Office of the Under Secretary
of Defense - Comptroller's
Managers' Internal Control Program
American Society of Military Comptrollers
Professional Development Institute 2016
Workshop 76
3 June 2016
"Building a Culture Focused on Accountability Through Continuous Business Process Improvement"
- Unclassified -
OSD MICP POC (Robert) Steve Silverstein
OUSD-Comptroller
Financial Improvement and Audit Readiness Directorate
Email Addresses RobertSSilversteincivmailmil
Phone 571-256-2207 (DSN314-260-2207)
MICP Mail Box osdpentagonousd-cmbxmicpmailmil
MICP Web Site httpcomptrollerdefensegovfiarmicpaspx
If you rely upon an outside auditor to advise on risk, it is too late
Commander's priorities become the MICP priorities for execution, assessment and sustainment
Need framework to ensure "continuous business process improvement" – (sustainment of corrective actions)
Steps to a Value-Added "Commander/Director's Program"
• Brief Leadership on Purpose of MICP – Identify, prioritize, report and mitigate
• Create and Issue "Tone-At-The-Top" Memorandum
• Initiate Review of Entity Level Controls (Assess Organizational Culture)
• Select MICP Coordinator and Define/Redefine Their Role
• Review Organizational Chart and Identify Key Functional and Sub Functional Areas (e.g., Assessable Units)
• Select and Appoint Assessable Unit Managers
• Conduct MICP Kick-Off Conference
• Develop Communication Framework To Ensure Leadership's Mission Requirements Align with Assessments of Operational and Financial Risk
• Identify Leadership's Mission Requirements
• Interface with Assessable Unit Managers to Identify Operational and Financial Risk
• Communicate With Leadership Risk Priorities for Mitigation (Cost/Benefit)
GAO – "High Risks"
• Business Transformation
• Business System Modernization
• Financial Management
• Supply Chain Management
• Weapon System Acquisition
DoD Inspector General – "Challenges"
• Financial Management
• Acquisition Processes and Contract Mgt
• Joint Warfighter and Readiness
• Cyber Security
• Health Care
• Equipping and Training Afghan National Security Forces
• The Nuclear Enterprise
Risk – Embarrassment to the Command - (Loss of Life, Loss of Dollars, Loss of Credibility)
Military Services
• Sexual Harassment
• Suicide
• Contracting
• Procurement
• Negligent Discharge of Sensitive Information
Statutory Requirements
The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
• Requires agencies to establish and maintain, and assert to the effectiveness of, internal controls over operations and compliance with laws and regulations
Revised OMB Circular A-123
• Included Management's Responsibility of Internal Controls over financial reporting
The Chief Financial Officers Act of 1990 (CFO Act)
• Requires agency CFOs to develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls
The Federal Financial Management Improvement Act of 1996 / OMB Circular No. A-127
• Instructs agencies to maintain integrated financial management systems complying with Federal systems requirements, Federal financial accounting standards and USSGL at the transaction level
End State is Not Auditable Financial Statements, But a Culture That Supports Continuous Business Process Improvement --- That Will Result and Sustain Accurate, Timely and Complete Financial Information
Past: Review and Reporting of Risk – "Paper Drill"
• Reliance upon auditors
• Impact – Mitigation of risk after the mission negatively impacted
• Limited Scope
• Emphasis on Requirement
• One point in time
Future: Review and Reporting of Risk – Part of Component's Culture - Value Added
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
• Coverage of all functions
• Emphasis on most efficient and effective way to meet requirement
• Daily review
So What
Emphasis Upon Auditable Financial Statements
How do we minimize risk to the Component – Risk is defined as "the potential that a chosen action or activity will lead to a loss"
Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness
If you rely upon an outside audit service to identify and report on control deficiencies – it is too late (e.g., embarrassment and negative impact to mission)
The MICP Assessments Includes Functions of an Organization
Appendix A
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
• RDT&E
• Major System Acq
• Procurement
• Contract Admin
• Commo
• Intel & Secur
• Property Mgmt
• Supply
• Mfg, Maint & Repair
• Force Readiness
• Comptroller & RM
• Personnel & Org
• Info Tech
• FMFIA Over Financial Reporting
• Support Svcs
• Security Assist
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g., DoD-wide policies, UOT)
• Provides Audit Infrastructure
– Audit liaison
– End to end process documentation
– Internal control program
– Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
Common Themes, Challenges, Questions to Consider

Common Theme: Documentation
Challenges
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Common Theme: Standard Operating Procedures / End-to-End Process Documentation
Challenges
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Common Theme: Systems
Challenges
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Common Theme: Property
Challenges
• Lack of progress on counting and recording of assets
Questions to Consider
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions; and
- Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– "Tone-at-the-Top" and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process, risks, control activities and test procedures
– Group and Individual training on documentation, assessment and reporting
– Corrective Action Plans include stakeholders, actions, dates and target end-state
– Empower AUMs to assess, identify, improve, fix and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents from process to control test results easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach – encouraging the use of Enterprise Risk Management (ERM)
Why
• Strengthen Decision Making
• Improvement Information Flow
How
• Sustainment of Support From the Top
• Addressing Power Concentrated in Silos
• Overcoming Culture of Caution
• Integration of Risk Management into Organizational Decision Processes
Benefits
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations, as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other, as depicted below
The Federal Enterprise Risk Management Framework
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk, or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
– In FY 2016, develop and document an annual documented risk profile/risk inventory
– In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile

• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD's internal control system
- Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Operations of the Treadway Commission (COSO) [1]
[1] Committee of Sponsoring Operations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
What is the "Tone at the Top"
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective, Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies…… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place……It is "no longer business as usual" in terms of allocation and spending for non mission essential resources"…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies……to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions, and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator - Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk

Level: Likelihood of Occurrence
e: Nearly Certain (15 to 20)
d: Highly Likely (11 to 14)
c: Likely (8 to 10)
b: Unlikely (5 to 7)
a: Remote (4)

Level: Consequence of Occurrence
1: Minimal/No Impact (6)
2: Minor Impact (7 to 14)
3: Moderate Impact (15 to 19)
4: Severe Impact (20 to 24)
5: Unacceptable Impact (25 to 30)

Level: Overall Risk Rating
Red – High
Yellow - Medium
Green – Low

Risk matrix (rows: Likelihood level; columns: Consequences level; R = Red, Y = Yellow, G = Green)
     1  2  3  4  5
e    Y  R  R  R  R
d    G  Y  R  R  R
c    G  Y  Y  R  R
b    G  G  Y  Y  R
a    G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance"
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post Article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s)/Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Process flow diagram: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification - Detailed Description; Approval By Contracting Officer. Markers: R-1, C]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back - In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Historically - Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
Focus on Timelines and Format "Paper-Drill Exercise"
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Self-Reporting - Punitive Versus Incentivized
• Candor not part of culture - i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications

Current Emphasis - Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
Focus on Risk
Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Self-Reporting - Incentivize Versus Punish
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
"Clean Audits" - 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives……however eliminating these problems requires that their underlying causes be addressed"¹
GAO - DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste," May 01, 1997
² GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation, based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Slide: Process Flow (markers R-1)]
[Slides: Appointment Letter for Component's MICP Coordinator]
[Slides: Appointment Letter for Assessable Unit Manager]
GAO - "High Risks"
• Business Transformation
• Business System Modernization
• Financial Management
• Supply Chain Management
• Weapon System Acquisition
DoD Inspector General - "Challenges"
• Financial Management
• Acquisition Processes and Contract Mgt
• Joint Warfighter and Readiness
• Cyber Security
• Health Care
• Equipping and Training Afghan National Security Forces
• The Nuclear Enterprise
Risk - Embarrassment to the Command - (Loss of Life, Loss of Dollars, Loss of Credibility)
Military Services
• Sexual Harassment
• Suicide
• Contracting
• Procurement
• Negligent Discharge of Sensitive Information
Statutory Requirements
The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
Requires agencies to establish and maintain and assert to the effectiveness of internal controls over operations and compliance with laws and regulations
Revised OMB Circular A-123
Included Management's Responsibility of Internal Controls over financial reporting
The Chief Financial Officers Act of 1990 (CFO Act)
Requires agency CFOs to develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls
The Federal Financial Management Improvement Act of 1996 / OMB Circular No. A-127
Instructs agencies to maintain integrated financial management systems complying with Federal systems requirements, Federal financial accounting standards and USSGL at the transaction level
End State is Not Auditable Financial Statements, But a Culture That Supports Continuous Business Process Improvement --- That Will Result and Sustain Accurate, Timely and Complete Financial Information
Past: Review and Reporting of Risk - "Paper Drill"
• Reliance upon auditors
• Impact - Mitigation of risk after the mission negatively impacted
Future: Review and Reporting of Risk - Part of Component's Culture - Value Added
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
So What
Limited Scope; Emphasis on Requirement; One point in time
Coverage of all functions; Emphasis on most efficient and effective way to meet requirement; Daily review
Emphasis Upon Auditable Financial Statements
How do we minimize risk to the Component - Risk is defined as "the potential that a chosen action or activity will lead to a loss"
Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness
If you rely upon an outside audit service to identify and report on control deficiencies - it is too late (e.g., embarrassment and negative impact to mission)
The MICP Assessments Include Functions of an Organization
Appendix A
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
• RDT&E
• Major System Acq
• Procurement
• Contract Admin
• Commo
• Intel & Secur
• Property Mgmt
• Supply
• Mfg, Maint & Repair
• Force Readiness
• Comptroller & RM
• Personnel & Org
• Info Tech
• FMFIA Over Financial Reporting
• Support Svcs
• Security Assist
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g., DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
[Slide: DoD Consolidated Audit Strategy Overview]
High Level Observations and Common Themes
Common Themes | Challenges | Questions to Consider

Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  - "Tone-at-the-Top" and regular Senior Leader involvement
  - Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  - Independent MICP and FIAR offices closely collaborate
  - Mutual validation of control testing and corrective action plans
  - External audits inform assessments and resource prioritization
• Focus on Sustainment
  - Phased approach to document process, risks, control activities and test procedures
  - Group and Individual training on documentation, assessment and reporting
  - Corrective Action Plans include stakeholders, actions, dates and target end-state
  - Empower AUMs to assess, identify, improve, fix and report on program health
  - Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  - SharePoint document library is accessible to AUMs, leadership, entire agency
  - All documents from process to control test results easy to locate
  - Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach - encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why / How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other, as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book - i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book - Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
What is the "Tone at the Top"?
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective
Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings - Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award - Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution, titled FY 2013 Managers' Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen. Allen communicated in his 18 October 2012 Memorandum, titled, FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior, to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess, to include retrograde.

USFOR-A CDR
SUBJECT: FY 2013 Managers' Internal Control Program

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces - Afghanistan

DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies... We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place... It is "no longer business as usual" in terms of allocation and spending for non mission essential resources"... I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies... to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"... It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation - Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator - Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example - Risk Matrix
Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating
Red (R) - High
Yellow (Y) - Medium
Green (G) - Low

Matrix labels: Inherent Risk; Mitigated Risk

                 Consequences
Likelihood    1   2   3   4   5
e             Y   R   R   R   R
d             G   Y   R   R   R
c             G   Y   Y   R   R
b             G   G   Y   Y   R
a             G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.

Status Quo
Status quo, a commonly used form of the original Latin "statu quo" (literally "the state in which"), is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.

Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"

Washington Post article titled "Gen. Petraeus: No Sugar-Coated Optimism" by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011:
"In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"

American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009:
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" - (leadership is the courage and integrity to do the right thing and to communicate the message - of not what superiors want to hear but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"

An effective Managers' Internal Control Program - Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander's Emergency Response Program [1]
Assessable Units / Internal Controls
Identification | Approval | Funding | Payment(s) | Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back - In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk

Process steps: Acquisition Planning | Funding | Acquisition Methods | Contract Types | Competition
Full and Open Competition: Yes / No
Justification | Detailed Description | Approval By Contracting Officer
Flowchart markers: R-1, C, C, R-1

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically - Reactive (What Does Management Want to Hear)

Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses

Focus on Timelines and Format - "Paper-Drill Exercise"
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Self-Reporting - Punitive Versus Incentivized
• Candor not part of culture - i.e. "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications

Current Emphasis - Proactive (What Does Management Need to Hear)

Reliance Upon Resources in Component
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses

Focus on Risk Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon

Self-Reporting - Incentivize Versus Punish
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions

End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources

"Clean Audits" - 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives... however, eliminating these problems requires that their underlying causes be addressed" [1]

GAO - DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results

[1] GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
[2] GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR [1] Strategy Defines Focus Areas, Set Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements

To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow (markers R-1, R-1)]
[Figure: Appointment Letter for Component's MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
GAO - "High Risks"
• Business Transformation
• Business System Modernization
• Financial Management
• Supply Chain Management
• Weapon System Acquisition

If you rely upon an outside auditor to advise on risk, it is too late
Commander's priorities become the MICP priorities for execution, assessment and sustainment
Need framework to ensure "continuous business process improvement" - (sustainment of corrective actions)

DoD Inspector General - "Challenges"
• Financial Management
• Acquisition Processes and Contract Mgt
• Joint Warfighter and Readiness
• Cyber Security
• Health Care
• Equipping and Training Afghan National Security Forces
• The Nuclear Enterprise

Risk - Embarrassment to the Command - (Loss of Life, Loss of Dollars, Loss of Credibility)

Military Services
• Sexual Harassment
• Suicide
• Contracting
• Procurement
• Negligent Discharge of Sensitive Information
Statutory Requirements

The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
Requires agencies to establish and maintain and assert to the effectiveness of internal controls over operations and compliance with laws and regulations

Revised OMB Circular A-123
Included Management's Responsibility of Internal Controls over financial reporting

The Chief Financial Officers Act of 1990 (CFO Act)
Requires agency CFOs to develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls

The Federal Financial Management Improvement Act of 1996 / OMB Circular No. A-127
Instructs agencies to maintain integrated financial management systems complying with Federal systems requirements, Federal financial accounting standards and USSGL at the transaction level

End State is Not Auditable Financial Statements, But a Culture That Supports Continuous Business Process Improvement --- That Will Result and Sustain Accurate, Timely and Complete Financial Information
So What

Past: Review and Reporting of Risk - "Paper Drill"
• Reliance upon auditors
• Impact - Mitigation of risk after the mission negatively impacted
Limited Scope
Emphasis on Requirement
One point in time

Future: Review and Reporting of Risk - Part of Component's Culture - Value Added
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
Coverage of all functions
Emphasis on most efficient and effective way to meet requirement
Daily review

Emphasis Upon Auditable Financial Statements
How do we minimize risk to the Component - Risk is defined as "the potential that a chosen action or activity will lead to a loss"
Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness
If you rely upon an outside audit service to identify and report on control deficiencies - it is too late (e.g. embarrassment and negative impact to mission)
The MICP Assessments Include Functions of an Organization
Appendix A
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
• RDT&E
• Major System Acq
• Procurement
• Contract Admin
• Commo
• Intel & Secur
• Property Mgmt
• Supply
• Mfg, Maint & Repair
• Force Readiness
• Comptroller & RM
• Personnel & Org
• Info Tech
• FMFIA Over Financial Reporting
• Support Svcs
• Security Assist
Roles and Responsibilities

OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g. DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training

Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams

4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams

Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview

High Level Observations and Common Themes
(Common Themes | Challenges | Questions to Consider)

Common Theme: Documentation
Challenges
• Missing documentation to support transactions (e.g. bills, timesheets)
Questions to Consider
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e. in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Common Theme: Standard Operating Procedures / End-to-End Process Documentation
Challenges
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g. Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Common Theme: Systems
Challenges
• Inability to support that all transactions from source systems (e.g. Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Common Theme: Property
Challenges
• Lack of progress on counting and recording of assets
Questions to Consider
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue (2) monitors and reports on progress (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g. Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  - "Tone-at-the-Top" and regular Senior Leader involvement
  - Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  - Independent MICP and FIAR offices closely collaborate
  - Mutual validation of control testing and corrective action plans
  - External audits inform assessments and resource prioritization
• Focus on Sustainment
  - Phased approach to document process risks, control activities and test procedures
  - Group and Individual training on documentation, assessment and reporting
  - Corrective Action Plans include stakeholders, actions, dates and target end-state
  - Empower AUMs to assess, identify, improve, fix and report on program health
  - Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  - SharePoint document library is accessible to AUMs, leadership, entire agency
  - All documents from process to control test results easy to locate
  - Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach - encouraging the use of Enterprise Risk Management (ERM)
Strengthen Decision Making
Improvement Information Flow
Why / How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes

Benefits
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
The Federal Enterprise Risk Management Framework
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book - i.e. prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016 develop and document an annual documented risk profile/risk inventory
  - In FY 2017 build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile

• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book - Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e. service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards

GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [1]

[1] Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
What is the "Tone at the Top"?
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective:
Need Senior Management's Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers' Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects; drawdown of USFOR-A accompanied by a proportionate reduction of supply requests; limits in the number of civilian and contractor hires to only mission critical requirements; identification and reduction of excess property, supplies, and ammunition; and the proper disposition of excess to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers' Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force / United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place… It is 'no longer business as usual' in terms of allocation and spending for non-mission essential resources… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an 'outside audit agency'… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating: R = Red – High, Y = Yellow – Medium, G = Green – Low

Likelihood (rows) by Consequences (columns)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post Article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Documentation of Processes, Controls, and Risk
Assessable Units
Internal Controls
Identification, Approval, Funding, Payment(s), Execution, Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Take Two Steps Back – In Order To Take One Step Forward
Need to Document (at "transaction level") GRAP Related Processes, Controls, and Risk
Flow diagram labels: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers C and R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
Focus on Timelines and Format "Paper-Drill Exercise"
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
Focus on Risk
Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Self-Reporting – Incentivize Versus Punish
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SMEs' Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
Basic Principles for the Department's Managers' Internal Control Program
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
"Clean Audits" – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed"¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
² GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
o budgetary information and
o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (labelled R-1)
Appointment Letter for Component's MICP Coordinator
Appointment Letter for Assessable Unit Manager
Statutory Requirements
The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
Requires agencies to establish and maintain and assert to the effectiveness of internal controls over operations and compliance with laws and regulations
Revised OMB Circular A-123
Included Management's Responsibility of Internal Controls over financial reporting
The Chief Financial Officers Act of 1990 (CFO Act)
Requires agency CFOs to develop and maintain an integrated agency accounting and financial management system, including financial reporting and internal controls
The Federal Financial Management Improvement Act of 1996 / OMB Circular No. A-127
Instructs agencies to maintain integrated financial management systems complying with Federal systems requirements, Federal financial accounting standards, and USSGL at the transaction level
End State is Not Auditable Financial Statements, But a Culture That Supports Continuous Business Process Improvement --- That Will Result and Sustain Accurate, Timely, and Complete Financial Information
Past: Review and Reporting of Risk – "Paper Drill"
• Reliance upon auditors
• Impact – Mitigation of risk after the mission negatively impacted
Future: Review and Reporting of Risk – Part of Component's Culture - Value Added
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
So What
Limited Scope
Emphasis on Requirement
One point in time
Coverage of all functions
Emphasis on most efficient and effective way to meet requirement
Daily review
Emphasis Upon Auditable Financial Statements
How do we minimize risk to the Component – Risk is defined as "the potential that a chosen action or activity will lead to a loss"
Loss: Life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy, and completeness
If you rely upon an outside audit service to identify and report on control deficiencies – it is too late (e.g., embarrassment and negative impact to mission)
The MICP Assessments Include Functions of an Organization
Appendix A
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
RDT&E
Major System Acq
Procurement
Contract Admin
Commo
Intel & Secur
Property Mgmt
Supply
Mfg, Maint & Repair
Force Readiness
Comptroller & RM
Personnel & Org
Info Tech
FMFIA Over Financial Reporting
Support Svcs
Security Assist
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g., DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
Common Themes, Challenges, Questions to Consider

Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed, and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions, and
- Engage SAOs Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– "Tone-at-the-Top" and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process, risks, control activities, and test procedures
– Group and Individual training on documentation, assessment, and reporting
– Corrective Action Plans include stakeholders, actions, dates, and target end-state
– Empower AUMs to assess, identify, improve, fix, and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents, from process to control test results, easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government’s approach – encouraging the use of Enterprise Risk Management (ERM)
Strengthen Decision Making
Improve Information Flow
Why / How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management’s responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e. prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
- In FY 2016 develop and document an annual risk profile/risk inventory
- In FY 2017 build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile

• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD’s internal control system
- Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e. service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards

GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1

1 Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Through
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers Internal Control Program

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander / Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Level   Overall Risk Rating
R       Red – High
Y       Yellow - Medium
G       Green – Low

                 Consequences
Likelihood    1    2    3    4    5
    e         Y    R    R    R    R
    d         G    Y    R    R    R
    c         G    Y    Y    R    R
    b         G    G    Y    Y    R
    a         G    G    G    Y    Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer if you blunt truths or create an environment where candor is not encouraged then you’ve done yourself and the institution a disservice”

“In the early days of the surge Gen Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen Petraeus: No Sugar-Coated Optimism” by Col Michael E Haith (Ret), United States Army, July 6 2011

“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25 2009

An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program1
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s) | Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
[Process flow diagram. Stages: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition. Decision: Full and Open Competition (Yes / No). Steps: Justification, Detailed Description, Approval By Contracting Officer. Markers on the diagram: C, R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Current Emphasis – Proactive (What Does Management Need to Hear)

Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish

• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SMEs’ Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however eliminating these problems requires that their underlying causes be addressed”1
GAO – DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results

