U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Breadcrumb

  1. Home
  2. Defense Acquisition Magazine
  3. Defense Acquisition May-June 2019
  4. The Managers’ Internal Control Program

The Managers’ Internal Control Program

The Managers’ Internal Control Program

Stephen Speciale, CFE


How does your organization manage risks while meeting its objectives? Across the public sector, including the Department of Defense (DoD), organizations should have in place a Managers’ Internal Control Program (MICP). Whether a Major Defense Acquisition Program (MDAP) or an administrative office, all organizations and their personnel can find value from the MICP.

An effective MICP is extremely vital to the DoD now more than ever. Why? The overall budget is growing, operations are expanding or emerging, and several major enterprise-wide weaknesses and risks exist that could negatively impact those operations. DoD must ensure sound controls exist to achieve and sustain efficient and affordable operations. The 2018 National Defense Strategy (NDS) identifies the DoD’s need for greater performance and affordability while conducting operations, and it states, “We will put in place a management system where leadership can harness opportunities and ensure effective stewardship of taxpayer resources. We have a responsibility to gain full value from every taxpayer dollar spent on defense, thereby earning the trust of Congress and the American people.” DoD’s organizations must deploy effective MICPs to support the NDS. Ineffective MICPs could result in organizations not meeting objectives and prevent accountability to U.S. taxpayers.

While working within the DoD, I performed a variety of MICP functions that contributed to programs’ successful MICP efforts. This article provides an overview of the MICP, along with best practices and lessons learned from past experience, to allow for increased understanding and application across the DoD.

There is no one “right” way for organizations to create and maintain assessable units so long as major functions are covered adequately. Regardless, all DoD organizations are required to report annually on ICs, including any known deficiencies or weaknesses.

What is the MICP?

The Government Accountability Office (GAO) says the MICP is “a process used by management to help an entity achieve its objectives.” Objectives consist of: (1) efficient and effective operations; (2) reliable reporting for both internal or external use; and (3) compliance with laws and regulations. The MICP enables organizations to establish a continuous process to implement internal controls (ICs) and evaluate the effectiveness and efficiency of those ICs. Type of ICs include, but are not limited to, processes, policies, systems, personnel, and facilities. ICs ultimately assist organizations meet objectives and prevent fraud, waste, abuse or mismanagement of resources.

Risk management also is a key component of the MICP since risks are unique to each organization based on their specific mission and objectives. Risk management involves proactive efforts to identify, analyze, mitigate and monitor risks. Risks can be categorized as technical, programmatic or business-related—all of them are potential future events or conditions that may have a negative effect on organizations achieving objectives. Examples of risks are policies, processes, systems, strategies, plans, schedules, customers and weather. ICs should be implemented or maintained based on the risks facing an organization or assessable unit. More information on risk management is available within the DoD’s Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs (2017).

The MICP is an internal function customized for each organization based on multiple factors (mission, functions, size, and structure). Some organizations could have dozens of assessable units based on its functions while other organizations could have only a few. There is no one “right” way for organizations to create and maintain assessable units so long as major functions are covered adequately. Regardless, all DoD organizations are required to report annually on ICs, including any known deficiencies or weaknesses. The formal report, known as the Statement of Assurance (SOA), must be submitted to the Secretary of Defense (SecDef) after an assessment of operations, financial reporting and financial systems. These reports are critical and consolidated as a part of DoD’s overall SOA with results published annually in DoD’s Agency Financial Report (AFR). Table 1 summarizes the basic MICP process for DoD organizations.

Why Is the MICP Important, Specifically, to DoD?

The MICP is required by law and assists organizations meet their objectives. MICP efforts support senior leadership decisions within and across organizations to assess what is working properly and what is not. It also provides reasonable assurance to Congress and U.S. taxpayers that public-entrusted resources are used appropriately. The MICP is specifically important to DoD for several reasons. First, DoD is the largest U.S. employer. Second, DoD’s Fiscal Year (FY) 2019 budget of $716 billion is the largest amount ever for DoD and it represents over half of the government’s total discretionary spending. The MICP should be a top priority for DoD’s acquisition programs since they execute the majority of DoD’s budget.

