DEPARTMENT OF THE NAVY COMMANDER NAVY RESERVE FORCE 1915 FORRESTAL DRIVE NORFOLK, VIRGINIA 23551-4615 COMNAVRESFORINST 5200.8C N002 29 Apr 2019 COMNAVRESFOR INSTRUCTION 5200.8C From: Commander, Navy Reserve Force Subj: NAVY RESERVE MANAGERS’ INTERNAL CONTROL PROGRAM Ref: (a) DoD Instruction 5010.40 of 30 May 2013 (b) SECNAVINST 5200.35F (c) SECNAV M-5200.35 of June 2008 (d) OPNAVINST 5200.25E (e) OPNAVINST 3500.39C (f) SECNAVINST 5210.16 Encl: (1) Department of Defense Internal Control Reporting Categories (2) COMNAVRESFORCOM Assessable Unit Inventory (3) COMNAVAIRFORES Assessable Unit Inventory (4) COMNAVIFORES Assessable Unit Inventory (5) Managers’ Internal Control Program Risk Assessment (6) Managers’ Internal Control Assessment (7) Managers’ Internal Control Corrective Action (8) Commanding Officer’s Managers’ Internal Control Program Spot Check (9) Managers' Internal Control Program Assessment 1. Purpose. This instruction reflects the requirements of references (a) through (f). It has been provided as a supplement to reference (c), in order to further delineate Navy Reserve Managers’ Internal Control Program (MICP) requirements. This instruction is a complete revision and should be read in its entirety. 2. Cancellation. COMNAVRESFORINST 5200.8B. 3. Background. The Secretary of the Navy (SECNAV) requires compliance with the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255). The FMFIA requires all executive agencies to establish internal accounting and administrative controls which provide reasonable assurance of compliance, safeguards, and accountability. 4. Scope. This instruction applies to Commander, Navy Reserve Force (COMNAVRESFOR), Commander, Navy Reserve Forces Command (COMNAVRESFORCOM), and all Navy Reserve echelon 3 commands. 5. Discussion a. The Department of the Navy (DON) MICP is the Navy’s method for demonstrating and documenting compliance with FMFIA. SECNAV expects all managers to be active participants.
28
Embed
DEPARTMENT OF THE NAVY Navy... · department of the navy. commander navy reserve force . 1915 forrestal drive . norfolk, virginia 23551-4615 . comnavresforinst 5200.8c . n002 . 29
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
DEPARTMENT OF THE NAVY COMMANDER NAVY RESERVE FORCE
1915 FORRESTAL DRIVE NORFOLK, VIRGINIA 23551-4615
COMNAVRESFORINST 5200.8C N002 29 Apr 2019 COMNAVRESFOR INSTRUCTION 5200.8C From: Commander, Navy Reserve Force Subj: NAVY RESERVE MANAGERS’ INTERNAL CONTROL PROGRAM Ref: (a) DoD Instruction 5010.40 of 30 May 2013 (b) SECNAVINST 5200.35F (c) SECNAV M-5200.35 of June 2008 (d) OPNAVINST 5200.25E (e) OPNAVINST 3500.39C (f) SECNAVINST 5210.16 Encl: (1) Department of Defense Internal Control Reporting Categories (2) COMNAVRESFORCOM Assessable Unit Inventory (3) COMNAVAIRFORES Assessable Unit Inventory (4) COMNAVIFORES Assessable Unit Inventory (5) Managers’ Internal Control Program Risk Assessment (6) Managers’ Internal Control Assessment (7) Managers’ Internal Control Corrective Action (8) Commanding Officer’s Managers’ Internal Control Program Spot Check (9) Managers' Internal Control Program Assessment 1. Purpose. This instruction reflects the requirements of references (a) through (f). It has been provided as a supplement to reference (c), in order to further delineate Navy Reserve Managers’ Internal Control Program (MICP) requirements. This instruction is a complete revision and should be read in its entirety. 2. Cancellation. COMNAVRESFORINST 5200.8B. 3. Background. The Secretary of the Navy (SECNAV) requires compliance with the Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (Public Law 97-255). The FMFIA requires all executive agencies to establish internal accounting and administrative controls which provide reasonable assurance of compliance, safeguards, and accountability. 4. Scope. This instruction applies to Commander, Navy Reserve Force (COMNAVRESFOR), Commander, Navy Reserve Forces Command (COMNAVRESFORCOM), and all Navy Reserve echelon 3 commands. 5. Discussion a. The Department of the Navy (DON) MICP is the Navy’s method for demonstrating and documenting compliance with FMFIA. SECNAV expects all managers to be active participants.
