of OMB Circular A-11, which discusses agency responsibilities for identifying and managing strategic and programmatic risk as part of agency strategic planning, performance management, and performance reporting practices. Together, these two circulars constitute the ERM policy framework for the federal government.
III. Provides guidance for establishing internal controls for risks identified by management that require a formal system of internal control to provide reasonable assurance that objectives are achieved.
IV. Discusses management’s responsibility to continuously monitor, assess, and improve the effectiveness of internal controls. Also discusses documentation requirements, possible sources of information for use in the assessment of internal controls, identification of deficiencies, and the internal control evaluation approach.
V. Provides guidance on correcting internal control deficiencies, corrective action plan requirements, and audit follow-up and resolution initiatives. An agency’s corrective action process provides the ability for management to develop a plan for addressing the risk associated with a control deficiency. An agency’s ability to correct control deficiencies is an indicator of the strength of its internal control environment.
VI. Provides guidance on annual assurance statements and reporting requirements in accordance with 31 U.S.C. 3512 (which allows for a single assurance statement), government corporations, and classified matters. It also provides definitions for a control deficiency, a significant deficiency, and a material weakness.
VII. Discusses additional considerations such as managing privacy risks, conducting acquisition assessments, managing risk to grants, and managing Antideficiency Act risks.

The circular also includes Appendices A–D, which cover managing reporting and data integrity risk, managing the risk framework of government charge card programs, estimation and remediation of improper payments, and managing financial systems risk and compliance.

1.2 DEFINITION OF ERM
According to OMB Circular A-123:[1]

ERM is an effective Agency-wide approach to addressing the full spectrum of the organization’s external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize resource allocations to ensure successful mission delivery.

Discussion
What are some common types of risks that organizations can face? How have you used or experienced ERM at your organization?

[1] OMB 2016

1.2.1 Value of ERM
Establishing ERM capability is necessary to:
- Integrate risk management and strategy
- Identify and mitigate risk associated with achievement of strategic goals, objectives, and initiatives
- Change organizational culture
- Better manage change
- Better identify and take advantage of opportunities
- Add value, enhance agency mission accomplishment, and maximize effectiveness

Also, once established, an ERM program should:
- Help bring clarity to managing uncertainty
- Facilitate continual improvement
- Be tailored to the needs of the agency and take human and cultural factors into account
- Build upon and unite existing risk management processes, systems, and activities
- Be systematic, structured, and timely as well as dynamic, interactive, and responsive to change
- Be based on the best available information
- Be responsive to the evolving risk profile of the agency
- Be fully integrated into agency decision making processes, with active leadership support and engagement (i.e., setting the tone at the top)

1.2.2 Major Types of Risk
Inherent risk, people risk, and control risk are three major types of risk that organizations need to consider when implementing an effective risk management strategy.

THREE TYPES OF RISK

1.2.2.1 Inherent Risks
Inherent risks are those that exist simply due to the nature and characteristics of a mission, type of program, or activity. They are simply there and cannot be changed or removed, so they must be managed.
Inherent risk is often analyzed in the context of an assessable unit (AU), which is a major program, administrative activity, organization, or functional subdivision of an agency. The division of an organization into AUs is designed to represent the appropriate division of responsibilities and size to permit the effective evaluation of systems of internal control. Every element of an organization must be in an AU.

When analyzing the inherent risk of an AU, it is important to remember:
- The presence of inherent risk does not reflect badly on the manager
- An underestimation of risk does reflect badly on the manager

The internal control process is a collegial effort to make your agency as good as it can be. Managers accomplish this by identifying their risks and managing them. This is not a punitive process. Managers overcome their identified risks by designing and putting controls in place. Managers are accountable for these actions. To diagnose the inherent risk, the manager must take into consideration what the unit is expected to accomplish considering quality and cost.

Example: Inherent Risks
Inherent risks can include:
- Characteristics of a program
- Responsibility for sensitive assets
- Age and life expectancy of equipment
- Degree of centralization and/or contractor support
- Special concerns—environmental, political, etc.
- Complexity—the greater the complexity, the greater the risk
- Classified material

1.2.2.2 People Risks
While all the reasons should be considered in any internal control review (ICR), integrity and personal gain issues deserve special consideration because of the potential losses they can cause.

Tip
An organization may face risks from internal or external sources—or both.

People risks can occur because of integrity issues such as people's improper acts, which are designed to beat the system.
In other words, they enrich themselves at the taxpayers' expense. People risk would also include fraud risk.

Example: People Risks
People risks can include:
- Bribes and kickbacks
- Inappropriate contracting
- Improper certification
- Thefts
- Conflicts of interest
- Improper payments
- Lack of training
- Poor management decisions

1.2.2.3 Control Risks
Control risks are those that involve the characteristics and quality of the internal controls themselves. Generally speaking, there are risks that the controls may not be doing what they are supposed to do, creating vulnerabilities. If they are working, is there residual risk sufficiently significant to warrant additional controls?

Some control risks come from the very size and complexity of the federal government. For instance, think of the multiple missions and programs of the Department of Homeland Security or of the numerous laws and rules governing the use of funds. Risks also come from a fast-changing world, such as changes in technology. All agencies and most programs and organization units undergo some change over the span of a year.

