Internal Controls
Internal Control Assessment
A documented review performed...to determine whether internal control techniques are effectively implemented to accomplish administrative, operational, and mission objectives.
MICP Hierarchy
Assessable Units Managers (AUMs) Basic unit for the entire MICP Assigned at all levels Form the framework for the Air Force's MICP SECAF, SAF/FM and SAF/FMF SECAF signs and submits an annual SoA to the SecDef on the assessment of the Air Force's internal controls SAF/FM ensures the evaluation, improvement, and reporting on the AF internal control system meet the requirements of law and DoD instructions SAF/FMF provides overall guidance and direction for MICP implementation throughout the AF Wing, Base, Center, Group Squadron, Flight
Material Weakness
"A deficiency in internal controls that the agency head determines to be significant enough to be reported outside the agency (OMB Definition)" • Are reported in the Annual Statement of Assurance • Could be the result of an external audit finding or a reaction to a public report or incident
Comptroller Access Guide (CAG)
- Addressed our base level FM offices requirement to support multiple system access with limited manpower. - DFAS will support multiple access to FM systems based on the Comptroller's review and signature that FM will ensure adequate controls are in place".
Separation of Duties
- Authorizing, processing, recording, and reviewing transactions should be separated among individuals. - To reduce the risk of error, waste, or wrongful acts going undetected, no individual should control ALL key aspects of a transaction or event. - No one person should have access to an entire transaction from beginning to end.
Applicability and Procedures of the Comptroller Access Guide (CAG)
- CAG is concerned with internal controls associated to our FM systems - CAG provisions apply to Air Force FM systems users. - CAG is only concerned with the accesses, which update systems. - User will initiate request for system access on DD Form 2875.
Government Accountability Office (GAO)
- Define the minimum level of quality acceptable for internal control in government. - Provide the basis against which internal control should be evaluated - Apply to all aspects of an agency's operations...programmatic, financial, and compliance. - Provide a general framework and in implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their operations.
The Office of Management and Budget (OMB)
- Evaluates the effectiveness of agency programs, policies, and procedures. - Ensures agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies. - Oversees and coordinates the Administration's procurement, financial management, information, and regulatory policies.
Information and Communication
- For an entity to run and control its operations, it must have relevant, reliable, and timely communications relating to internal as well as external events. - Effective communications should occur in a broad sense with information flowing down, across, and up the organization. - Effective information technology management is critical to achieving useful, reliable, and continuous recording and communication of information.
QA Manager
- If system conflicts exist, QAM assists the user and management to explore all alternatives - Will work with management to complete the "Request for Multiple Access" form.
Control Activities
- Policies, procedures, techniques, mechanisms that enforce management's directives. - Help ensure that actions are taken to address risks. - Are an integral part of an organization's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. - Occur at all levels and functions of the entity. - Include a wide range of diverse activities.
Terminal Area Security Officer (TASO)
- Reviews the request - Will not allow excessive system access. - Coordinates request with QAM to ensure no system conflicts are present
Examples of institutionalized monitoring activities
- Self inspection program - Compliance Inspections - Operational Readiness Inspections - Staff Assistance Visits - AFAA, DoD IG, and GAO audits, inspections, or investigations - Environmental, Safety and Occupational Health Compliance Assessments and Management Programs.
Comptroller Access Guide (CAG) Initial Approvers/Key Players
- Terminal Area Security Officer (TASO) - QA Manager
AF Annual Statement of Assurance (SOA)
- The statement will provide the Secretary of the Air Force's level of reasonable assurance of the effectiveness of Air Force internal controls. - State whether or not there is reasonable assurance that the Air Force's internal controls are in place and operating effectively in three distinct processes. - Internal control over non-financial operations (ICONO) con - Internal control over financial reporting (ICOFR). - Internal control over financial systems (ICOFS)
Government Accountability Office (GAO) 5 standards
1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information/Communication 5. Monitoring
Control Environment
A positive control environment is the foundation for all other standards. Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. A positive control environment provides: - Discipline, structure, and a climate influencing the quality of internal controls - Integrity and ethical values - Commitment to competence
Assessable Unit (AU)
Basic segment for which internal controls are evaluated....capable of being evaluated by internal control assessment procedures.
Federal Managers Financial Integrity Act (FMFIA) of 1982
Enacted to ensure Federal agencies establish, assess and report on their internal control programs, processes and systems.
Unqualified SoA
Green. Provides reasonable assurance that internal controls are effective with no material weakness(es) reported or that the Integrated FM System (IFMS) is in conformance with Federal requirements.
Monitoring
Internal control monitoring should assess the quality of Performance over time and ensure that the findings of audits and other reviews are promptly resolved.
Risk Assessment
Internal control should provide for an assessment of the risks the agency faces from both external and internal sources. - Risk assessment is the identification and analysis of relevant risks associated with achieving the Air Force mission and objectives.
What is Key in Internal Controls?
Leadership/Supervision involvement
Material Weaknesses: Monitoring and Tracking
Must annually update the material weakness report for all weaknesses previously reported The update will provide the status of management's progress in correcting/mitigating the material internal control weakness, as of the date their SoA is signed Program OPRs will, in turn, provide guidance to their subordinate units on completing the update during the preparation of their annual SoA
Excessive System Access
Not waiverable under Comptroller Access Guide (CAG) provisions.
Why Do We Have Internal Controls?
OMB Circular A-123
The Office of Management and Budget (OMB) Circular A-123
OMB publishes the key Circulars that the Department of Defense (DoD) use to implement their internal control programs OMB Circular A-123 Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control States that agency managers should: Continuously monitor and improve the effectiveness of internal control associated with their programs. Perform an annual assessment and report on the effectiveness of internal control. Determine the appropriate level of documentation needed to support this assessment.
Internal Controls Directives
PL 97-255, Federal Managers' Financial Integrity Act (FMFIA), 31 U.S.C. 3512, September 8, 1982
MICP
Prescribed to meet the requirements of the FMFIA, which is the all heads of agencies will establish internal controls to provide reasonable assurance that: 1. Efficient and Effective 2. Safeguard assets 3. Compliant 4. Properly records revenue and expenditures.
No Assurance SoA
Red. Provides no reasonable assurance that internal controls are effective because no assessments were conducted, the noted material weakness(es) are pervasive across many key operations or the IFMS is substantially noncompliant with Federal requirements.
Statement of Assurance (SOA)
Represents the agency head's informed judgment as to the overall adequacy and effectiveness of management controls within the agency.
The Office of Management and Budget (OMB)
Ultimately, the OMB seeks to improve administration management, develop better performance measures and coordinating mechanisms, and reduce any unnecessary burden on the public.
Qualified SoA
Yellow. Provides reasonable assurance that the internal controls are effective with the exception of one or more material weakness(es) or the IFMS is not fully compliant with Federal requirements reported.
Internal Control
organization, policies, procedures, and instructions adopted by management to reasonably ensure mission or operational objectives are met, programs achieved intended results, and managers safeguard the integrity of their programs.
Material Weaknesses: Reporting
• Reporting of a material weakness is an agency's opportunity to declare that its management has become aware of a significant internal control weakness by using its management control program prior to an external audit or process failure. • Material Weakness reports should include the responsible offices and corrective actions that will be taken to mitigate the weakness. • Effectively identifying and rapidly mitigating potential material weaknesses is evidence of an effective MICP and strong management oversight of the organization.