DoD’s FY 2018 AFR (November 2018) identified many material weaknesses affecting DoD operations. One major and long-standing weakness was DoD’s inability to produce auditable financial statements. The DoD remains the only department unable to achieve an “audit-ready” stance since 1990. Other weaknesses were reported in areas of contract administration, information technology, and personnel and organizational management. All reported weaknesses were attributed to nonexistent or ineffective ICs. DoD’s top challenges and risk are reported annually. Table 2 lists the top 10 challenges as identified by the DoD Office of the Inspector General (DoD OIG) for FY 2019.

In addition to DoD’s reported challenges, the GAO has long reported DoD at a high risk of fraud, waste, abuse and mismanagement because of ineffective processes, systems and controls. The importance and benefits of the MICP are clear, especially given the current environment the DoD faces.

Who Is Involved With the MICP?

The MICP applies to all DoD organizations. This includes, per DoD Instruction 5010.40, the Office of the Secretary of Defense, Military Departments, Joint Chiefs of Staff, Combatant Commands, DoD Office of the Inspector General, DoD agencies and DoD field activities. The DoD’s annual AFR includes DoD’s SOA and is summarized based on the SOAs submitted by each of these organizations. Each organization’s MICP coordinator shall separate major activities (or assessable units) organizationally, functionally or other form so long as there is adequate coverage to perform assessments of all major organization functions.

Everyone within each DoD organization, regardless of rank, function or expertise, has a responsibility. This applies to personnel supporting a MDAP or an office performing purely administrative tasks. Working-level staff members perform day-to-day operations based on current ICs, identify risks and IC deficiencies or weaknesses to managers, and provide input for their assessable unit managers to complete MICP products. Managers, responsible for a defined assessable unit or functional area, assess risks, identify IC objectives, document and test ICs, develop and monitor progress of corrective actions plans (CAPs) and report to the organization’s MICP coordinator. An MICP coordinator manages the organization’s MICP (establishes assessable units that provide adequate coverage of major functions), coordinates with managers and senior leaders, monitors the progress of CAPs and maintains documentation to support the organization’s SOA. The DoD organization head establishes the organization’s MICP, designates an MICP coordinator to manage the MICP, submits an annual SOA to the SecDeF and reports on the progress of CAPs. The Office of the Under Secretary of Defense (Comptroller)/Chief Financial Officer provides MICP guidance to DoD organizations based on laws, develops DoD’s annual SOA based on SOAs submitted by each DoD organization and ensures that DoD adheres to annual reporting requirements. The SecDef reports DoD’s annual SOA to the President, Congress and the public (and the annual SOA is included in DoD’s annual AFR).

The Origins of the MICP

MICP-related laws, policies and references are plentiful and widely available. Some have existed for several decades while others have been released in recent years. Some resources that can assist organizations with their MICP are listed in the sidebar above.

Best Practices and Lessons Learned

This section outlines best practices and lessons learned from past experience that can assist DoD organizations and personnel with MICP efforts.

Leadership Support and Early Incorporation

Every DoD organization’s senior leadership must support its MICP. Besides being required by law, the MICP can greatly assist organizations with meeting objectives. Leadership support both allows for MICP efforts to be prioritized across the enterprise and provides the greatest chance for effort effectiveness. Organizations should also incorporate its MICP across all functional areas or assessable units as early as possible. This applies to new organizations with new functions, existing organizations with new functions, or existing organizations with modified functions. Regardless, organizations must have appropriate MICP coverage based on current operations and assessable units. Leadership support and early incorporation are necessary ingredients for an effective MICP.

The Missile Defense Agency’s (MDA’s) leadership prioritized its overall MICP and the annual requirements each year. This produced a highly supportive environment that directly contributed to successful efforts across the enterprise, whether training of key personnel or major products such as risk assessments and SOAs.

Ensure That All Personnel Have Access to Training and Resources

Organizations must ensure that personnel have access to MICP training and resources. If personnel do not have access to or are unaware of applicable processes, responsibilities and products, they will have difficulties completing effective efforts. Tailored training to each organization also is extremely beneficial since all organizations have differing missions and functions and unique processes for completing the MICP requirements.

The MDA has a standalone office responsible for managing the organization’s MICP. This office supports all MDA assessable units and completes several valuable functions. For example, it develops MICP guidance (streamlined processes and defined areas of responsibility), organizes and conducts training and maintains MICP resources for all MDA personnel to access. The office essentially provides MICP customer service on demand for the entire organization. In addition, MDA teamed with DAU to create customized workshops on the MICP and risk management for MDA personnel.

