Completion of the Assessable Unit Forms Anthony Rainey, Business Manager, U.S. Office of Personnel Management April 17, 2013

Internal Control Review for a Federal Agency - Introduction


1 – Fiscal Year (FY) 2012 Assessable Unit (AU) Form

• The purpose of this slide deck is to provide users with some background as to:

– WHY the FIS’ assessable units require a form to be completed, and

– WHAT the information on the form for


2 - Legal/Regulatory Framework

Federal Managers’ Financial Integrity Act of 1982 (FMFIA)

OMB Circular A-123 “Management’s Responsibility for Internal Control”

ICONO, ICOFR, ICOFS

Annual Statement of Assurance

ICONO: Internal Controls Over Non-financial Operations

ICOFR: Internal Controls Over Financial Reporting

ICOFS: Internal Controls Over Financial Systems

From FMFIA:

“…internal accounting and administrative controls of each executive agency shall be established IAW standards prescribed by the Comptroller General…”

~ Head of each agency must prepare an annual statement certifying whether the agency’s systems of internal accounting and administrative control comply with FMFIA

Goal: Effective Internal Controls

From OMB Circular A-123:

~ Implementing guidance for federal agencies

~ Establishes 3 objectives of internal controls

~ Outlines 5 standards of internal control activities

3 Levels of Assurance:

~ Unqualified: no material weaknesses (MWs)

~ Qualified: MWs identified with corrective action plan developed

~ No Assurance: no assessment done or MWs are pervasive

3 - Federal Managers’ Financial Integrity Act (FMFIA)

• Became law in 1982 to respond to concern about fraud, waste, and abuse

• Required annual agency self assessments of internal control effectiveness and reporting material weaknesses in controls

• The Act focused on the following problem areas:

o Mismanagement

o Erroneous Reports of Data

o Unauthorized Use of Resources

o Illegal or Unethical Acts

o Adverse or Unfavorable Public Opinion

4 - FMFIA Annual Assurance Process in OPM

Goal: Annual Assurance of Internal Controls

Effective & Efficient Operations

Compliance with Laws and Regulations

Financial Reporting

Daily Operations

Other Sources Audits

Management Reviews

Risk Assessments

Senior Assessment Team: OMB Circular A-123, Appendix A

Associate Directors and Heads of Offices: Assessable Unit (AU) Internal Control Form Update

OPM Director: Management’s Assurance in the Annual Performance and Accountability Report

OPM Chief Financial Officer: Assessment of Internal Control over Financial Reporting

5 - OMB Circular A-123, Management’s Responsibility for Internal Control

• Revision Issued: December 2004

• Effective: Beginning in Fiscal Year 2006

• Purpose: Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by:

- establishing,

- assessing,

- correcting, and

- reporting

on internal control.

• Authority: Includes but is not limited to Federal Managers’ Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512

6 – Characteristics of OMB Circular A-123

• OMB Circular No. A-123, Management’s Responsibility for Internal Control, is the implementing guidance for FMFIA.

• The last update for A-123, in December 2004, made major changes, including:

– Requiring agency management to attest to internal controls over financial reporting (ICFR) through testing and evaluation; patterned after the Sarbanes-Oxley Act requirements for the private sector.

– Requiring a separate annual assurance statement on ICFR as of June 30 each year as a sub-set of overall assurance. Agencies cannot rely solely on their financial statement auditors for those controls.

– Requiring agencies to integrate internal control assessments with other related activities.

– Realigning standards.

– Providing an additional level of control weaknesses (now called significant deficiency) below a material weakness.

7 - Internal Controls - A Brief Definition

• Internal controls are all the methods by which an organization governs its activities to accomplish its defined purpose. Internal Controls are:

• Pervasive and inherent in the way management runs an organization

• "Built into" not "added onto" an OPM entity's activities

• Integrated part of management and execution of a program

• Critical to an OPM entity's mission and outcomes

8 - Internal Controls Are a Combination of

• Plans and Policies = Control Objectives

and

• Procedures = Control Activities

• Control Objectives - The positive things that FIS managers want to have happen.

• Control Activities - The procedures that FIS managers use to provide reasonable assurance that the control objectives are achieved.