1 GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01 1997
2 GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR1 Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
o budgetary information and
o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
Past: Review and Reporting of Risk – “Paper Drill”
• Reliance upon auditors
• Impact – Mitigation of risk after the mission negatively impacted
Future: Review and Reporting of Risk – Part of Component’s Culture - Value Added
• Reliance upon internal expertise
• Impact - Identification and mitigation of inefficiencies before Command negatively impacted
So What
Limited Scope / Emphasis on Requirement / One point in time
Coverage of all functions / Emphasis on most efficient and effective way to meet requirement / Daily review
Emphasis Upon Auditable Financial Statements
How do we minimize risk to the Component – Risk is defined as “the potential that a chosen action or activity will lead to a loss”
Loss: life, funds, reputation (embarrassment), timeliness, accuracy, security, privacy and completeness
If you rely upon an outside audit service to identify and report on control deficiencies – it is too late (e.g. embarrassment and negative impact to mission)
The MICP Assessments Include Functions of an Organization
Appendix A
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
• RDT&E
• Major System Acq
• Procurement
• Contract Admin
• Commo
• Intel & Secur
• Property Mgmt
• Supply
• Mfg, Maint & Repair
• Force Readiness
• Comptroller & RM
• Personnel & Org
• Info Tech
• FMFIA Over Financial Reporting
• Support Svcs
• Security Assist
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g. DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
Table columns: Common Themes | Challenges | Questions to Consider

Common Theme: Documentation
Challenges:
• Missing documentation to support transactions (e.g. bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e. in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Common Theme: Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g. Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Common Theme: Systems
Challenges:
• Inability to support that all transactions from source systems (e.g. Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Common Theme: Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g. Tiger Team, to provide focused resources for assessments and development of corrective actions and
- Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– "Tone-at-the-Top" and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process, risks, control activities and test procedures
– Group and Individual training on documentation, assessment and reporting
– Corrective Action Plans include stakeholders, actions, dates and target end-state
– Empower AUMs to assess, identify, improve, fix and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents from process to control test results easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach – encouraging the use of Enterprise Risk Management (ERM)
Strengthen Decision Making
Improvement Information Flow
Why / How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other, as depicted below
The Federal Enterprise Risk Management Framework
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e. prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
- In FY 2016, develop and document an annual documented risk profile/risk inventory
- In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD's internal control system
- Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e. service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
What is the "Tone at the Top"
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective
Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior, to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess, to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force, United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place…It is "no longer business as usual" in terms of allocation and spending for non mission essential resources"…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies…to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"…It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander / Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level | Likelihood of Occurrence
e | Nearly Certain (15 to 20)
d | Highly Likely (11 to 14)
c | Likely (8 to 10)
b | Unlikely (5 to 7)
a | Remote (4)

Level | Consequence of Occurrence
1 | Minimal/No Impact (6)
2 | Minor Impact (7 to 14)
3 | Moderate Impact (15 to 19)
4 | Severe Impact (20 to 24)
5 | Unacceptable Impact (25 to 30)

Overall Risk Rating: Red (R) – High; Yellow (Y) - Medium; Green (G) – Low

Likelihood (rows) by Consequences (columns):
Likelihood | 1 | 2 | 3 | 4 | 5
e | Y | R | R | R | R
d | G | Y | R | R | R
c | G | Y | Y | R | R
b | G | G | Y | Y | R
a | G | G | G | Y | Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post Article titled "Gen Petraeus: No Sugar-Coated Optimism" by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Documentation of Processes, Controls and Risk
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s) | Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Process flow: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification Detailed Description; Approval By Contracting Officer. Flow labels: C, R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Themes: Reliance Upon Outside Audit Agencies; Focus on Timelines and Format, "Paper-Drill Exercise"; Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Themes: Reliance Upon Resources in Component; Focus on Risk, Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SMEs' Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990

Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions

Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies

Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources

"Clean Audits" – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives... however eliminating these problems requires that their underlying causes be addressed" (1)
GAO – DoD High Risk Areas (2)
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1 Cultural Barriers and Parochialism
2 Lack of Incentives to Implement Change
3 Deficient Management Data
4 Unclear Results-Oriented Goals and Performance Measures
5 Lack of Management Accountability

Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results

(1) GAO testimony to Congress "DoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste" May 01, 1997
(2) GAO report to congressional committees "High-Risk Series An Update" (GAO-13-283) February 2013
DoD FIAR (1) Strategy Defines Focus Areas, Set Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
(1) DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow (risk marker R-1)]
[Figure: Appointment Letter for Component's MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
Appendix A
The MICP Assessment Includes Functions of an Organization
MICP Addresses Risk For All Key Operational and Financial Functions
DoDI 5010.40 Provides Definitions
• RDT&E
• Major System Acq
• Procurement
• Contract Admin
• Commo
• Intel & Secur
• Property Mgmt
• Supply
• Mfg, Maint & Repair
• Force Readiness
• Comptroller & RM
• Personnel & Org
• Info Tech
• FMFIA Over Financial Reporting
• Support Svcs
• Security Assist
Roles and Responsibilities

OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress to include NFR tracking
• Leads critical capabilities (e.g., DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training

Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams

4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams

Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
Common Themes, Challenges and Questions to Consider

Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  – "Tone-at-the-Top" and regular Senior Leader involvement
  – Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  – Independent MICP and FIAR offices closely collaborate
  – Mutual validation of control testing and corrective action plans
  – External audits inform assessments and resource prioritization
• Focus on Sustainment
  – Phased approach to document process risks, control activities and test procedures
  – Group and Individual training on documentation, assessment and reporting
  – Corrective Action Plans include stakeholders, actions, dates and target end-state
  – Empower AUMs to assess, identify, improve, fix and report on program health
  – Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  – SharePoint document library is accessible to AUMs, leadership, entire agency
  – All documents from process to control test results easy to locate
  – Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision
Processes
1 Creates and protects value
2 Integral part of all organizational processes
3 Part of decision making
4 Addresses uncertainty
5 Systemic structured and timely
6 Based on best information available
7 Tailored and responsive to evolving risk profile of agency
8 Takes human and cultural factors into account
9 Transparent and inclusive
10 Dynamic iterative and responsive to change
11 Facilitates continual improvement
Benefits
Risk Profiles Should Include
Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks
when developing strategic objectives related to activities and
operations - Prioritization of the most significant risks
1 Identification of Objectives
2 Identification of Risk
3 Inherent Risk Assessment
4 Risk Response
5 Residual Risk Assessment
6 Proposed Action
7 Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016 develop and document an annual documented risk profile/risk inventory
  - In FY 2017 build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk OMB recommends
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards

GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1)

(1) Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System

Control Environment
1 Demonstrates commitment to integrity and ethical values
2 Exercises oversight responsibilities
3 Establishes structure, authority and responsibility
4 Demonstrates commitment to competence
5 Enforces accountability

Risk Assessment
6 Defines objectives and risk tolerances
7 Identifies, analyzes and responds to risk
8 Assesses fraud risk
9 Identifies, analyzes and responds to change

Control Activities
10 Designs control activities
11 Selects and develops general controls for the information system
12 Deploys and implements control activities

Information and Communication
13 Uses relevant quality information
14 Communicates internally
15 Communicates externally

Monitoring Activities
16 Performs ongoing monitoring activities
17 Evaluates issues and remediates deficiencies
What is the "Tone at the Top"

"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.

For a Managers' Internal Control Program to be effective
Need Senior Management's Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION

SUBJECT FY 2013 Managers Internal Control Program (MICP)

1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c Department of Defense Instruction 5010.40, 29 July 2010

2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity not change and I intend to proceed on this same azimuth with even greater focus and attention.

3 The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.

USFOR-A CDR
SUBJECT FY 2013 Managers Internal Control Program

4 Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies we will actively support USFOR-As efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers resources that we have been entrusted with to execute our mission it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5 The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the commands mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6 The point of contact for this request is Mr R Steven Silverstein, DoD Civilian GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies... We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place... It is "no longer business as usual" in terms of allocation and spending for non mission essential resources"... I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies... to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"... It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A Identify Functional Areas
B Identify Assessable Units
C Assign Assessable Unit Manager(s)
D Document Key Processes and Controls
E Assess/Test Internal Controls
F Communicate and Prioritize Risk
G Align Risk with Command Priorities
H Mitigate Risk Through Remediation
I Report in SOA "Material" Findings
J Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment

Commander/Director; Senior Assessment Team / Senior Management Council
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges

MICP Coordinator (Direct Report to Chief of Staff)
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP

Assessable Unit Managers
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Departments SOA
Documentation of Deficiency

INTERNAL CONTROL EVALUATION CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT
4 FUNCTION
5 EVALUATION CONDUCTED BY (Name: Last, First, MI)
6 METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7 REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (Signature/Date)
12 DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Matrix markers: Mitigated Risk, Inherent Risk

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating: R = Red – High, Y = Yellow - Medium, G = Green – Low

                 Consequences
Likelihood   1   2   3   4   5
e            Y   R   R   R   R
d            G   Y   R   R   R
c            G   Y   Y   R   R
b            G   G   Y   Y   R
a            G   G   G   Y   Y
Groupthink
"Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance"

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness

Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are

Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer if you blunt truths or create an environment where candor is not encouraged then you've done yourself and the institution a disservice"

Washington Post Article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
"In the early days of the surge Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"

American Forces Press Service "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"

An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program (1)
Documentation of Processes, Controls and Risk
Assessable Units / Internal Controls
Phases: Identification, Approval, Funding, Payment(s), Execution, Closure

• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller

(1) Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report, January 2011
[Figure: process flow with the steps Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition; decision "Full and Open Competition" (Yes / No); Justification (Detailed Description); Approval By Contracting Officer; markers C and R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies; Focus on Timelines and Format "Paper-Drill Exercise"; Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component; Focus on Risk Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by "resident experts" of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
"Clean Audits" – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives … however eliminating these problems requires that their underlying causes be addressed" [1]
GAO – DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
[1] GAO testimony to Congress, "DoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste," May 01, 1997
[2] GAO report to congressional committees, "High-Risk Series An Update" (GAO-13-283), February 2013
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
DoD FIAR [1] Strategy Defines Focus Areas, Sets Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow, with risk marker R-1]
[Figure: Appointment Letter for Component's MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g., DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
(Table columns: Common Themes, Challenges, Questions to Consider)

Common Theme: Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Common Theme: Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Common Theme: Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Common Theme: Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue (2) monitors and reports on progress (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  – "Tone-at-the-Top" and regular Senior Leader involvement
  – Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  – Independent MICP and FIAR offices closely collaborate
  – Mutual validation of control testing and corrective action plans
  – External audits inform assessments and resource prioritization
• Focus on Sustainment
  – Phased approach to document process, risks, control activities and test procedures
  – Group and Individual training on documentation, assessment and reporting
  – Corrective Action Plans include stakeholders, actions, dates and target end-state
  – Empower AUMs to assess, identify, improve, fix and report on program health
  – Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  – SharePoint document library is accessible to AUMs, leadership, entire agency
  – All documents from process to control test results easy to locate
  – Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's
approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision
Processes
1 Creates and protects value
2 Integral part of all organizational processes
3 Part of decision making
4 Addresses uncertainty
5 Systemic structured and timely
6 Based on best information available
7 Tailored and responsive to evolving risk profile of agency
8 Takes human and cultural factors into account
9 Transparent and inclusive
10 Dynamic iterative and responsive to change
11 Facilitates continual improvement
Benefits
Risk Profiles Should Include
Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks
when developing strategic objectives related to activities and
operations - Prioritization of the most significant risks
1 Identification of Objectives
2 Identification of Risk
3 Inherent Risk Assessment
4 Risk Response
5 Residual Risk Assessment
6 Proposed Action
7 Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [1]
[1] Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
What is the "Tone at the Top"
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective
Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers' Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies … We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place … It is "no longer business as usual" in terms of allocation and spending for non mission essential resources … I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies … to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency" … It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
[Figure: organization boxes labelled Assessable Unit Managers; MICP Coordinator (Direct Report to Chief of Staff); Commander/Director; Senior Assessment Team, Senior Management Council]
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example - Risk Matrix

Likelihood of Occurrence (Level)
e  Nearly Certain (15 to 20)
d  Highly Likely (11 to 14)
c  Likely (8 to 10)
b  Unlikely (5 to 7)
a  Remote (4)

Consequence of Occurrence (Level)
1  Minimal/No Impact (6)
2  Minor Impact (7 to 14)
3  Moderate Impact (15 to 19)
4  Severe Impact (20 to 24)
5  Unacceptable Impact (25 to 30)

Overall Risk Rating (Level)
R  Red - High
Y  Yellow - Medium
G  Green - Low

Matrix (rows: Likelihood level; columns: Consequence level)
     1  2  3  4  5
e    Y  R  R  R  R
d    G  Y  R  R  R
c    G  Y  Y  R  R
b    G  G  Y  Y  R
a    G  G  G  Y  Y
Groupthink
"Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance."
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness
Status Quo
Status quo, a commonly used form of the original Latin "statu quo" - literally "the state in which" - is a Latin term meaning the current or existing state of affairs.[1] To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" - (leadership is the courage and integrity to do the right thing and to communicate the message - of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program - Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program1
Assessable Units
Internal Controls
Identification Approval Funding Payment(s)Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Flowchart: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers R-1 and C]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Need to Take Two Steps Back - In order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Historically - Reactive (What Does Management Want to Hear)
Current Emphasis - Proactive (What Does Management Need to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format "Paper-Drill Exercise"
Self-Reporting - Punitive Versus Incentivized
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting - Incentivize Versus Punish
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture - i.e. "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
Basic Principles for the Department's Managers' Internal Control Program
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
"Clean Audits" - 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives... however, eliminating these problems requires that their underlying causes be addressed"1
GAO - DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01 1997
2 GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas, Set Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow, with markers R-1]
[Figure: Appointment Letter for Component's MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
Roles and Responsibilities
OUSD (DCFO & PSAs)
• Provides Strategy/Guidance
• Monitors progress, to include NFR tracking
• Leads critical capabilities (e.g. DoD-wide policies, UOT)
• Provides Audit Infrastructure
• Audit liaison
• End to end process documentation
• Internal control program
• Training
Service Providers (DFAS)
• Fund balance with Treasury Reconciliation for 4th Estate
• Journal Voucher root cause analysis
• Implement corrective actions for audit findings and support 4th Estate audits/exams
4th Estate Components
• Develop and implement corrective actions
• Establish internal policies and procedures
• Monitor internal control compliance
• Establish MOUs and engage with the Service Providers
• Establish internal audit liaison team to support audits/exams
Critical Capability Success Requires Stable Support
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
Common Themes, Challenges and Questions to Consider

Documentation
Challenges:
• Missing documentation to support transactions (e.g. bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e. in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g. Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Systems
Challenges:
• Inability to support that all transactions from source systems (e.g. Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my asset types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g. Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs, Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  - "Tone-at-the-Top" and regular Senior Leader involvement
  - Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  - Independent MICP and FIAR offices closely collaborate
  - Mutual validation of control testing and corrective action plans
  - External audits inform assessments and resource prioritization
• Focus on Sustainment
  - Phased approach to document process risks, control activities and test procedures
  - Group and Individual training on documentation, assessment and reporting
  - Corrective Action Plans include stakeholders, actions, dates and target end-state
  - Empower AUMs to assess, identify, improve, fix and report on program health
  - Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  - SharePoint document library is accessible to AUMs, leadership, entire agency
  - All documents from process to control test results easy to locate
  - Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach - encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
The Federal Enterprise Risk Management Framework
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book - i.e. prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e. service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency's system of internal controls
Bottom Line Up Front
GAO's Green Book
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1
1 Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the "Tone at the Top"
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees
For a Managers' Internal Control Program to be effective
Need Senior Management's Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings - Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award - Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers' Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity not change and I intend to proceed on this same azimuth with even greater focus and attention
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde
USFOR-A CDR
SUBJECT: FY 2013 Managers' Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources
6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force / United States Forces - Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies... We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)

Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)

Level  Overall Risk Rating
R      Red – High
Y      Yellow – Medium
G      Green – Low

Likelihood (rows) by Consequences (columns)
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
“Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance”

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness

Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally “the state in which” – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are

Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”

“In the early days of the surge, Gen Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E. Haith (Ret), United States Army, July 6, 2011

“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009

An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program (1)
Assessable Units
Internal Controls
Identification Approval Funding Payment(s)Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
(1) Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk

Process flow: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition
Full and Open Competition: Yes / No
Justification
Detailed Description
Approval By Contracting Officer
R-1  C  C  R-1

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions

End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed” (1)

GAO – DoD High Risk Areas (2)
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results

(1) GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
(2) GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR (1) Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
(1) DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
DoD Consolidated Audit Strategy Overview
High Level Observations and Common Themes
(Common Themes, Challenges, Questions to Consider)

Common Theme: Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Common Theme: Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Common Theme: Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user’s role?

Common Theme: Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed and (4) will they be implemented prior to the audit
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO’s Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
- Engage SAOs Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– “Tone-at-the-Top” and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process, risks, control activities and test procedures
– Group and Individual training on documentation, assessment and reporting
– Corrective Action Plans include stakeholders, actions, dates and target end-state
– Empower AUMs to assess, identify, improve, fix and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents from process to control test results easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government’s approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
The Federal Enterprise Risk Management Framework
A-123 defines management’s responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016 develop and document an annual documented risk profile/risk inventory
  - In FY 2017 build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards

GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1)

(1) Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change

Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities

Information and Communication
13. Uses relevant, quality information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
USFOR-ACDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT FY 2013 Managers Internal Control Program (MICP)
1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program 18 October 2012
b Army Regulation 11-2) Managers Internal Control Program 26 March 2012 c Department of Defense
Instruction 50104029 July 2010
2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region As Gen Allen communicated in his 18 October 2012 Memorandum
titled) FY 2013 Managers Internal Control Program (MICP) it is no longer business as usual in terms of allocation and spending for non-mission essential
resources We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent) to execute its plans set priorities strengthen
management responsibilities gauge progress against goals and make adjustments as needed This is a time for continuity not change and I intend to
proceed on this same azimuth with even greater focus and attention
3 The DoD MICP has recently undergone a paradigm shift in focus This new direction takes a risk-based results-oriented approach It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational financial program and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests limits in the number of civilian and contractor hires to only mission critical requirements identification and reduction of excess
property) supplies) and ammunition and the proper disposition of excess to include retrograde
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
SUBJECT: FY 2013 Managers' Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs, instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.”
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls, and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator, Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low

Likelihood   Consequences
             1   2   3   4   5
e            Y   R   R   R   R
d            G   Y   R   R   R
c            G   Y   Y   R   R
b            G   G   Y   Y   R
a            G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.

Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.

Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice.”

Washington Post article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011:
“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success.”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him.”

American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009:
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”

An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Documentation of Processes, Controls, and Risk
Assessable Units
Internal Controls
Identification Approval Funding Payment(s)Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls, and Risk

Acquisition Planning
Funding
Acquisition Methods
Contract Types
Competition
Full and Open Competition: Yes / No
Justification
Detailed Description
Approval By Contracting Officer
R-1 C C R-1

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format: “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk: Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions

End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990

Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions

Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies

Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources

“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed”¹

GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

• Need for consistent and proactive “tone-at-the-top”
• Empowerment irrespective of grade or rank
• Strengthening processes, controls, and systems
• Focus initially on accuracy and reliability of management information for mission critical assets
• Goals, performance measures, and time frames for completing corrective actions
• “Top-level” management held accountable and have authority and flexibility to achieve the desired results

¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities, and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements

To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component's MICP Coordinator
Appointment Letter for Assessable Unit Manager
High Level Observations and Common Themes
Common Themes / Challenges / Questions to Consider

Documentation
Challenges:
• Missing documentation to support transactions (e.g., bills, timesheets)
Questions to Consider:
• Do I know what documents support what transactions throughout a transaction lifecycle?
• Does the documentation contain the appropriate approvals?
• Who or what system can they be obtained from?
• Can they be retrieved timely (i.e., in many cases within 3 business days) for the audit?
• Are they retained for the required amount of time?

Standard Operating Procedures / End-to-End Process Documentation
Challenges:
• Lack of understanding of the entire process life-cycle and the beginning to end business processes, to include functions performed by another organization on your behalf
• Documented business processes do not always align to actual business processes
Questions to Consider:
• Are my policies and procedures up to date?
• Do they accurately reflect what I am doing and the controls/safeguards in place throughout the process?
• Who participates in doing my business (e.g., Service Providers)? What do they do for me? What systems are key? Have I written down their roles and responsibilities anywhere? Do we have an agreement documenting the specific activities and controls they perform on my behalf and what documentation is to be provided during audit/examinations?

Systems
Challenges:
• Inability to support that all transactions from source systems (e.g., Contract Writing System)
• Information Technology controls (security measures) were ineffective or not in place, such as unauthorized users having access to system
Questions to Consider:
• Have system controls been tested using FISCAM?
• Can I generate user listings?
• Do the access forms match a user's role?

Property
Challenges:
• Lack of progress on counting and recording of assets
Questions to Consider:
• Do I have a complete repository/inventory listing of my assets types?
• Does it reconcile to my accounting system?
• Are the assets depreciated properly?
• Are capitalization thresholds correct?
• Are my asset values correct?

