Evolution of DON Internal Controls

Document Sample
Evolution of DON Internal Controls Powered By Docstoc
					                                                                                                                                            1




                    TARGETING INTERNAL CONTROLS

                                                                                                                                Fall 2009

FOrEwOrD                                                                       Evolution of DON
By Mr. Dennis Taitano, Deputy Assistant Secretary of the Navy (Financial
                                                                               Internal Controls
Operations)
                                                                               The Future of Testing Internal Controls Over
   It’s GREAT to be back home in the Department of the Navy after nearly a     Financial Reporting.
decade at the Department of Agriculture. I’m grateful for the many
“welcome back” greetings offered by my DON financial management                By Richard Raimondo
colleagues. And, I’m really impressed with the changes occurring in the
                                                                                    The Department of the Navy (DON) Financial
DON comptroller landscape during my absence. As I survey the progress in
the Managers’ Internal Control and the Financial Improvement Program…          Improvement Program (FIP) has been working
and as I mark the continued roll-out of Navy ERP as our new business-          since 2005 to help document and test financial
financial backbone…I know that none of this could have happened without        processes and controls. Hundreds of people
the hard work and professionalism of the people responsible for DON’s          have been involved at many levels to do this,
financial and operational processes. A dedicated DON workforce…that            with the ultimate objective of audit readiness
certainly hasn’t changed in the last decade.                                   for the DON’s financial statements. Today, with
   At Agriculture, we achieved a clean opinion on our financial                some business processes asserted (Environmental
statements…and the organization has kept the unqualified opinion in recent     Liabilities) and others getting closer (Civilian Pay),
successive years. I know now that instituting a strong, effective scheme of    what is the Department’s plan beyond assertion?
internal controls is possible in a large Federal agency. Moreover, I know           When the Office of Management and Budget
that maintaining a clean opinion is a source of pride for the workforce, as
                                                                               (OMB) re-issued Circular A-123 in late 2004,
well as a sign of credibility and stewardship in handling the taxpayers’
                                                                               its new Appendix A underscored that Internal
dollars.
                                                                               Controls Over Financial Reporting (ICOFR) are to
   Sustaining the opinion by maintaining the operating effectiveness of
internal controls and validating this through regular testing…that is the      be monitored and tested continually. Controls
continuing challenge. I’m excited to embark on a similar journey with you      testing should form the basis of a certification of
here in DON, even though I know the waters will be trickier to navigate        reasonable assurance that internal controls are
because of the size and complexity of our department. And, at the risk of      in place and effective, and in the case of financial
being redundant, we must remember that achieving auditablity is not a          statements, that these are free of material
one-time goal…since it then becomes our ongoing task to sustain that           misstatements.
readiness.                                                                          Most people involved with the Managers’
   DON efforts are gathering momentum. The Marine Corps has “taken the         Internal Control (MIC) program or the DON
point” (as is customary) by achieving audit readiness on their Statement of    FIP recognize that documentation and testing
Budgetary Resources (SBR). Independent outside auditors are now on             of internal controls is not a one-time event.
board reviewing their documentation and preparing for an extensive audit
                                                                               Processes, systems and requirements change,
culminating in an opinion. Meanwhile, we’ve signed up for achieving audit
                                                                               so controls must be monitored and periodically
readiness on the SBR for the rest of DON…by the end of 2012. This is a
department-wide goal, and we’ll all have to do our part in improving our       tested for effectiveness. Good governance
financial management operations to approach auditability.                      requires a systematic, thorough way to do this,
    SPAWAR’s ERP implementation on October 1st was a milestone for the         allowing management to have reasonable
Navy, as this “go-live” officially marked the point where more of the Navy’s   assurance that controls are in place and effective.
Total Obligation Authority is now managed inside Navy ERP than is                   The Department is planning a multi-level
managed by all other financial systems combined. Continued ERP roll-outs       approach to the monitoring and testing of ICOFR.
will be important because Navy ERP is an enabler…a valuable tool on our        This approach will maintain accountability for
way to audit readiness…and a system which offers strong controls over its      internal controls over financial reporting at
transactions.                                                                  the commands where they occur, while also
   I look forward to working with you all on the many challenges we’ll face    providing for a “Department-level” overview of
together…as we manage and account for the resources to support our
                                                                                              Cover Story…continued on page 2
fabulous Navy-Marine Corps warriors.
2
    Cover Story…continued from page 1