COMNAVRESFORINST 5200.8C 29 Apr 2019
2
During audits and inspections, external agencies (Government Accountability Office, Department of Defense (DoD) Inspector General, Naval Inspector General, and Naval Audit Service) review command compliance with this program. b. The MICP stresses using a variety of existing methods to gauge the effectiveness, efficiency, and economy of work processes. A process is defined as the manner in which resources are employed in generating a product, performing a responsibility, or rendering a service in support of the Navy’s mission. It consists of starting and ending points that are connected by a series of decision points, which include metrics/controls and various work related steps. c. The former Command Evaluation Program has been absorbed into the MICP by Director, Navy Staff action memo of 11 January 2013. The processes and policies of former OPNAVINST 5000.52B and COMNAVRESFORINST 5232.1D are governed by references (b) and (d), and this instruction. d. The MICP encompasses three lines of effort: Internal Control over Operations (ICO), Internal Control over Financial Reporting (ICOFR), and Internal Controls over Financial Systems (ICOFS). The Navy Reserve Forces Command Inspector General (NAVRESFOR IG) will assure all three lines of effort conform to required timelines set by higher authority. The NAVRESFOR IG through the MICP coordinator will compile and submit with approval the yearly Certification Statements for ICO. The COMNAVRESFORCOM N8 Directorate will compile and submit with approval the yearly Certification Statements for ICOFR and ICOFS. 6. Policy. To ensure compliance with references (a) through (d), commands must complete the following: a. Maintain an Assessable Unit Inventory. The command will be segmented into organizational or functional units. The sum of the assessable units must equal the entire organization. The inventory shall include the name of the Assessable Unit, a list of Sub-Assessable Units, the DoD Internal Control Reporting Category associated with the Assessable Unit, and the responsible Stakeholder and Unit Manager identified by name and billet title. The MICP coordinator will maintain the inventory and make necessary changes to personnel as required. b. Maintain a MICP Plan. The MICP plan is an executive summary of a command’s MICP. The plan captures the organization’s approach to implementing an effective internal control program and serves as the first resource MICP coordinators use to understand the organization’s program. MICP plans are described in detail in reference (c). c. Perform Risk Assessments. Reference (e) outlines the DON Operational Risk Assessment process. This process will be used when performing risk assessments for work processes. Reference (c) also provides additional information to consider when performing risk assessments. One-page linear flowcharts or process mapping may assist in preparing risk assessments for major and essential operations or processes. Though each command is afforded the flexibility to produce a format of their own for conducting, producing, tracking assessments,
COMNAVRESFORINST 5200.8C 29 Apr 2019
3
and corrective action, a standardized “MICP Tool,” enclosures (1) to (7) are recommended. Enclosure (8) is provided to allow a commanding officer to spot check the major or essential processes within Assessable Units while enclosure (9) provides a ready format for personnel to conduct periodic “testing” of internal control effectiveness. d. Perform Internal Control Assessments. Ensure major or essential processes are examined for efficiency, effectiveness, and economy. Enclosure (6) is used to document the Internal Control Assessment. Two or three key metrics will be used to measure performance. These key metrics should provide a quick look as to how well a process is progressing in achieving its intended purpose. To be viable, internal controls must be periodically tested. Test results should be reviewed, recorded, and filed to allow for external review or audit of the process and test results. Correctly documented internal control assessments should: (1) Relate each control to a specific risk. Describe the design of the control that will be tested. (2) Identify the control test objective to validate the assumed level of control risk. (3) Describe how the operation of the control was tested. (4) State whether the design of the control is effective, based upon the testing performed. (5) State whether the operation of the control is effective based upon the testing performed. e. Submit MICP Certification Statement. COMNAVRESFOR will submit a force-wide consolidated annual MICP certification statement. The required date of submission will be determined by the immediate superior in command. Further guidance for filling out and submitting the MICP certification statement is contained in reference (c). Echelon 3 commands will submit classified risks via Secret Internet Protocol Router Network (SIPR) to the COMNAVRESFOR MICP coordinator. f. Provide Corrective Actions for Reportable Conditions and Material Weaknesses. Corrective action plans for all material weaknesses and reportable conditions shall be included as an enclosure to the MICP certification statement. Formatting instructions are outlined in reference (c) and the web-based tool. 7. Action a. COMNAVRESFOR will: (1) Assign a MICP coordinator. (2) Ensure the Navy Reserve is trained and in compliance with the DON MICP.