Develop a plan to move forward that (1) identifies and addresses the root cause of the issue, (2) monitors and reports on progress, (3) provides evidence that the problem has been fixed, and (4) will be implemented prior to the audit.
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
  - Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
  - Monitor remediation activities, Corrective Action Plan (CAP) progress throughout the fiscal year, and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
  - Validate test results and implementation of CAPs
  - Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
  - Engage SAOs, Action Officers, and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  – “Tone-at-the-Top” and regular Senior Leader involvement
  – Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  – Independent MICP and FIAR offices closely collaborate
  – Mutual validation of control testing and corrective action plans
  – External audits inform assessments and resource prioritization
• Focus on Sustainment
  – Phased approach to document process, risks, control activities, and test procedures
  – Group and Individual training on documentation, assessment, and reporting
  – Corrective Action Plans include stakeholders, actions, dates, and target end-state
  – Empower AUMs to assess, identify, improve, fix, and report on program health
  – Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  – SharePoint document library is accessible to AUMs, leadership, entire agency
  – All documents, from process to control test results, easy to locate
  – Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's
approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision
Processes
1 Creates and protects value
2 Integral part of all organizational processes
3 Part of decision making
4 Addresses uncertainty
5 Systemic structured and timely
6 Based on best information available
7 Tailored and responsive to evolving risk profile of agency
8 Takes human and cultural factors into account
9 Transparent and inclusive
10 Dynamic iterative and responsive to change
11 Facilitates continual improvement
Benefits
Risk Profiles Should Include
Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks
when developing strategic objectives related to activities and
operations - Prioritization of the most significant risks
1 Identification of Objectives
2 Identification of Risk
3 Inherent Risk Assessment
4 Risk Response
5 Residual Risk Assessment
6 Proposed Action
7 Proposed Action Category
The Federal Enterprise Risk Management Framework
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management.
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below

• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile

• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards

GAO's “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing, and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹

¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change

Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities

Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies

Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management's leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.

For a Managers' Internal Control Program to be effective, Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force / United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This
new direction takes a risk-based, results-oriented approach. It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational,
financial, program, and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencies… We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear.
“My intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial, operational, and administrative controls are in place… It is “no
longer business as usual” in terms of allocation and spending for non
mission essential resources”… I want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencies… to
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an “outside audit agency”… It is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level: Likelihood of Occurrence
e  Nearly Certain (15 to 20)
d  Highly Likely (11 to 14)
c  Likely (8 to 10)
b  Unlikely (5 to 7)
a  Remote (4)
Level: Consequence of Occurrence
1  Minimal/No Impact (6)
2  Minor Impact (7 to 14)
3  Moderate Impact (15 to 19)
4  Severe Impact (20 to 24)
5  Unacceptable Impact (25 to 30)
Level: Overall Risk Rating
Red (R) – High
Yellow (Y) - Medium
Green (G) – Low
Risk matrix (rows: Likelihood; columns: Consequences)
     1  2  3  4  5
e    Y  R  R  R  R
d    G  Y  R  R  R
c    G  Y  Y  R  R
b    G  G  Y  Y  R
a    G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups
of people. Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints. Causes loss of individual creativity, uniqueness, and
independent thinking. Also collective optimism and collective
avoidance”
Candor
Candor is unstained purity,
freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original
Latin statu quo – literally the state in which – is
a Latin term meaning the current or existing state
of affairs. To maintain the status quo is to keep
the things the way they presently are
Change
Change in an organization is shifting/transitioning
individuals, teams, and organizations from a
current state to a desired future state. It is an
organizational process aimed at empowering
employees to recommend, accept, and embrace
changes in their current business environment
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E Haith (Ret), United States Army, July 6, 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that
are involved in the operational, administrative, and program processes and
procedures to self-report inefficiencies (i.e., risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program¹
Documentation of Processes, Controls, and Risk
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s) | Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Acquisition Planning | Funding | Acquisition Methods | Contract Types | Competition
Full and Open Competition: Yes / No
Justification: Detailed Description
Approval By Contracting Officer
R-1  C  C  R-1
Justification provides a detailed description of why it is not possible or
practical to obtain full and open competition for the
procurement/acquisition (to include only one responsible source, unusual
and compelling urgency, authorization or required by statute, etc.). Contracting
Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or
does not enforce the requirements towards a detailed and complete
explanation
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls, and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
Focus on Timelines and Format “Paper-Drill Exercise”
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e., “group-think.” Threat of retribution for self-reporting “bad news”
• Filtered communications
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
Focus on Risk
Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Self-Reporting – Incentivize Versus Punish
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency,
3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund,
5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General,
8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings, and
enacted specific legislation initiatives… however, eliminating these problems requires
that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste,” May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
o budgetary information and
o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both
General Funds (GF) and Working Capital Funds (WCF) as follows:
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be
met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes,
controls, systems, and related documentation based on the results of the application of the
methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws
and regulations that have a direct and material impact on the Department’s consolidated financial
statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items
included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line
items
[Figure: Process Flow]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO’s Action Officers throughout the
fiscal year regarding outputs obtained from on-going audit readiness efforts and
previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities/Corrective Action Plan (CAP) progress throughout the
fiscal year and status via the Notification of Findings and Recommendations (NFR)
Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g., Tiger Team, to provide focused resources for
assessments and development of corrective actions and
- Engage SAOs Action Officers and Component MICP Coordinators to ensure
prioritization of remediation efforts of material weaknesses previously self reported in
the annual SOA and subsequently identified during the fiscal year by SAOs and
FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– “Tone-at-the-Top” and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process risks, control activities, and test procedures
– Group and Individual training on documentation, assessment, and reporting
– Corrective Action Plans include stakeholders, actions, dates, and target end-state
– Empower AUMs to assess, identify, improve, fix, and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents from process to control test results easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government’s
approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why / How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision
Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured, and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative, and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks
when developing strategic objectives related to activities and
operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management’s responsibilities for Enterprise Risk Management and includes
requirements for identifying and managing risks related to mission-support and other
operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from
mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so
that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place
(the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and
report on the effectiveness of internal controls over operations and financial reporting, the
revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the
agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
- In FY 2016, develop and document an annual documented risk profile/risk inventory
- In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in
establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to
more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support
functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief
Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the
Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those
objectives
• Internal control is a process executed by DoD management that provides reasonable
assurance that the agency’s mission and objectives (operations, reporting, compliance)
will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD’s internal control system
- Include oversight bodies, risk assessments, communication, identifying problems
and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level
controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing, and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document
Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the
increasingly complex and global business environment so that organizations worldwide can better design, implement, and
assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud
deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the "Tone at the Top"?
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective:
Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers' Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force / United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place… It is "no longer business as usual" in terms of allocation and spending for non-mission essential resources… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear."
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls, and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator (Direct Report to Chief of Staff)
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)
Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)
Overall Risk Rating: R = Red – High, Y = Yellow – Medium, G = Green – Low
Matrix (rows: Likelihood, columns: Consequences; marked on the slide: Inherent Risk, Mitigated Risk)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin "statu quo" – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Documentation of Processes, Controls and Risk
Assessable Units: Identification, Approval, Funding, Payment(s), Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Acquisition Planning
Funding
Acquisition Methods
Contract Types
Competition
Full and Open Competition: Yes / No
Justification - Detailed Description
Approval By Contracting Officer
C   R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format "Paper-Drill Exercise"
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
"Clean Audits" – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed"¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
2 GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
o budgetary information and
o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component's MICP Coordinator
Appointment Letter for Assessable Unit Manager
• Integration of FIAR and MICP
• The OUSD FIAR MICP Team will collaborate with SAO's Action Officers throughout the fiscal year regarding outputs obtained from on-going audit readiness efforts and previously reported material internal control deficiencies to:
- Provide oversight for MICP operations across TI-97 Entities (Fourth Estate)
- Monitor remediation activities Corrective Action Plan (CAP) progress throughout the fiscal year and status via the Notification of Findings and Recommendations (NFR) Tracker Tool
- Validate test results and implementation of CAPs
- Standup status working groups, e.g., Tiger Team, to provide focused resources for assessments and development of corrective actions and
- Engage SAOs Action Officers and Component MICP Coordinators to ensure prioritization of remediation efforts of material weaknesses previously self reported in the annual SOA and subsequently identified during the fiscal year by SAOs and FIAR
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
– "Tone-at-the-Top" and regular Senior Leader involvement
– Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
– Independent MICP and FIAR offices closely collaborate
– Mutual validation of control testing and corrective action plans
– External audits inform assessments and resource prioritization
• Focus on Sustainment
– Phased approach to document process, risks, control activities, and test procedures
– Group and Individual training on documentation, assessment, and reporting
– Corrective Action Plans include stakeholders, actions, dates, and target end-state
– Empower AUMs to assess, identify, improve, fix, and report on program health
– Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
– SharePoint document library is accessible to AUMs, leadership, entire agency
– All documents from process to control test results easy to locate
– Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government's approach – encouraging the use of Enterprise Risk Management (ERM)
Why
• Strengthen Decision Making
• Improvement Information Flow
How
• Sustainment of Support From the Top
• Addressing Power Concentrated in Silos
• Overcoming Culture of Caution
• Integration of Risk Management into Organizational Decision Processes
Benefits
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured, and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative, and responsive to change
11. Facilitates continual improvement
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
- In FY 2016, develop and document an annual documented risk profile/risk inventory
- In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD's internal control system
- Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
GAO's Green Book – Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAOrsquos ldquoGreen BookrdquoFederal Managersrsquo
Financial Integrity Act (FMFIA)
bull Provides the internal control standards for
federal agencies for both program and financial
management
bull The standards provide management criteria for
designing implementing and operating an
internal control system
bull The standards retain the five components of
internal control but introduce 17 principles
bull These principles were adopted from the
Committee of Sponsoring Operations of the
Treadway Commission (COSO)1
1 Committee of Sponsoring Operations of the Treadway Commission (COSO) - On May 14 2013 the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document
Internal Control - Integrated Framework COSOrsquos goal in updating the framework was to increase its relevance in the
increasingly complex and global business environment so that organizations worldwide can better design implement and
assess internal control COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management internal control and fraud
deterrence The AICPA is a member of COSO 22
Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective:
Need Senior Management’s Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION

SUBJECT: FY 2013 Managers Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess, to include retrograde.

USFOR-A CDR
SUBJECT: FY 2013 Managers Internal Control Program

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies…… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place……It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies……to prevent a problem before it occurs, instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator (Direct Report to Chief of Staff)
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Level   Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low

              Consequences
Likelihood    1   2   3   4   5
e             Y   R   R   R   R
d             G   Y   R   R   R
c             G   Y   Y   R   R
b             G   G   Y   Y   R
a             G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E Haith (Ret), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls, and Risk
Commander’s Emergency Response Program1
Assessable Units: Identification, Approval, Funding, Payment(s) Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls, and Risk
[Flowchart: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition; decision "Full and Open Competition" (Yes / No); Justification, Detailed Description; Approval By Contracting Officer; markers C and R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format: “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk: Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives……however, eliminating these problems requires that their underlying causes be addressed”1
GAO – DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste,” May 01, 1997
2 GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR1 Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow, with markers R-1]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
(Defense Security Cooperation Agency (DSCA))
• Senior Oversight & Involvement
  – “Tone-at-the-Top” and regular Senior Leader involvement
  – Frequent communication with leaders at all levels
• Partnership with FIAR & Audit Liaison Offices
  – Independent MICP and FIAR offices closely collaborate
  – Mutual validation of control testing and corrective action plans
  – External audits inform assessments and resource prioritization
• Focus on Sustainment
  – Phased approach to document process risks, control activities, and test procedures
  – Group and Individual training on documentation, assessment, and reporting
  – Corrective Action Plans include stakeholders, actions, dates, and target end-state
  – Empower AUMs to assess, identify, improve, fix, and report on program health
  – Recognize AUMs and leaders for thorough documentation and improvements
• MICP Library
  – SharePoint document library is accessible to AUMs, leadership, entire agency
  – All documents from process to control test results easy to locate
  – Central repository for AUM assessment reporting simplifies SOA preparation
The OMB has recently launched a major reassessment of the government’s approach – encouraging the use of Enterprise Risk Management (ERM) +
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured, and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative, and responsive to change
11. Facilitates continual improvement
Benefits
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
The Federal Enterprise Risk Management Framework
A-123 defines management’s responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile

• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency’s system of internal controls
Bottom Line Up Front
GAO’s Green Book
21
22
bull Section 3512 (c) and (d) of the
United States Code
bull Requires that Federal agency
executives periodically review and
annually report on the agencyrsquos
internal controls
bull FMFIA requires the Comptroller
General to prescribe internal control
standards
GAOrsquos ldquoGreen BookrdquoFederal Managersrsquo
Financial Integrity Act (FMFIA)
bull Provides the internal control standards for
federal agencies for both program and financial
management
bull The standards provide management criteria for
designing implementing and operating an
internal control system
bull The standards retain the five components of
internal control but introduce 17 principles
bull These principles were adopted from the
Committee of Sponsoring Operations of the
Treadway Commission (COSO)1
1 Committee of Sponsoring Operations of the Treadway Commission (COSO) - On May 14 2013 the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document
Internal Control - Integrated Framework COSOrsquos goal in updating the framework was to increase its relevance in the
increasingly complex and global business environment so that organizations worldwide can better design implement and
assess internal control COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management internal control and fraud
deterrence The AICPA is a member of COSO 22
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective:
Need Senior Management’s Support Through
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies…… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place……It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies……to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator (Direct Report to Chief of Staff)
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)
Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)
Level   Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low
Likelihood (rows) by Consequences (columns)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Matrix labels: Inherent Risk, Mitigated Risk
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally “the state in which” – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program1
Documentation of Processes, Controls and Risk
Assessable Units: Identification, Approval, Funding, Payment(s) Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Process: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition
Competition flow: Full and Open Competition (Yes / No), Justification, Detailed Description, Approval By Contracting Officer
Diagram markers: R-1, C, C, R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies; Focus on Timelines and Format (“Paper-Drill Exercise”); Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component; Focus on Risk Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives……however, eliminating these problems requires that their underlying causes be addressed”1
GAO – DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
• Need for consistent and proactive “tone-at-the-top”
• Empowerment irrespective of grade or rank
• Strengthening processes, controls, and systems
• Focus initially on accuracy and reliability of management information for mission critical assets
• Goals, performance measures, and time frames for completing corrective actions
• “Top-level” management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
2 GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR1 Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o Budgetary information, and
  o Mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (diagram not reproduced; markers: R-1, R-1)
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
The OMB has recently launched a major reassessment of the government’s approach – encouraging the use of Enterprise Risk Management (ERM)
Why
• Strengthen Decision Making
• Improvement Information Flow
How
• Sustainment of Support From the Top
• Addressing Power Concentrated in Silos
• Overcoming Culture of Caution
• Integration of Risk Management into Organizational Decision Processes
Benefits
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured, and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative, and responsive to change
11. Facilitates continual improvement
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management’s responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below
The Federal Enterprise Risk Management Framework (figure)
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency’s system of internal controls
Bottom Line Up Front
GAO’s Green Book
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces - Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This
new direction takes a risk-based, results-oriented approach. It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational,
financial, program, and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencies... We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
"My intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial, operational, and administrative controls are in place... It is "no
longer business as usual" in terms of allocation and spending for non-mission
essential resources"... I want you to remain proactive in the self-identification
of issues and self-reporting of internal control deficiencies... to
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an "outside audit agency"... It is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation - Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
An Example - Risk Matrix
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Inherent Risk
Mitigated Risk
Risk Assessment Results - High RISK
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)
Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)
Level   Overall Risk Rating
R       Red - High
Y       Yellow - Medium
G       Green - Low
Likelihood (rows) by Consequences (columns)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Groupthink
"Groupthink is a psychological phenomenon that occurs within groups
of people. Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints. Causes loss of individual creativity, uniqueness, and
independent thinking. Also collective optimism and collective
avoidance"
Candor
Candor is unstained purity,
freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original
Latin statu quo - literally "the state in which" - is
a Latin term meaning the current or existing state
of affairs. To maintain the status quo is to keep
the things the way they presently are
Change
Change in an organization is shifting/transitioning
individuals, teams, and organizations from a
current state to a desired future state. It is an
organizational process aimed at empowering
employees to recommend, accept, and embrace
changes in their current business environment
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"
"In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post Article titled "Gen. Petraeus: No Sugar-Coated Optimism" by Col Michael E Haith (Ret), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" - (leadership is the courage and integrity to do the right thing and to communicate the message - of not what superiors want to hear but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program - Empowers those that
are involved in the operational, administrative, and program processes and
procedures to self-report inefficiencies (i.e., risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program¹
Assessable Units
Internal Controls
Identification, Approval, Funding, Payment(s), Execution, Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Acquisition Planning
Funding
Acquisition Methods
Contract Types
Competition
Full and Open Competition: Yes / No
Justification - Detailed Description
Approval By Contracting Officer
R-1 C C R-1
Justification provides a detailed description of why it is not possible or
practical to obtain full and open competition for the
procurement/acquisition (to include only one responsible source, unusual
and compelling urgency, authorization or required by statute, etc.). Contracting
Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or
does not enforce the requirements towards a detailed and complete
explanation
Need to Take Two Steps Back - In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
Historically - Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format "Paper-Drill Exercise"
Self-Reporting - Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture - i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis - Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting - Incentivize Versus Punish
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial
Management Practices to the Federal Government
Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely, and Consistent
Financial Information for Use By the Executive
Branch of the Government and the Congress in the Financing, Management,
and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of
Accounting, Financial Management, and Internal
Controls to Assure the Issuance of Reliable Financial
Information and to Deter Fraud, Waste, and Abuse of
Government Resources
"Clean Audits" - 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency,
3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund,
5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General,
8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings, and
enacted specific legislation initiatives... however, eliminating these problems requires
that their underlying causes be addressed"¹
GAO - DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
² GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities, and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
o budgetary information, and
o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component's MICP Coordinator
Appointment Letter for Assessable Unit Manager
The OMB has recently launched a major reassessment of the government's
approach - encouraging the use of Enterprise Risk Management (ERM)
Strengthen Decision Making
Improvement Information Flow
Why How
Sustainment of Support From the Top
Addressing Power Concentrated in Silos
Overcoming Culture of Caution
Integration of Risk Management into Organizational Decision Processes
Benefits
1. Creates and protects value
2. Integral part of all organizational processes
3. Part of decision making
4. Addresses uncertainty
5. Systemic, structured, and timely
6. Based on best information available
7. Tailored and responsive to evolving risk profile of agency
8. Takes human and cultural factors into account
9. Transparent and inclusive
10. Dynamic, iterative, and responsive to change
11. Facilitates continual improvement
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks
when developing strategic objectives related to activities and
operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes
requirements for identifying and managing risks related to mission-support and other
operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below
The Federal Enterprise Risk Management Framework
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and
report on the effectiveness of internal controls over operations and financial reporting, the
revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book - i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
- In FY 2016, develop and document an annual risk profile/risk inventory
- In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
- Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
- Have a pervasive effect on the DoD's internal control system
- Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
GAO's Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing, and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document
Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the
increasingly complex and global business environment so that organizations worldwide can better design, implement, and
assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud
deterrence. The AICPA is a member of COSO.
1 Demonstrates commitment to integrity and ethical values
2 Exercises oversight responsibilities
3 Establishes structure authority and responsibility
4 Demonstrates commitment to competence
5 Enforces accountability
Control Environment
6 Defines objectives and risk tolerances
7 Identifies analyzes and responds to risk
8 Assesses fraud risk
9 Identifies analyzes and responds to change
Risk Assessment
23
Control Activities
10Designs control activities
11Selects and develops general controls for the information system
12Deploys and implements control activities
Information and Communication
13Uses relevant quality information
14Communicates internally
15Communicates externally
Monitoring Activities
16Performs ongoing monitoring activities
17Evaluates issues and remediates deficiencies
Provides Criteria for Designing Implementing and Operating an Effective Internal
Control System
24
2525
What is the ldquoTone at the Toprdquo
ldquoTone at the Toprdquo is a term that is used to define managementrsquos leadership and commitment towards
openness honesty integrity and ethical behavior It is the most important component of the control
environment The tone at the top is set by all levels of management and has a trickle-down effect on all
employees
For a Managersrsquo Internal Control Program to be effective
Need Senior Managementrsquos Support Thru
bull Communication - Management must clearly communicate its ethics and values throughout the
area they manage These values could be communicated formally through written codes of conduct
and policies staff meetings memos etc or informally during day to day operations
bull Active Participation - Kick-Off and Quarter Meetings ndash Discussions relevant to internal controls
and associated risks
bull Reporting - Create and promote path for employees to self-report and feel safe from retaliation
bull Reward Active Participation - Creation of Commanderrsquos Award ndash Recognition of Successful Internal
Control Activity
26
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers' Internal Control Program, 18 October 2012.
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012.
c. Department of Defense Instruction 5010.40, 29 July 2010.
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum, titled FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior, to include limitation on new construction projects; drawdown of USFOR-A accompanied by a proportionate reduction of supply requests; limits in the number of civilian and contractor hires to only mission critical requirements; identification and reduction of excess property, supplies, and ammunition; and the proper disposition of excess, to include retrograde.
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces - Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies... We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place... It is "no longer business as usual" in terms of allocation and spending for non-mission essential resources"... I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies... to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"... It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation - Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
[Organization chart labels: Assessable Unit Managers; MICP Coordinator (Direct Report to Chief of Staff); Commander/Director; Senior Assessment Team, Senior Management Council]
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example - Risk Matrix

Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)

Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)