Poll
An office that processes grant applications has just had new software installed to make processing more efficient.
o Inherent
o People
o Control

Poll
The inspector general (IG) reported that contracting officers have been using the wrong type of contract.
o Inherent
o People
o Control

Poll
There is disagreement over who should authorize procurements (the policies do not reflect newly created positions).
o Inherent
o People
o Control

Poll
DoD makes more than one billion payments per year.
o Inherent
o People
o Control

1.2.3 ERM Model

ENTERPRISE RISK MANAGEMENT MODEL

OMB Circular A-123 includes an ERM model with seven phases:[2]
1. Establish the context. Understand and articulate the internal and external environments of the organization.
2. Initial risk identification. Use a structured and systematic approach to recognize where the potential for undesired outcomes or opportunities can arise.
3. Analyze and evaluate risks. Consider the causes, sources, probability of the risk occurring, and potential positive or negative outcomes, then prioritize the results of the analysis.
4. Develop alternatives. Systematically identify and assess a range of risk response options guided by risk appetite.
5. Respond to risks. Make decisions about the best option(s) among a number of alternatives, then prepare and execute the selected response strategy.
6. Monitor and review. Evaluate and monitor performance to determine whether the implemented risk management options achieved the stated goals and objectives.
7. Continuous risk identification. An iterative process, occurring throughout the year, that includes surveillance of leading indicators of future risk from internal and external environments.

1.2.4 Risk Profile
OMB Circular A-123 requires each agency to develop a risk profile. Additional guidance concerning the content and development of a risk profile is provided in the Playbook: Enterprise Risk Management for the U.S. Federal Government (the ERM Playbook), published by the Chief Financial Officers Council and the Performance Improvement Council. The primary purpose of a risk profile is to provide a thoughtful analysis of the risks an agency faces toward achieving its strategic objectives and arising from its activities and operations. The risk profile assists in determining the aggregate level and types of risk that the agency and its management are willing to assume to achieve its strategic objectives.
The risk profile is a prioritized inventory of the most significant risks identified and assessed through the risk assessment process, as opposed to a risk register's complete inventory of risks.

Steps to Creating a Risk Profile
When developing a risk profile, or a listing and assessment of the agency’s top risks, an agency will want to ask questions at each step to tailor the risk profile to its circumstances. Appendix D of the ERM Playbook provides a list of questions agencies may consider as part of developing a risk profile. The answers to these questions will enable agencies to identify the most significant risks, assess those risks, and determine appropriate response strategies.

There is no single best way to document an agency’s risk profile, and agencies have discretion in terms of the appropriate content and format for their risk profiles. However, Circular A-123 calls for agencies to include seven components:
- Identification of objectives
- Identification of risk
- Inherent risk assessment
- Current risk response
- Residual risk assessment
- Proposed risk response
- Proposed action category

Although it is logical that these seven components will often be involved in risk analysis at all levels of an agency, they only need to be documented for the major risks at the overall agency level. The ERM Playbook provides explanations of the content involved in each step of creation of the risk profile.

[2] OMB 2016

Refer to Resource
Handout: Creating a Risk Profile

1.3 WHAT ARE INTERNAL CONTROLS?
Recall that the Green Book defines internal control as "a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity are achieved."[3] These objectives and related risks can be broadly classified into one or more of the following categories:
- Operations. Effectiveness and efficiency of operations.
- Reporting. Reliability of reporting for internal and external use.
- Compliance. Compliance with applicable laws and regulations.

Safeguarding all assets is a subset of the categories of objectives. Management designs an internal control system to provide reasonable assurance regarding the prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an entity’s assets.

A number of laws and regulations over the past several decades have mandated various systems of internal control. Individually and collectively, they have strengthened the government’s management and control over its programs and activities.

[3] GAO 2014

TIMELINE OF INTERNAL CONTROL MANDATES

One of the key requirements for effectively managing operations and meeting the intent of effective internal controls is having accurate, timely financial information. The Federal Financial Management Improvement Act (FFMIA) of 1996 recognized that many of the financial systems were not standardized, were not able to meet audit requirements, and were not able to communicate across systems. The FFMIA is intended to ensure that federal financial systems provide reliable, consistent, and uniform disclosure of financial data by adhering to accounting standards. The act mandates that the 24 CFO Act agencies implement and maintain financial management systems that substantially comply with:
- Federal financial management systems requirements
- Federal accounting standards
- The U.S. Government Standard General Ledger (USSGL) at the transaction level

Internal controls are essential for supporting the effectiveness and integrity of every process step, providing feedback to management. These controls consist of rules, procedures, techniques, and devices used by managers to ensure that daily operations align with expectations. According to OMB Circular A-123, internal controls should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing, supporting the effectiveness and integrity of each process step while providing continual feedback to management.

1.3.1 Types of Controls
Controls can be characterized according to their purpose:
- Preventative. These controls are designed to prevent undesirable events from happening.
- Detective. These controls are designed to identify if other controls have failed.

Controls are required for effective and efficient management of programs and activities of all types, not just financial management, as some may believe.

Internal controls are all the things organizations do to ensure what is supposed to happen does and what should not happen does not.

The activities of federal government agencies are dynamic, so an internal control monitoring policy must be directed at both internal and external risks to which the organization may be exposed.

1.3.1.1 Government Accountability Office Definition
According to OMB Circular A-123 and the Green Book, internal control in the broadest sense includes the plan of organization, methods, and procedures adopted by management to meet its goals. Internal control includes processes for planning, organizing, directing, controlling, and reporting on agency operations.
Internal control aims to better achieve the objectives of any given entity.