COMNAVRESFORINST 5200.8C 29 Apr 2019
4
(3) Ensure subordinate commands are in compliance with the MICP for the Command Assessment Program. b. All echelon 3 commanders will: (1) Designate a command MICP coordinator in writing.
(2) Provide current MICP coordinator point of contact and phone number to respective ISIC, as directed. (3) Follow the policies and procedures set forth in this instruction. (4) Establish command instruction to define Assessable and Sub-Assessable Units, and assign stakeholders and unit managers. (5) Provide input as directed to the MICP coordinator in support of the annual MICP certification statement. (6) Ensure subordinate commands are in compliance with the MICP for the CAP.
c. MICP coordinators will: (1) Be designated in writing and complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in Navy e-Learning (NeL). (2) Ensure the stakeholders and unit managers complete the “Managers’ Internal Control Program Training,” a web-based MICP training found in NeL. (3) Follow the policies and procedures set forth in this instruction. (4) Develop command instruction to define the Assessable and Sub-Assessable Units. (5) Coordinate managers for each Assessable and Sub-Assessable Units as required. (6) Provide quality assurance for the program for the command. (7) Maintain SIPR access to allow for the submission and/or receipt of classified risks. d. Stakeholders will: (1) Follow the policies and procedures set forth in this instruction. (2) Designate unit managers as required for Assessable and Sub-Assessable Units. (3) Manage the controls created to mitigate risks.
COMNAVRESFORINST 5200.8C 29 Apr 2019
5
(4) Complete the “Managers’ Internal Control Program for Managers,” a web-based MICP training found in NeL. e. Unit managers will (1) Assess areas of risk for assigned Assessable and Sub-Assessable Units. (2) Develop and implement controls to mitigate known risks. (3) Complete the “Managers’ Internal Control Program training,” a web-based MICP training found in NeL. 8. Records Management. Records created as a result of this instruction, regardless of media or format, must be managed per SECNAV Manual 5210.1 of January 2012. The reporting requirements in paragraphs 6 and 7 are exempt from reports control per reference (f). 9. Review and Effective Date. Per OPNAVINST 5215.17A, COMNAVRESFOR will review this instruction annually on the anniversary of its issuance date to ensure applicability, currency, and consistency with Federal, DoD, SECNAV, and Navy policy and statutory authority using OPNAV 5215/40. This instruction will automatically expire 10 years after effective date unless reissued or canceled prior to the 10-year anniversary date, or an extension has been granted. T. W. LUSCHER By direction Releasability and distribution: This instruction is cleared for public release and is available electronically only via COMNAVRESFOR Web site, https://www.mynrh.navy.mil
DEPARTMENT OF DEFENSE INTERNAL CONTROL REPORTING CATEGORIES
1. Detailed Department of Defense (DoD) internal controls reporting category descriptions are contained within enclosure (5) of reference (a). The DoD will designate each operational internal control deficiency into one of the following reporting categories: a. Communications.
b. Intelligence.
c. Security.
d. Comptroller and Resource Management.
e. Contract Administration.
f. Force Readiness.
g. Information Technology.
h. Acquisition.
i. Manufacturing, Maintenance and Repair.
j. Other (Primarily Transportation).
k. Personnel and Organizational Management.
l. Procurement.
m. Property Management.
n. Research, Development, Test and Evaluation.
o. Security Assistance.
p. Supply Operations.
q. Support Services.
2. Managers’ Internal Control Program coordinators shall create assessable units tied to the list above. It is not required to use all of the categories above; only use those categories which apply to the efforts conducted by the respective command structure. Assessable units shall also reflect the Command Assessment Guide.
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (1)
3. When reporting financial reporting or financial system internal control material weakness according to evaluations conducted, the DoD and Office of the Secretary of Defense component will classify the end-to-end business processes affected by the control weakness. The following IC categories will be used to classify the material weakness: a. Budget-to-Report. b. Hire-to-Retire. c. Order-to-Cash. d. Procure-to-Pay. e. Acquire-to-Retire. f. Plan-to-Stock.