Overall Risk Rating
R      Red - High
Y      Yellow - Medium
G      Green - Low

Likelihood (rows) by Consequences (columns)
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness.
Status Quo
Status quo, a commonly used form of the original Latin "statu quo" - literally "the state in which" - is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike."
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice."
"In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success."
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him."
Washington Post article titled "Gen Petraeus No Sugar-Coated Optimism" by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" - (leadership is the courage and integrity to do the right thing and to communicate the message - of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009
An effective Managers' Internal Control Program - Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program (1)
Documentation of Processes, Controls and Risk
Assessable Units: Identification, Approval, Funding, Payment(s), Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
(1) Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back - In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls and Risk
[Process flow diagram. Box labels: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer. Markers: C, R-1.]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically - Reactive (What Does Management Want to Hear)
Column headings: Reliance Upon Outside Audit Agencies; Focus on Timelines and Format ("Paper-Drill Exercise"); Self-Reporting - Punitive Versus Incentivized
Current Emphasis - Proactive (What Does Management Need to Hear)
Column headings: Reliance Upon Resources in Component; Focus on Risk, Report Supported by Documentation of MICP Process; Self-Reporting - Incentivize Versus Punish
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture - i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
• Reliance upon analysis by "resident experts" analysis of assessable units to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department's Managers' Internal Control Program
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SMEs' Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
"Clean Audits" - 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives... however, eliminating these problems requires that their underlying causes be addressed" (1)
GAO - DoD High Risk Areas (2)
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results
(1) GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
(2) GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
DoD FIAR (1) Strategy Defines Focus Areas, Sets Priorities and Serves as the Department's Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
(1) DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow; markers labelled R-1]
Appointment Letter for Component's MICP Coordinator
Appointment Letter for Assessable Unit Manager
Risk Profiles Should Include Seven Components
Purpose of a Risk Profile is to provide an analysis of the risks when developing strategic objectives related to activities and operations - Prioritization of the most significant risks
1. Identification of Objectives
2. Identification of Risk
3. Inherent Risk Assessment
4. Risk Response
5. Residual Risk Assessment
6. Proposed Action
7. Proposed Action Category
A-123 defines management's responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program and operational levels needs to be integrated so that levels of activity support each other as depicted below
The Federal Enterprise Risk Management Framework
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk, or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book - i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency's system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency's risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency's mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD's internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
Bottom Line Up Front
GAO's Green Book
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency's entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider's internal controls and impact on entity's system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency's system of internal controls
Federal Managers' Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency's internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO's "Green Book"
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (1)
(1) Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO's goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the "Tone at the Top"?
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managersrsquo Internal Control Program to be effective
Need Senior Managementrsquos Support Thru
bull Communication - Management must clearly communicate its ethics and values throughout the
area they manage These values could be communicated formally through written codes of conduct
and policies staff meetings memos etc or informally during day to day operations
bull Active Participation - Kick-Off and Quarter Meetings ndash Discussions relevant to internal controls
and associated risks
bull Reporting - Create and promote path for employees to self-report and feel safe from retaliation
bull Reward Active Participation - Creation of Commanderrsquos Award ndash Recognition of Successful Internal
Control Activity
26
USFOR-ACDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT FY 2013 Managers Internal Control Program (MICP)
1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program 18 October 2012
b Army Regulation 11-2) Managers Internal Control Program 26 March 2012 c Department of Defense
Instruction 50104029 July 2010
2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region As Gen Allen communicated in his 18 October 2012 Memorandum
titled) FY 2013 Managers Internal Control Program (MICP) it is no longer business as usual in terms of allocation and spending for non-mission essential
resources We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent) to execute its plans set priorities strengthen
management responsibilities gauge progress against goals and make adjustments as needed This is a time for continuity not change and I intend to
proceed on this same azimuth with even greater focus and attention
3 The DoD MICP has recently undergone a paradigm shift in focus This new direction takes a risk-based results-oriented approach It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational financial program and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests limits in the number of civilian and contractor hires to only mission critical requirements identification and reduction of excess
property) supplies) and ammunition and the proper disposition of excess to include retrograde
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
SUBJECT: FY 2013 Managers’ Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General-Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This
new direction takes a risk-based, results-oriented approach. It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational,
financial, program, and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencies… We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
“My intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial, operational, and administrative controls are in place… It is “no
longer business as usual” in terms of allocation and spending for non-mission
essential resources”… I want you to remain proactive in the self-identification
of issues and self-reporting of internal control deficiencies… to
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an “outside audit agency”… It is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating: R = Red – High, Y = Yellow - Medium, G = Green – Low
Chart labels: Mitigated Risk, Inherent Risk

                 Consequences
Likelihood    1   2   3   4   5
    e         Y   R   R   R   R
    d         G   Y   R   R   R
    c         G   Y   Y   R   R
    b         G   G   Y   Y   R
    a         G   G   G   Y   Y
Groupthink
“Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.”
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.”
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success.”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him.”
Washington Post Article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program¹
Documentation of Processes, Controls, and Risk
Assessable Units: Identification, Approval, Funding, Payment(s), Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls, and Risk
Flowchart steps: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition
Full and Open Competition: Yes / No
Justification: Detailed Description
Approval By Contracting Officer
Chart markers: R-1, C, C, R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies | Focus on Timelines and Format “Paper-Drill Exercise” | Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component | Focus on Risk Report Supported by Documentation of MICP Process | Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies
• Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste,” May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities, and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
A-123 defines management’s responsibilities for Enterprise Risk Management and includes requirements for identifying and managing risks related to mission-support and other operations as determined by management
• Agencies are required to develop Risk Profiles which identify risks arising from mission-support and other operations
• Management of risk at strategic, program, and operational levels needs to be integrated so that levels of activity support each other as depicted below
[Figure: The Federal Enterprise Risk Management Framework]
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy, and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template, and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors, and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation, and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing, and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement, and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers’ Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region. As Gen. Allen communicated in his 18 October 2012 Memorandum
titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential
resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen
management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to
proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess
property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
SUBJECT: FY 2013 Managers’ Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General-Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus This
new direction takes a risk-based results-oriented approach It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational
financial program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencieshelliphellip We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
2929
3030
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator, Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)
Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)
Level   Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low
Risk matrix (rows: Likelihood level; columns: Consequences level)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups
of people. Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints. Causes loss of individual creativity, uniqueness and
independent thinking. Also collective optimism and collective
avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original
Latin “statu quo” – literally “the state in which” – is
a Latin term meaning the current or existing state
of affairs. To maintain the status quo is to keep
the things the way they presently are.
Change
Change in an organization is shifting/transitioning
individuals, teams and organizations from a
current state to a desired future state. It is an
organizational process aimed at empowering
employees to recommend, accept and embrace
changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that
are involved in the operational, administrative and program processes and
procedures to self-report inefficiencies (i.e., risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program¹
Assessable Units
Internal Controls
Identification Approval Funding Payment(s)Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
[Process flow diagram: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification, Detailed Description; Approval By Contracting Officer. Flow markers: R-1, C]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
Focus on Timelines and Format “Paper-Drill Exercise”
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
Focus on Risk
Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Self-Reporting – Incentivize Versus Punish
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service; 2) Defense Contract Audit Agency; 3) Defense Health Agency - Contract Resources Management; 4) Medicare-Eligible Retiree Health Care Fund; 5) Military Retirement Fund; 6) US Army Corps of Engineers - Civil Works; 7) DoD Inspector General; 8) Defense Commissary Agency; 9) Defense Information Systems Agency; and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and
enacted specific legislation initiatives… however, eliminating these problems requires
that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
• Risk Profile is the documented and prioritized overall assessment of the range of specific risks faced by an Agency
• Inherent Risk is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk, or risk before controls)
• Residual Risk is the risk that remains after controls are taken into account (the net risk, or risk after controls)
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions including, but not limited to, the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution titled FY 2013 Managers’ Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus This
new direction takes a risk-based results-oriented approach It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational
financial program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencieshelliphellip We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
2929
3030
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating: R = Red – High, Y = Yellow - Medium, G = Green – Low

Likelihood   Consequences
             1  2  3  4  5
e            Y  R  R  R  R
d            G  Y  R  R  R
c            G  Y  Y  R  R
b            G  G  Y  Y  R
a            G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
Washington Post Article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E Haith (Ret), United States Army, July 6, 2011
“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
American Forces Press Service “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program¹
Assessable Units: Identification, Approval, Funding, Payment(s)/Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
[Flow diagram: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers C and R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives…however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress “DoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees “High-Risk Series An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow, with risk markers R-1]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
While a major portion of the revised A-123 requirements still require agencies to evaluate and report on the effectiveness of internal controls over operations and financial reporting, the revised circular now requires agencies to:
• Provide documented evidence to substantiate compliance with the GAO Green Book – i.e., prove that the agency has met the 17 internal control principles
• Document the effectiveness of the agency’s system of internal control as defined by the GAO Green Book
• Adopt an Enterprise Risk Management framework to manage risks across the agency
  - In FY 2016, develop and document an annual documented risk profile/risk inventory
  - In FY 2017, build on this risk profile and create a methodology to continually build capabilities around identifying new or emerging risks while also monitoring changes to existing risks
• Leverage current Senior Management Council (SMC) or create a SMC to provide governance in establishing risk profiles and overseeing operation of an effective system of internal control. Specifically, to more holistically manage agency risk, OMB recommends:
  - Agencies include the Senior Accountable Officials (as members of the SMC) for mission-support functions, including but not limited to the Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, Chief Acquisitions Officer, the Agency Official for Privacy and the Performance Improvement Officer
• Statements of Assurance should now include a summary of the agency’s risk profile
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Thru
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION

SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution titled FY 2013 Managers’ Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior, to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place…It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies…to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”…It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior Management Council
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example ndash Risk Matrix
Level Likelihood of Occurrence
e Nearly Certain (15 to 20)
d Highly Likely (11 to 14)
c Likely (8 to 10)
b Unlikely (5 to 7)
a Remote (4)
Level Overall Risk Rating
Red ndash High
Yellow - Medium
Green ndash Low
Level Consequence of Occurrence
1 MinimalNo Impact (6)
2 Minor Impact (7 to 14)
3 Moderate Impact (15 to 19)
4 Severe Impact (20 to 24)
5Unacceptable Impact (25 to 30)
1 2 3 4 5
Y R R R R e
G Y R R R d
G Y Y R R c
G G Y Y R b
G G G Y Y a
Consequences
Lik
eli
ho
od
3838
3939
Groupthink
Candor
Groupthink is a psychological phenomenon that occurs within groups
of people Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints Causes loss of individual creativity uniqueness and
independent thinking Also collective optimism and collective
avoidancerdquo
Candor is unstained purity
freedom from prejudice or malice fairness
Change
Status Quo
Status quo a commonly used form of the original
Latin statu quo ndash literally the state in which ndash is
a Latin term meaning the current or existing state
of affairs[1] To maintain the status quo is to keep
the things the way they presently are
Change in an organization is shiftingtransitioning
individuals teams and organizations from a
current state to a desired future state It is an
organizational process aimed at empowering
employees to recommend accept and embrace
changes in their current business environment 4040
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commander’s Emergency Response Program¹ – Documentation of Processes, Controls and Risk
Assessable Units: Identification, Approval, Funding, Payment(s)/Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Process flow (diagram): Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition; Full and Open Competition – Yes / No; Justification – Detailed Description; Approval By Contracting Officer (markers: C, R-1)
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies; Focus on Timelines and Format “Paper-Drill Exercise”; Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component; Focus on Risk Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (diagram)
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
• The DoD has a mission and objectives and formulates strategic plans to achieve those objectives
• Internal control is a process executed by DoD management that provides reasonable assurance that the agency’s mission and objectives (operations, reporting, compliance) will be achieved
• Entity Level Controls
  - Have a pervasive effect on the DoD’s internal control system
  - Include oversight bodies, risk assessments, communication, identifying problems and solutions, and monitoring results
• The Entity Level Controls of the Department of Defense must be documented
• OUSD(C) DCFO developed a template (attached separately) to document entity-level controls that exist
• Requirement: Identify action officer, populate the template and fill any gaps that exist
Bottom Line Up Front: GAO’s Green Book
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e. service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective, Need Senior Management’s Support Through:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers’ Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen. Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
Organization chart boxes: Assessable Unit Managers; MICP Coordinator (Direct Report to Chief of Staff); Commander/Director; Senior Assessment Team / Senior Management Council
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Labels shown: Inherent Risk; Mitigated Risk
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
Level – Likelihood of Occurrence
e  Nearly Certain (15 to 20)
d  Highly Likely (11 to 14)
c  Likely (8 to 10)
b  Unlikely (5 to 7)
a  Remote (4)
Level – Consequence of Occurrence
1  Minimal/No Impact (6)
2  Minor Impact (7 to 14)
3  Moderate Impact (15 to 19)
4  Severe Impact (20 to 24)
5  Unacceptable Impact (25 to 30)
Level – Overall Risk Rating
R  Red – High
Y  Yellow – Medium
G  Green – Low
Likelihood (rows) by Consequences (columns)
     1  2  3  4  5
e    Y  R  R  R  R
d    G  Y  R  R  R
c    G  Y  Y  R  R
b    G  G  Y  Y  R
a    G  G  G  Y  Y
Groupthink
“Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance”
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commanderrsquos Emergency
Response Program1
Assessable
Units
Internal
Controls
Identification Approval Funding Payment(s)Execution Closure
bull Prepare Letter
of Justification
bull Conduct
market
research
bull Solicit bits
bull Gather
required
documents
bull Legal review
bull Commander(s)
approval
bull Project
Purchasing
Officer
submits
Purchase
Requisition
and
Commitment
bull Comptroller
approves
Purchase
Requisition
and
Commitment
bull Project
Purchasing
Officer and
vendor sign
Memorandum of
Agreement
bull Project
Purchasing
Officer submits
signed
Memorandum of
Agreement to
Comptroller
bull Project
Purchasing
Officer monitors
work and
performance
bull Pay Agent
draws funds
from Finance
Officer
bull Pay Agent and
Project
Purchasing
Officer make
payments in
accordance
with
Memorandum
of Agreement
to Comptroller
Unit hands off
project to local
Afghans
bull Pay Agent
clears project
with finance
bull Project
Purchasing
Officer clears
project with
Commander
and Comptroller
Documentation of Processes
Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011 42
42
Acquisition
Planning Funding
Acquisition
Methods
Contract
Types Competition
Full and
Open
Competition
Yes
No
Justification
Detailed
Description
Approval By
Contracting
Officer R-1
C
C
R-1
Justification provides a detailed
description of why it is not possible or
practical to obtain full and open
competition for the
procurementacquisition (to include
only one responsible source unusual
and compelling urgency authorization
or required by statue etc Contracting
Officer signs and dates justification
statement
Contracting Officer approves the
justification but does not review or
does not enforce the requirements
towards a detailed and complete
explanation
Need to Take Two Steps Back ndash
In order To Take One Step Forward
Function - ProcurementAcquisition
Assessable Unit ndash Competition Sole Source
Need to Document (at ldquotransaction lever) GRAP Related
Processes Controls and Risk
43
Historically ndash Reactive (What Does Management Want to Hear)
Current Emphasis ndash Proactive (What Does Management Need to Hear)
Reliance Upon Outside
Audit Agencies Focus on Timelines
and FormatldquoPaper-Drill Exerciserdquo
Self-Reporting ndash
Punitive Versus
Incentivized
Reliance Upon
Resources in
ComponentFocus on Risk
Report Supported by
Documentation of
MICP Process
Self-Reporting ndash
Incentivize Versus
Punish
bull Reliance upon GAO
DoDIG and Military Audit
Services to identify
material internal control
weaknesses
bull Candor not part of culture ndash
ie ldquogroup-thinkrdquo Threat of
retribution for self-reporting
ldquobad newsrdquo
bull Filtered communications
bull Score received by
Component based upon
timeliness of SOA
submission and
adherence to format not
substance of content
bull Ramp-up of submission of
SOA related activities
occur several weeks prior
to submission deadline
versus an ongoing activity
year-round
bull Reliance upon analysis
by ldquoresident expertsrdquo
analysis of assessable
units to identify material
internal control
weaknesses
bull Development of a ldquocost
culturerdquo
bull Reward self-reporting by
all levels of organization
regarding potential risks to
the mission and
recommendations for
mitigation
bull Based upon documentation of
segment of business processes
and procedures identify risk
rank risk and focus upon
greatest risks that may impact
organization
bull Develop SOA content
throughout the year based
upon documentation
internally generated
analyzed and agreed upon
44
44
bull Focus Upon Mission Priorities ndash Driven By Financial and
Operational Risk
bull Develop a Culture of Continuous Business Process
Operational Improvements ndash How
bull Tone-at-the-Top ndash Proactive and Ongoing Support By
Leadership
bull Coverage of Key Operational Financial Functions and
InformationFinancial Systems ndash Through Assignment of
SMEs Embedded in Organization
bull Formal Communication Framework That Ties
Leadership Mission Requirements with Implementation of
Continuous Business Process Improvements Activities
bull Reliance Upon SMErsquos Self-Reporting and Candor in
Communications of the Identification Prioritization
Reporting and Mitigation of Financial and Operational Risk
bull Development and Implementation of operational and
financial risk though ldquoquantifiablerdquo corrective actions
Basic Principles for the
Departmentrsquos Managersrsquo
Internal Control Program
End State
bull Continuous business process improvement
bull Identification prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
bull Assessment of processes and procedures and related information systems at the transaction level
bull Documentation of assessments and corrective actions
bull Ongoing coordination of Componentrsquos mission priorities with prioritization and assessment of operational and financial risk
45
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however, eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste,” May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Slide image: Process Flow]
[Slide image: Appointment Letter for Component’s MICP Coordinator]
[Slide image: Appointment Letter for Assessable Unit Manager]
GAO’s Green Book
Bottom Line Up Front
• Requires entities to demonstrate and assess whether 17 principles are present and functioning in determining if their systems are present and working as intended
• Provides baseline for Inspector General, independent auditors and other related oversight groups in their evaluation of an agency’s entire system of internal control and not just specific activities or transactions (which typically occurred in the past)
• Requires CFOs to place more scrutiny over their entity level controls
• Greater emphasis on the risk assessment process for financial and operational
• Provides responsibilities for shared service provider’s internal controls and impact on entity’s system of internal controls (i.e., service provider and the complementary user entity controls)
• Sets minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal controls
Federal Managers’ Financial Integrity Act (FMFIA)
• Section 3512 (c) and (d) of the United States Code
• Requires that Federal agency executives periodically review and annually report on the agency’s internal controls
• FMFIA requires the Comptroller General to prescribe internal control standards
GAO’s “Green Book”
• Provides the internal control standards for federal agencies for both program and financial management
• The standards provide management criteria for designing, implementing and operating an internal control system
• The standards retain the five components of internal control but introduce 17 principles
• These principles were adopted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)¹
¹ Committee of Sponsoring Organizations of the Treadway Commission (COSO) - On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document Internal Control - Integrated Framework. COSO’s goal in updating the framework was to increase its relevance in the increasingly complex and global business environment so that organizations worldwide can better design, implement and assess internal control. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. The AICPA is a member of COSO.
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes and responds to change
Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities
Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies
Provides Criteria for Designing, Implementing and Operating an Effective Internal Control System
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective
Need Senior Management’s Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers’ Internal Control Program, 18 October 2012.
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012.
c. Department of Defense Instruction 5010.40, 29 July 2010.
2. Warfighting is our business, and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior, to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess, to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers’ Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs, instead of after the mission has been negatively impacted and reported by outside audit agencies…… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place……It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources”…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies……to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
Organizational Participation – Communication Framework
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Commander/Director
Senior Assessment Team / Senior Management Council
MICP Coordinator (Direct Report to Chief of Staff)
Assessable Unit Managers
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix
Risk Assessment Results - High RISK
Inherent Risk
Mitigated Risk
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Level   Overall Risk Rating
R       Red – High
Y       Yellow - Medium
G       Green – Low

                 Consequences
Likelihood   1   2   3   4   5
e            Y   R   R   R   R
d            G   Y   R   R   R
c            G   Y   Y   R   R
b            G   G   Y   Y   R
a            G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin “statu quo” – literally “the state in which” – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
Washington Post article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret), United States Army, July 6, 2011:
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25, 2009:
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program¹
Documentation of Processes, Controls and Risk
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s) | Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Acquisition Planning
Funding
Acquisition Methods
Contract Types
Competition
Full and Open Competition: Yes / No
Justification: Detailed Description
Approval By Contracting Officer
R-1
C
C
R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think.” Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
22
bull Section 3512 (c) and (d) of the
United States Code
bull Requires that Federal agency
executives periodically review and
annually report on the agencyrsquos
internal controls
bull FMFIA requires the Comptroller
General to prescribe internal control
standards
GAOrsquos ldquoGreen BookrdquoFederal Managersrsquo
Financial Integrity Act (FMFIA)
bull Provides the internal control standards for
federal agencies for both program and financial
management
bull The standards provide management criteria for
designing implementing and operating an
internal control system
bull The standards retain the five components of
internal control but introduce 17 principles
bull These principles were adopted from the
Committee of Sponsoring Operations of the
Treadway Commission (COSO)1
1 Committee of Sponsoring Operations of the Treadway Commission (COSO) - On May 14 2013 the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its revisions and updates to the 1992 document
Internal Control - Integrated Framework COSOrsquos goal in updating the framework was to increase its relevance in the
increasingly complex and global business environment so that organizations worldwide can better design implement and
assess internal control COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management internal control and fraud
deterrence The AICPA is a member of COSO 22
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Defines objectives and risk tolerances
7. Identifies, analyzes, and responds to risk
8. Assesses fraud risk
9. Identifies, analyzes, and responds to change

Control Activities
10. Designs control activities
11. Selects and develops general controls for the information system
12. Deploys and implements control activities

Information and Communication
13. Uses relevant quality information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Performs ongoing monitoring activities
17. Evaluates issues and remediates deficiencies

Provides Criteria for Designing, Implementing, and Operating an Effective Internal Control System
What is the "Tone at the Top"?
"Tone at the Top" is a term that is used to define management's leadership and commitment towards openness, honesty, integrity, and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers' Internal Control Program to be effective:
Need Senior Management's Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc., or informally during day-to-day operations
• Active Participation - Kick-Off and Quarter Meetings - Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander's Award - Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION

SUBJECT: FY 2013 Managers Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution, titled FY 2013 Managers Internal Control Program, 18 October 2012.
b. Army Regulation 11-2, Managers Internal Control Program, 26 March 2012.
c. Department of Defense Instruction 5010.40, 29 July 2010.

