Which Of The Following Could Be Management Internal Control Program Actions

How does your organisation manage risks while meeting its objectives? Across the public sector, including the Department of Defence (DoD), organizations should take in identify a Managers' Internal Control Program (MICP). Whether a Major Defense Acquisition Program (MDAP) or an administrative office, all organizations and their personnel tin find value from the MICP.

An effective MICP is extremely vital to the DoD at present more than e'er. Why? The overall budget is growing, operations are expanding or emerging, and several major enterprise-wide weaknesses and risks exist that could negatively impact those operations. DoD must ensure sound controls exist to achieve and sustain efficient and affordable operations. The 2018 National Defense Strategy (NDS) identifies the DoD'southward need for greater performance and affordability while conducting operations, and it states, "We will put in place a management organisation where leadership can harness opportunities and ensure effective stewardship of taxpayer resources. Nosotros have a responsibleness to proceeds full value from every taxpayer dollar spent on defense, thereby earning the trust of Congress and the American people." DoD'due south organizations must deploy effective MICPs to support the NDS. Ineffective MICPs could result in organizations not meeting objectives and foreclose accountability to U.Southward. taxpayers.

While working within the DoD, I performed a variety of MICP functions that contributed to programs' successful MICP efforts. This article provides an overview of the MICP, along with best practices and lessons learned from by experience, to let for increased understanding and awarding across the DoD.

What is the MICP?

The Government Accountability Part (GAO) says the MICP is "a process used by direction to assistance an entity achieve its objectives." Objectives consist of: (i) efficient and effective operations; (two) reliable reporting for both internal or external use; and (iii) compliance with laws and regulations. The MICP enables organizations to establish a continuous procedure to implement internal controls (ICs) and evaluate the effectiveness and efficiency of those ICs. Type of ICs include, but are not limited to, processes, policies, systems, personnel, and facilities. ICs ultimately assist organizations encounter objectives and foreclose fraud, waste, abuse or mismanagement of resources.

Take a chance direction too is a key component of the MICP since risks are unique to each organization based on their specific mission and objectives. Risk management involves proactive efforts to identify, analyze, mitigate and monitor risks. Risks can be categorized as technical, programmatic or business-related—all of them are potential future events or conditions that may take a negative effect on organizations achieving objectives. Examples of risks are policies, processes, systems, strategies, plans, schedules, customers and weather. ICs should be implemented or maintained based on the risks facing an organization or assessable unit of measurement. More information on take chances management is available within the DoD's Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs (2017).

The MICP is an internal function customized for each system based on multiple factors (mission, functions, size, and structure). Some organizations could have dozens of assessable units based on its functions while other organizations could have but a few. In that location is no one "right" way for organizations to create and maintain assessable units so long every bit major functions are covered adequately. Regardless, all DoD organizations are required to study annually on ICs, including any known deficiencies or weaknesses. The formal report, known as the Statement of Assurance (SOA), must be submitted to the Secretary of Defense (SecDef) after an assessment of operations, financial reporting and fiscal systems. These reports are critical and consolidated as a part of DoD's overall SOA with results published annually in DoD's Agency Financial Written report (AFR). Table 1 summarizes the basic MICP process for DoD organizations.

Why Is the MICP Important, Specifically, to DoD?

The MICP is required by law and assists organizations meet their objectives. MICP efforts support senior leadership decisions within and across organizations to assess what is working properly and what is not. Information technology too provides reasonable assurance to Congress and U.Due south. taxpayers that public-entrusted resources are used appropriately. The MICP is specifically important to DoD for several reasons. First, DoD is the largest U.S. employer. Second, DoD's Fiscal Yr (FY) 2019 upkeep of $716 billion is the largest amount ever for DoD and information technology represents over half of the government's total discretionary spending. The MICP should exist a top priority for DoD'southward acquisition programs since they execute the majority of DoD'southward budget.

DoD's FY 2018 AFR (November 2018) identified many material weaknesses affecting DoD operations. One major and long-standing weakness was DoD'south inability to produce auditable financial statements. The DoD remains the only section unable to achieve an "audit-ready" stance since 1990. Other weaknesses were reported in areas of contract administration, information technology, and personnel and organizational management. All reported weaknesses were attributed to nonexistent or ineffective ICs. DoD's top challenges and risk are reported annually. Tabular array ii lists the peak ten challenges as identified by the DoD Role of the Inspector General (DoD OIG) for FY 2019.
In addition to DoD's reported challenges, the GAO has long reported DoD at a loftier risk of fraud, waste, corruption and mismanagement considering of ineffective processes, systems and controls. The importance and benefits of the MICP are clear, especially given the current environs the DoD faces.