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (2)
COMNAVRESFORCOM ASSESSABLE UNIT INVENTORY
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
1 Command Master Chief
Command Master Chief Command Assessment Program Force Readiness N00
2 Human Resources HR Programs Assessment Personnel and Organization Management N00CP
Labor/Employee Relations Management/Advice
Personnel and Organization Management N00CP
Awards Personnel and Organization Management N00CP
Mandatory Training Personnel and Organization Management N00CP
Civilian Personnel Performance Personnel and Organization Management N00CP
Equal Employment Opportunity Programs
Personnel and Organization Management N00CP
Drug Free Workplace Programs Personnel and Organization Management N00CP
Request for Personnel Actions Validation
Personnel and Organization Management N00CP
DCPDS/TFMMS Data Integrity Personnel and Organization Management N00CP
Civilian Wage and Classification Personnel and Organization Management N00CP
3 Force Judge Advocate
Ethics/Standards of Conduct Training Support Services N00J
Administrative Separation-Military Support Services N00J
Ethics/Standards of Conduct Advice Support Services N00J
Freedom of Information/Privacy Act Support Services N00J
Courts Martial Support Services N00J
Non-Judicial Punishment Support Services N00J
JAGMAN Investigations Support Services N00J
Article 138, UCMJ Article 1150, Navy Regulations, Complains of Wrongdoing
Support Services N00J
Detachment for Cause Support Services N00J
Federal or U.S. Government Inspector General (IG) Investigations Support Services N00J
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
Federal or U.S. Government fiscal and comptroller law Support Services N00J
General business and commercial law Support Services N00J
Legal Training/Oversight (U.S. Navy Reserve Component/Force) Support Services N00J
4 Inspector General Audit Follow-Up Liaison Other N002 Command Evaluation Program Other N002 Command Inspection Program Other N002 Investigations (i.e., Hotlines) Other N002 IG Command Assessment programs Other N002 Manager's Internal Control Program Other N002
5 Public Affairs Office
Provide PAO Support to Echelon 2, 3, 4 Staffs, Echelon 5 Commands, and SELRES
Support Services N00P
Publish, Distribute "TNR" Support Services N00P
Manage, Coordinate Naval Reserve Force Page on the Navy NewsStand Web site
Support Services N00P
Oversee, Manage Content for All Reserve Force Public Web Sites Support Services N00P
Research and Coordinate Response to External Information Queries Support Services N00P
Assist in Coordinating Local Community Relations Events Support Services N00P
Coordinate Speakers and Speeches for External Community Groups Support Services N00P
6 Safety Safety Policy Development Support Services N00S Safety Training Support Services N00S
Investigation of Employee Reports of Unsafe/Unhealthful Working Conditions
Support Services N00S
Unsafe/Unhealthful Working Conditions Support Services N00S
NAVOSH Inspection Support Services N00S
NAVOSH Self-Assessment (PR&MS) Support Services N00S
Mishap Ivestigation/Reporting (WESS2) and ESAMS Support Services N00S
Record keeping Support Services N00S
OSHA Inspection/Liaison Support Services N00S
Oversight/Guidance/Command support of all Mission-Oriented Support Services N00S
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (2)
# Assessable Unit Sub-Assessable Unit DoD Functional Categories Stakeholder
NAVOSH Programs at Lower Echelons
7 Command Services Correspondence Support Services N01A
Officer Fitness Reports/Enlisted Evaluations Support Services N01A
Directives Management Support Services N01A
Congressional Inquiries Support Services N01A
Personnel Identifiable Information Manager Support Services N01A
MWR Support Services N00
8 Force Chaplain Chaplain/Religious Program Specialists Assignments Support Services N01G
Fund Management and Execution Support Services N01G
Chaplain/Religious Program Specialists Mobilization Sourcing Support Services N01G
Chaplain/Religious Program Specialists Mobilization Processing Support Services N01G
9 Security Manager Information Security Program (Including Classified Material) Security N01S
Funds Receipt Distribution (FDR) Procurement N8 Reimbursables Grantor/Performer Procurement N8
Reserve Personnel Navy (RPN) Procurement N8 Accounting/Financial Integrity Procurement N8
O&MNR, Navy Reserve Procurement N8
RC Resources and Fund Management Force Readiness N8
Force Travel Force Readiness N8
16 Force Medical Medical/Dental Readiness Management Support Services N1H
Suicide Prevention Coordinator Support Services N1H
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (5)
MANAGERS’ INTERNAL CONTROL PROGRAM RISK ASSESSMENT TEMPLATES
Sub-Assessable Unit (Assessable Unit) (Identify the unit above for which you are
assessing risk)
Identify risk by asking the following questions
Risk Questions Answers Action Person 1. What could go wrong with this process? 2. What processes require the most judgement? 3. What processes are the most complex? 4. What must happen for this process to work correctly?