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals, and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition, and the proper disposition of excess to include retrograde.
USFOR-A CDR
SUBJECT: FY 2013 Managers Internal Control Program

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative, and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces - Afghanistan

DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program, and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
"My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational, and administrative controls are in place… It is "no longer business as usual" in terms of allocation and spending for non-mission essential resources"… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an "outside audit agency"… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear"
Managers' Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA "Material" Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation - Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component's mission and Commander/Director's priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads, and Assessable Unit Managers
• Provides support towards compliance with laws, regulations, and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator - Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems, and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste, or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

An Example - Risk Matrix
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Overall Risk Rating
R       Red - High
Y       Yellow - Medium
G       Green - Low

              Consequences
Likelihood    1   2   3   4   5
e             Y   R   R   R   R
d             G   Y   R   R   R
c             G   Y   Y   R   R
b             G   G   Y   Y   R
a             G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.

Status Quo
Status quo, a commonly used form of the original Latin "statu quo" - literally "the state in which" - is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.

Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
"Challenge conventional wisdom and call things as you see them to subordinates and superiors alike"
"As an officer, if you blunt truths or create an environment where candor is not encouraged, then you've done yourself and the institution a disservice"

"In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success"
"He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him"
Washington Post Article titled "Gen Petraeus No Sugar-Coated Optimism" by Col Michael E. Haith (Ret), United States Army, July 6, 2011

"The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers" - (leadership is the courage and integrity to do the right thing and to communicate the message - of not what superiors want to hear but rather what they need to hear in order to effectively lead)
"To stick out your neck after discussion becomes consensus and consensus ossifies into group think"
American Forces Press Service, "Gates Urges West Point Graduates to be Great Leaders", May 25, 2009

An effective Managers' Internal Control Program - Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander's Emergency Response Program [1]

Assessable Units: Identification, Approval, Funding, Payment(s), Execution, Closure

Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller

Documentation of Processes, Controls, and Risk

[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition
Full and Open Competition: Yes / No
Justification Detailed Description
Approval By Contracting Officer
R-1, C, C, R-1

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.

Need to Take Two Steps Back - In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit - Competition Sole Source
Need to Document (at "transaction level") GRAP Related Processes, Controls, and Risk
Historically - Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format "Paper-Drill Exercise"
Self-Reporting - Punitive Versus Incentivized
• Reliance upon GAO, DoDIG, and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture - i.e., "group-think". Threat of retribution for self-reporting "bad news"
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis - Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting - Incentivize Versus Punish
• Reliance upon analysis of assessable units by "resident experts" to identify material internal control weaknesses
• Development of a "cost culture"
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed, and agreed upon
• Focus Upon Mission Priorities - Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements - How
• Tone-at-the-Top - Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems - Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME's Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting, and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through "quantifiable" corrective actions

Basic Principles for the Department's Managers' Internal Control Program

End State
• Continuous business process improvement
• Identification, prioritization, and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component's mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990

Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions

Provide for the Production of Complete, Reliable, Timely, and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management, and Evaluation of Federal Agencies

Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management, and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste, and Abuse of Government Resources

"Clean Audits" - 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
"GAO has made hundreds of recommendations to DoD, held oversight hearings, and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed" [1]

GAO - DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive "tone-at-the-top"
Empowerment irrespective of grade or rank
Strengthening processes, controls, and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures, and time frames for completing corrective actions
"Top-level" management held accountable and have authority and flexibility to achieve the desired results

[1] GAO testimony to Congress, "DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste", May 01, 1997
[2] GAO report to congressional committees, "High-Risk Series: An Update" (GAO-13-283), February 2013
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track

DoD FIAR [1] Strategy Defines Focus Areas, Sets Priorities, and Serves as the Department's Roadmap for Becoming Audit Ready

[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems, and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department's consolidated financial statements

To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items

Process Flow

Appointment Letter for Component's MICP Coordinator

Appointment Letter for Assessable Unit Manager
1 Demonstrates commitment to integrity and ethical values
2 Exercises oversight responsibilities
3 Establishes structure authority and responsibility
4 Demonstrates commitment to competence
5 Enforces accountability
Control Environment
6 Defines objectives and risk tolerances
7 Identifies analyzes and responds to risk
8 Assesses fraud risk
9 Identifies analyzes and responds to change
Risk Assessment
23
Control Activities
10Designs control activities
11Selects and develops general controls for the information system
12Deploys and implements control activities
Information and Communication
13Uses relevant quality information
14Communicates internally
15Communicates externally
Monitoring Activities
16Performs ongoing monitoring activities
17Evaluates issues and remediates deficiencies
Provides Criteria for Designing Implementing and Operating an Effective Internal
Control System
24
2525
What is the ldquoTone at the Toprdquo
ldquoTone at the Toprdquo is a term that is used to define managementrsquos leadership and commitment towards
openness honesty integrity and ethical behavior It is the most important component of the control
environment The tone at the top is set by all levels of management and has a trickle-down effect on all
employees
For a Managersrsquo Internal Control Program to be effective
Need Senior Managementrsquos Support Thru
bull Communication - Management must clearly communicate its ethics and values throughout the
area they manage These values could be communicated formally through written codes of conduct
and policies staff meetings memos etc or informally during day to day operations
bull Active Participation - Kick-Off and Quarter Meetings ndash Discussions relevant to internal controls
and associated risks
bull Reporting - Create and promote path for employees to self-report and feel safe from retaliation
bull Reward Active Participation - Creation of Commanderrsquos Award ndash Recognition of Successful Internal
Control Activity
26
USFOR-ACDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT FY 2013 Managers Internal Control Program (MICP)
1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program 18 October 2012
b Army Regulation 11-2) Managers Internal Control Program 26 March 2012 c Department of Defense
Instruction 50104029 July 2010
2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region As Gen Allen communicated in his 18 October 2012 Memorandum
titled) FY 2013 Managers Internal Control Program (MICP) it is no longer business as usual in terms of allocation and spending for non-mission essential
resources We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent) to execute its plans set priorities strengthen
management responsibilities gauge progress against goals and make adjustments as needed This is a time for continuity not change and I intend to
proceed on this same azimuth with even greater focus and attention
3 The DoD MICP has recently undergone a paradigm shift in focus This new direction takes a risk-based results-oriented approach It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational financial program and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests limits in the number of civilian and contractor hires to only mission critical requirements identification and reduction of excess
property) supplies) and ammunition and the proper disposition of excess to include retrograde
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
27
USFOR-A CDRSUBJECT FY 2013 Managers Internal Control Program
4 Through our commitment to doing the right thing and being proactive in our identification of remediation of operational program administrative and financial inefficiencies we will activel y support USFOR-As efforts towards an-expeditionary posture as effectively and efficiently as possible By being proper stewards of the valuable taxpayers resources that we have been entrusted with to execute our mission it is imperative that we use candor in our communications We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
5 The USFOR-A Deputy Command i ng General -Support will continue to meet with the USFOR-A MJCP Coordinator each month to ensure the commands mission priorities are aligned with our internal MICP assessments of risk I will be kept abreast of the progress withthis very important requirement Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources
6 The point of contact for this request is Mr R Steven Silverstein DoD Civilian GS-15 DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General US Marine CorpsCommanderInternational Security Assistance Force United States Forces ndash Afghanistan
DISTRIBUTIONDeputy Commander Support -Afghanistan (DCDR-S Afghanistan) United States Forces-Afghanistan Staff (USFOR-A STAFF)Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR) Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR) Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR) Commander United States Forces-Afghanistan (USFOR-A CDR)Commander 1st Theater Sustainment Command (1TSC) V Corps Command (V Corps CDR)Military Information Support Operations (MISTF-A CDR) Deputy Commander USFOR-ACommander ISAF Joint Command (IJC CDR) 28
The DoD MICP has recently undergone a paradigm shift in focus This
new direction takes a risk-based results-oriented approach It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational
financial program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencieshelliphellip We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
2929
3030
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator - Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix

Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)

Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)

Level  Overall Risk Rating
R      Red – High
Y      Yellow - Medium
G      Green – Low

Likelihood (rows) by Consequences (columns)
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin “statu quo” – literally “the state in which” – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”

“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success”
He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011

The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers“ – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009

An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program [1]
Documentation of Processes, Controls and Risk
Assessable Units: Identification, Approval, Funding, Payment(s)/Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Diagram labels: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; C; R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however eliminating these problems requires that their underlying causes be addressed” [1]

GAO – DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results

[1] GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
[2] GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR [1] Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
What is the “Tone at the Top”
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.
For a Managers’ Internal Control Program to be effective, Need Senior Management’s Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
USFOR-A CDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: FY 2013 Managers' Internal Control Program (MICP)
1. References:
a. Memorandum for Distribution, titled FY 2013 Managers' Internal Control Program, 18 October 2012.
b. Army Regulation 11-2, Managers' Internal Control Program, 26 March 2012.
c. Department of Defense Instruction 5010.40, 29 July 2010.
2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers' Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity, not change, and I intend to proceed on this same azimuth with even greater focus and attention.
3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
USFOR-A CDR
SUBJECT: FY 2013 Managers' Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr R Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander United States Forces-Afghanistan (USFOR-A CDR)
Commander 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander USFOR-A
Commander ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This
new direction takes a risk-based, results-oriented approach. It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational,
financial, program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencies…… We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
“My intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial, operational and administrative controls are in place……It is “no
longer business as usual” in terms of allocation and spending for non-mission essential
resources”…I want you to remain proactive in the self-identification of issues and
self-reporting of internal control deficiencies……to prevent a problem before it occurs
instead of after the mission has been negatively impacted and reported by an “outside
audit agency”……It is imperative that we use candor in our communications to ensure that
the execution of management decisions is based upon information our senior leadership
need to hear versus information that is perceived to be desirable to hear”
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example ndash Risk Matrix
Level Likelihood of Occurrence
e Nearly Certain (15 to 20)
d Highly Likely (11 to 14)
c Likely (8 to 10)
b Unlikely (5 to 7)
a Remote (4)
Level Overall Risk Rating
Red ndash High
Yellow - Medium
Green ndash Low
Level Consequence of Occurrence
1 MinimalNo Impact (6)
2 Minor Impact (7 to 14)
3 Moderate Impact (15 to 19)
4 Severe Impact (20 to 24)
5Unacceptable Impact (25 to 30)
1 2 3 4 5
Y R R R R e
G Y R R R d
G Y Y R R c
G G Y Y R b
G G G Y Y a
Consequences
Lik
eli
ho
od
3838
3939
Groupthink
Candor
Groupthink is a psychological phenomenon that occurs within groups
of people Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints Causes loss of individual creativity uniqueness and
independent thinking Also collective optimism and collective
avoidancerdquo
Candor is unstained purity
freedom from prejudice or malice fairness
Change
Status Quo
Status quo a commonly used form of the original
Latin statu quo ndash literally the state in which ndash is
a Latin term meaning the current or existing state
of affairs[1] To maintain the status quo is to keep
the things the way they presently are
Change in an organization is shiftingtransitioning
individuals teams and organizations from a
current state to a desired future state It is an
organizational process aimed at empowering
employees to recommend accept and embrace
changes in their current business environment 4040
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commanderrsquos Emergency
Response Program1
Assessable
Units
Internal
Controls
Identification Approval Funding Payment(s)Execution Closure
bull Prepare Letter
of Justification
bull Conduct
market
research
bull Solicit bits
bull Gather
required
documents
bull Legal review
bull Commander(s)
approval
bull Project
Purchasing
Officer
submits
Purchase
Requisition
and
Commitment
bull Comptroller
approves
Purchase
Requisition
and
Commitment
bull Project
Purchasing
Officer and
vendor sign
Memorandum of
Agreement
bull Project
Purchasing
Officer submits
signed
Memorandum of
Agreement to
Comptroller
bull Project
Purchasing
Officer monitors
work and
performance
bull Pay Agent
draws funds
from Finance
Officer
bull Pay Agent and
Project
Purchasing
Officer make
payments in
accordance
with
Memorandum
of Agreement
to Comptroller
Unit hands off
project to local
Afghans
bull Pay Agent
clears project
with finance
bull Project
Purchasing
Officer clears
project with
Commander
and Comptroller
Documentation of Processes
Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011 42
42
Acquisition
Planning Funding
Acquisition
Methods
Contract
Types Competition
Full and
Open
Competition
Yes
No
Justification
Detailed
Description
Approval By
Contracting
Officer R-1
C
C
R-1
Justification provides a detailed
description of why it is not possible or
practical to obtain full and open
competition for the
procurementacquisition (to include
only one responsible source unusual
and compelling urgency authorization
or required by statue etc Contracting
Officer signs and dates justification
statement
Contracting Officer approves the
justification but does not review or
does not enforce the requirements
towards a detailed and complete
explanation
Need to Take Two Steps Back ndash
In order To Take One Step Forward
Function - ProcurementAcquisition
Assessable Unit ndash Competition Sole Source
Need to Document (at ldquotransaction lever) GRAP Related
Processes Controls and Risk
43
Historically ndash Reactive (What Does Management Want to Hear)
Current Emphasis ndash Proactive (What Does Management Need to Hear)
Reliance Upon Outside
Audit Agencies Focus on Timelines
and FormatldquoPaper-Drill Exerciserdquo
Self-Reporting ndash
Punitive Versus
Incentivized
Reliance Upon
Resources in
ComponentFocus on Risk
Report Supported by
Documentation of
MICP Process
Self-Reporting ndash
Incentivize Versus
Punish
bull Reliance upon GAO
DoDIG and Military Audit
Services to identify
material internal control
weaknesses
bull Candor not part of culture ndash
ie ldquogroup-thinkrdquo Threat of
retribution for self-reporting
ldquobad newsrdquo
bull Filtered communications
bull Score received by
Component based upon
timeliness of SOA
submission and
adherence to format not
substance of content
bull Ramp-up of submission of
SOA related activities
occur several weeks prior
to submission deadline
versus an ongoing activity
year-round
bull Reliance upon analysis
by ldquoresident expertsrdquo
analysis of assessable
units to identify material
internal control
weaknesses
bull Development of a ldquocost
culturerdquo
bull Reward self-reporting by
all levels of organization
regarding potential risks to
the mission and
recommendations for
mitigation
bull Based upon documentation of
segment of business processes
and procedures identify risk
rank risk and focus upon
greatest risks that may impact
organization
bull Develop SOA content
throughout the year based
upon documentation
internally generated
analyzed and agreed upon
44
44
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions

End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources

“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed” [1]

GAO – DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results

[1] GAO testimony to Congress, “DoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01 1997
[2] GAO report to congressional committees, “High-Risk Series An Update” (GAO-13-283), February 2013
DoD FIAR [1] Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track

[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items

[Figure: Process Flow]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
What is the “Tone at the Top”?
“Tone at the Top” is a term that is used to define management’s leadership and commitment towards openness, honesty, integrity and ethical behavior. It is the most important component of the control environment. The tone at the top is set by all levels of management and has a trickle-down effect on all employees.

For a Managers’ Internal Control Program to be effective, Need Senior Management’s Support Thru:
• Communication - Management must clearly communicate its ethics and values throughout the area they manage. These values could be communicated formally through written codes of conduct and policies, staff meetings, memos, etc. or informally during day to day operations
• Active Participation - Kick-Off and Quarter Meetings – Discussions relevant to internal controls and associated risks
• Reporting - Create and promote path for employees to self-report and feel safe from retaliation
• Reward Active Participation - Creation of Commander’s Award – Recognition of Successful Internal Control Activity
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL, AFGHANISTAN
APO AE 09356

USFOR-A CDR
February 2013

MEMORANDUM FOR SEE DISTRIBUTION

SUBJECT: FY 2013 Managers’ Internal Control Program (MICP)

1. References:
a. Memorandum for Distribution, titled FY 2013 Managers’ Internal Control Program, 18 October 2012
b. Army Regulation 11-2, Managers’ Internal Control Program, 26 March 2012
c. Department of Defense Instruction 5010.40, 29 July 2010

2. Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our resources. It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies during this critical stage in our long-term commitment to Afghanistan and the region. As Gen Allen communicated in his 18 October 2012 Memorandum titled, FY 2013 Managers’ Internal Control Program (MICP), it is no longer business as usual in terms of allocation and spending for non-mission essential resources. We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent, to execute its plans, set priorities, strengthen management responsibilities, gauge progress against goals and make adjustments as needed. This is a time for continuity not change and I intend to proceed on this same azimuth with even greater focus and attention.

3. The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies. Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements. We will apply the paradigm shift in our spending behavior to include limitation on new construction projects, drawdown of USFOR-A accompanied by a proportionate reduction of supply requests, limits in the number of civilian and contractor hires to only mission critical requirements, identification and reduction of excess property, supplies, and ammunition and the proper disposition of excess to include retrograde.

4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.

5. The USFOR-A Deputy Commanding General-Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.

6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil

General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan

DISTRIBUTION:
Deputy Commander, Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non-mission essential resources… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework

Formal Communication Framework Built Upon Trust and Empowerment
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units

Assessable Unit Managers
MICP Coordinator – Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
Documentation of Deficiency

INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
An Example – Risk Matrix

Inherent Risk
Risk Assessment Results - High RISK
Mitigated Risk

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level – Likelihood of Occurrence
e – Nearly Certain (15 to 20)
d – Highly Likely (11 to 14)
c – Likely (8 to 10)
b – Unlikely (5 to 7)
a – Remote (4)

Level – Consequence of Occurrence
1 – Minimal/No Impact (6)
2 – Minor Impact (7 to 14)
3 – Moderate Impact (15 to 19)
4 – Severe Impact (20 to 24)
5 – Unacceptable Impact (25 to 30)

Level – Overall Risk Rating
Red (R) – High
Yellow (Y) – Medium
Green (G) – Low

Matrix (rows: Likelihood level; columns: Consequences level)
      1   2   3   4   5
  e   Y   R   R   R   R
  d   G   Y   R   R   R
  c   G   Y   Y   R   R
  b   G   G   Y   Y   R
  a   G   G   G   Y   Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.

Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.

Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”

“In the early days of the surge, Gen Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011

“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009

An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program [1]
Documentation of Processes, Controls and Risk

Assessable Units: Identification, Approval, Funding, Payment(s), Execution, Closure

Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller

[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk

[Flowchart boxes: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification Detailed Description; Approval By Contracting Officer; markers C and R-1]

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Historically ndash Reactive (What Does Management Want to Hear)
Current Emphasis ndash Proactive (What Does Management Need to Hear)
Reliance Upon Outside
Audit Agencies Focus on Timelines
and FormatldquoPaper-Drill Exerciserdquo
Self-Reporting ndash
Punitive Versus
Incentivized
Reliance Upon
Resources in
ComponentFocus on Risk
Report Supported by
Documentation of
MICP Process
Self-Reporting ndash
Incentivize Versus
Punish
bull Reliance upon GAO
DoDIG and Military Audit
Services to identify
material internal control
weaknesses
bull Candor not part of culture ndash
ie ldquogroup-thinkrdquo Threat of
retribution for self-reporting
ldquobad newsrdquo
bull Filtered communications
bull Score received by
Component based upon
timeliness of SOA
submission and
adherence to format not
substance of content
bull Ramp-up of submission of
SOA related activities
occur several weeks prior
to submission deadline
versus an ongoing activity
year-round
bull Reliance upon analysis
by ldquoresident expertsrdquo
analysis of assessable
units to identify material
internal control
weaknesses
bull Development of a ldquocost
culturerdquo
bull Reward self-reporting by
all levels of organization
regarding potential risks to
the mission and
recommendations for
mitigation
bull Based upon documentation of
segment of business processes
and procedures identify risk
rank risk and focus upon
greatest risks that may impact
organization
bull Develop SOA content
throughout the year based
upon documentation
internally generated
analyzed and agreed upon
44
44
bull Focus Upon Mission Priorities ndash Driven By Financial and
Operational Risk
bull Develop a Culture of Continuous Business Process
Operational Improvements ndash How
bull Tone-at-the-Top ndash Proactive and Ongoing Support By
Leadership
bull Coverage of Key Operational Financial Functions and
InformationFinancial Systems ndash Through Assignment of
SMEs Embedded in Organization
bull Formal Communication Framework That Ties
Leadership Mission Requirements with Implementation of
Continuous Business Process Improvements Activities
bull Reliance Upon SMErsquos Self-Reporting and Candor in
Communications of the Identification Prioritization
Reporting and Mitigation of Financial and Operational Risk
bull Development and Implementation of operational and
financial risk though ldquoquantifiablerdquo corrective actions
Basic Principles for the
Departmentrsquos Managersrsquo
Internal Control Program
End State
bull Continuous business process improvement
bull Identification prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
bull Assessment of processes and procedures and related information systems at the transaction level
bull Documentation of assessments and corrective actions
bull Ongoing coordination of Componentrsquos mission priorities with prioritization and assessment of operational and financial risk
45
Purpose of the CFO Act of 1990
Bring More Effective General and Financial
Management Practices to the Federal Government
Through Statutory Provisions
Provide for the Production of Complete Reliable Timely and Consistent
Financial Information for Use By the Executive
Branch of the Government and the Congress in the Financing Management
and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of
Accounting Financial Management and Internal
Controls to Assure the Issuance of Reliable Financial
Information and to Deter Fraud Waste and Abuse of
Government Resources
ldquoClean Auditsrdquo ndash 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency
3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund
5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General
8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps 46
ldquoGAO has made hundreds of recommendations to DoD held oversight hearings and
enacted specific legislation initiativeshelliphelliphowever eliminating these problems requires
that their underlying causes be addressedrdquo1
47
GAO ndash DoD High Risk Areas2
bull Business Transformation
bull Business Systems Modernization
bull Support Infrastructure Management
bull Financial Management
bull Supply Chain Management
bull Weapons Systems Acquisition
bull Contract Management
Underlying
Causes
1 Cultural Barriers and
Parochialism
2 Lack of Incentives to
Implement Change
3 Deficient Management
Data
4 Unclear Results-Oriented
Goals and Performance
Measures
5 Lack of Management
Accountability
Need for consistent and
proactive ldquotone-at-the-toprdquo
Empowerment irrespective of
grade or rank
Strengthening processes
controls and systems
Focus initially on accuracy and
reliability of management
information for mission critical
assets
Goals performance measures
and time frames for
completing corrective actions
ldquoTop-levelrdquo management held
accountable and have authority
and flexibility to achieve the
desired results
471 GAO testimony to Congress ldquoDoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Wasterdquo May 01 1997 2 GAO report to congressional committees ldquoHigh-Risk Series An Updaterdquo (GAO-13-283) February 2013 47
bull Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts
o budgetary information and
o mission critical asset information
bull OUSD(C) has expanded its priorities in support of its audit readiness goals for both
General Funds (GF) and Working Capital Funds (WCF) as follows
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be
met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas Set
Priorities and Serves as the Departmentrsquos
Roadmap for Becoming Audit Ready
1DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate 48
bull Identified Key Tasks focus reporting entities audit readiness efforts on improving their processes
controls systems and related documentation based on the results of the application of the
methodology noted below
bull Adherence to the Methodology will also enable the Department to comply with the most relevant laws
and regulations that have a direct and material impact on the Departmentrsquos consolidated financial
statements
49
To prepare for audit or examination
bull Reporting entities must fully analyze the financial statement line items
included in the scope of its assessable unit
bull Identify all applicable financial statement assertions relative to the line
items
50
51
Process Flow
R-1
R-1
51
52
Appointment Letter for Componentrsquos MICP Coordinator
52
53
Appointment Letter for Componentrsquos MICP Coordinator
53
54
Appointment Letter for Assessable Unit Manager
54
55
Appointment Letter for Assessable Unit Manager
55
What is the ldquoTone at the Toprdquo
ldquoTone at the Toprdquo is a term that is used to define managementrsquos leadership and commitment towards
openness honesty integrity and ethical behavior It is the most important component of the control
environment The tone at the top is set by all levels of management and has a trickle-down effect on all
employees
For a Managersrsquo Internal Control Program to be effective
Need Senior Managementrsquos Support Thru
bull Communication - Management must clearly communicate its ethics and values throughout the
area they manage These values could be communicated formally through written codes of conduct
and policies staff meetings memos etc or informally during day to day operations
bull Active Participation - Kick-Off and Quarter Meetings ndash Discussions relevant to internal controls
and associated risks
bull Reporting - Create and promote path for employees to self-report and feel safe from retaliation
bull Reward Active Participation - Creation of Commanderrsquos Award ndash Recognition of Successful Internal
Control Activity
26
USFOR-ACDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT FY 2013 Managers Internal Control Program (MICP)
1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program 18 October 2012
b Army Regulation 11-2) Managers Internal Control Program 26 March 2012 c Department of Defense
Instruction 50104029 July 2010
2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region As Gen Allen communicated in his 18 October 2012 Memorandum
titled) FY 2013 Managers Internal Control Program (MICP) it is no longer business as usual in terms of allocation and spending for non-mission essential
resources We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent) to execute its plans set priorities strengthen
management responsibilities gauge progress against goals and make adjustments as needed This is a time for continuity not change and I intend to
proceed on this same azimuth with even greater focus and attention
3 The DoD MICP has recently undergone a paradigm shift in focus This new direction takes a risk-based results-oriented approach It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational financial program and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests limits in the number of civilian and contractor hires to only mission critical requirements identification and reduction of excess
property) supplies) and ammunition and the proper disposition of excess to include retrograde
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
27
USFOR-A CDRSUBJECT FY 2013 Managers Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A's efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers' resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command's mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027, or via e-mail RobertSSilversteinafghanswaarmymil
General, U.S. Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non mission essential resources”… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator – Direct Report to Chief of Staff
Commander / Director
Senior Assessment Team / Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department's SOA
Documentation of Deficiency
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Risk Assessment Results - High RISK
Inherent Risk / Mitigated Risk
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix
Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)
Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)
Overall Risk Rating: Red (R) – High; Yellow (Y) – Medium; Green (G) – Low
Likelihood (rows) by Consequences (columns):
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink versus Candor
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance”
Candor is unstained purity; freedom from prejudice or malice; fairness
Change versus Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E. Haith (Ret), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program [1]
Assessable Units / Internal Controls
Identification Approval Funding Payment(s)Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Flowchart labels: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification – Detailed Description; Approval By Contracting Officer; markers C and R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies | Focus on Timelines and Format “Paper-Drill Exercise” | Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occurs several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component | Focus on Risk Report Supported by Documentation of MICP Process | Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts”: analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however, eliminating these problems requires that their underlying causes be addressed” [1]
GAO – DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
[1] GAO testimony to Congress, “DoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
[2] GAO report to congressional committees, “High-Risk Series An Update” (GAO-13-283), February 2013
DoD FIAR [1] Strategy Defines Focus Areas, Sets Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities' audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (figure; flowchart markers R-1)
Appointment Letter for Component’s MICP Coordinator (figure)
Appointment Letter for Assessable Unit Manager (figure)
USFOR-ACDR
February 2013
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT FY 2013 Managers Internal Control Program (MICP)
1 References
a Memorandum for Distribution titled FY 2013 Managers Internal Control Program 18 October 2012
b Army Regulation 11-2) Managers Internal Control Program 26 March 2012 c Department of Defense
Instruction 50104029 July 2010
2 Warfighting is our business and we must accomplish our mission in an environment where there is ever increasing pressure to effectively manage our
resources It is important that you understand my intent towards reliance upon the identification and implementation of fiscal and operational efficiencies
during this critical stage in our long-term commitment to Afghanistan and the region As Gen Allen communicated in his 18 October 2012 Memorandum
titled) FY 2013 Managers Internal Control Program (MICP) it is no longer business as usual in terms of allocation and spending for non-mission essential
resources We need to leverage the USFOR-A MICP to ensure our command maximizes each dollar spent) to execute its plans set priorities strengthen
management responsibilities gauge progress against goals and make adjustments as needed This is a time for continuity not change and I intend to
proceed on this same azimuth with even greater focus and attention
3 The DoD MICP has recently undergone a paradigm shift in focus This new direction takes a risk-based results-oriented approach It requires DoD
Components ensure all levels within their respective organizations are actively engaged in enhancing operational financial program and administrative
internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside
audit agencies Our commitment and support aligns with our efforts to apply constant and vigorous effort in validating critical requirements We will apply
the paradigm shift in our spending behavior to include limitation on new construction projects drawdown of USFOR-A accompanied by a proportionate
reduction of supply requests limits in the number of civilian and contractor hires to only mission critical requirements identification and reduction of excess
property) supplies) and ammunition and the proper disposition of excess to include retrograde
HEADQUARTERS
UNITED STATES FORCES-AFGHANISTAN
KABUL AFGHANISTAN
APO AE 09356
27
USFOR-A CDRSUBJECT FY 2013 Managers Internal Control Program
4 Through our commitment to doing the right thing and being proactive in our identification of remediation of operational program administrative and financial inefficiencies we will activel y support USFOR-As efforts towards an-expeditionary posture as effectively and efficiently as possible By being proper stewards of the valuable taxpayers resources that we have been entrusted with to execute our mission it is imperative that we use candor in our communications We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
5 The USFOR-A Deputy Command i ng General -Support will continue to meet with the USFOR-A MJCP Coordinator each month to ensure the commands mission priorities are aligned with our internal MICP assessments of risk I will be kept abreast of the progress withthis very important requirement Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources
6 The point of contact for this request is Mr R Steven Silverstein DoD Civilian GS-15 DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General US Marine CorpsCommanderInternational Security Assistance Force United States Forces ndash Afghanistan
DISTRIBUTIONDeputy Commander Support -Afghanistan (DCDR-S Afghanistan) United States Forces-Afghanistan Staff (USFOR-A STAFF)Commander Combined Security Transition Command-Afghanistan (CSTC-A CDR) Commander Combined Security Interagency Task Force 435 (CJIATF 435 CDR) Commander Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR) Commander United States Forces-Afghanistan (USFOR-A CDR)Commander 1st Theater Sustainment Command (1TSC) V Corps Command (V Corps CDR)Military Information Support Operations (MISTF-A CDR) Deputy Commander USFOR-ACommander ISAF Joint Command (IJC CDR) 28
The DoD MICP has recently undergone a paradigm shift in focus This
new direction takes a risk-based results-oriented approach It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational
financial program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencieshelliphellip We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
2929
3030
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example ndash Risk Matrix
Level Likelihood of Occurrence
e Nearly Certain (15 to 20)
d Highly Likely (11 to 14)
c Likely (8 to 10)
b Unlikely (5 to 7)
a Remote (4)
Level Overall Risk Rating
Red ndash High
Yellow - Medium
Green ndash Low
Level Consequence of Occurrence
1 MinimalNo Impact (6)
2 Minor Impact (7 to 14)
3 Moderate Impact (15 to 19)
4 Severe Impact (20 to 24)
5Unacceptable Impact (25 to 30)
1 2 3 4 5
Y R R R R e
G Y R R R d
G Y Y R R c
G G Y Y R b
G G G Y Y a
Consequences
Lik
eli
ho
od
3838
3939
Groupthink
Candor
Groupthink is a psychological phenomenon that occurs within groups
of people Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints Causes loss of individual creativity uniqueness and
independent thinking Also collective optimism and collective
avoidancerdquo
Candor is unstained purity
freedom from prejudice or malice fairness
Change
Status Quo
Status quo a commonly used form of the original
Latin statu quo ndash literally the state in which ndash is
a Latin term meaning the current or existing state
of affairs[1] To maintain the status quo is to keep
the things the way they presently are
Change in an organization is shiftingtransitioning
individuals teams and organizations from a
current state to a desired future state It is an
organizational process aimed at empowering
employees to recommend accept and embrace
changes in their current business environment 4040
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commanderrsquos Emergency
Response Program1
Assessable
Units
Internal
Controls
Identification Approval Funding Payment(s)Execution Closure
bull Prepare Letter
of Justification
bull Conduct
market
research
bull Solicit bits
bull Gather
required
documents
bull Legal review
bull Commander(s)
approval
bull Project
Purchasing
Officer
submits
Purchase
Requisition
and
Commitment
bull Comptroller
approves
Purchase
Requisition
and
Commitment
bull Project
Purchasing
Officer and
vendor sign
Memorandum of
Agreement
bull Project
Purchasing
Officer submits
signed
Memorandum of
Agreement to
Comptroller
bull Project
Purchasing
Officer monitors
work and
performance
bull Pay Agent
draws funds
from Finance
Officer
bull Pay Agent and
Project
Purchasing
Officer make
payments in
accordance
with
Memorandum
of Agreement
to Comptroller
Unit hands off
project to local
Afghans
bull Pay Agent
clears project
with finance
bull Project
Purchasing
Officer clears
project with
Commander
and Comptroller
Documentation of Processes
Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011 42
42
[Flowchart: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers C and R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies | Focus on Timelines and Format “Paper-Drill Exercise” | Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component | Focus on Risk Report Supported by Documentation of MICP Process | Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service, 2) Defense Contract Audit Agency, 3) Defense Health Agency - Contract Resources Management, 4) Medicare-Eligible Retiree Health Care Fund, 5) Military Retirement Fund, 6) US Army Corps of Engineers - Civil Works, 7) DoD Inspector General, 8) Defense Commissary Agency, 9) Defense Information Systems Agency, and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives…however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste,” May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow, with marker R-1]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
USFOR-A CDR
SUBJECT: FY 2013 Managers’ Internal Control Program
4. Through our commitment to doing the right thing and being proactive in our identification of remediation of operational, program, administrative and financial inefficiencies, we will actively support USFOR-A’s efforts towards an expeditionary posture as effectively and efficiently as possible. By being proper stewards of the valuable taxpayers’ resources that we have been entrusted with to execute our mission, it is imperative that we use candor in our communications. We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear.
5. The USFOR-A Deputy Commanding General - Support will continue to meet with the USFOR-A MICP Coordinator each month to ensure the command’s mission priorities are aligned with our internal MICP assessments of risk. I will be kept abreast of the progress with this very important requirement. Your proactive participation with these assessments is essential as we identify potential efficiencies commensurate with the planned drawdown of personnel and other resources.
6. The point of contact for this request is Mr. R. Steven Silverstein, DoD Civilian, GS-15, DSN 318-449-4027 or via e-mail RobertSSilversteinafghanswaarmymil
General, US Marine Corps
Commander
International Security Assistance Force
United States Forces – Afghanistan
DISTRIBUTION:
Deputy Commander Support - Afghanistan (DCDR-S Afghanistan)
United States Forces-Afghanistan Staff (USFOR-A STAFF)
Commander, Combined Security Transition Command-Afghanistan (CSTC-A CDR)
Commander, Combined Security Interagency Task Force 435 (CJIATF 435 CDR)
Commander, Special Operations Joint Task Force-Afghanistan (SOJTF-A CDR)
Commander, United States Forces-Afghanistan (USFOR-A CDR)
Commander, 1st Theater Sustainment Command (1TSC)
V Corps Command (V Corps CDR)
Military Information Support Operations (MISTF-A CDR)
Deputy Commander, USFOR-A
Commander, ISAF Joint Command (IJC CDR)
The DoD MICP has recently undergone a paradigm shift in focus. This new direction takes a risk-based, results-oriented approach. It requires DoD Components ensure all levels within their respective organizations are actively engaged in enhancing operational, financial, program and administrative internal controls and in the mitigation of potential risk before it occurs instead of after the mission has been negatively impacted and reported by outside audit agencies… We need to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place… It is “no longer business as usual” in terms of allocation and spending for non mission essential resources”… I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies… to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”… It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
Formal Communication Framework Built Upon Trust and Empowerment
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Assessable Unit Managers
MICP Coordinator (Direct Report to Chief of Staff)
Commander/Director
Senior Assessment Team; Senior Management Council
• Provide oversight of the assessment of the design and effectiveness of internal controls over financial reporting, financial systems and operations in accordance with OMB Circular A-123
• Review and comment on risk ratings and proposed recommendations for corrective action
• Review status of mitigation of previously reported corrective actions
• Determine those financial reporting deficiencies to be reported as material in the Department’s SOA
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix
Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)
Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)
Level  Overall Risk Rating
R      Red – High
Y      Yellow – Medium
G      Green – Low
Risk matrix (rows: Likelihood level; columns: Consequences level)
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen. Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders,” May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
The DoD MICP has recently undergone a paradigm shift in focus This
new direction takes a risk-based results-oriented approach It requires
DoD Components ensure all levels within their respective
organizations are actively engaged in enhancing operational
financial program and administrative internal controls and in the
mitigation of potential risk before it occurs instead of after the
mission has been negatively impacted and reported by outside
audit agencieshelliphellip We need to ensure that the execution of
management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hear
2929
3030
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example – Risk Matrix
Level: Likelihood of Occurrence
e  Nearly Certain (15 to 20)
d  Highly Likely (11 to 14)
c  Likely (8 to 10)
b  Unlikely (5 to 7)
a  Remote (4)
Level: Consequence of Occurrence
1  Minimal/No Impact (6)
2  Minor Impact (7 to 14)
3  Moderate Impact (15 to 19)
4  Severe Impact (20 to 24)
5  Unacceptable Impact (25 to 30)
Level: Overall Risk Rating
R  Red – High
Y  Yellow – Medium
G  Green – Low
Matrix (rows: Likelihood; columns: Consequences)
    1  2  3  4  5
e   Y  R  R  R  R
d   G  Y  R  R  R
c   G  Y  Y  R  R
b   G  G  Y  Y  R
a   G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness, and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs.[1] To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept, and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
Washington Post article titled “Gen. Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011:
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009:
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative, and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Documentation of Processes, Controls and Risk
Commander’s Emergency Response Program¹
Assessable Units
Internal Controls
Identification Approval Funding Payment(s) Execution Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement
to Comptroller
Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Process flow diagram: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers C and R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk, and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives … however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Figure: Process Flow (risk markers R-1)]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place … It is “no longer business as usual” in terms of allocation and spending for non mission essential resources … I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies … to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency” … It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
Organizational Participation – Communication Framework
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
• Formal Communication Framework between senior leadership and MICP
• Clear, focused communications of the Component’s mission and Commander/Director’s priorities and challenges
• Provide status of operational and financial risk by key functional areas
• Formal and informal access to Commander/Directors, Senior Managers, Functional Leads and Assessable Unit Managers
• Provides support towards compliance with laws, regulations and instructions and provides guidance to Component staff on implementation of MICP
• Ongoing communications with MICP Program Manager in confirmation of assessable unit process, controls and related risks. Receiver of feedback from management regarding prior reporting of material risk and changes to requirements towards assessable units
Formal Communication Framework Built Upon Trust and Empowerment
Assessable Unit Managers
MICP Coordinator: Direct Report to Chief of Staff
Commander/Director
Senior Assessment Team / Senior Management Council
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example ndash Risk Matrix
Level Likelihood of Occurrence
e Nearly Certain (15 to 20)
d Highly Likely (11 to 14)
c Likely (8 to 10)
b Unlikely (5 to 7)
a Remote (4)
Level Overall Risk Rating
Red ndash High
Yellow - Medium
Green ndash Low
Level Consequence of Occurrence
1 MinimalNo Impact (6)
2 Minor Impact (7 to 14)
3 Moderate Impact (15 to 19)
4 Severe Impact (20 to 24)
5Unacceptable Impact (25 to 30)
1 2 3 4 5
Y R R R R e
G Y R R R d
G Y Y R R c
G G Y Y R b
G G G Y Y a
Consequences
Lik
eli
ho
od
3838
3939
Groupthink
Candor
Groupthink is a psychological phenomenon that occurs within groups
of people Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints Causes loss of individual creativity uniqueness and
independent thinking Also collective optimism and collective
avoidancerdquo
Candor is unstained purity
freedom from prejudice or malice fairness
Change
Status Quo
Status quo a commonly used form of the original
Latin statu quo ndash literally the state in which ndash is
a Latin term meaning the current or existing state
of affairs[1] To maintain the status quo is to keep
the things the way they presently are
Change in an organization is shiftingtransitioning
individuals teams and organizations from a
current state to a desired future state It is an
organizational process aimed at empowering
employees to recommend accept and embrace
changes in their current business environment 4040
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commanderrsquos Emergency
Response Program1
Assessable
Units
Internal
Controls
Identification Approval Funding Payment(s)Execution Closure
bull Prepare Letter
of Justification
bull Conduct
market
research
bull Solicit bits
bull Gather
required
documents
bull Legal review
bull Commander(s)
approval
bull Project
Purchasing
Officer
submits
Purchase
Requisition
and
Commitment
bull Comptroller
approves
Purchase
Requisition
and
Commitment
bull Project
Purchasing
Officer and
vendor sign
Memorandum of
Agreement
bull Project
Purchasing
Officer submits
signed
Memorandum of
Agreement to
Comptroller
bull Project
Purchasing
Officer monitors
work and
performance
bull Pay Agent
draws funds
from Finance
Officer
bull Pay Agent and
Project
Purchasing
Officer make
payments in
accordance
with
Memorandum
of Agreement
to Comptroller
Unit hands off
project to local
Afghans
bull Pay Agent
clears project
with finance
bull Project
Purchasing
Officer clears
project with
Commander
and Comptroller
Documentation of Processes
Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011 42
42
Acquisition
Planning Funding
Acquisition
Methods
Contract
Types Competition
Full and
Open
Competition
Yes
No
Justification
Detailed
Description
Approval By
Contracting
Officer R-1
C
C
R-1
Justification provides a detailed
description of why it is not possible or
practical to obtain full and open
competition for the
procurementacquisition (to include
only one responsible source unusual
and compelling urgency authorization
or required by statue etc Contracting
Officer signs and dates justification
statement
Contracting Officer approves the
justification but does not review or
does not enforce the requirements
towards a detailed and complete
explanation
Need to Take Two Steps Back ndash
In order To Take One Step Forward
Function - ProcurementAcquisition
Assessable Unit ndash Competition Sole Source
Need to Document (at ldquotransaction lever) GRAP Related
Processes Controls and Risk
43
Historically ndash Reactive (What Does Management Want to Hear)
Current Emphasis ndash Proactive (What Does Management Need to Hear)
Reliance Upon Outside
Audit Agencies Focus on Timelines
and FormatldquoPaper-Drill Exerciserdquo
Self-Reporting ndash
Punitive Versus
Incentivized
Reliance Upon
Resources in
ComponentFocus on Risk
Report Supported by
Documentation of
MICP Process
Self-Reporting ndash
Incentivize Versus
Punish
bull Reliance upon GAO
DoDIG and Military Audit
Services to identify
material internal control
weaknesses
bull Candor not part of culture ndash
ie ldquogroup-thinkrdquo Threat of
retribution for self-reporting
ldquobad newsrdquo
bull Filtered communications
bull Score received by
Component based upon
timeliness of SOA
submission and
adherence to format not
substance of content
bull Ramp-up of submission of
SOA related activities
occur several weeks prior
to submission deadline
versus an ongoing activity
year-round
bull Reliance upon analysis
by ldquoresident expertsrdquo
analysis of assessable
units to identify material
internal control
weaknesses
bull Development of a ldquocost
culturerdquo
bull Reward self-reporting by
all levels of organization
regarding potential risks to
the mission and
recommendations for
mitigation
bull Based upon documentation of
segment of business processes
and procedures identify risk
rank risk and focus upon
greatest risks that may impact
organization
bull Develop SOA content
throughout the year based
upon documentation
internally generated
analyzed and agreed upon
44
44
bull Focus Upon Mission Priorities ndash Driven By Financial and
Operational Risk
bull Develop a Culture of Continuous Business Process
Operational Improvements ndash How
bull Tone-at-the-Top ndash Proactive and Ongoing Support By
Leadership
bull Coverage of Key Operational Financial Functions and
InformationFinancial Systems ndash Through Assignment of
SMEs Embedded in Organization
bull Formal Communication Framework That Ties
Leadership Mission Requirements with Implementation of
Continuous Business Process Improvements Activities
bull Reliance Upon SMErsquos Self-Reporting and Candor in
Communications of the Identification Prioritization
Reporting and Mitigation of Financial and Operational Risk
bull Development and Implementation of operational and
financial risk though ldquoquantifiablerdquo corrective actions
Basic Principles for the
Departmentrsquos Managersrsquo
Internal Control Program
End State
bull Continuous business process improvement
bull Identification prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
bull Assessment of processes and procedures and related information systems at the transaction level
bull Documentation of assessments and corrective actions
bull Ongoing coordination of Componentrsquos mission priorities with prioritization and assessment of operational and financial risk
45
Purpose of the CFO Act of 1990
Bring More Effective General and Financial
Management Practices to the Federal Government
Through Statutory Provisions
Provide for the Production of Complete Reliable Timely and Consistent
Financial Information for Use By the Executive
Branch of the Government and the Congress in the Financing Management
and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of
Accounting Financial Management and Internal
Controls to Assure the Issuance of Reliable Financial
Information and to Deter Fraud Waste and Abuse of
Government Resources
ldquoClean Auditsrdquo ndash 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency
3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund
5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General
8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps 46
ldquoGAO has made hundreds of recommendations to DoD held oversight hearings and
enacted specific legislation initiativeshelliphelliphowever eliminating these problems requires
that their underlying causes be addressedrdquo1
47
GAO ndash DoD High Risk Areas2
bull Business Transformation
bull Business Systems Modernization
bull Support Infrastructure Management
bull Financial Management
bull Supply Chain Management
bull Weapons Systems Acquisition
bull Contract Management
Underlying
Causes
1 Cultural Barriers and
Parochialism
2 Lack of Incentives to
Implement Change
3 Deficient Management
Data
4 Unclear Results-Oriented
Goals and Performance
Measures
5 Lack of Management
Accountability
Need for consistent and
proactive ldquotone-at-the-toprdquo
Empowerment irrespective of
grade or rank
Strengthening processes
controls and systems
Focus initially on accuracy and
reliability of management
information for mission critical
assets
Goals performance measures
and time frames for
completing corrective actions
ldquoTop-levelrdquo management held
accountable and have authority
and flexibility to achieve the
desired results
471 GAO testimony to Congress ldquoDoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Wasterdquo May 01 1997 2 GAO report to congressional committees ldquoHigh-Risk Series An Updaterdquo (GAO-13-283) February 2013 47
bull Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts
o budgetary information and
o mission critical asset information
bull OUSD(C) has expanded its priorities in support of its audit readiness goals for both
General Funds (GF) and Working Capital Funds (WCF) as follows
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be
met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas Set
Priorities and Serves as the Departmentrsquos
Roadmap for Becoming Audit Ready
1DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate 48
bull Identified Key Tasks focus reporting entities audit readiness efforts on improving their processes
controls systems and related documentation based on the results of the application of the
methodology noted below
bull Adherence to the Methodology will also enable the Department to comply with the most relevant laws
and regulations that have a direct and material impact on the Departmentrsquos consolidated financial
statements
49
To prepare for audit or examination
bull Reporting entities must fully analyze the financial statement line items
included in the scope of its assessable unit
bull Identify all applicable financial statement assertions relative to the line
items
50
51
Process Flow
R-1
R-1
51
52
Appointment Letter for Componentrsquos MICP Coordinator
52
53
Appointment Letter for Componentrsquos MICP Coordinator
53
54
Appointment Letter for Assessable Unit Manager
54
55
Appointment Letter for Assessable Unit Manager
55
31
ldquoMy intent is to move beyond checking the block and conduct detailed
analysis and an honest assessment when providing reasonable assurance
that financial operational and administrative controls are in placehelliphellipIt is ldquono
longer business as usualrdquo in terms of allocation and spending for non
mission essential resourcesrdquohellipI want you to remain proactive in the self-
identification of issues and self-reporting of internal control deficiencieshelliphellipto
prevent a problem before it occurs instead of after the mission has been
negatively impacted and reported by an ldquooutside audit agencyrdquohelliphellipIt is
imperative that we use candor in our communications to ensure that the
execution of management decisions is based upon information our senior
leadership need to hear versus information that is perceived to be
desirable to hearrdquo
3232
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis _____ Sampling _____ Simulation _____ Interviews _____ Other _____ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix
Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)
Level  Overall Risk Rating
Red – High
Yellow – Medium
Green – Low
Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)
Likelihood (rows) by Consequences (columns):
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen. Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program¹
Assessable Units: Identification | Approval | Funding | Payment(s) | Execution | Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
Acquisition Planning | Funding | Acquisition Methods | Contract Types | Competition
Full and Open Competition: Yes / No
Justification Detailed Description
Approval By Contracting Officer
R-1  C  C  R-1
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies | Focus on Timelines and Format “Paper-Drill Exercise” | Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occurs several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component | Focus on Risk Report Supported by Documentation of MICP Process | Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
Basic Principles for the Department’s Managers’ Internal Control Program
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
2 GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
DoD FIAR¹ Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (R-1)
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
“My intent is to move beyond checking the block and conduct detailed analysis and an honest assessment when providing reasonable assurance that financial, operational and administrative controls are in place……It is “no longer business as usual” in terms of allocation and spending for non mission essential resources”…I want you to remain proactive in the self-identification of issues and self-reporting of internal control deficiencies……to prevent a problem before it occurs instead of after the mission has been negatively impacted and reported by an “outside audit agency”……It is imperative that we use candor in our communications to ensure that the execution of management decisions is based upon information our senior leadership need to hear versus information that is perceived to be desirable to hear”
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation – Communication Framework
3333
Managersrsquo
Internal Control
Program
A Identify Functional
Areas
B Identify
Assessable Units
C Assign Assessable
Unit Manager(s)
D Document Key
Processes and
Controls
E AssessTest
Internal Controls F Communicate and
Prioritize Risk
G Align Risk with
Command Priorities
H Mitigate Risk
Through Remediation
I Report in SOA
ldquoMaterialrdquo
Findings
J Monitor Corrective
Plans
3434
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION CERTIFICATION
1. REGULATION NUMBER
2. DATE OF REGULATION
3. ASSESSABLE UNIT
4. FUNCTION
5. EVALUATION CONDUCTED BY (Name: Last, First, MI)
6. METHOD OF EVALUATION: Direct Observation _____ Review of Files or Documentation _____ Analysis ______ Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7. REMARKS (Describe the method used to test key controls, the internal control weaknesses detected by the evaluation, and corrective action taken)
8. EVALUATION RESULTS (Include specific items tested)
9. INTERNAL CONTROL DEFICIENCIES DETECTED
10. DESCRIBE CORRECTIVE ACTIONS TAKEN/TO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11. ASSESSABLE UNIT MANAGER (Signature/Date)
12. DIRECTOR/MANAGER RESPONSIBLE FOR CORRECTIVE ACTION (Signature/Date)
Documentation of Deficiency
Mitigated Risk
Inherent Risk
Risk Assessment Results - High RISK
Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse
Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment
Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability
An Example – Risk Matrix
Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Level   Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low