Who Is Involved With the MICP?

The MICP applies to all DoD organizations. This includes, per DoD Teaching 5010.xl, the Function of the Secretary of Defense, Military Departments, Articulation Chiefs of Staff, Combatant Commands, DoD Office of the Inspector General, DoD agencies and DoD field activities. The DoD's almanac AFR includes DoD'southward SOA and is summarized based on the SOAs submitted by each of these organizations. Each organization'south MICP coordinator shall separate major activities (or assessable units) organizationally, functionally or other form so long as there is adequate coverage to perform assessments of all major arrangement functions.

Everyone within each DoD organization, regardless of rank, function or expertise, has a responsibleness. This applies to personnel supporting a MDAP or an office performing purely administrative tasks. Working-level staff members perform day-to-day operations based on current ICs, identify risks and IC deficiencies or weaknesses to managers, and provide input for their assessable unit of measurement managers to complete MICP products. Managers, responsible for a defined assessable unit of measurement or functional area, assess risks, identify IC objectives, document and test ICs, develop and monitor progress of corrective deportment plans (CAPs) and report to the organization'south MICP coordinator. An MICP coordinator manages the arrangement's MICP (establishes assessable units that provide adequate coverage of major functions), coordinates with managers and senior leaders, monitors the progress of CAPs and maintains documentation to support the organisation'due south SOA. The DoD system head establishes the organization'south MICP, designates an MICP coordinator to manage the MICP, submits an annual SOA to the SecDeF and reports on the progress of CAPs. The Function of the Under Secretary of Defense force (Comptroller)/Principal Financial Officeholder provides MICP guidance to DoD organizations based on laws, develops DoD's almanac SOA based on SOAs submitted by each DoD organization and ensures that DoD adheres to annual reporting requirements. The SecDef reports DoD's almanac SOA to the President, Congress and the public (and the annual SOA is included in DoD's annual AFR).

The Origins of the MICP

MICP-related laws, policies and references are plentiful and widely available. Some have existed for several decades while others have been released in recent years. Some resources that can assist organizations with their MICP are listed in the sidebar to a higher place.

All-time Practices and Lessons Learned

This section outlines all-time practices and lessons learned from past experience that tin assist DoD organizations and personnel with MICP efforts.

Leadership Support and Early Incorporation

Every DoD system's senior leadership must support its MICP. Too being required by law, the MICP can profoundly assist organizations with meeting objectives. Leadership support both allows for MICP efforts to be prioritized across the enterprise and provides the greatest chance for try effectiveness. Organizations should besides incorporate its MICP across all functional areas or assessable units as early as possible. This applies to new organizations with new functions, existing organizations with new functions, or existing organizations with modified functions. Regardless, organizations must take advisable MICP coverage based on current operations and assessable units. Leadership back up and early on incorporation are necessary ingredients for an constructive MICP.

The Missile Defense force Bureau's (MDA's) leadership prioritized its overall MICP and the annual requirements each year. This produced a highly supportive surroundings that directly contributed to successful efforts across the enterprise, whether training of primal personnel or major products such equally risk assessments and SOAs.

Ensure That All Personnel Have Access to Training and Resources

Organizations must ensure that personnel take access to MICP training and resources. If personnel do not accept access to or are unaware of applicable processes, responsibilities and products, they will have difficulties completing effective efforts. Tailored preparation to each organisation also is extremely benign since all organizations accept differing missions and functions and unique processes for completing the MICP requirements.

The MDA has a standalone office responsible for managing the arrangement'southward MICP. This role supports all MDA assessable units and completes several valuable functions. For instance, it develops MICP guidance (streamlined processes and divers areas of responsibility), organizes and conducts training and maintains MICP resources for all MDA personnel to admission. The function essentially provides MICP client service on demand for the entire organization. In addition, MDA teamed with DAU to create customized workshops on the MICP and risk management for MDA personnel.