9 – Three Objectives of Internal Controls

• Organization, policies and procedures to help program and financial managers achieve results and safeguard the integrity of their programs.

– Ensure what should occur in daily activities does occur.

• 3 objectives:

– Effectiveness and efficiency of operations

– Reliability of non-financial reporting

– Compliance with applicable laws and regulations

• Support performance-based management

• Incorporate into every business process

• Further, not hinder, mission accomplishment

– Cost/benefit analysis should be used when implementing controls

Goal: provide reasonable assurance 3 objectives are met

Safeguarding of assets is a subset

10 - How Does the OCFO Conduct Evaluations of OPM’s Internal Controls?

• Chapter 22 – Internal Control Program – of the OPM Financial Management Manual establishes the policy, requirements and responsibilities for the Office of Personnel Management’s (OPM) Internal Control Program. The objectives of the Internal Control Program are to:

1. Ensure OPM has effective and efficient systems of internal control as required by the “Federal Managers’ Financial Integrity Act (FMFIA) of 1982,” revised OMB Circular A-123, “Management’s Responsibility for Internal Control,” and related guidance.

2. Evaluate systems of internal control using existing information and day-to-day knowledge to the maximum extent possible.

3. Provide “reasonable assurance” that OPM’s programs and functions are protected from waste, abuse, loss, and misuse of resources.

4. Focus attention on resolving reportable conditions and “material” weaknesses in internal control.

5. Help achieve OPM’s mission, goals, and objectives.

11 - Internal Oversight and Compliance (IOC) and What Is Their Role Regarding Non-Financial Reporting Unit Internal Controls?

• Internal Oversight and Compliance (IOC) is an independent organization within OPM that proactively provides internal oversight while holding OPM officials accountable for operating effectively and efficiently in accordance with applicable policy, regulations and other criteria as further defined by the Director of OPM.

• IOC responds to GAO Reports, other external evaluative entities, as applicable, and the OPM OIG that require an official response on behalf of the OPM Director.

• IOC collaborates with FIS to select an external auditor to conduct an audit of FIS’ Assessable Unit (AU) Internal Controls by reviewing and auditing the Fiscal Year 2012 AU Internal Control Forms for Non-Financial Units. It is important that the forms are carefully constructed and reviewed.

• The completed forms are due to the IOC on September 13, 2013.

12 - "The" Internal Control (IC) Flow in OPM

• 1. Federal Managers’ Financial Integrity Act (FMFIA)

1A. OMB Circular A-123 – discussed earlier

1B. OMB Circulars A-127 and A-130 – guidance on IT systems and processes

1C. GAO Standards for Internal Control in the Federal Government

• 2. Other OPM policies and procedures like the OPM Financial Management Manual (FMM)

• 3. OPM Associate Directors, Office Heads and IC Coordinators (generally Resource Management Officers - RMO)

• 4. Assessable Unit (AU) Managers

• 5. All FIS Employees

13 - Completing your Assessable Unit Documentation and Performing Internal Control Reviews (ICR)

• An ICR is a detailed evaluation of existing internal controls within an AU to determine whether necessary controls are in place and producing the intended results. These reviews are documented and are designed to provide reasonable assurance in critical risk areas that the controls are effective.

• This type of periodic evaluation focuses directly on the controls' effectiveness at a specific time. The scope and frequency of ICRs are a function of the assessment of risks and the effectiveness of the constant monitoring procedures. To the extent possible, ICRs should be built into your activities and not added on at year end. The final review should focus on summarizing and reporting ICR results.

14 – Clearly Identifies What Comprises Your Assessable Units (AUs)

• Assessable Units are organized functionally

• Reviewed and updated annually with input from program managers/subject matter experts

• Supplemented by FIS specific identified manuals, procedures or published business rules

• Assessable Units (AU) – Have clear limits and boundaries; Are small enough to be measured; Are large enough to be meaningful; Provide for

- clear lines of communication

- reporting up through the chain of command

- accurate aggregation responsibilities

Goal: Identify control deficiencies and implement actions to minimize risks

15 - What is meant by the term “Internal Controls”?

• Internal controls are the OPM and FIS policies, procedures, actions, and activities that management implements to ensure that goals and objectives are met.