5. How could we fail to accurately report the actual status?
6. How do we know whether we are achieving our objectives?
7. Where are the most vulnerable areas?
Identified Risks (Based on answers above articulate your risks) 1. 2. 3.
A risk that has little to no chance to occur. A risk that has very robust and/or long-standing mitigation and/or management strategies in place.
1 - Very Low Risk
Risks that have little or no impact on the business unit and/or area. Very low risks can hamper the ability of a business unit or area to achieve a goal or objective, usually one of lesser significance. Rarely will they rise to the level where they could actually prevent the business unit or area from achieving a goal or objective. They do not have any discernable impact on the business unit’s ability to achieve its mission. Usually, only a small percentage of risks fall into this category.
2 - Low Risk A risk that is not likely to occur. A risk that has strong mitigation and/or management strategies in place that are functioning as intended.
2 - Low Risk Risks that may have discernable impact on the business unit and/or area. Low risks can hamper the ability of a business unit or area to achieve one or more objectives, usually those of lesser significance. Occasionally they will rise to the level where they could actually prevent the achievement of a business unit’s goals or objectives, but are unlikely to have any impact on the business unit’s ability to achieve its mission. Many risks fall into this rating category.
3 - Medium Risk
A risk that has a chance to occur. Mitigation and/or management strategies are in place but may not be robust enough to prevent the risk from occurring. However, the mitigation/management strategies in place would most likely lessen the chance of occurrence.
3 - Medium Risk
Risks that have the potential to have considerable impact on the business unit and/or area. Medium risks can affect the achievement of one or more goals and objectives, but usually will not rise to the level of preventing an organization from achieving its mission. Significant risks may have substantial internal and/or external repercussions. A large percentage of risks fall into this rating category.
COMNAVRESFORINST 5200.8C 29 Apr 2019
3 Enclosure (5)
Risk Assessment Definitions Risk Likelihood Description Risk Impact Description 4 - High Risk A risk that is more likely to occur than not to
occur; a high degree of certainly that the risk will occur. A risk that has more than a 50% chance of occurring. Effective mitigation and/or management strategies are not in place or are not functioning as intended.
4 - High Risk Risks that are likely to have substantial impact on the agency, the business unit and/or area, in that order. High risks can significantly hamper an organization’s ability to achieve multiple and/or key goals and objectives. They could also rise to the level or preventing or impairing an organization from achieving its mission. Major risks often have serious internal and/or external repercussions. This is often the top rating category in terms of significance for the majority of business units. Usually, only a small percentage of risks fall into this category.
5 - Very High Risk
A risk that is occurring or is certain to occur given the environment or factors involved. Mitigation and/or management strategies are not in place or are not functioning as intended.
5 - Very High Risk
Risks that are likely to have critical impact on the agency and/or the business unit in that order. Very high risks are potentially business ending events, or at the very least could prevent the business unit from accomplishing its mission, not just a single goal or objective. Extreme risks have significant potential for grave consequences on an organization, its people, and/or processes. Very few risks fall in to this rating category, and many business units will not have any such risks.
Identified Risks Risk severity
Likelihood Impact
COMNAVRESFORINST 5200.8C 29 Apr 2019
4 Enclosure (5)
For Every Risk, List a Control Action for (Assessable Unit/ Sub-Assessable Unit) Risk Risk Severity Control Action Monitoring Activity Monitoring
Frequency Likelihood Impact List the risks identified in "Risk Assessment
tab" that are moderate or higher.
What are the steps taken
to control the risk? How is the risk
monitored?
How often is the risk monitored (weekly, monthly, quarterly)?
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (6)
MANAGERS’ INTERNAL CONTROL PROGRAM CONTROL ASSESSMENT TEMPLATES
Internal Control Test for Assessable/Sub-Assessable Units List control action and have reasonably informed individual test/review your controls.
Risk Control Action Test/Review
Controls Was Control design
effective Residual Risk
Tester Likelihood Impact
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (7)
MANAGERS’ INTERNAL CONTROL CORRECTIVE ACTION TEMPLATE
Corrective Actions for Sub-Assessable unit (Assessable Unit)
If controls are ineffective, criteria fits, submit Material Weakness or Reportable Condition to CNRF MIC Program Manager
Ineffective Control Threat to Mission,
Resource, or Image? Issue is Command
Wide?