Likelihood (rows) against Consequences (columns)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y
Groupthink
“Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance”
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice”
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post article titled “Gen Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program¹
Assessable Units
Internal Controls
Identification | Approval | Funding | Payment(s)/Execution | Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
¹ Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Flowchart: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers C, C, R-1, R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
Self-Reporting – Punitive Versus Incentivized
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
Focus on Timelines and Format “Paper-Drill Exercise”
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
Self-Reporting – Incentivize Versus Punish
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
Focus on Risk Report Supported by Documentation of MICP Process
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
Basic Principles for the Department’s Managers’ Internal Control Program
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service; 2) Defense Contract Audit Agency; 3) Defense Health Agency - Contract Resources Management; 4) Medicare-Eligible Retiree Health Care Fund; 5) Military Retirement Fund; 6) US Army Corps of Engineers - Civil Works; 7) DoD Inspector General; 8) Defense Commissary Agency; 9) Defense Information Systems Agency; and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability
• Need for consistent and proactive “tone-at-the-top”
• Empowerment irrespective of grade or rank
• Strengthening processes, controls and systems
• Focus initially on accuracy and reliability of management information for mission critical assets
• Goals, performance measures and time frames for completing corrective actions
• “Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow (markers R-1, R-1)
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
Managers’ Internal Control Program
A. Identify Functional Areas
B. Identify Assessable Units
C. Assign Assessable Unit Manager(s)
D. Document Key Processes and Controls
E. Assess/Test Internal Controls
F. Communicate and Prioritize Risk
G. Align Risk with Command Priorities
H. Mitigate Risk Through Remediation
I. Report in SOA “Material” Findings
J. Monitor Corrective Plans
An Effective MICP Is Dependent Upon Communication Through Chain-of-Command
Organizational Participation ndash
Communication Framework
bull Formal Communication Framework between senior leadership and
MICP
bull Clear focused communications of the Componentrsquos mission and
CommanderDirectorrsquos priorities and challenges
bull Provide status of operational and financial risk by key functional areas
bull Formal and informal access to CommanderDirectors Senior Managers Functional Leads
and Assessable Unit Managers
bull Provides support towards compliance with laws regulations and instructions and provides
guidance to Component staff on implementation of MICP
Formal
Communication
Framework
Built Upon
Trust and
Empowerment
bull Ongoing communications with MICP Program Manager in confirmation of assessable unit
process controls and related risks Receiver of feedback from management regarding prior
reporting of material risk and changes to requirements towards assessable units
Assessable Unit
Managers
MICP Coordinator
Direct Report to Chief of Staff
Commander Director
Senior Assessment Team Senior
Management Council
35
bull Provide oversight of the assessment of the design and effectiveness of internal controls over
financial reporting financial systems and operations in accordance with OMB Circular A-123
bull Review and comment on risk ratings and proposed recommendations for corrective action
bull Review status of mitigation of previously reported corrective actions
bull Determine those financial reporting deficiencies to be reported as material in the Departments
SOA
361
INTERNAL CONTROL EVALUATION
CERTIFICATION
1 REGULATION NUMBER
2 DATE OF REGULATION
3 ASSESSABLE UNIT 4 FUNCTION
6 METHOD OF EVALUATION Direct Observation _____ Review of Files or Documentation _____ Analysis ______
Sampling _____ Simulation _____ Interviews _____ Other ______ (Explain)
7 REMARKS (Describe the method used to test key controls the internal control weaknesses detected by the evaluation and
corrective action taken)
5 EVALUATION CONDUCTED BY (Name Last First MI)
8 EVALUATION RESULTS (Include specific items tested)
9 INTERNAL CONTROL DEFICIENCIES DETECTED
10 DESCRIBE CORRECTIVE ACTIONS TAKENTO BE TAKEN AND DESIGNATED RESPONSIBLE DIRECTOR
11 ASSESSABLE UNIT MANAGER (SignatureDate)
12 DIRECTORMANAGER RESPONSIBLE FOR CORRECTIVE ACTION (SignatureDate)
Documentation of Deficiency
36
3737
Mitigated Risk
Inherent RiskRisk Assessment Results - High RISK
bull Is required to ensure all personnel maintain
proper oversight and accountability of US
Government property in order to maintain
good stewardship of resources and avoid
issues of fraud waste or abuse
bull Loss or destruction of sensitive items
bull Loss or destruction of nonexpendable or
durable equipment
bull Provide hand receipts at the user level
bull Conduct monthly sensitive items
inventory by alternating officers
bull Provide leadership emphasis on properly
securing and using equipment
bull Spot checks on property accountability
Control Environment
Inherent Risks
Existing Management Controls
An Example – Risk Matrix
Level  Likelihood of Occurrence
e      Nearly Certain (15 to 20)
d      Highly Likely (11 to 14)
c      Likely (8 to 10)
b      Unlikely (5 to 7)
a      Remote (4)
Level  Consequence of Occurrence
1      Minimal/No Impact (6)
2      Minor Impact (7 to 14)
3      Moderate Impact (15 to 19)
4      Severe Impact (20 to 24)
5      Unacceptable Impact (25 to 30)
Overall Risk Rating (R = Red – High, Y = Yellow – Medium, G = Green – Low)
Likelihood (rows) by Consequences (columns)
       1  2  3  4  5
e      Y  R  R  R  R
d      G  Y  R  R  R
c      G  Y  Y  R  R
b      G  G  Y  Y  R
a      G  G  G  Y  Y
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance”
Candor
Candor is unstained purity, freedom from prejudice or malice, fairness
Status Quo
Status quo, a commonly used form of the original Latin statu quo – literally the state in which – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment
Remarks delivered by Secretary Robert M Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike”
“As an officer if you blunt truths or create an environment where candor is not encouraged then you’ve done yourself and the institution a disservice”
“In the early days of the surge Gen Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success”
He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him”
Washington Post Article titled “Gen Petraeus No Sugar-Coated Optimism” by Col Michael E Haith (Ret) United States Army, July 6, 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers“ – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service “Gates Urges West Point Graduates to be Great Leaders” May 25, 2009
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program1
Assessable Units
Internal Controls
Identification, Approval, Funding, Payment(s), Execution, Closure
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011
[Flowchart: Acquisition Planning, Funding, Acquisition Methods, Contract Types, Competition; Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer; markers R-1, C, C, R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies
Focus on Timelines and Format “Paper-Drill Exercise”
Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component
Focus on Risk Report Supported by Documentation of MICP Process
Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
Basic Principles for the Department’s Managers’ Internal Control Program
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however eliminating these problems requires that their underlying causes be addressed”1
GAO – DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1 Cultural Barriers and Parochialism
2 Lack of Incentives to Implement Change
3 Deficient Management Data
4 Unclear Results-Oriented Goals and Performance Measures
5 Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste” May 01 1997
2 GAO report to congressional committees “High-Risk Series: An Update” (GAO-13-283) February 2013
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items
Process Flow
Appointment Letter for Component’s MICP Coordinator
Appointment Letter for Assessable Unit Manager
End State
bull Continuous business process improvement
bull Identification prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
bull Assessment of processes and procedures and related information systems at the transaction level
bull Documentation of assessments and corrective actions
bull Ongoing coordination of Componentrsquos mission priorities with prioritization and assessment of operational and financial risk
45
Purpose of the CFO Act of 1990
Bring More Effective General and Financial
Management Practices to the Federal Government
Through Statutory Provisions
Provide for the Production of Complete Reliable Timely and Consistent
Financial Information for Use By the Executive
Branch of the Government and the Congress in the Financing Management
and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of
Accounting Financial Management and Internal
Controls to Assure the Issuance of Reliable Financial
Information and to Deter Fraud Waste and Abuse of
Government Resources
ldquoClean Auditsrdquo ndash 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency
3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund
5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General
8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps 46
ldquoGAO has made hundreds of recommendations to DoD held oversight hearings and
enacted specific legislation initiativeshelliphelliphowever eliminating these problems requires
that their underlying causes be addressedrdquo1
47
GAO ndash DoD High Risk Areas2
bull Business Transformation
bull Business Systems Modernization
bull Support Infrastructure Management
bull Financial Management
bull Supply Chain Management
bull Weapons Systems Acquisition
bull Contract Management
Underlying
Causes
1 Cultural Barriers and
Parochialism
2 Lack of Incentives to
Implement Change
3 Deficient Management
Data
4 Unclear Results-Oriented
Goals and Performance
Measures
5 Lack of Management
Accountability
Need for consistent and
proactive ldquotone-at-the-toprdquo
Empowerment irrespective of
grade or rank
Strengthening processes
controls and systems
Focus initially on accuracy and
reliability of management
information for mission critical
assets
Goals performance measures
and time frames for
completing corrective actions
ldquoTop-levelrdquo management held
accountable and have authority
and flexibility to achieve the
desired results
471 GAO testimony to Congress ldquoDoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Wasterdquo May 01 1997 2 GAO report to congressional committees ldquoHigh-Risk Series An Updaterdquo (GAO-13-283) February 2013 47
bull Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts
o budgetary information and
o mission critical asset information
bull OUSD(C) has expanded its priorities in support of its audit readiness goals for both
General Funds (GF) and Working Capital Funds (WCF) as follows
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be
met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas Set
Priorities and Serves as the Departmentrsquos
Roadmap for Becoming Audit Ready
1DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate 48
bull Identified Key Tasks focus reporting entities audit readiness efforts on improving their processes
controls systems and related documentation based on the results of the application of the
methodology noted below
bull Adherence to the Methodology will also enable the Department to comply with the most relevant laws
and regulations that have a direct and material impact on the Departmentrsquos consolidated financial
statements
49
To prepare for audit or examination
bull Reporting entities must fully analyze the financial statement line items
included in the scope of its assessable unit
bull Identify all applicable financial statement assertions relative to the line
items
50
51
Process Flow
R-1
R-1
51
52
Appointment Letter for Componentrsquos MICP Coordinator
52
53
Appointment Letter for Componentrsquos MICP Coordinator
53
54
Appointment Letter for Assessable Unit Manager
54
55
Appointment Letter for Assessable Unit Manager
55
An Example – Risk Matrix

Mitigated Risk
Inherent Risk/Risk Assessment Results - High RISK

Control Environment
• Is required to ensure all personnel maintain proper oversight and accountability of US Government property in order to maintain good stewardship of resources and avoid issues of fraud, waste or abuse

Inherent Risks
• Loss or destruction of sensitive items
• Loss or destruction of nonexpendable or durable equipment

Existing Management Controls
• Provide hand receipts at the user level
• Conduct monthly sensitive items inventory by alternating officers
• Provide leadership emphasis on properly securing and using equipment
• Spot checks on property accountability

Level   Likelihood of Occurrence
e       Nearly Certain (15 to 20)
d       Highly Likely (11 to 14)
c       Likely (8 to 10)
b       Unlikely (5 to 7)
a       Remote (4)

Level   Consequence of Occurrence
1       Minimal/No Impact (6)
2       Minor Impact (7 to 14)
3       Moderate Impact (15 to 19)
4       Severe Impact (20 to 24)
5       Unacceptable Impact (25 to 30)

Level   Overall Risk Rating
R       Red – High
Y       Yellow – Medium
G       Green – Low

Risk matrix (rows: Likelihood level; columns: Consequences level)
        1   2   3   4   5
e       Y   R   R   R   R
d       G   Y   R   R   R
c       G   Y   Y   R   R
b       G   G   Y   Y   R
a       G   G   G   Y   Y

Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.

Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.

Status Quo
Status quo, a commonly used form of the original Latin "statu quo" – literally "the state in which" – is a Latin term meaning the current or existing state of affairs. To maintain the status quo is to keep the things the way they presently are.

Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.

Remarks delivered by Secretary Robert M. Gates to the US Air Force Academy, April 2, 2010
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.”

“In the early days of the surge, Gen. Petraeus's forthright candor with both superiors and subordinates was an important part of the plan's success.”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him.”
Washington Post article titled “Gen Petraeus No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011

“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009

An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e. risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk

Commander’s Emergency Response Program [1]
Documentation of Processes, Controls and Risk

Assessable Units: Identification; Approval; Funding; Payment(s)/Execution; Closure

Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller

[1] Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011

Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk

[Flow chart: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition; Full and Open Competition (Yes / No); Justification Detailed Description; Approval By Contracting Officer; markers C and R-1]

Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.

Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.

Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies; Focus on Timelines and Format “Paper-Drill Exercise”; Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round

Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component; Focus on Risk Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon

Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions

End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk

Purpose of the CFO Act of 1990
Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources

“Clean Audits” – 1) Defense Finance and Accounting Service; 2) Defense Contract Audit Agency; 3) Defense Health Agency - Contract Resources Management; 4) Medicare-Eligible Retiree Health Care Fund; 5) Military Retirement Fund; 6) US Army Corps of Engineers - Civil Works; 7) DoD Inspector General; 8) Defense Commissary Agency; 9) Defense Information Systems Agency; and 10) Marine Corps

“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however eliminating these problems requires that their underlying causes be addressed” [1]

GAO – DoD High Risk Areas [2]
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management

Underlying Causes
1. Cultural Barriers and Parochialism
2. Lack of Incentives to Implement Change
3. Deficient Management Data
4. Unclear Results-Oriented Goals and Performance Measures
5. Lack of Management Accountability

Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results

[1] GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01 1997
[2] GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013

DoD FIAR [1] Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
[1] DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate

• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements

To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of its assessable unit
• Identify all applicable financial statement assertions relative to the line items

[Figure: Process Flow, with markers R-1]
[Figure: Appointment Letter for Component’s MICP Coordinator]
[Figure: Appointment Letter for Assessable Unit Manager]
3939
Groupthink
Candor
Groupthink is a psychological phenomenon that occurs within groups
of people Group members try to minimize conflict and reach a
consensus decision without critical evaluation of alternative ideas or
viewpoints Causes loss of individual creativity uniqueness and
independent thinking Also collective optimism and collective
avoidancerdquo
Candor is unstained purity
freedom from prejudice or malice fairness
Change
Status Quo
Status quo a commonly used form of the original
Latin statu quo ndash literally the state in which ndash is
a Latin term meaning the current or existing state
of affairs[1] To maintain the status quo is to keep
the things the way they presently are
Change in an organization is shiftingtransitioning
individuals teams and organizations from a
current state to a desired future state It is an
organizational process aimed at empowering
employees to recommend accept and embrace
changes in their current business environment 4040
Remarks delivered by Secretary
Robert M Gates to the US Air
Force Academy April 2 2010
ldquoChallenge conventional wisdom and call
things as you see them to subordinates and
superiors alikerdquo
ldquoAs an officer if you blunt truths or create an
environment where candor is not
encouraged then yoursquove done yourself
and the institution a disservicerdquo
ldquoIn the early days of the surge Gen Petraeuss
forthright candor with both superiors and
subordinates was an important part of the plans
successrdquo
He never offered unwarranted or sugar-coated
optimism His honesty -- and action -- in the face
of uncertainty won the loyalty of those around
himrdquo
Washington Post Article titled
ldquo Gen Petraeus No Sugar-Coated
Optimismrdquo by Col Michael E Haith
(Ret) United States Army July 6 2011
The hardest thing you may ever be called upon to do is stand alone among your peers and superior officersldquo ndash (leadership
is the courage and integrity to do the right thing and to communicate the message ndash of not what superiors want to hear but
rather what they need to hear to in order to effectively lead)
To stick out your neck after discussion becomes consensus and consensus ossifies into group thinkrdquo
American Forces Press Service ldquoGates Urges West Point Graduates to be Great Leadersrdquo May 25 2009
An effective Managersrsquo Internal Control Program ndash Empowers those that
are involved in the operational administrative and program processes and
procedures to self-report inefficiencies (ie risk) - Empowerment =
dependency upon candor and encouragement of self-reporting of risk
4141
Commanderrsquos Emergency
Response Program1
Assessable
Units
Internal
Controls
Identification Approval Funding Payment(s)Execution Closure
bull Prepare Letter
of Justification
bull Conduct
market
research
bull Solicit bits
bull Gather
required
documents
bull Legal review
bull Commander(s)
approval
bull Project
Purchasing
Officer
submits
Purchase
Requisition
and
Commitment
bull Comptroller
approves
Purchase
Requisition
and
Commitment
bull Project
Purchasing
Officer and
vendor sign
Memorandum of
Agreement
bull Project
Purchasing
Officer submits
signed
Memorandum of
Agreement to
Comptroller
bull Project
Purchasing
Officer monitors
work and
performance
bull Pay Agent
draws funds
from Finance
Officer
bull Pay Agent and
Project
Purchasing
Officer make
payments in
accordance
with
Memorandum
of Agreement
to Comptroller
Unit hands off
project to local
Afghans
bull Pay Agent
clears project
with finance
bull Project
Purchasing
Officer clears
project with
Commander
and Comptroller
Documentation of Processes
Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction Quarterly Report January 2011 42
42
Acquisition
Planning Funding
Acquisition
Methods
Contract
Types Competition
Full and
Open
Competition
Yes
No
Justification
Detailed
Description
Approval By
Contracting
Officer R-1
C
C
R-1
Justification provides a detailed
description of why it is not possible or
practical to obtain full and open
competition for the
procurementacquisition (to include
only one responsible source unusual
and compelling urgency authorization
or required by statue etc Contracting
Officer signs and dates justification
statement
Contracting Officer approves the
justification but does not review or
does not enforce the requirements
towards a detailed and complete
explanation
Need to Take Two Steps Back ndash
In order To Take One Step Forward
Function - ProcurementAcquisition
Assessable Unit ndash Competition Sole Source
Need to Document (at ldquotransaction lever) GRAP Related
Processes Controls and Risk
43
Historically ndash Reactive (What Does Management Want to Hear)
Current Emphasis ndash Proactive (What Does Management Need to Hear)
Reliance Upon Outside
Audit Agencies Focus on Timelines
and FormatldquoPaper-Drill Exerciserdquo
Self-Reporting ndash
Punitive Versus
Incentivized
Reliance Upon
Resources in
ComponentFocus on Risk
Report Supported by
Documentation of
MICP Process
Self-Reporting ndash
Incentivize Versus
Punish
bull Reliance upon GAO
DoDIG and Military Audit
Services to identify
material internal control
weaknesses
bull Candor not part of culture ndash
ie ldquogroup-thinkrdquo Threat of
retribution for self-reporting
ldquobad newsrdquo
bull Filtered communications
bull Score received by
Component based upon
timeliness of SOA
submission and
adherence to format not
substance of content
bull Ramp-up of submission of
SOA related activities
occur several weeks prior
to submission deadline
versus an ongoing activity
year-round
bull Reliance upon analysis
by ldquoresident expertsrdquo
analysis of assessable
units to identify material
internal control
weaknesses
bull Development of a ldquocost
culturerdquo
bull Reward self-reporting by
all levels of organization
regarding potential risks to
the mission and
recommendations for
mitigation
bull Based upon documentation of
segment of business processes
and procedures identify risk
rank risk and focus upon
greatest risks that may impact
organization
bull Develop SOA content
throughout the year based
upon documentation
internally generated
analyzed and agreed upon
44
44
bull Focus Upon Mission Priorities ndash Driven By Financial and
Operational Risk
bull Develop a Culture of Continuous Business Process
Operational Improvements ndash How
bull Tone-at-the-Top ndash Proactive and Ongoing Support By
Leadership
bull Coverage of Key Operational Financial Functions and
InformationFinancial Systems ndash Through Assignment of
SMEs Embedded in Organization
bull Formal Communication Framework That Ties
Leadership Mission Requirements with Implementation of
Continuous Business Process Improvements Activities
bull Reliance Upon SMErsquos Self-Reporting and Candor in
Communications of the Identification Prioritization
Reporting and Mitigation of Financial and Operational Risk
bull Development and Implementation of operational and
financial risk though ldquoquantifiablerdquo corrective actions
Basic Principles for the
Departmentrsquos Managersrsquo
Internal Control Program
End State
bull Continuous business process improvement
bull Identification prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
bull Assessment of processes and procedures and related information systems at the transaction level
bull Documentation of assessments and corrective actions
bull Ongoing coordination of Componentrsquos mission priorities with prioritization and assessment of operational and financial risk
45
Purpose of the CFO Act of 1990
Bring More Effective General and Financial
Management Practices to the Federal Government
Through Statutory Provisions
Provide for the Production of Complete Reliable Timely and Consistent
Financial Information for Use By the Executive
Branch of the Government and the Congress in the Financing Management
and Evaluation of Federal Agencies
Provide for Improvement In Each Agency of the Federal Government of Systems of
Accounting Financial Management and Internal
Controls to Assure the Issuance of Reliable Financial
Information and to Deter Fraud Waste and Abuse of
Government Resources
ldquoClean Auditsrdquo ndash 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency
3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund
5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General
8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps 46
ldquoGAO has made hundreds of recommendations to DoD held oversight hearings and
enacted specific legislation initiativeshelliphelliphowever eliminating these problems requires
that their underlying causes be addressedrdquo1
47
GAO ndash DoD High Risk Areas2
bull Business Transformation
bull Business Systems Modernization
bull Support Infrastructure Management
bull Financial Management
bull Supply Chain Management
bull Weapons Systems Acquisition
bull Contract Management
Underlying
Causes
1 Cultural Barriers and
Parochialism
2 Lack of Incentives to
Implement Change
3 Deficient Management
Data
4 Unclear Results-Oriented
Goals and Performance
Measures
5 Lack of Management
Accountability
Need for consistent and
proactive ldquotone-at-the-toprdquo
Empowerment irrespective of
grade or rank
Strengthening processes
controls and systems
Focus initially on accuracy and
reliability of management
information for mission critical
assets
Goals performance measures
and time frames for
completing corrective actions
ldquoTop-levelrdquo management held
accountable and have authority
and flexibility to achieve the
desired results
471 GAO testimony to Congress ldquoDoD High-Risk Areas Eliminating Underlying Causes Will Avoid Billions of Dollars in Wasterdquo May 01 1997 2 GAO report to congressional committees ldquoHigh-Risk Series An Updaterdquo (GAO-13-283) February 2013 47
bull Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts
o budgetary information and
o mission critical asset information
bull OUSD(C) has expanded its priorities in support of its audit readiness goals for both
General Funds (GF) and Working Capital Funds (WCF) as follows
o Budgetary information
o Proprietary accounting data and information
o Mission critical asset information
o Valuation
Specific key milestone dates for various assertions have been identified that must be
met by the Components to stay on track
DoD FIAR1 Strategy Defines Focus Areas Set
Priorities and Serves as the Departmentrsquos
Roadmap for Becoming Audit Ready
1DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate 48
bull Identified Key Tasks focus reporting entities audit readiness efforts on improving their processes
controls systems and related documentation based on the results of the application of the
methodology noted below
bull Adherence to the Methodology will also enable the Department to comply with the most relevant laws
and regulations that have a direct and material impact on the Departmentrsquos consolidated financial
statements
49
To prepare for audit or examination
bull Reporting entities must fully analyze the financial statement line items
included in the scope of its assessable unit
bull Identify all applicable financial statement assertions relative to the line
items
50
51
Process Flow
R-1
R-1
51
52
Appointment Letter for Componentrsquos MICP Coordinator
52
53
Appointment Letter for Componentrsquos MICP Coordinator
53
54
Appointment Letter for Assessable Unit Manager
54
55
Appointment Letter for Assessable Unit Manager
55
Groupthink
Groupthink is a psychological phenomenon that occurs within groups of people. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints. Causes loss of individual creativity, uniqueness and independent thinking. Also collective optimism and collective avoidance.
Candor
Candor is unstained purity; freedom from prejudice or malice; fairness.
Status Quo
Status quo, a commonly used form of the original Latin “statu quo” – literally “the state in which” – is a Latin term meaning the current or existing state of affairs.[1] To maintain the status quo is to keep the things the way they presently are.
Change
Change in an organization is shifting/transitioning individuals, teams and organizations from a current state to a desired future state. It is an organizational process aimed at empowering employees to recommend, accept and embrace changes in their current business environment.
Remarks delivered by Secretary Robert M. Gates to the U.S. Air Force Academy, April 2, 2010:
“Challenge conventional wisdom and call things as you see them to subordinates and superiors alike.”
“As an officer, if you blunt truths or create an environment where candor is not encouraged, then you’ve done yourself and the institution a disservice.”
Washington Post article titled “Gen. Petraeus: No Sugar-Coated Optimism” by Col. Michael E. Haith (Ret.), United States Army, July 6, 2011:
“In the early days of the surge, Gen. Petraeus’s forthright candor with both superiors and subordinates was an important part of the plan’s success.”
“He never offered unwarranted or sugar-coated optimism. His honesty -- and action -- in the face of uncertainty won the loyalty of those around him.”
American Forces Press Service, “Gates Urges West Point Graduates to be Great Leaders”, May 25, 2009:
“The hardest thing you may ever be called upon to do is stand alone among your peers and superior officers” – (leadership is the courage and integrity to do the right thing and to communicate the message – of not what superiors want to hear, but rather what they need to hear in order to effectively lead)
“To stick out your neck after discussion becomes consensus and consensus ossifies into group think”
An effective Managers’ Internal Control Program – Empowers those that are involved in the operational, administrative and program processes and procedures to self-report inefficiencies (i.e., risk) - Empowerment = dependency upon candor and encouragement of self-reporting of risk
Commander’s Emergency Response Program1
Assessable Units: Identification, Approval, Funding, Payment(s)/Execution, Closure
Internal Controls:
• Prepare Letter of Justification
• Conduct market research
• Solicit bids
• Gather required documents
• Legal review
• Commander(s) approval
• Project Purchasing Officer submits Purchase Requisition and Commitment
• Comptroller approves Purchase Requisition and Commitment
• Project Purchasing Officer and vendor sign Memorandum of Agreement
• Project Purchasing Officer submits signed Memorandum of Agreement to Comptroller
• Project Purchasing Officer monitors work and performance
• Pay Agent draws funds from Finance Officer
• Pay Agent and Project Purchasing Officer make payments in accordance with Memorandum of Agreement to Comptroller
• Unit hands off project to local Afghans
• Pay Agent clears project with finance
• Project Purchasing Officer clears project with Commander and Comptroller
Documentation of Processes, Controls and Risk
1 Special Inspector General for Iraq and Afghanistan Reconstruction, Quarterly Report, January 2011
[Process flow diagram: Acquisition Planning; Funding; Acquisition Methods; Contract Types; Competition. Full and Open Competition (Yes / No); Justification; Detailed Description; Approval By Contracting Officer. Diagram markers: C, R-1]
Justification provides a detailed description of why it is not possible or practical to obtain full and open competition for the procurement/acquisition (to include only one responsible source, unusual and compelling urgency, authorization or required by statute, etc.). Contracting Officer signs and dates justification statement.
Contracting Officer approves the justification but does not review or does not enforce the requirements towards a detailed and complete explanation.
Need to Take Two Steps Back – In Order To Take One Step Forward
Function - Procurement/Acquisition
Assessable Unit – Competition, Sole Source
Need to Document (at “transaction level”) GRAP Related Processes, Controls and Risk
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies; Focus on Timelines and Format “Paper-Drill Exercise”; Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e., “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occur several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component; Focus on Risk Report Supported by Documentation of MICP Process; Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis by “resident experts” analysis of assessable units to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational, Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement, In Each Agency of the Federal Government, of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service; 2) Defense Contract Audit Agency; 3) Defense Health Agency - Contract Resources Management; 4) Medicare-Eligible Retiree Health Care Fund; 5) Military Retirement Fund; 6) US Army Corps of Engineers - Civil Works; 7) DoD Inspector General; 8) Defense Commissary Agency; 9) Defense Information Systems Agency; and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives……however, eliminating these problems requires that their underlying causes be addressed”1
GAO – DoD High Risk Areas2
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1 Cultural Barriers and Parochialism
2 Lack of Incentives to Implement Change
3 Deficient Management Data
4 Unclear Results-Oriented Goals and Performance Measures
5 Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
1 GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
2 GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR1 Strategy Defines Focus Areas, Set Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially, the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information, and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track.
1 DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation, based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements
To prepare for audit or examination:
• Reporting entities must fully analyze the financial statement line items included in the scope of their assessable unit
• Identify all applicable financial statement assertions relative to the line items
[Slide: Process Flow (diagram markers: R-1)]
[Slides: Appointment Letter for Component’s MICP Coordinator]
[Slides: Appointment Letter for Assessable Unit Manager]
Acquisition
Planning Funding
Acquisition
Methods
Contract
Types Competition
Full and
Open
Competition
Yes
No
Justification
Detailed
Description
Approval By
Contracting
Officer R-1
C
C
R-1
Justification provides a detailed
description of why it is not possible or
practical to obtain full and open
competition for the
procurementacquisition (to include
only one responsible source unusual
and compelling urgency authorization
or required by statue etc Contracting
Officer signs and dates justification
statement
Contracting Officer approves the
justification but does not review or
does not enforce the requirements
towards a detailed and complete
explanation
Need to Take Two Steps Back ndash
In order To Take One Step Forward
Function - ProcurementAcquisition
Assessable Unit ndash Competition Sole Source
Need to Document (at ldquotransaction lever) GRAP Related
Processes Controls and Risk
43
Historically – Reactive (What Does Management Want to Hear)
Reliance Upon Outside Audit Agencies | Focus on Timelines and Format (“Paper-Drill Exercise”) | Self-Reporting – Punitive Versus Incentivized
• Reliance upon GAO, DoDIG and Military Audit Services to identify material internal control weaknesses
• Candor not part of culture – i.e. “group-think”. Threat of retribution for self-reporting “bad news”
• Filtered communications
• Score received by Component based upon timeliness of SOA submission and adherence to format, not substance of content
• Ramp-up of submission of SOA related activities occurs several weeks prior to submission deadline versus an ongoing activity year-round
Current Emphasis – Proactive (What Does Management Need to Hear)
Reliance Upon Resources in Component | Focus on Risk Report Supported by Documentation of MICP Process | Self-Reporting – Incentivize Versus Punish
• Reliance upon analysis of assessable units by “resident experts” to identify material internal control weaknesses
• Development of a “cost culture”
• Reward self-reporting by all levels of organization regarding potential risks to the mission and recommendations for mitigation
• Based upon documentation of segment of business processes and procedures, identify risk, rank risk and focus upon greatest risks that may impact organization
• Develop SOA content throughout the year based upon documentation internally generated, analyzed and agreed upon
Basic Principles for the Department’s Managers’ Internal Control Program
• Focus Upon Mission Priorities – Driven By Financial and Operational Risk
• Develop a Culture of Continuous Business Process Operational Improvements – How
• Tone-at-the-Top – Proactive and Ongoing Support By Leadership
• Coverage of Key Operational Financial Functions and Information/Financial Systems – Through Assignment of SMEs Embedded in Organization
• Formal Communication Framework That Ties Leadership Mission Requirements with Implementation of Continuous Business Process Improvements Activities
• Reliance Upon SME’s Self-Reporting and Candor in Communications of the Identification, Prioritization, Reporting and Mitigation of Financial and Operational Risk
• Development and Implementation of operational and financial risk through “quantifiable” corrective actions
End State
• Continuous business process improvement
• Identification, prioritization and mitigation of operational and financial risk before it negatively impacts the mission of the Organization
• Assessment of processes and procedures and related information systems at the transaction level
• Documentation of assessments and corrective actions
• Ongoing coordination of Component’s mission priorities with prioritization and assessment of operational and financial risk
Purpose of the CFO Act of 1990
• Bring More Effective General and Financial Management Practices to the Federal Government Through Statutory Provisions
• Provide for the Production of Complete, Reliable, Timely and Consistent Financial Information for Use By the Executive Branch of the Government and the Congress in the Financing, Management and Evaluation of Federal Agencies
• Provide for Improvement In Each Agency of the Federal Government of Systems of Accounting, Financial Management and Internal Controls to Assure the Issuance of Reliable Financial Information and to Deter Fraud, Waste and Abuse of Government Resources
“Clean Audits” – 1) Defense Finance and Accounting Service 2) Defense Contract Audit Agency 3) Defense Health Agency - Contract Resources Management 4) Medicare-Eligible Retiree Health Care Fund 5) Military Retirement Fund 6) US Army Corps of Engineers - Civil Works 7) DoD Inspector General 8) Defense Commissary Agency 9) Defense Information Systems Agency and 10) Marine Corps
“GAO has made hundreds of recommendations to DoD, held oversight hearings and enacted specific legislation initiatives… however eliminating these problems requires that their underlying causes be addressed”¹
GAO – DoD High Risk Areas²
• Business Transformation
• Business Systems Modernization
• Support Infrastructure Management
• Financial Management
• Supply Chain Management
• Weapons Systems Acquisition
• Contract Management
Underlying Causes
1 Cultural Barriers and Parochialism
2 Lack of Incentives to Implement Change
3 Deficient Management Data
4 Unclear Results-Oriented Goals and Performance Measures
5 Lack of Management Accountability
Need for consistent and proactive “tone-at-the-top”
Empowerment irrespective of grade or rank
Strengthening processes, controls and systems
Focus initially on accuracy and reliability of management information for mission critical assets
Goals, performance measures and time frames for completing corrective actions
“Top-level” management held accountable and have authority and flexibility to achieve the desired results
¹ GAO testimony to Congress, “DoD High-Risk Areas: Eliminating Underlying Causes Will Avoid Billions of Dollars in Waste”, May 01, 1997
² GAO report to congressional committees, “High-Risk Series: An Update” (GAO-13-283), February 2013
DoD FIAR¹ Strategy Defines Focus Areas, Sets Priorities and Serves as the Department’s Roadmap for Becoming Audit Ready
• Initially the OUSD(C) designated two priorities to kick-start audit readiness efforts:
  o budgetary information and
  o mission critical asset information
• OUSD(C) has expanded its priorities in support of its audit readiness goals for both General Funds (GF) and Working Capital Funds (WCF) as follows:
  o Budgetary information
  o Proprietary accounting data and information
  o Mission critical asset information
  o Valuation
Specific key milestone dates for various assertions have been identified that must be met by the Components to stay on track
¹ DoD OSD Comptroller - Financial Improvement and Audit Readiness Directorate
• Identified Key Tasks focus reporting entities’ audit readiness efforts on improving their processes, controls, systems and related documentation based on the results of the application of the methodology noted below
• Adherence to the Methodology will also enable the Department to comply with the most relevant laws and regulations that have a direct and material impact on the Department’s consolidated financial statements