Refer to Websites
To access OMB Circular A-123, visit: https://www.whitehouse.gov/omb/information-for-agencies/circulars/
To access the GAO Standards for Internal Control in the Federal Government (the Green Book), visit: https://www.gao.gov/products/GAO-14-704G

Internal control is a major part of managing an organization. It supports performance-based management and serves as the first line of defense in safeguarding assets. Internal control ultimately helps managers achieve desired results through effective stewardship of public resources.

Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.

1.3.1.2 Internal Controls vs. Management Controls
OMB and GAO broadly define internal controls as covering all aspects of an organization’s management. The term management controls may be used to emphasize management's responsibility for controls. The two terms are interchangeable, but the preferred term is internal controls. Regardless of what controls are called, management is responsible for them—from their inception to their application and review—and for the results that are supposed to be achieved.

Refer to Digital Guide
Review the video AMPA's ERM and IC Strategy and the handout Gold Star ERM and IC Strategy. Be prepared to discuss with your class.
LESSON 2
INTERNAL CONTROL GUIDELINES

Lesson Objectives
After completing this lesson, you will be able to:
3.2.1 Explain the role of internal control standards and guidelines in ensuring accountability and transparency in government operations
3.2.2 Describe internal control standards, techniques, and documentation in DoD’s internal control program

Internal controls are a crucial aspect of any organization’s operations; they help ensure that resources are used effectively and that the organization’s objectives are achieved. In this lesson, we will explore the concept of internal controls and how they can be implemented effectively in an organization.

Internal controls are the processes, procedures, and systems an organization puts in place to ensure that its assets are safeguarded, that its financial information is accurate and reliable, and that its operations are conducted in compliance with laws and regulations. Effective internal controls help to minimize the risk of fraud, error, and noncompliance, and they provide a framework for ensuring that the organization’s goals are met efficiently and effectively.

2.1 AN EFFECTIVE INTERNAL CONTROL PROCESS

To accomplish the objectives of the FMFIA, also known as the Integrity Act, agency management must establish an effective process to ensure the act’s requirements are met. While OMB does not spell out a specific assessment process for agencies to use, a similar process has been used by various agencies since 1982.

[Figure: Process for Internal Control]

Refer to Digital Guide
Review the video Internal Control Process and prepare to discuss with your class.
Agencies carry out the Integrity Act through overarching programs, which vary in several ways:
• Person responsible for responding to the act (usually at a high level in the agency)
• Name and make-up of a high-level council or committee to oversee the program and help the agency head determine weaknesses to report
• Roles and responsibilities of program administrators, managers, and coordinators at various levels of assessment and reporting
• Types and degrees of assessments carried out

Although these variations are not significant in terms of responding to the basic requirements of the law, they can reflect the control culture of an organization and have an impact on the level of accountability that exists. The stakes are high for a federal agency or program when waste, fraud, or mission failure occur, so agency management must ensure that broad and deep coverage is provided through implementation of its internal control program. Comprehensive assessments of internal control, including risk assessments, will help ensure that problems are kept to a minimum.

2.2 OMB CIRCULAR A-123 INTERNAL CONTROL REQUIREMENTS

OMB prescribed certain internal control requirements related to operations, financial reporting, information systems, and organizations that provide cross-servicing support to agencies. Circular A-123 emphasizes that internal control guarantees neither the success of agency programs nor the absence of waste, fraud, and mismanagement; it is a means of managing the risk associated with federal programs and operations.
It requires agencies and individual federal managers to:
• Define the control environment (e.g., programs, operations, or financial reporting)
• Communicate the objectives of internal control to the organization
• Ensure the organization is committed to sustaining an effective internal control environment
• Perform risk assessments to identify the most significant areas within that environment in which to place or enhance internal control
• Develop and implement cost-effective internal control activities to address risks
• Continuously monitor and test control activities to identify poorly designed or ineffective controls
• Redesign or improve weak control activities
• Report annually on findings of internal control

Reports submitted under FMFIA must include a statement on the conformance of the respective agency’s accounting system with standards prescribed by the Federal Accounting Standards Advisory Board.

[Figure: Foundations for Federal ERM]

2.2.1 Internal Control over Operations

Management is responsible at all levels for ensuring controls over agency operations or activities are sufficient to ensure efficient and effective achievement of organization goals and objectives with minimum risk. Assessment of the effectiveness of controls over operations is one of the key components (in addition to assessment of controls over financial reporting and information systems) that enables an agency head to render the annual statement of assurance required by the FMFIA. Effective control over operations also enables compliance with laws and regulations.

2.2.2 Internal Control over Reporting (ICOR)

Tip
The current title for this process is internal control over reporting (ICOR); it was previously internal control over financial reporting (ICOFR). If you plan to take the CDFM exam, you may be responsible for knowing and using the older title.
Circular A-123 also addresses ICOFR, a process designed to provide reasonable assurance regarding the reliability of financial reporting. Reliability of financial reporting means that management can reasonably make the following assertions:
• All reported transactions actually occurred during the reporting period and all assets and liabilities exist as of the reporting date (existence and occurrence)
• All assets, liabilities, and transactions that should be reported have been included and no unauthorized transactions or balances are included (completeness)
• All assets are legally owned by the agency and all liabilities are legal obligations of the agency (rights and obligations)
• All assets and liabilities have been properly valued, and where applicable, all costs have been properly allocated (valuation)
• The financial report is presented in the proper form and any required disclosures are present (presentation and disclosure)
• The transactions are in compliance with applicable laws and regulations (compliance)
• All assets have been safeguarded against fraud and abuse
• Documentation for internal control, all transactions, and other significant events is readily available for examination