    internal controls. As always, input from audit agencies, to include the         example, if you look at Civilian Pay segment, there are 13 key controls
    Naval Audit Service (NAVAUDSVC), Department of Defense Inspector                that occur in the DON’s high-level process, regardless of the command
    General (DODIG) and Government Accountability Office (GAO),                     in which an employee works. For a process like this, the population
    will remain valuable in reviewing internal controls and highlighting            of transactions is considered to be the entire civilian workforce of the
    specific deficiencies.                                                          DON, and samples for testing will be taken from this universe. Testing
        To start, documentation and testing efforts at individual                   will be performed by a centralized function, taking a sample that is
    commands will continue. The DON FIP has been working to ensure                  representative of the DON.
    that personnel at major commands gain experience in testing their                   Combined with the command-level testing and the commands’
    controls and obtain a standard set of processes and key controls to             resulting certification statements, DON-level testing of controls
    test. Currently, Commands are expected to monitor internal controls             will provide a comprehensive view of the Department’s internal
    over financial reporting, as applicable to their specific business              controls allowing the Secretary of the Navy to provide a Statement
    processes. Some level of connection with the existing command MIC               of Assurance for Internal Controls over Financial Reporting, as well
    programs is to be expected, although this is left to the commands               as certification of the Department’s quarterly and annual financial
    to determine. As testing matures, Major Commands will submit a                  statements.
    separate certification statement over financial reporting, initiated                The DON’s approach to ICOFR testing is still taking shape. There
    by their comptroller’s office, but signed, like their MIC certification         are many details still to be worked in its execution, and many
    statement, by the head or principal deputy of the organization.                 questions to be answered. If you have comments or questions as
        Beyond that, DON is instituting a Department-level program                  to where you or your organization fit into this approach, they are
    of testing to supplement command-level efforts. This will be a                  welcome at FMO_Arrow_Newsletter@navy.mil .
    centralized way to test standard key controls across the DON. For



    DON NEwS
    Audit readiness in Action: Environmental Liabilities
    By Greg Koval

    Organization:                                        Lessons Learned:                                      Business Value:
    Naval Facilities Engineering Command (NAVFAC)             - Source documentation needs to not only            According to Nanette R. Herbst, Director,
    Defense Environmental Restoration Program            be available, but must be retrieved timely.           Environmental Resources at Naval Facilities
    (DERP)                                               Individuals across the organization may hold          Engineering Command, HQ:
                                                         critical audit evidence, and these individuals             “NAVFAC’s participation in Navy’s
    Accomplishment:                                      need to be identified and trained early in            Financial Improvement Program (FIP) has
    Based on evidence obtained from the NAVFAC           the process. The FM Organization cannot               been invaluable in pursuing audit readiness
    DERP Program, DON asserted the audit                 accomplish audit readiness on its own.                for the Environmental Restoration (ER)
    readiness of approximately $3.2 Billion in               - Headquarters-issued guidance is only            program. The continual dialogue with FIP
    environmental liabilities. The DERP portion          one step in improving processes and making            support staff has helped NAVFAC work
    of environmental liabilities represents the cost     the organization more auditable. Process              through existing processes, identify potential
    to correct legacy cleanup sites that are funded      executors must be properly trained on                 weaknesses, and develop testable and
    from the Environmental Restoration Accounts in       new procedures, and testing of compliance             sustainable internal controls that maintain
    accordance with “Management Guidance for the         must take place on a regular basis to keep            audit readiness. The ER program’s $3
    Defense Environmental Restoration Program.”          compliance in line with expectations.                 billion dollar projected cost represents a
                                                             - The field activities are key to auditability.   large segment of Navy’s financial liability.
    The assertion process verified that the underlying
                                                         In an organization as large and diverse as the        Having worked toward audit readiness
    information upon which the DERP environmental
                                                         Department of the Navy, a significant number          collaboratively with many of the Navy’s
    liabilities are based is complete, accurate, and
                                                         of transactions occur outside of headquarters         financial stakeholders, NAVFAC has
    the associated liability is properly disclosed.                                                            confidence that the values reported for ER
                                                         at field level activities, thereby increasing
    Audit readiness was determined through the test                                                            Liability on the Navy’s financial statements
                                                         the importance of processes performed by
    of design and operating effectiveness of the key                                                           and the documentation and internal controls
                                                         field personnel. Everyone needs to be on the
    controls identified, and results were analyzed to                                                          behind them are sound.”
                                                         same page to be “audit ready”.
    identify weaknesses and impediments to success.