• Effective internal control provides assurance that significant weaknesses in the design or operation of internal control, that could adversely affect the agency’s ability to meet its objectives, would be prevented or detected in a timely manner.

• Internal control should be an integral part of the entire cycle of planning, budgeting, management, accounting, and auditing. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management.

• Internal control – OPM and FIS policies and procedures – are tools to help managers achieve results and safeguard the integrity of their programs, and it applies to program, operational, and administrative areas, not just accounting and financial management.

16 - What are the Objectives of “Internal Controls”?

• Internal control is an integral component of an FIS’s management that provides reasonable assurance that the following objectives are being achieved:

- Effectiveness and efficiency of program activities and operations

- Reliable, complete, and timely data are maintained

- Compliance with applicable laws and regulations

- Programs and resources are protected from waste, fraud, and mismanagement

17 - What Are the Legislative Requirements?

• OPM produces an Annual Financial Report (AFR) that is one in a series of reports used to convey budget, performance and financial information to OPM’s constituents. An AFR is a requirement of OMB Circular A-136, Financial Reporting Requirements.

One of the responsibilities of OPM’s Office of the Chief Financial Officer (OCFO) is to manage and oversee OPM internal control and financial policy functions which enable the Agency to meet the objectives of the Federal Managers’ Financial Integrity Act (FMFIA).

OPM conducts its assessment of internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, OPM can provide qualified assurance, that its internal control over the effectiveness and efficiency of operations and compliance with applicable laws and regulations and financial management systems

18 - The Role of the OPM Assessable Unit (AU)

• An Assessable Unit (AU) is the lowest level of functional responsibility on which to be assessed, tracked, and reported.

• The AU should have a single person designated as the AU manager. However, one person can be the manager for more than one AU – but their name, title, and area of responsibility should be clearly designated.

• The AU should have clearly defined objectives that tie to OPM’s overall mission and strategic goals and objectives.

• Additionally, an AU should be defined in terms of clearly identifiable risks, controls to help mitigate those risks, and monitoring to ensure the effectiveness of the controls.

19 - Chapter 22 – Internal Control Program – of the OPM Financial Management Manual

• Chapter 22.6 of the OPM Financial Management Manual requires annual reviews of internal controls as required by FMFIA. To meet the requirements of the annual review of internal controls, FIS should:

1. Appoint Control Owners to manage each FIS Assessable Unit’s planning, evaluating, and reporting activities related to each Business Process, Control Objective, Risk, and Control identified on the Assessable Unit Internal Control Form.

2. Complete the Assessable Unit Internal Control Form for all assessable units.

3. Develop Management Self Assessments reflecting the timely and effective review of controls, the person conducting the review, results of the self-assessment, and determining whether any corrective action is required.

4. Report the status of internal controls to the CFO to support the Director’s annual assurance to the President and Congress by means of an annual assurance statement.

5. Track progress on completing any corrective actions identified.

20 - FIS Priority Goals, Outcome & Target, Strategy & Goals, Measures

• Determine where your Assessable Unit fits within the following:

21 - Four Sections of the AU Form

• Your internal controls are identified through the Assessable Unit Internal Control Forms

• Section 1 – General Information

• Section 2 – Assessable Unit (AU) Internal Controls

– Subsection 2.1 AU Description

– Subsection 2.2 Major Business Processes

– Subsection 2.3 Control Objectives

– Subsection 2.4 Management Self Assessment of Risk

– Subsection 2.5 Control Activities

• Section 3 – Management Self Assessment

• Section 4 – Corrective Actions

Goal: Clear definition of the AU, major business processes, control objectives, what management believes are the major risks, and the control activities management uses to manage these risks

22 – The Assessable Units (AU)

• Assessable Units (AU) - Any FIS organizational functional, programmatic or other applicable subdivision, whose internal controls are capable of being evaluated.

• An assessable unit should be a subdivision of a FIS organization (have an Org Code) that ensures a reasonable level of span of control to allow for adequate control analysis.

23 – Filling Out the Assessable Units (AU) Form

• Provide an Assessable Unit NAME.

• Identify the NAME and TITLE of the Assessable Unit Manager(s). These are the senior managers with primary and direct responsibility for accomplishing a function in an assessable unit.