OMB Circular A-123, Appendix A was updated in 2018. Prior to this update, Appendix A was prescriptive and rigorous in what agencies had to implement to provide reasonable assurance over ICOFR. The update balances that rigor by giving agencies the flexibility to decide which control activities are necessary to achieve reasonable assurance over the internal controls and processes that support the overall quality of data contained in agency reports. This change aligns Appendix A, in part, with the 2014 update to the GAO Green Book by expanding the scope from ICOFR to include ICOR.
It provides a methodology for agency management to assess, document, and report on ICOR and requires agencies to consider ICOR in addition to other controls in their existing annual assurance statements. The overall relationship among the subcategories of reporting objectives can be described as:
• Internal financial and nonfinancial reporting objectives
• External financial and nonfinancial reporting objectives

2.2.3 Internal Control over Financial Systems (ICOFS)

Defense financial managers need to be aware of internal control over information systems, especially as it relates to the management and use of financial systems. The Federal Information System Controls Audit Manual (FISCAM), originally issued by GAO in January 1999, presents a methodology for performing information system control audits of federal and other governmental entities in accordance with professional standards. FISCAM:
• Is a top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures
• Includes narrative that is designed to provide a basic understanding of the methodology, the general controls, and the business process application controls addressed by FISCAM
• May be used as a basis for the independent evaluation of a federal agency’s information security program required by the Federal Information Security Management Act (FISMA). FISMA requires that each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.

Next, we’ll review the general and business process application controls included in the FISCAM.
2.2.3.1 General Controls

General controls are the policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation.1

• Security management. These controls provide reasonable assurance that security management is effective.
— Security management program
— Periodic assessments and validation of risk
— Security control policies and procedures
— Security awareness training and other security-related personnel issues
— Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices
— Remediation of information security weaknesses
— Security over activities performed by external third parties

• Access controls. These controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals.
— Protection of information system boundaries
— Identification and authentication mechanisms
— Authorization controls
— Protection of sensitive system resources
— Audit and monitoring capability, including incident handling
— Physical security controls

• Configuration management. These controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended.
— Configuration management policies, plans, and procedures
— Current configuration identification information
— Proper authorization, testing, approval, and tracking of all configuration changes
— Routine monitoring of the configuration
— Updating software on a timely basis to protect against known vulnerabilities
— Documentation and approval of emergency changes to the configuration

• Segregation of duties. These controls provide reasonable assurance that incompatible duties are effectively segregated.
— Segregation of incompatible duties and responsibilities and related policies
— Control of personnel activities through formal operating procedures, supervision, and review

• Contingency planning. These controls provide reasonable assurance that contingency planning protects information resources and minimizes the risk of unplanned interruptions, and provides for recovery of critical operations should interruptions occur.
— Assessment of the criticality and sensitivity of computerized operations and identification of supporting resources
— Steps taken to prevent and minimize potential damage and interruption
— Comprehensive contingency plan
— Periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing

1 GAO 2009

2.2.3.2 Business Process Application Controls

Business process application controls are directly related to individual computerized applications. They help ensure that transactions are complete, accurate, valid, confidential, and available.

• Completeness. Controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.

• Accuracy. Controls provide reasonable assurance that:
— Transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period)
— Key data elements input for transactions are accurate
— Data elements are processed accurately by applications that produce reliable results
— Output is accurate

• Validity. Controls provide reasonable assurance that:
— All recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management’s authorization
— Output contains only valid data

• Confidentiality. Controls provide reasonable assurance that application data and reports and other output are protected against unauthorized access.

• Availability. Controls provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed.

2.2.4 Internal Control Related to Use of Shared Service Providers

Tip
The current Green Book does not list shared service providers, but this material may still be included on the CDFM exam.

The Green Book provides internal control considerations for service organizations (e.g., shared service providers). Service organization internal control considerations include management’s responsibility for the performance of third party-provided processes, establishing user controls at the agency receiving services, and service organization oversight.

Management’s responsibility for processes performed by third-party service organizations. Third-party service providers perform activities such as accounting and payroll processing, employee benefit plan servicing, information technology services, and procurement services for many agencies. Agencies are ultimately responsible for the services and processes provided by third-party service organizations as they relate to the agency’s ability to maintain internal control over operations, reporting, and compliance with laws and regulations.

Management’s responsibility for establishing user controls. If the processes provided by the third-party service organization are significant to an agency’s internal control objectives, then the agency is responsible for establishing user agency controls that complement the service organization’s controls.
Management still retains overall responsibility and accountability for all controls related to the processes provided by the third party and must monitor the process as a whole to make sure it is effective. Examples of user agency controls include:
• Input/output controls. In most third-party provider situations, the agency must have access to the information processed by a service organization. In some cases, this information enables the agency to compare the service organization’s results with the results of an independent source.
• Performance monitoring. Agencies must have a process for monitoring the service organization’s performance in relation to various metrics, as typically defined in a service-level agreement. Most of these metrics must be tailored to specific operations.
• Process controls. In some third-party provider situations, the agency’s user controls are closely tied to the service organization’s processes and provide direct assurance over their operation. For example, an agency that has its IT development provided by a third-party service organization chooses to document, track, approve, and test all application changes internally, thus retaining significant control over the IT development process.