                                                                                     Get The Arrow Online...
                                                                                                                                                3



Understanding Levels of Control
By Mike Moreau, DON Managers’ Internal Control
(MIC) Program Coordinator
    We are all familiar with the term internal controls, and the
need to annually report on their effectiveness as laid out in
the Federal Managers Financial Integrity Act (FMFIA) of 1982.
Beyond that there are varying levels of understanding behind
the how, what and why of internal control. For instance, are you
familiar with the three levels of application: Entity, Process and
Transaction?
    Entity-level controls set the tone for how an organization          be tested to determine whether they were designed effectively
approaches the concept of applying an internal control based            and are functioning effectively. Internal controls, if effectively
program and serve as the logical starting point for an audit,           designed, should serve as a source of information, a pulse point,
or assessment, of a program’s effectiveness. Entity-level               for measuring process performance. The scope and frequency of
controls consist of five components, or standards: Control              tests will depend primarily on the effectiveness of the monitoring
Environment, Risk Assessment, Control Activities, Information and       procedures.
Communication, and Monitoring. According to the Government                  Process-level controls fall within the realm of the various
Accountability Office (GAO) these standards should be integrated        Quality Control/Continuous Process Improvement methodologies
in an organization’s management culture.                                currently available or previously implemented. The basics center
    Control Environment: The Control Environment sets the tone          on whether key business processes have been mapped and
of an organization, providing discipline, structure and influencing     narrated, potential opportunities for error identified, risk factors
the control consciousness of its people. Actions speak louder than      assigned, controls implemented, and a methodology for testing
words and management’s approach to business, i.e. how they              the controls established. Process-level controls are a primary
deal with ethical issues, tell the rest of the organization what it’s   source of reasonable assurance and should be the focus of most
priorities are and set the level of integrity for operations.           command-level efforts supporting the Managers’ Internal Control
    Risk Assessment: An aversion to risk has the potential to           and Financial Improvement Programs.
paralyze an organization. Our operating environment is in                   Transaction-level controls are the other source of
a constant state of change and change generates risk. Risk              information for assessing assurance. Transaction controls are
exists even without change, and every organization must                 implemented to ensure the effectiveness of the audit trail—can a
assess the impact a risk may have on it’s ability to meet               transaction or work order be traced back to the initiating event?
mission requirements. Risk is assessed by the frequency                 Transactions are not always financial. As an example, in the area
and potential impact an occurrence will have on the process             of contract management, there is the potential a contract may run
outcome. Managers must have a way to proactively evaluate               longer than the assigned Contracting Officer’s Representative’s
the opportunities or threats and determine how to mitigate the          (COR) tour of duty. Considering the COR responsibility is an
risks to allow the organization to stay current with the constantly     assigned duty, the outgoing COR may see it as management’s
changing operational environment.                                       responsibility to designate a replacement, and may not include the
    Control Activities: Control activities are the policies and         role, and its information, in the pass-down package. This break
procedures implemented to ensure what could go wrong                    in the monitoring chain could potentially result in the loss of the
doesn’t. They help to guide the actions of people and programs          contract’s historical record. An effective internal control would
to make certain the necessary actions are taken to counter              require the contracting officer to designate the responsibility to
potential chances of error. Control activities include approvals,       the billeted position, include the COR’s Permanent Change of
authorizations, performance reviews, or segregation of duties.          Station date in the letter of appointment, and require an out brief
    Communication and Information: Control activities are not           of the contract history as part of the departing member’s check-
a one-time fix, therefore they need to be well communicated,            out package.
especially to those who will have responsibility for implementing           To summarize, internal control is not a one-shot deal.
the control. Our annual Statement of Assurance is based upon            Effectively applied internal controls perform an integral role in the
the Department’s reasonable assurance of the effectiveness of           management process. Entity-level controls establish the corporate
the system of internal controls embedded in the key business            environment, process-level controls ensure the quality of business
processes. The point to emphasize is that the assurance must            operations, and transaction-level controls assure the accuracy
come from an informed and verifiable account of control                 of activities supporting business processes. It is this system of
performance, which requires a good flow of information down and         internal controls that supports the bottom-up flow of information
up the chain of command.                                                to provide our senior leaders with the reasonable assurance
    Monitoring: Internal control effectiveness is a process that        asserted in their annual Certification Statements to the Secretary
needs to be monitored over a period of time. Controls must              of the Navy.
4