Complete Appropriate Risk Management

Risk management is a significant part of the MICP because all organizations have risks. Risk management is not a once-per-year event; however, it is a dynamic and constant activity to prevent potential issues from becoming actual issues. Risks can emerge from various sources and are unique to each organization or assessable unit. As such, assessable units and organizations shall mitigate existing risks and continuously identify and analyze any new risks that may affect operations. Organizations must complete appropriate risk management efforts so they can properly implement or modify ICs to accomplish objectives.

Risk management is not a once-per-year event; however, it is a dynamic and constant activity to prevent potential issues from becoming actual issues.

I had an opportunity to improve our office’s risk management process when supporting the MDA. The office had never completed risk assessments because it believed no risks existed. Without any identified risks, the office could not perform a legitimate evaluation of its ICs to ensure their effectiveness or identify if operations prevented fraud, waste, abuse or mismanagement. I led a team to complete the office’s first risk assessment. This allowed the office to adequately identify, analyze, test and report on applicable risks. The team plotted each identified risk on a chart based on the potential likelihood and consequence. Further, the office successfully modified ICs based on the results of the risk assessment and used the risk assessment as a regular part of operations moving forward. Successful MICP efforts require appropriate risk management efforts.

Apply “Team” Approach and Share Information

Managers and staff members must work in unison and share information to complete effective MICP efforts and products. If MICP efforts are completed by only one or a few people, it is highly unlikely that the organization will complete a true evaluation of ICs and risks. The MICP efforts should involve many personnel (new and experienced) across each assessable unit or functional area. Also, organizations’ MICP products should be accessible by all personnel supporting that organization or assessable unit. If personnel have access to program evaluations, risk assessments and SOAs, they can utilize the information to help strengthen ICs and better assist organizations achieve their objectives. This includes personnel who are new to their organization or responsibilities.

While working within various DoD organizations, some programs that I supported applied a team approach and some did not. Also, while some programs made the MICP products available to all personnel supporting that functional area or assessable unit, some did not. Programs that applied a team approach and actively shared information achieved the best outcomes. Organizations will undoubtedly strengthen their MICP and associated outcomes if they apply a team approach and share information.

Maintain Adequate Documentation

Documentation and the MICP are synonymous. Key documents include processes, procedures, organization structure, functions, risks assessments, SOAs and other organization-specific documents. Organizations may encounter issues if they do not maintain adequate documentation. Documentation is important to internal and external stakeholders. Internally, documentation helps organizations complete and report their MICP efforts. Documentation is also beneficial for everyone in an organization (from staff members to senior leadership) as personnel can be aware of controls and risks with respect to operations. External stakeholders also have interest in documentation. First, DoD reports to the public annually on its ICs. All DoD organizations must maintain adequate documentation since the DoD’s AFR covers MICP efforts completed by all DoD organizations. Second, auditor entities (such as the GAO, the DoD OIG and independent auditors) are very interested in MICP documents. During audits or other reviews, auditors regularly seek IC documentation when assessing program effectiveness or compliance with laws. The importance of MICP documentation cannot be overstated.

The MDA’s MICP office was exceptional at ensuring all programs and assessable units maintained adequate documentation. They actively supported programs to validate all key supporting documents were current and readily available. Such efforts backed MDA’s MICP efforts reported in their annual SOA submitted to the SecDef.

Conclusion

The DoD is an extremely unique entity, given the magnitude of operations. The DoD also has multiple enterprise-wide weaknesses and risks that affect those operations. As such, the DoD owes it to Congress and U.S. taxpayers to efficiently complete missions in view of the abundant resources we are provided, including resolution of weaknesses and sound risk management. All DoD organizations—specifically, DoD acquisition programs—must implement and maintain effective MICPs. Despite the title including the word “managers,” effective MICPs require input from everyone within an organization. DAU has resources available to assist DoD organizations with their MICP and risk management efforts—including customized workshops, training events and job support tools.


Read the full issue of
Defense Acquisition magazine

 

 


SPECIALE, a professor of Financial Management at the Defense Acquisition University, formerly worked at the Missile Defense Agency (MDA) and performed Managers’ Internal Control Program (MICP) functions in several programs. Those MICP functions at MDA included creating processes, completing reports and risk assessments, and training. He is a Certified Fraud Examiner.

The author can be contacted at [email protected].


The views expressed in this article are those of the author alone and not the Department of Defense. Reproduction or reposting of articles from Defense Acquisition magazine should credit the authors and the magazine.


Subscribe LinkPrint Button