2.3 THE GREEN BOOK—GAO STANDARDS FOR INTERNAL CONTROL IN THE FEDERAL GOVERNMENT

The GAO Green Book, updated in September 2014, defines the standards for internal control in the federal government. FMFIA requires federal executive branch entities to establish internal control in accordance with these standards. The standards provide criteria for assessing the design, implementation, and operating effectiveness of internal control in federal government entities to determine whether an internal control system is effective. The Green Book defines the standards through components, principles, and attributes and explains why they are integral to an entity’s internal control system.
The Green Book is structured as follows:
• Overview:
— Section 1: Overview of the fundamental concepts of internal control
— Section 2: Discussion of internal control components, principles, and attributes; how these relate to an entity’s objectives; and the three categories of objectives
— Section 3: Discussion of the evaluation of the entity’s internal control system’s design, implementation, and operation
— Section 4: Additional considerations that apply to all components in an internal control system
• A discussion of the requirements for each of the five components and 17 principles, as well as discussion of the related attributes, including documentation requirements

The Green Book defines internal control as "a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved."2 These objectives and related risks can be broadly classified into one or more of the following three categories:
• Effectiveness and efficiency of operations, including the use of the entity’s resources
• Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use
• Compliance with applicable laws and regulations

Internal control serves as the first line of defense in safeguarding assets. In short, internal control helps managers achieve desired results through effective stewardship of public resources. Internal control should be designed to provide reasonable assurance regarding prevention of, or prompt detection of, unauthorized acquisition, use, or disposition of an agency’s assets, but no internal control can provide absolute assurance that all agency objectives will be met.
An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives. To help ensure that controls are appropriate and cost-effective, agencies should consider the extent and cost of controls relative to the importance and risk associated with a given program.

The Green Book applies to all of an entity’s objectives: operations, reporting, and compliance. However, these standards are not intended to limit or interfere with duly granted authority related to legislation, rulemaking, or other discretionary policy making in an organization. In implementing the standards in the Green Book, management is responsible for designing the policies and procedures to fit an entity’s circumstances and building them in as an integral part of the entity’s operations.

2 GAO 2014

[Figure: GAO Framework for Internal Control: The Components, Objectives, and Organizational Structure of Internal Control]

GAO’s framework for internal control includes five components, which represent the highest level of the hierarchy of standards for internal control in the federal government. They must be effectively designed, implemented, and operating together in an integrated manner for an internal control system to be effective. The five components of internal control are:3
1. Control environment. The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives.
2. Risk assessment. Assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
3. Control activities. The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
4. Information and communication. The quality information management and personnel communicate and use to support the internal control system.
5. Monitoring. Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

3 GAO 2014

The framework also includes 17 internal control principles, aligned under the five components. The Green Book contains additional information regarding internal control standards in the form of attributes, which further explain the principles and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Management has a responsibility to understand the attributes and exercise judgment in fulfilling the requirements of the standards. The Green Book, however, does not prescribe how management designs, implements, and operates an internal control system.

Next, we’ll review the 17 GAO internal control principles aligned under their respective internal control components.

2.3.1 Control Environment

The control environment component includes principles 1–5:
1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
2. The oversight body should oversee the entity’s internal control system.
3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

2.3.2 Risk Assessment

The risk assessment component includes principles 6–9:
6. Management should define objectives clearly to enable the identification of risk and define risk tolerances.
7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

[Figure: The Risk Assessment Umbrella]

2.3.3 Control Activities

The control activities component includes principles 10–12:
10. Management should design control activities to achieve objectives and respond to risks.
11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
12. Management should implement control activities through policies.

2.3.4 Information and Communication

The information and communication component includes principles 13–15:
13. Management should use quality information to achieve the entity’s objectives.
14. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
15. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

2.3.5 Monitoring

The monitoring component includes principles 16 and 17:
16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
17. Management should remediate identified internal control deficiencies on a timely basis.

2.3.6 EXERCISE: ANALYSIS OF THE GAO INTERNAL CONTROL STANDARDS

Directions
1. Review each description of a GAO internal control standard.
2. Choose the corresponding component or principle that matches the description.

Questions
1. The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system. Examples of this include documenting transactions and internal control, controls over information processing, and quality control procedures.
a. Information and communication
b. Control activities
c. Risk assessment

2. The quality information management and personnel communicate and use to support the internal control system. Management should use quality information to achieve the entity’s objectives. Examples of this include obtaining relevant data from reliable sources and processing the data into information.
a. Monitoring
b. Risk assessment
c. Information and communication

3. This component involves assessing the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
a. Control environment
b. Information and communication
c. Risk assessment

4. This component discusses activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
a. Information and communication
b. Monitoring
c. Risk assessment

5. The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objectives. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. Management uses this component to set a positive attitude toward internal control.
a. Risk assessment
b. Control environment
c. Control activities

6. What is a principle of the risk assessment component in the GAO framework?
a. Management should define objectives clearly to enable the identification of risk and define risk tolerances
b. Management should not consider the potential for fraud when identifying, analyzing, and responding to risks
c. Management should evaluate performance and hold individuals accountable for their internal control responsibilities

7. What is a principle of the control environment component in the GAO framework?
a. Management should identify, analyze, and respond to risks related to achieving the defined objectives
b. Management should design control activities to achieve objectives and respond to risks
c. The oversight body and management should demonstrate a commitment to integrity and ethical values

8. What is the principle of the information and communication component in the GAO framework?
a. Management should identify, analyze, and respond to significant changes that could impact the internal control system
b. Management should internally communicate the necessary quality information to achieve the entity’s objectives
c. Management should identify, analyze, and respond to risks related to achieving the defined objectives
2.4 ASSESSING AND IMPROVING INTERNAL CONTROL

Agency managers must continuously monitor, assess, and improve the effectiveness of internal control associated with those internal control objectives identified as part of their risk profile. This continuous monitoring, together with other periodic evaluations, provides the basis for the agency head’s annual assessment and report on internal control as required by the FMFIA. Agency management must determine the appropriate level of documentation needed to support this assessment.