Is It a Material Weakness or a
Reportable Condition
Have you reported to CNRF MIC Program
Manager for Submission
COMNAVRESFORINST 5200.8C 29 Apr 2019
Enclosure (8)
COMMANDING OFFICER’S MANAGERS’ INTERNAL CONTROL PROGRAM SPOT CHECK
Activity/Department: Work Process: Step 1. Identify Risks: Yes No N/A a. Has a flowchart been completed identifying major steps of the work process? Yes No N/A b. Have applicable risks of each step with possible causes for those risks been documented? If no, comment in, “Issues/Comments” section. NOTE: Risk includes: Financial, Human Resource (personnel), Reputation (image), Technology, Strategic, Operational, Resources, and Environmental. Step 2. Assess Risks: Each risk identified in Step 1 will be assigned. a. Risk Assessment Code (RAC) using the “Impact Severity Category” and “Likelihood of occurrence Rating.” The below matrices are a guide for assessing hazards. Yes No N/A b. Has each risk been assigned a RAC? Impact Category Matrix: Likelihood of occurrence:
I (severe impact to mission etc) A (likely to occur immediately) II (serious impact to mission etc) B (probably will occur in time) III (moderate impact to mission etc) C (may occur in time) IV (little to low impact to mission etc) D (unlikely to occur) Risk Assessment Code Risk Impact Likelihood Rating
1=Critical I A B C D 2=Serious II 1 1 2 3 3=Moderate III 1 2 3 4 4=Minor IV 2 3 4 5 5=Negligible 3 4 5 5 Step 3. Risk Decisions: Yes No N/A a. Have risks moderate and higher been prioritized and internal controls selected to reduce process risks? Yes No N/A b. Do selected internal controls provide benefits that outweigh risks?
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (8)
Yes No N/A c. If risk outweighs benefit, does the process warrant reporting to higher authority as a material weakness? Discuss issues in “Issues/Comments” section. Step 4. Internal Control Implementation (more than one type internal control may apply): a. Have “Process Controls” been implemented that reduce risks Yes No N/A by design, software selection, or substitution when technically or economically feasible? b. Have “Administrative Controls” been implemented that reduce risks through specific administrative actions, such as: Yes No N/A (1) Establishing written policies, programs, Instructions and standard operating procedures? Yes No N/A (2) Training personnel to recognize risks and take appropriate measures? Yes No N/A c. Other. Step 5. Supervision: Yes No N/A a. Is there periodic supervisory oversight of internal controls for the work process? Are the controls tested for effectiveness? Yes No N/A b. Are risk assessments and internal control assessments reviewed at least once a year? Yes No N/A c. Are internal controls periodically tested, and are test results reviewed and filed for external review/audit? Yes No N/A d. Is a corrective action plan put in place for controls that no longer reduce risk to an appropriate level? Initial Risk Assessment conducted by: ____________________ Date: __________________ Assessment reviewed by: ______________________________ Date: ________________ Are test results reviewed and filed for external review/audit?
“Do our Controls work?” 1. Assessable Unit/Work Process: 2. Method(s) used? Physical inspection/walk-through. Review documents. Interviewed cognizant managers. Evaluated data. Conducted simulation. 3. Test Results Yes No a. Does the flowchart reflect the process? Yes No b. Is the process producing intended results? Yes No c. Are protections against fraud, waste, abuse and mismanagement practices adequate? Yes No d. Are laws and regulations followed? Yes No e. Is the process effective, efficient, and economical? Yes No f. Has an MICP Risk Assessment been completed? (1) Risk Assessment Code: 1 – Critical 2 – Serious 3 – Moderate 4 – Minor 5 – Negligible Yes No g. Are the internal controls acceptable for reducing risks? Yes No h. Are internal controls reviewed often enough to be effective?
COMNAVRESFORINST 5200.8C 29 Apr 2019
2 Enclosure (9)
Yes No i. Are internal control tests being conducted to validate internal controls and are the results filed for later review/audit? 4. For any “NO” response above, indicate the remedial action planned and expected completion date. Yes No 5. Does this process warrant reporting as a material weakness? 6. Spot check conducted by: ___________________________ Date: __________________