Title: Military Health System Information Management Information Technology Management Control Program
Military Health System Information Management/Information Technology Management Control Program
Health Affairs
Sharon A. Larson, Program Manager
Agenda
- Purpose
- Federal and DoD Guidance
- Management Control Program
  - Management Control Purpose
  - Impact of Risk on Mission
  - Costs/Benefits
- Management Control Program (Annual Processes)
- Management Control Program (Process Details)
  - Review the MC Program Annually and Update, as required
  - Operational/Functional Breakdown
  - Risk Assessment
  - Annual MC Plan
  - MC Evaluation
  - MC Corrective Actions
  - Annual Reports
- Annual MC Schedule
- Backup
Purpose
- To provide an overview of the Management Control (MC) Program for the Information Management, Technology and Reengineering Directorate (IMTR) and the Joint Medical Information Systems (JMIS) Office.
Federal and DoD Guidance
- Federal Managers Financial Integrity Act (FMFIA) of 1982 - Requires Federal agencies to (1) Establish internal management controls, (2) Develop evaluation guidelines, and (3) Provide an annual statement of assurance.
- OMB Circular No. A-123, Management Accountability and Control, June 21, 1995 - Requires Federal organizations and individual Federal managers to take systematic and proactive measures to (1) Develop and implement appropriate, cost-effective management controls for results-oriented management, (2) Assess the adequacy of management controls in Federal programs and operations, (3) Identify needed improvements, (4) Take corresponding corrective action, and (5) Report annually on management controls.
- DoD Directive 5010.38, Management Control Program, August 26, 1996 - Requires DoD Components to (1) Implement a comprehensive strategy for MCs, (2) Address all significant operations and mission responsibilities and not limit evaluations to operations applicable to the financial management community, and (3) Involve management at all levels and provide for the assignment of overall responsibility for program design, direction, and implementation to a designated senior management official who is, or is directly accountable to, the DoD Component Head.
- DoD Instruction 5010.40, Management Control Program Procedures, August 28, 1996 - Requires DoD Components to establish a MC process that will conclude with the reporting of management's opinion about the effectiveness of its MCs. This process includes, as appropriate, (1) Assigning responsibilities and providing personnel for planning, directing and executing the MC Program, (2) Developing internal reporting and tracking capabilities, (3) Ensuring periodic evaluations of MCs, and (4) Maintaining appropriate documentation.
- GAO Standards for Internal Control in the Federal Government, November 1999 - Issues five standards for the evaluation of internal control, as required by FMFIA: (1) Control Environment, (2) Risk Assessment, (3) Control Activities, (4) Information and Communications, and (5) Monitoring.
Management Control Program (MC Purpose)
- MC Programs ensure:
  - Mission and program objectives are efficiently and effectively accomplished
  - Programs and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds
  - Laws and regulations are followed
  - Financial reporting is reliable
  - Reliable information is obtained and used for decision making
Management Control Program (Impact of Risks on Mission)
[Figure: mission activities exposed to risks under ineffective management control (high vulnerability) compared with effective and efficient management control (low vulnerability)]
- RISK - Probable or potential adverse effects from inadequate management controls
- VULNERABILITY - Degree of susceptibility to a risk
Management Control Program (Costs/Benefits)
- Management Controls provide reasonable assurance, not absolute assurance, recognizing that:
  - The cost of control should not exceed the benefits likely to be derived
  - Evaluation of costs and benefits requires estimates and judgements by management
  - Resources must be used consistent with agency mission, in compliance with laws and regulations, and with minimal potential for waste, fraud, and mismanagement
[Figure: costs weighed against benefits]
Management Control Program (Annual Processes)
(1) Review the MC Program Annually and Update, as required
(2) Review/Update Assessable Units of the organization, as required
(3) Conduct Risk Assessments
(4) Develop Annual Management Control Plan
(5) Conduct or Assess Existing Management Control Reviews and Perform Testing, as required
(6) Develop and Execute corrective actions
(7) Monitor Management Control Corrective Actions
(8) Provide MC Program Reports
Management Control Program (Process Detail)
- Review the MC Program Annually and Update, as required
  - Incorporate Lessons Learned
  - Develop Annual MC Program Schedule
- Operational/Functional Breakdown
  - Review/Identify Assessable Units (AUs)
  - Review/Identify Functions
  - Review/Identify Activities
- Risk Assessment
  - Review/Identify Risks
  - Review/Document MC Objectives
  - Review/Document MC Techniques
  - Review/Identify Ranking of Risks
- Annual MC Plan
  - Determine MC Priorities
  - Develop MC Schedule
- MC Evaluation
  - Conduct MC Reviews
  - Perform MC Testing
- MC Corrective Actions (If Required)
  - Develop MC Corrective Actions
  - Monitor MC Corrective Actions
- Annual Reporting
  - Assessable Unit Vulnerability Assessment
  - Annual Statement of Assurance
Review the MC Program Annually and Update, as required
- Incorporate Lessons Learned
  - Review documented lessons learned
  - Incorporate changes to address MC Program issues and problems
- Develop Annual MC Program Schedule
  - Identify Annual MC Program activities required
  - Establish schedules for each activity
Operational/Functional Breakdown
"Each DoD Component shall establish and maintain an inventory of its assessable units or alternatives. All elements of each DoD Component should be contained in one or more assessable units (or equivalent)." - DODI 5010.40 - Para 5.1.2
[Figure: hierarchy of Assessable Units, Functions, and Activities]
- Segment along organizational, functional, or programmatic lines into assessable units - DODI 5010.40 - Para 5.1.2
- Each Assessable Unit has one or more functions - DODI 5010.40 - E2.1.7
- Any function performed contains such processes used to start and perform related activities - DODI 5010.40 - E2.1.7
- Each Function consists of one or more activities - DODI 5010.40 - E2.1.7
Proposed Assessable Units
(The slide distinguishes the 8 TMA standard Assessable Units from additional Assessable Units, for the IMTR Directorate and the JMIS Office.)
JMIS Office:
- Acquisition Category (ACAT) I Major Automated Information System Programs (MAIS) Life Cycle Management
- Acquisition Category (ACAT) III (Non-MAIS) Life Cycle Management
- Information Technology Product Support
- PEO, MHS IT Financial Management Oversight
- MHS IM/IT Infrastructure Management
- MHS IM/IT Systems Architecture
IMTR Directorate:
- Computer/Electronic Accommodations Program
- IMTR Financial Management Oversight
- MHS IM/IT Annual Performance Management
- MHS IM/IT Capital Investment Management
- MHS IM/IT Information Assurance
- MHS IM/IT Interagency Program Integration
- MHS IM/IT Enterprise Architecture
- MHS IM/IT Program Oversight
- MHS IM/IT Requirements Management
- MHS IM/IT Strategic Planning
- MHS IM/IT Technical Standards and Architecture
- Office Automation
IMTR Organizational Chart
- Director (Acting): Charles M. Campbell, Col, USAF, MSC
- Director, Program Analysis and Evaluation (Acting): Clarissa Reberkenny
- Chief, Enterprise Architect: Ms. Connie Gladding
- Planning and Performance Management: Dr. Phillip Velthuis
- Capital Asset Management Oversight: Ms. Sharon Larson
- Computer/Electronic Accommodations Program: Ms. Dinah Cohen
- Information Management: CAPT Robert Wah, MC, USN
- Network Operations: Mr. Keith Simmons
- Enterprise Architecture, Interagency Communication: Ms. Connie Gladding
- Technology Management, Integration and Standards (Acting): Lt Col Ray Green, USAF, BSC
Responsibilities shown on the chart:
- Defines, collects, and integrates MHS functional requirements
- Manages MHS functional requirements repository
- Manages portfolio
- Manages Capital Investment Plan
- Capital Asset Management Oversight
- Financial Management Oversight
- Acquisition Oversight
- Management Control Program Oversight
- IM/IT Policy Compliance Review
- Develops IM/IT Strategic Plan
- Develops IM/IT Annual Performance Plan
- Develops IM/IT Performance Management Program
- IM/IT Acquisition Process Improvement Implementation support
- Serves as DoD Executive Agent for the CAP Program
- Manages CAPTEC
- Provides assistive technology to DoD and other Federal agencies' staff and patients with disabilities
- Manages Office Automation
- Manages Video Teleconferencing
- Manages World Wide Web
- Oversees IM/IT Conference Support
- Manages IM/IT Contract Management and procurement
- Develops MHS technical architecture
- Executes DITSCAP certification and accreditation
- Develops MHS technical standards
- Establishes and maintains MHS Information Assurance/Security Policies
- Coordinates/oversees interagency integration projects with VA and other Federal agencies
- Promotes IM/IT programs through product demonstrations, etc.
- Tracks congressional reporting requirements
- Manages GAO and IG audits
- Enterprise Architecture
Joint Medical Information Systems Organizational Chart
- Chief of Staff
  - Human Resources/Manpower
  - Program Support
  - Programs/Budget
  - Integration
  - Security
- Clinical Information Technology Program Office
- Executive Information/Decision Support
- Defense Medical Logistics Standard Support
- Resources Information Technology Program Office
- Theater Medical Information Program Office
- Tri-Service Infrastructure Management Program Office
Assessable Units, Functions and Activities
Risk Assessment
"Risk assessment is an evaluation of the susceptibility of an activity to waste, fraud, and mismanagement."
- Risks Associated with each Activity - Probable or potential adverse effects from inadequate management controls that may result in fraud, error, or mismanagement. - DODI 5010.40 - E2.1.20
- MC Objectives - A specific aim, goal, condition, or level of control that provides reasonable assurance that resources are protected against waste, fraud, or mismanagement.
- MC Techniques (Risk Mitigation) - A system of guidance, instructions, regulations, procedures, rules or other organization instructions that will help to mitigate risks identified. - DODI 5010.40 - E2.1.9
- Risk Ranking - A general risk assessment, to include:
  - Probability of Risk Occurrence
  - Consequence of Risk Occurrence
Risk Management Model
- RISK IDENTIFICATION (Activity Level)
  - Identify functions within each AU
  - Identify activities within each function
  - Identify risks associated with each activity
  - Document management control objectives
  - Document management control techniques
  - Identify Vital and Non-Vital MCs
- RISK ASSESSMENT (Activity Level)
  - Analyze probability of risk occurrence associated with each activity
  - Analyze consequence of risk occurrence associated with each activity
  - Analyze risks associated with each activity within each function
  - Analyze risks associated with each activity for all AUs
- Management Control Objectives - A specific aim, goal, condition, or level of control established by a manager for an assessable unit.
- Management Control Techniques - Any form of organization procedure or document flow that is being relied on to accomplish a control objective.
- Vital Management Controls - MCs that are most important to the accomplishment of the mission. Non-compliance would have undesirable impact on the accomplishment of the mission and require management to disclose this non-compliance, or its impact, to more senior management.
- Non-Vital Management Controls - MCs may be classified as non-vital because minor non-compliance would not have a significant impact on the accomplishment of the mission.
Risk Identification/Assessment (Sample Report)
AU - MHS IM/IT Program Management Oversight
Risk Assessment Model (Ranking of Risks)
[Matrix: Consequence of Risk Occurrence against Probability of Risk Occurrence; legend: Low Rank, Moderate Rank, High Rank]
Probability of Occurrence:
- 0-10 - Very Unlikely
- 11-40 - Low Likelihood
- 41-60 - Likely
- 61-90 - Highly Likely
- 91-100 - Near Certainty
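As an added example (not part of the presentation), the ranking model in Python: the probability bands are the ones on this slide and the consequence levels are the ones in the Definitions, while the Low/Moderate/High matrix, the Risk record fields and the sample risk register are assumptions, since the slide shows the matrix only as a colour-coded picture. It goes one step past the slide by ordering a register the way the Annual MC Plan prioritises it, vital MCs first and then by rank.

```python
"""Risk ranking for the MC Program risk assessment model (added example).

Probability bands: from the 'Ranking of Risks' slide.
Consequence levels: from the 'Consequence of Risk Occurrence' definitions.
RANK_MATRIX and SAMPLE_RISKS are ASSUMPTIONS made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Probability-of-occurrence bands from the slide (percent, inclusive).
PROBABILITY_BANDS = [
    (0, 10, "Very Unlikely"),
    (11, 40, "Low Likelihood"),
    (41, 60, "Likely"),
    (61, 90, "Highly Likely"),
    (91, 100, "Near Certainty"),
]

# Consequence levels from the Definitions, least to most severe.
CONSEQUENCE_LEVELS = ["Negligible", "Minor", "Moderate", "Serious", "Critical"]

# ASSUMED rank matrix: row = probability band index, column = consequence
# level index; L/M/H = Low/Moderate/High rank. Not taken from the slide.
RANK_MATRIX = [
    "LLLLM",  # Very Unlikely
    "LLLMM",  # Low Likelihood
    "LLMMH",  # Likely
    "LMMHH",  # Highly Likely
    "LMHHH",  # Near Certainty
]
RANK_NAMES = {"L": "Low Rank", "M": "Moderate Rank", "H": "High Rank"}


def probability_band(percent: int) -> tuple[int, str]:
    """Map a 0-100 probability to (band index, band label) per the slide."""
    if not 0 <= percent <= 100:
        raise ValueError(f"probability must be 0-100, got {percent}")
    for idx, (low, high, label) in enumerate(PROBABILITY_BANDS):
        if low <= percent <= high:
            return idx, label
    raise AssertionError("bands cover 0-100")  # unreachable


def rank_risk(percent: int, consequence: str) -> str:
    """Return 'Low Rank' / 'Moderate Rank' / 'High Rank' for one risk."""
    band_idx, _ = probability_band(percent)
    if consequence not in CONSEQUENCE_LEVELS:
        raise ValueError(f"unknown consequence level {consequence!r}")
    cons_idx = CONSEQUENCE_LEVELS.index(consequence)
    return RANK_NAMES[RANK_MATRIX[band_idx][cons_idx]]


@dataclass
class Risk:  # assumed record layout for one risk register entry
    assessable_unit: str
    activity: str
    description: str
    probability: int   # 0-100
    consequence: str   # one of CONSEQUENCE_LEVELS
    vital: bool        # Vital MC, per the Risk Management Model slide


def plan_order(risks: list[Risk]) -> list[tuple[str, str, str]]:
    """Order risks for the Annual MC Plan: vital MCs first, then by rank,
    then by probability. Returns (activity, rank, band label) triples."""
    weight = {"High Rank": 2, "Moderate Rank": 1, "Low Rank": 0}
    scored = [(r, rank_risk(r.probability, r.consequence),
               probability_band(r.probability)[1]) for r in risks]
    scored.sort(key=lambda t: (t[0].vital, weight[t[1]], t[0].probability),
                reverse=True)
    return [(r.activity, rank, band) for r, rank, band in scored]


# Constructed sample register for one AU; values are illustrative only.
SAMPLE_RISKS = [
    Risk("MHS IM/IT Program Management Oversight", "Milestone reviews",
         "Decision documents not reviewed before milestone", 45, "Critical", True),
    Risk("MHS IM/IT Program Management Oversight", "Status reporting",
         "Program status reports submitted late", 75, "Minor", False),
    Risk("MHS IM/IT Program Management Oversight", "Contract oversight",
         "Deliverables accepted without inspection", 20, "Moderate", True),
]

if __name__ == "__main__":
    for activity, rank, band in plan_order(SAMPLE_RISKS):
        print(f"{activity:20} {band:15} {rank}")
```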
Risk Identification/Assessment (Sample Report)
AU - MHS IM/IT Program Management Oversight
Annual MC Plan
- MC Techniques - A system of guidance, instructions, regulations, procedures, rules or other organization instructions that will help to mitigate risks identified. - DODI 5010.40 - E2.1.9
- MC Priorities - Annual IMTR MC Plan is based on the severity of the ranking of related risks - Vital MCs only (at the Dir. IMTR level).
- Evaluation Schedules - Annual MC Plan will address Schedule for evaluation or testing.
Annual MC Plan (Sample for Training Purposes)
MC Evaluation
"Whenever existing data does not provide for adequate review of MCs, then appropriate reviews should be planned and provided that will enable management to make reasonable judgments about the effectiveness of the MCs." - DODD 5010.38 - Para 4.2.4
- MC Reviews - A documented evaluation of the MCs to determine whether adequate MCs exist and are implemented to achieve cost-effective compliance. MC reviews may utilize IG, GAO or internal audits, inspections, or investigations. - DODI 5010.40 - Para E2.1.10
- MC Testing (If Required) - Procedures to determine, through observation, examination, verification, sampling, or other procedures whether MC systems are working as intended (in accordance with management's MC objectives). - DODI 5010.40 - E2.1.23
- MC Plan - Annual MC Plan will address (1) What is to be evaluated and tested, (2) Who evaluates and tests, (3) Which type of evaluation or testing is to be used, and (4) Schedule for evaluation or testing.
MC Evaluation (MC Reviews)
- Management Control Evaluation - A documented evaluation of the MCs of an assessable unit to determine whether adequate control techniques exist and are implemented.
- Management Control Review - Detailed examination of a system of MCs in an assessable unit using the methodology specific for that purpose. Reviews should be conducted only when a reliable alternative source of information is not available.
- Alternative Management Control Review - Detailed examination of a system of MCs in an assessable unit, based upon existing documentation such as computer security reviews; quality assessments; financial systems reviews; IG, GAO or DoD Component audits, inspections, or investigations; internal review studies; and management and/or consulting reviews.
- Testing of Management Controls - Test management controls, if required, using techniques such as Walk-Through, Flowcharting, Individual and/or Group Interviews, Sampling, Analysis of Source Document Processing, or a combination of test procedures.
MC Corrective Actions (If Required)
"OMB Circular A-123 requires DoD Component managers to take timely and effective actions to correct weaknesses in their MCs."
- Develop MC Corrective Actions
  - Correcting MC weaknesses is an integral part of management accountability. - DODI 5010.40 - 5.1.4.3
  - Sufficient corrective actions need to be taken to achieve the desired results. - OMB Cir. A-123 - Section IV
- Monitor MC Corrective Actions
  - Management should track progress to ensure timely and effective results. - OMB Cir. A-123 - Section IV
  - Tracking corrective actions should be commensurate with the severity of the weakness. - DODI 5010.40 - 5.1.4.3
- Validate MC Corrective Actions
  - A determination that a weakness has been corrected should be made only when sufficient actions have been taken and the desired results achieved.
  - Validation should be the last milestone. - DODI 5010.40 - 5.1.4.3
MC Corrective Actions (Sample Corrective Actions Report - Date Jan. 23, 2003)
Annual Reporting
"Continuous monitoring, and other periodic evaluations, should provide the basis for the annual statement about reasonable assurance." - DODD 5010.38 - Para 4.2.3
- Annual Statement of Assurance - A statement of assurance indicates whether or not the MC system meets the program standards, goals, and objectives of sound and effectively implemented MCs. - DODD 5010.38 - Para 4.3
- TMA Vulnerability Assessment of AUs - A general assessment of the effectiveness of MCs within AUs that provides the basis for the Annual Statement of Assurance. - DODI 5010.40 - Para E2.1.10
FY05 Annual MC Program Schedule
Definitions
- Assessable Units - Organization segmented along organizational, functional, or programmatic lines into assessable units (or appropriate alternative methodology providing equivalent results). Each DoD Component shall establish and maintain an inventory of its assessable units. This inventory should be an aspect of every DoD Component's Management Control Plan. Each Assessable Unit has one or more functions. - DoD Instruction 5010.40
- Functions - Each Assessable Unit has one or more functions. Any function performed contains such processes used to start and perform related activities. - DODI 5010.40 - E2.1.7
- Activities - Each function consists of one or more activities. Activities represent detailed operations that support functions.
Definitions
- Management Control Program - The process to assist managers in establishing, assessing, and reporting on management controls.
- Management Control Plan - A brief, written plan (updated as necessary) that indicates the number of scheduled and accomplished MC evaluations. The data contained in, or summarized by, the MCP shall be consistent with information reported in the DoD Component's Annual Statement of Assurance. The MCP need not be lengthy and any format may be used, so long as it addresses MC evaluations throughout the organization and conveys, with a reasonable certainty, the knowledge that the objective has been accomplished. - DoD Instruction 5010.40
Definitions
- Risk - The probable or potential adverse effects from inadequate management controls that may result in the loss of Government resources or cause an agency to fail to accomplish significant mission objectives through fraud, error, or mismanagement. - DoD Instruction 5010.40
- Categories - High, medium, and low risk categories are defined as follows:
  - High Risk - A high risk would cause major or critical problems and would cause activity failure because activity requirements would not be met.
  - Medium Risk - A medium risk would cause non-critical problems; however, activity requirements would still be met.
  - Low Risk - A low risk would cause insignificant problems; however, activity requirements would still be met.
Definitions
- Risk Assessment - In a risk assessment, an evaluation is made of the susceptibility to waste, fraud, and mismanagement. A risk assessment:
  - is based on existing data and management knowledge
  - is conducted on all responsibilities
  - focuses on the potential negative impact to the unit or organization
  - is documented, and
  - provides the basis to identify and rate risks as low, medium, or high, which assists in scheduling a more in-depth look at the status of the management controls.
  - Source - Integrity Act: Management Accountability and Control, Management Concepts Inc., Page 4-43.
Definitions
- Types of Risks - There are two main types of risks: internal risks and external risks.
- Internal Risks - Risks generally due to the acts of entities within an organization. For example, employees, either intentionally or unintentionally, fail to adhere to established policies and procedures. Internal risk can be further categorized into inherent risks or integrity-related risks.
  - Inherent Risks - These risks are generally due to the nature and characteristics of the mission, functional area, or the type of activities of an organization.
  - Integrity-Related Risks - These risks are generally due to the acts of an organization's employees who compromise integrity and ethical values.
- External Risks - Risks generally related to forces outside of an organization. For example, risks due to court decisions, Congressional requirements, and possible natural catastrophes or criminal or terrorist actions.
Definitions (Risk Assessment)
- CONSEQUENCE OF RISK OCCURRENCE
  - Critical - The consequence of a risk would be critical if the impact of the resulting problems could cause extremely urgent or very serious activity failure.
  - Serious - The consequence of a risk would be serious if the impact of the resulting problems could cause important or grave activity failure.
  - Moderate (Major) - The consequence of a risk would be major if the impact of the resulting problems could cause significant (but not serious) failure and activity requirements might not be met.
  - Minor - The consequence of a risk would be minor if the impact of the resulting problems could not cause any major failure and activity requirements would still be met.
  - Negligible - The consequence of a risk would be negligible if the impact of the resulting problems could not cause any activity failure and activity requirements would still be met.
Definitions (MC Evaluation/MC Testing Procedures)
- Walk-Through - A walk-through of operations is made to observe how the control functions in actual practice. During the walk-through, determine how the control is meeting the objective. Any facet of operations that raises a concern should be identified for further analysis as to whether a control deficiency exists.
- Flowcharting - Flowcharting provides a visual depiction of functions being performed and the flow of the transactions. This form of testing is particularly useful in determining violations of the separation of duties standard.
- Individual and/or Group Interviews - Interviews are an important testing technique to facilitate an understanding of how controls function. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.
- Sampling - If there are a considerable number of documents or transactions performed, you may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, you should examine additional documents/transactions to confirm whether the control is functioning as designed.
- Analysis of Source Document Processing - Select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.
- A combination of test procedures - You may want to combine several methods of testing procedures to ensure that your controls are adequate.