The Green Book provides documentation requirements that are a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required to demonstrate the design, implementation, and operating effectiveness of an entity’s internal control system.

OMB Circular A-123 also provides a list of sources of information, such as results of testing of internal controls, organization strategic plans and performance reviews, program reviews, IG inspection reports, audits of annual financial statements, and other internal and external audits and review reports, that management can use in assessing and documenting the effectiveness of agency internal controls.

2.4.1 Internal Control Evaluation Approach

Management is responsible for evaluating whether a system of internal control reduces the risk of not achieving the entity’s objectives related to operations, reporting, or compliance to an acceptable level. Circular A-123 provides a construct for conducting an evaluation of the effectiveness of internal controls based upon the risk-based assessment approach recommended by COSO.
It consists of the following activities:4
1. Conduct an assessment of internal control.
2. Prepare a summary of internal control deficiencies.
3. Conclude on internal control principle evaluation.
4. Conclude on internal control component evaluation.
5. Conclude on overall assessment of a system of internal control.

Circular A-123 also provides an illustrative example of the conduct of an internal control evaluation related to considerations regarding internal control components and principles and the agency’s overall system of internal control.

4 OMB 2016

2.4.2 Identification of Deficiencies

Agency managers and employees should identify deficiencies in internal control from the sources mentioned in Circular A-123 and from the results of their assessment process. The assessment process must include an assessment of compliance with each of the Green Book components and principles. In addition, the identification of deficiencies must include all management and operational functions and processes that support mission delivery.

Agency employees and managers report control deficiencies, at a minimum, to the next supervisory level, which allows the chain of command to determine the relative importance of each deficiency. Reporting of deficiencies should also include reporting deficiencies to the agency Inspector General.

Deficiencies are categorized as control deficiencies, significant deficiencies, or material weaknesses. Agency managers and staff are encouraged to identify control deficiencies, as this reflects positively on the agency’s commitment to recognizing and addressing management problems. Failing to report a known material weakness or significant deficiency reflects adversely on the agency and continues to place the agency’s mission support operations at risk.
Agencies must carefully consider whether systemic weaknesses exist that adversely affect internal control across organizational or program lines.

2.4.2.1 Categories and Reporting of Internal Control Deficiencies

Categories of internal control deficiencies include:

• Control deficiency. This type of deficiency exists when the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks. As the definition suggests, control deficiencies can be classified as deficiencies in design, implementation, or operation. Control deficiencies are reported internally within the organization and not externally. Progress against corrective action plans must be periodically assessed and reported to agency management.

• Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. Significant deficiencies are also reported internally within the organization and not externally, and progress against corrective action plans must be periodically assessed and reported to agency management.

• Material weakness. A significant deficiency that the agency head determines to be significant enough to report outside of the agency as a material weakness. In the context of the Green Book, non-achievement of a relevant internal control principle and related component results in a material weakness. Material weaknesses and a summary of corrective actions must be reported to OMB and Congress through the AFR, PAR, or other management reports. Progress against corrective action plans must be periodically assessed and reported to agency management.

Circular A-123 also describes material weaknesses in internal control over certain areas.
A material weakness in internal control over operations might include, but is not limited to, conditions that:

• Impact the operating effectiveness of entity-level controls
• Impair fulfillment of essential operations or mission
• Deprive the public of needed services
• Significantly weaken established safeguards against fraud, waste, loss, unauthorized use, or misappropriation of funds, property, other assets, or conflicts of interest

A material weakness in internal control over reporting is a significant deficiency that the agency head determines significant enough to impact internal or external decision-making and reports outside of the agency as a material weakness.

A material weakness in internal control over external financial reporting is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

A material weakness in internal control over compliance is a condition where management lacks a process that reasonably ensures the prevention of a violation of law or regulation that has a direct and material effect on financial reporting, or a significant effect on other reporting or on achieving agency objectives.

Additional Information Used to Help Determine a Material Weakness

Management makes the final determination to categorize an internal control weakness as material.
For example, scoring each of the following considerations as significant or insignificant might help a manager determine that a material weakness exists:

• Actual or potential loss of resources
• Sensitivity of the resources involved
• Magnitude of funds, property, or other resources involved
• Frequency of actual and/or potential loss
• Current or probable media interest (adverse publicity)
• Current or probable congressional interest (adverse publicity)
• Unreliable information causing unsound management decisions
• Diminished credibility or reputation of management
• Impaired fulfillment of essential mission or operations
• Violation of statutory or regulatory requirements
• Impact on information security
• Public’s deprivation of needed government services

Monetary value impact generally shall be considered material when the weakness has caused or might cause loss of control over a significant amount of resources for which an organization is responsible (including money, personnel, equipment, etc.). Open audit findings on internal control from any source, agreed to by management, are candidates for a material weakness at the applicable level, until all corrective actions are complete. Managers will determine whether a weakness meets the criteria and report accordingly. The dollar threshold for a material weakness will vary depending on the nature and characteristic of the weakness and the level in the organization where the problem is identified.