• Identify the NAME and TITLE of each Assessable Unit Supervisor or Team Leader. They have responsibility for implementing and sustaining internal controls in their assessable unit.

• Provide a unique Assessable Unit ID.

• Identify the Performance Period – the begin and end date that this form will cover.

24 - AU Internal Control Form – Non-Financial Reporting Unit – Section 1 – General Information

• Section 1 provides the following General Information about the Assessable Unit:

The name of the FIS organization should be listed for all names along with a contact telephone number and email.

25 - Assessable Units (AU) Questions to Consider

• How would your organization best be segmented – organizational,functional, or program lines?

• How many segments does the organization have? Identify these segments.Describe the objectives/function of each.

• Note again that Assessable Units (AU)-

• Have clear limits and boundaries

• Are small enough to be measured

• Are large enough to be meaningful

• Provide for

- clear lines of communication

- reporting up through the chain of command

- accurate aggregation

26 – Keep in Mind How Your AU Supports OPM’s Mission and Strategic Goals

27 – Consider How Your AU Supports the OPM’s Two Strategic Goals: Expect the Best and Hire the Best

28 – Think About How Your AU Helps OPM accomplish its Mission

• Review OPM’s Mission Statement and think about how your Assessable Unit helps OPM accomplish its mission.

29 - Identify Your AU’s Customers, Partners, Products and Services

CUSTOMERS WHO RECEIVE YOUR AU’S PRODUCTS OR SERVICES

PARTNERS WHO ASSIST IN THE PROVISION OF PRODUCTS AND SERVICES BY YOUR AU

MAJOR PRODUCTS PROVIDED

MAJOR SERVICES PROVIDED

30 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.1 – AU Description

• Section 2.1 provides an Assessable Unit Description:

Remember that the information here may be reviewed by an internal or external auditor to verify and validate the information presented. It should be written to enable a person outside of the Assessable Unit to easily comprehend who your customers and partners are and what the major services and products are.

31 - Business Processes

• A business process is a set of activities - any system used or procedures followed - that your AU uses to provide a product and/or service to your customer.

• A business process executes a set of actions that transform physical or informational things in the AU from an INPUT state to an OUTPUT state.

• Anything that is not a set of actions is not a business process, including a role, an organizational unit, a facility or a technology.

32 - Example of a Simple Business Process

• Steps involved when a vendor sells an item to a customer

• Several steps involved in one process.

33 - Partner Involvement

• Partners are the external parties that are involved in the business process.

• The partner (e.g. vendor, supplier, contractor, federal agency) may provide the AU with something (activity, product) that is part of your business process. This should be clearly identified.

34 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.2 – Major Business Processes

• Section 2.2 provides the following information about the Major Business Processes:

“Descriptions” should include the names of tangible products produced or services provided along with the “purpose” of the process. Systems Used should spell out acronyms and Document References should include version numbers and/or dates if possible.

35 - Efficiency and Effectiveness of Processes

• HOW DO YOU ASSESS WHETHER THE OPERATIONS ARE EFFICIENT? Efficiency means how fast one can do something correctly. Hence testing efficiency can be “# of cases completed per month or per person day”. This explains how efficient (i.e. fast) the person is at properly completing assigned cases.

• EFFECTIVENESS is a quality metric meaning how good a person is at completing assigned cases without missing any items. Hence if the quality metric is a 0% missing items rate, then case effectiveness metrics can be “# of incomplete items identified by a reviewer in a given item / Total # of items reviewed”.

36 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.3 – Control Objectives

• Section 2.3 identifies the Control Objectives of the Assessable Unit:

Please contact Business Management for the Account Code identifications. Impacts should be tied to a FIS “Strategy and Goals” and “Measures” that are part of the “Strategic Goal: Expect the Best and Hire the Best”.

37 - SMART OBJECTIVES

Specific: Use specific terms rather than vague abstract ones

Measurable: Include some method for objectively measuring their achievement

Achievable: Are challenging but realistic

Relevant: Follow the business strategy of the organization

Timely: Specify a time period

38 - What Is Meant By the Assessment of Risk?

• Risk is “the possibility that an event will occur and adversely affect the achievement of objectives.”

• Thereby decreasing value for the AU’s customers.