Consummate Appropriate Risk Direction

Gamble management is a significant office of the MICP considering all organizations have risks. Risk management is not a one time-per-year event; however, it is a dynamic and abiding activeness to forbid potential issues from becoming actual issues. Risks can emerge from diverse sources and are unique to each organization or assessable unit. As such, assessable units and organizations shall mitigate existing risks and continuously place and clarify whatever new risks that may affect operations. Organizations must complete appropriate hazard management efforts so they can properly implement or change ICs to reach objectives.

I had an opportunity to ameliorate our office's risk management process when supporting the MDA. The office had never completed chance assessments because information technology believed no risks existed. Without any identified risks, the part could non perform a legitimate evaluation of its ICs to ensure their effectiveness or identify if operations prevented fraud, waste, abuse or mismanagement. I led a squad to complete the office's first take a chance assessment. This allowed the function to adequately identify, analyze, test and study on applicable risks. The squad plotted each identified risk on a nautical chart based on the potential likelihood and consequence. Further, the office successfully modified ICs based on the results of the risk cess and used the take a chance assessment as a regular part of operations moving forwards. Successful MICP efforts require appropriate risk management efforts.

Apply "Team" Arroyo and Share Information

Managers and staff members must work in unison and share information to complete effective MICP efforts and products. If MICP efforts are completed by only one or a few people, it is highly unlikely that the organization will consummate a true evaluation of ICs and risks. The MICP efforts should involve many personnel (new and experienced) across each assessable unit of measurement or functional area. Also, organizations' MICP products should be accessible by all personnel supporting that organization or assessable unit. If personnel have admission to program evaluations, risk assessments and SOAs, they can utilize the information to help strengthen ICs and better assist organizations achieve their objectives. This includes personnel who are new to their organization or responsibilities.

While working within various DoD organizations, some programs that I supported applied a team approach and some did non. As well, while some programs made the MICP products bachelor to all personnel supporting that functional area or assessable unit of measurement, some did not. Programs that practical a squad approach and actively shared information accomplished the best outcomes. Organizations volition undoubtedly strengthen their MICP and associated outcomes if they apply a team approach and share information.

Maintain Acceptable Documentation

Documentation and the MICP are synonymous. Key documents include processes, procedures, arrangement structure, functions, risks assessments, SOAs and other arrangement-specific documents. Organizations may encounter issues if they do non maintain adequate documentation. Documentation is of import to internal and external stakeholders. Internally, documentation helps organizations complete and report their MICP efforts. Documentation is besides beneficial for everyone in an organization (from staff members to senior leadership) as personnel can be aware of controls and risks with respect to operations. External stakeholders also accept interest in documentation. First, DoD reports to the public annually on its ICs. All DoD organizations must maintain acceptable documentation since the DoD'south AFR covers MICP efforts completed by all DoD organizations. 2nd, auditor entities (such equally the GAO, the DoD OIG and independent auditors) are very interested in MICP documents. During audits or other reviews, auditors regularly seek IC documentation when assessing programme effectiveness or compliance with laws. The importance of MICP documentation cannot be overstated.
The MDA's MICP office was exceptional at ensuring all programs and assessable units maintained acceptable documentation. They actively supported programs to validate all key supporting documents were current and readily bachelor. Such efforts backed MDA's MICP efforts reported in their almanac SOA submitted to the SecDef.

Determination

The DoD is an extremely unique entity, given the magnitude of operations. The DoD also has multiple enterprise-wide weaknesses and risks that affect those operations. As such, the DoD owes it to Congress and U.Due south. taxpayers to efficiently complete missions in view of the abundant resources we are provided, including resolution of weaknesses and audio chance direction. All DoD organizations—specifically, DoD acquisition programs—must implement and maintain effective MICPs. Despite the title including the word "managers," effective MICPs require input from anybody within an organization. DAU has resources available to assist DoD organizations with their MICP and risk management efforts—including customized workshops, training events and job support tools.

Speciale, a professor of Fiscal Management at the Defense Acquisition University, formerly worked at the Missile Defense Agency (MDA) and performed Managers' Internal Control Program (MICP) functions in several programs. Those MICP functions at MDA included creating processes, completing reports and risk assessments, and training. He is a Certified Fraud Examiner.

The author can be contacted at stephen.speciale@dau.mil.