DoD Material Weaknesses

DoD material weaknesses are considered at four levels:

• DoD level. When a weakness is serious enough to merit attention from the Office of the Secretary of Defense (OSD) or exists in a majority of DoD components.
• Component level. When a weakness exists throughout a DoD component, or at one or more of its major commands or activities requiring DoD component head attention.
• Major command or field activity level. When a weakness exists throughout a major command or at one or more of its installations.
• Installation or activity level. When a weakness requires the attention of the head of an installation.

Tip
Material weaknesses that cannot be resolved at the SECDEF level are reported in the annual DoD statement of assurance.

2.4.2.2 Correcting Internal Control Deficiencies—Corrective Action Plan Requirements

Agency managers are responsible for taking timely and effective action to correct internal control deficiencies. Promptly correcting deficiencies is an integral part of management accountability and must be considered an agency priority. Agencies should perform a root-cause analysis of each deficiency to ensure that subsequent strategies and plans address the root of the problem and not just the symptoms.

Identifying and developing an understanding of the root cause of control deficiencies is management’s responsibility. Management should incorporate IG and GAO audit findings as part of its identification process; however, auditors are not responsible for identifying root causes of control deficiencies. Management should also consider alternative risk mitigation strategies and perform cost-benefit analysis to determine the best or most cost-effective solution.

Agency managers should develop corrective action plans for all material weaknesses. Further, agencies should periodically assess progress against those plans and report to agency management, who should track progress to ensure timely and effective results. For control deficiencies (management detected) and significant deficiencies (auditor detected), management should develop corrective action plans and track them internally at the appropriate level. A summary of the corrective action plans for material weaknesses that have not been fully mitigated at the time of reporting must be included in the AFR, PAR, or other management report.
The agency should determine that a deficiency has been corrected only when the agency has taken sufficient corrective action and achieved the desired results. This determination should be in writing and, along with other appropriate documentation, should be available for review by the appropriate officials.

2.5 DOD INSTRUCTION 5010.40, MANAGER’S INTERNAL CONTROL PROGRAM PROCEDURES

DODI 5010.40 provides the full scope of management responsibility for internal control within the Department of Defense. That responsibility extends from management’s development of effective internal control, through evaluation and correction of internal control deficiencies, to the reporting requirements for internal control.

The instruction assigned the Under Secretary of Defense (Comptroller)/Chief Financial Officer the following responsibilities:[5]

• Monitor compliance with the Instruction
• Provide internal control guidance, as needed, to the department regarding conduct and reporting of internal control assessments

[5] DoD 2020b
• Establish and support a Senior Management Council to provide oversight and accountability for the DoD’s Managers’ Internal Control Program
• Co-chair a Financial Improvement and Audit Remediation (FIAR) Governance Board with the DoD Deputy Chief Management Officer (DCMO) to provide oversight and accountability for the DoD financial reporting and financial systems
• Instruct the Director of Financial Improvement and Audit Remediation (DFIAR) to:
  — Manage and oversee operations of the DoD’s Managers’ Internal Control Program
  — Provide guidance, as needed, for proper execution of the Managers’ Internal Control Program and publish guidance for the preparation and submission of the annual statement of assurance to the Secretary of Defense
  — Develop the DoD’s statement of assurance
  — Ensure the DoD adheres to annual reporting requirements
  — Provide quarterly status reports on all material weaknesses to the USD(C)/CFO and the DCMO and, as appropriate, under secretaries and assistant secretaries of Defense, and DoD and OSD component heads

Additionally, DODI 5010.40 directed each DoD and OSD component head to:

• Establish a Managers’ Internal Control Program to:
  — Assess inherent risks in mission-essential processes
  — Document and design internal controls
  — Test the design and operating effectiveness of existing internal controls
  — Identify and classify control deficiencies and promptly prepare and execute corrective action plans
  — Monitor and report the status of corrective action plans until testing confirms resolution of identified deficiencies
• Designate in writing the Managers’ Internal Control Program Coordinator of the DoD and OSD component within 90 days of a vacated position, and oversee the Managers’ Internal Control Program coordinator’s implementation of procedures
• Conduct a formal assessment of the acquisition functions requirements outlined in Reference (m), and provide a
summary of the assessment in the statement of assurance
• Submit the annual statement of assurance to the Secretary of Defense and provide separate explicit levels of assurance in a statement of assurance for each of the following three IC assessments required:
  — Operational and administrative controls relevant to all mission-essential functions throughout their DoD and OSD component
  — Financial reporting functions, as assessed under the oversight of the senior assessment team
  — Integrated financial management systems (IFMS) conformance with federal requirements

2.6 REPORTING ON INTERNAL CONTROLS

OMB Circular A-123 details internal control reporting requirements.

OMB Circular A-123, VI. Reporting on Internal Controls[6]

A. Annual Assurance Statement. The assurance statement and summary information related to Section 2 and Section 4 of the FMFIA must be provided in a single report section of the annual AFR, PAR, or other management report labeled “Analysis of Entity’s Systems, Controls and Legal Compliance.” The section must include the annual assurance statement, a summary of the Agency’s process for assessing internal control effectiveness, and resulting material weaknesses and corrective action plans as of September 30 of a given fiscal year.

B. Reporting Pursuant to Integration of Enterprise Risk Management and Internal Control. Management has discretion in determining the scope of operations, reporting, and compliance objectives based on the Agency’s risk profile as described in Section II of this document. Agencies are required to provide assurances on their process to identify risks and establish controls or integrate existing controls to the identified risk. Some of these internal control systems may have been operating effectively prior to integration of these risks.
These assurances should be built out over time following a maturity model approach and reported in the AFR along with a report on identified material weaknesses and corrective actions. Until an Agency has fully implemented an ERM approach to risk management, it may continue to provide the existing risk assurance statements to its OIG and/or private accounting firms.