39 - Management Self-Assessment of Risk - Tips

- Risks should be analyzed and assessed as to their likelihood and impact

- Management should consider the mix of future events, both expected & unexpected

- Useful first step – often a “brainstorming” session with AU staff

- What is the “worst that could happen,” or the “worst that happened?”

40 - Consider Your Appetite for Risk

• Broadly defined as the amount of risk an AU is willing to accept in pursuing its objectives.

• For most government entities: risk appetite is fairly low!

• Related is risk tolerance: “tolerable level of variation associated w/ a particular objective.”

41 - Consider Both Inherent & Residual Risk

• Inherent – Risk without any management activity or before controls are in place.

• Example: inherent risk mitigated by payment card’s policies and procedures.

• Residual – level of risk that remains after management has a plan in place to deal with the risk.

• Example: residual risk remains after payment card policies are in place.

42 - Consider both the Likelihood and Impact of Risk

• Likelihood of Occurrence: possibility an event will occur, measured in “low, medium, high,” percentage or some frequency of occurrence.

• Potential Impact: Effect on an agency or others.

• Risk Magnitude:

43 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.4 – Management Self Assessment of Risk

• Section 2.4 portrays Management’s Self Assessment of Risk for the Assessable Unit:

44 - Control Activities Are Risk Responses

Control activities generally are established to ensure risk responses are carried out. However, control activities themselves are risk responses.

45 - Risk Assessment: Likelihood of Occurrence

♦ High Likelihood

Rating: 3

Guideline: Very likely to occur

♦ Medium Likelihood

Rating: 2

Guideline: May occur

♦ Low Likelihood

Rating: 1

Guideline: Unlikely to occur


46 - Risk Assessment: Degree of Impact

• High Impact - Rating: 3

Guideline: Risk occurrence (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.

• Medium Impact - Rating: 2

Guideline: Risk occurrence (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.

• Low Impact - Rating: 1

Guideline: Risk occurrence (1) may result in the loss of some tangible assets or resources, or (2) may noticeably affect an organization’s mission, reputation, or interest.

47 - Risk Assessment: Risk Magnitude (Likelihood times Impact)

High Likelihood (3) x Low Impact (1) = Low Risk Magnitude (3)

Medium Likelihood (2) x Low Impact (1) = Low Risk Magnitude (2)

Low Likelihood (1) x Low Impact (1) = Low Risk Magnitude (1)

High Likelihood (3) x Medium Impact (2) = Medium Risk Magnitude (6)

Medium Likelihood (2) x Medium Impact (2) = Medium Risk Magnitude (4)

Low Likelihood (1) x Medium Impact (2) = Low Risk Magnitude (2)

High Likelihood (3) x High Impact (3) = High Risk Magnitude (9)

Medium Likelihood (2) x High Impact (3) = Medium Risk Magnitude (6)

Low Likelihood (1) x High Impact (3) = Low Risk Magnitude (3)


48 - Control Activity Questions

• For each of the AUs, what types of policies govern the operations? Are there documented procedures that describe the operations to be accomplished and how to accomplish them? Reference these policies and procedures in the form.

• How does management track the organization’s accomplishments and compare these to its plans, goals, and objectives? How does management compare actual results with planned or expected results and analyze significant differences?

• What major reviews are conducted by managers and supervisors?

49 - Control Activity Questions (cont’d)

• Are roles and responsibilities clearly defined and accountability established? If so, please describe.

• How are duties assigned systematically to a number of individuals to ensure that effective checks and balances exist?

• How are physical and data assets safeguarded?

• What type of performance measures and indicators (i.e., specific metrics) has your organization established to measure progress in accomplishing its objectives and goals?

• How are controls and significant events documented?

50 – SINGLE AND MULTIPLE CONTROL ACTIVITIES

• A single control activity can address multiple risk responses or

• Multiple control activities may be needed for one risk response.

51 - Categorize Your Type of Control Activities

Types of Control Activities

o Preventive

o Detective

o Manual (People Based)

o Automated (System Based)

52 - Assess Reliability of Your Control Activities

LESS RELIABLE

People Based: Detective, Preventive

Automated: Detective, Preventive

MORE RELIABLE

53 - Preventive Control Activities

• Preventive Controls

1. Prevents errors

2. Proactive approach – frees up people resources

54 - Preventative Control Activities – Approval/Authorizations

• Approval/Authorizations (Preventive)

– Policies and procedures

– Limits to authority

– Supporting documentation

– Question unusual items

55 - Detective Control Activities – Reconciliations and Reviews

Reconciliations (Detective)

Personnel approving or executing transactions should not perform reconciliations.