    Department of the Navy (DON) Statement of Assurance (SOA) Update
    By Elizabeth McMahon

        As required by OMB Circular A-123,          Improvement Program (FIP) provides the           material weaknesses, reportable conditions
    Appendix A, the DON reported current            status of material weaknesses related to         or accomplishments in both soft copy –
    status of its ICOFR weaknesses and              financial reporting. The majority of this data   via the SOA tool – and hard copy. MAUs
    accomplishments in the FY 2009 Statement        was collected during the third quarter of FY     submitted their annual certifications by
    of Assurance (SOA). Submitted annually to       2009, as the Office of the Under Secretary       31 July. In August, the DON MIC program
    the Secretary of Defense on 1 September,        of Defense Comptroller (OUSD(C)) requires        team collaborated with the Naval Audit
    the SOA is a comprehensive document             draft submissions of financial reporting         Service (NAVAUDSVC) for the final time
    that details the DON’s financial and non-       weaknesses for the Navy and Marine Corps         of the MIC year to review weaknesses
    financial internal control efforts throughout   General Fund and the Navy Working Capital        discovered through their audits and to
    the year. For FY 2009, the DON reported         Fund (NWCF) in June. Financial reporting         finalize material weaknesses for the SOA.
    no new ICOFR material weaknesses. The           material weaknesses are reviewed and             Using all three avenues of information, the
    six uncorrected material weaknesses: (1)        approved by the DON Senior Assessment            DON MIC program team analyzed data and
    Collections and Disbursements, (2) Procure      Team (SAT) prior to submission.                  submissions for DON materiality. The final
    to Pay Processes, (3) General Equipment, (4)        Throughout July, the DON’s major             SOA was reviewed, approved and signed by
    Military Equipment, (5) Operating Materials     assessable units (MAUs) submitted                the Secretary of the Navy for submission to
    and Supplies, and (6) Real Property.            certification statements to the MIC              the Secretary of Defense by 1 September. To
        The Managers’ Internal Control (MIC)        Program team. MAUs, such as the Chief            view the FY 2009 Statement of Assurance
    team relies on three avenues of information     of Naval Operations (CNO) and the DON            please visit: http://www.fmo.navy.mil/mic/
    to collect our data. First, the DON Financial   Chief Information Officer (CIO), self-report     soa_index.htm




                                                                                                          Help Our Aim
                                                                                                          We want to hear from you! For more
                                                                                                          information regarding The Arrow, or the
                                                                                                          FIP or MIC program, email us at FMO_
                                                                                                          Arrow_Newsletter@navy.mil.

                                                                                                          EDITORIAL BOARD
                                                                                                          Russell Strother, Richard Raimondo,
                                                                                                          Michael Moreau, Michael Sullivan,
                                                                                                          William McCleary, Timothy Love




         Office of Financial Management
         Washington Navy Yard
         720 Kennon St SE Room 115
         Washington, DC 20374-5025