C. Reporting Pursuant to OMB Circular No. A-123, Appendix A. Appendix A of OMB Circular No. A-123 provides a methodology for agency management to assess, document, and report on internal controls over reporting. This document also encourages an integrated approach to assessing the internal controls over reporting, considering the current legislative and regulatory environment in which Federal entities operate. Management’s assessment of internal control over external financial reporting must follow the assessment methodology provided in Appendix A to Circular No. A-123, Internal Control Over Reporting.

D. Reporting Pursuant to OMB Circular No. A-130, Appendix I. Appendix I of OMB Circular No. A-130, Responsibilities for Protecting and Managing Federal Information Resources, establishes minimum requirements for Federal information security programs, assigns Federal Agency responsibilities for the security of information and information systems, and links Agency information security programs and Agency management control systems established in accordance with OMB Circular No. A-123. The appendix also establishes requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies must take a coordinated approach to implementing information security and privacy controls.

[6] OMB 2016

E. Reporting Pursuant to Section 2—31 U.S.C. 3512(d)(2).
Section 2—31 U.S.C. 3512(d)(2), commonly referred to as Section 2 of the FMFIA, requires that the head of each Executive Agency annually submit to the President and the Congress (i) a statement on whether there is reasonable assurance that the Agency’s controls are achieving their intended objectives; and (ii) a report on material weaknesses in the Agency’s controls.

Statement of Assurance. The statement of assurance represents the Agency head’s informed judgment as to the overall adequacy and effectiveness of internal control within the Agency related to operations, reporting, and compliance. The statement must take one of the following forms:

  o unmodified statement of assurance (no material weaknesses or lack of compliance reported);
  o modified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses or lack of compliance reported); or
  o statement of no assurance (no processes in place or pervasive material weaknesses).

In deciding on the type of assurance to provide, the Agency head should consider information from the assessment process described in Section IV of this Circular, with input from senior program and administrative officials. Management is precluded from concluding that the Agency’s internal control is effective (unmodified statement of assurance) if there are one or more material weaknesses.

In support of a single assurance statement, a detailed summary of management assurances must also be provided in the “Other Information” section of the annual AFR, PAR, or other management report. The detailed assurances should mirror the single assurance statement and provide assurance over the effectiveness of internal controls in each supporting area of operations, reporting (including external financial reporting), and compliance. The Agency Head must sign the statement of assurance.

DoD components are required to submit their annual statement of assurance to OSD by October 1 each year.
The DoD then submits its annual statement of assurance as part of its Annual Financial Report to OMB by November 15. The DoD includes this assurance statement in its annual Performance and Accountability Report (PAR). The general statement of assurance will include:

• Reasonable assurance that the agency’s controls are achieving their intended results
• Summary of material weaknesses and non-conformances
• Summary of corrective action plans

2.6.1 DoD and OSD Statement of Assurance Report Contents

All DoD and OSD components will annually provide:

• An operations statement of assurance that provides reasonable assurance of the effectiveness of internal controls over operations. The DoD and OSD components will consider internal control deficiencies disclosed by all sources, including management studies; DoD component audits, inspections, investigations, or internal review reports; and Inspector General and GAO reports. This statement of assurance is based on management’s assessment of the effectiveness of their internal controls as of the date signed for that fiscal year.
• An explicit level of assurance on the effectiveness of internal controls over financial reporting as of June 30, for those DoD and OSD components specified in the Managers’ Internal Control Program and FIAR guidance
• An explicit level of assurance on the effectiveness of internal controls over financial systems, for those components specified in the Managers’ Internal Control Program guidance and FIAR guidance

The DoD and OSD component statement of assurance will have one cover memorandum. Those DoD and OSD components providing levels of assurance for financial reporting and financial systems will report assurance in subsections to the statement of assurance cover memorandum.
Each assurance level explicitly stated in the statement of assurance must meet one of three levels of assurance:

  — Unmodified statement of assurance. An unmodified statement of assurance provides reasonable assurance that ICs are effective with no material weaknesses reported, or that the IFMS is in conformance with federal requirements. Each unmodified statement should describe how the level of assurance is supported and how assessments were conducted.
  — Modified statement of assurance. A modified statement of assurance provides reasonable assurance that ICs are effective with the exception of one or more material weaknesses, or that the IFMS is not in conformance with federal requirements. The statement of assurance must cite the material weaknesses in internal management controls that preclude an unmodified statement.
  — Statement of no assurance. A statement of no assurance provides that no assurance can be given that ICs are effective because few or no assessments were conducted, the noted material weaknesses are pervasive across many key operations, or the IFMS is substantially noncompliant with federal requirements.

LEVELS OF ASSURANCE

The DoD and OSD component statement of assurance will be in the format prescribed by the Managers’ Internal Control Program and FIAR guidance, which will describe how the level of assurance is supported and how assessments were conducted. When the level of assurance is modified for operations, the format provided by the Managers’ Internal Control Program guidance must include:

• Uncorrected material weaknesses (current year disclosures and prior year disclosures) and the summary of the corrective action plans for resolution. The summary will provide milestone timelines that will correct a material weakness.
  Although the actions that should correct the material weakness may still be in development, the material weaknesses must be reported with current status as of the date the statement of assurance is signed.
• Material weaknesses corrected in the current year (current year disclosures and prior year disclosures corrected in the current year) and the summary of the corrective actions taken.

Eac