Reviews (Detective)

Budget to Actual

Current to prior period comparisons

Performance measurements

Note the frequency of reconciliations or reviews.

56 - Preventive and Detective Control Activities

• Assets Security (Preventive and Detective)

– Physical safeguards

– Record retention

– Periodic counts/Inventories

57 - Types of Controls – Segregation of Duties

• Segregation of Duties (Preventive and Detective)

– The following functions should be segregated

• Approval

• Accounting/Reconciling

• Asset Custody

58 - Types of Controls – Separation of Duties

• Separation of Duties (Preventive and Detective) – Custody, recording, reconciliation and authorization.

59 - Effectiveness and Efficiency of Control Activities

• Control activities must be tested to ensure they are documented and there are no weaknesses or significant deficiencies.

• Management should also ensure that control activities are carried out in a timely and frequent manner (e.g. review).

– External auditors may support management by providing assurance on the effectiveness and efficiency of control activities.

60 - AU Internal Control Form – Non-Financial Reporting Unit – Section 2.5 – Control Activities

• Section 2.5 portrays Control Activities associated with each risk for the Assessable Unit:

Categorize the “control activity” as either preventive or detective, how it prevents and/or detects the “risk”, the “frequency” of its use, and applicable documentation so that an external auditor can easily trace what, where, and why.

61 - Management Self-Assessment – External Reviews

• Monitoring – External Reviews

• Does the organization undergo reviews (audits, inspections, investigations) by outside organizations? How are results of the review communicated up and down the organization?

• Control Activities:

- How do you ensure your controls are working? Do you build control reviews into your normal activities? Do you keep documentation of your control reviews?

- Have you developed corrective action plans with milestones for controls that are not working or where additional controls are needed?

62 - Management Self-Assessment Internal Reviews (Section 3 of AU Form)

• Monitoring – Internal Reviews (Section 3 of AU Form)

• How does your organization monitor its functions, operations, projects? How often? What is communicated up/down the organization?

• How does your organization measure progress in accomplishing its goals and mission? How often? What is communicated up/down the organization?

• What types of self-assessments of identified control activities does your organization perform? How often?

• How does your organization identify problem areas? What action is taken? How is that corrective action communicated throughout the organization? Are problems (and subsequent corrective action) routinely reported up the chain of command?

63 - AU Internal Control Form – Non-Financial Reporting Unit – Section 3 – Management Self-Assessment

• Section 3 portrays the Self-Assessment Results and any requirements for Corrective Actions associated with each risk for the Assessable Unit:

In the control title, categorize whether the self-assessment was preventive or detective, document and retain the “self-assessment” process itself by describing the tests and analyses undertaken, what the results were, and whether corrective action was required.

64 - Corrective Actions Are Based on the Finding of a “Significant Deficiency” of a Control Activity

• Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the AU’s ability to initiate, record, process, and report data that meets the following Control Objectives:

CO1 - Efficiency and Effectiveness of Operations

CO2 - Reliability of Financial Reporting

CO3 - Compliance with Laws and Regulations

CO4 - Safeguarding Assets against Waste, Fraud, Abuse and Misuse

• They are important enough to bring to the attention of management

– Absence of appropriate separation of duties.

– Absence of appropriate reviews and approvals of transactions.

– Evidence of failure of control procedures.

65 - AU Internal Control Form – Non-Financial Reporting Unit – Section 4 – Corrective Actions

• Section 4 portrays Corrective Actions associated with each risk, Management Actions required, Who Will Implement these Corrective Actions and the Due Dates for Implementation for the Assessable Unit:

66 - CONCLUSION

• This slide pack is intended to serve as a “reference sheet” to examine the scope, purpose, and underlying legal and regulatory requirements for this audit of internal controls. Please feel free to ask the Auditors questions and obtain clarification when they are on site. Please send Anthony [email protected] emails with questions, concerns or issues you may have regarding this “engagement”.