Military Health System Information Management Information Technology Management Control Program - PowerPoint PPT Presentation

1
Military Health System Information
Management/Information Technology Management
Control Program

HEALTH AFFAIRS
Sharon A. Larson Program Manager

2
Agenda
  • Purpose
  • Federal and DoD Guidance
  • Management Control Program
  • Management Control Purpose
  • Impact of Risk on Mission
  • Costs/Benefits
  • Management Control Program (Annual Processes)
  • Management Control Program (Process Details)
  • Review the MC Program Annually and Update, as
    required
  • Operational/Functional Breakdown
  • Risk Assessment
  • Annual MC Plan
  • MC Evaluation
  • MC Corrective Actions
  • Annual Reports
  • Annual MC Schedule
  • Backup

3
Purpose
  • To provide an overview of the Management
    Control (MC) Program for the Information
    Management, Technology and Reengineering
    Directorate (IMTR) and the Joint Medical
    Information Systems (JMIS) Office.

4
Federal and DoD Guidance
Federal Managers Financial Integrity Act (FMFIA)
of 1982 - Requires Federal agencies to (1)
Establish internal management controls; (2)
Develop evaluation guidelines; and (3) Provide an
annual statement of assurance.
OMB Circular No. A-123, Management
Accountability and Control, June 21, 1995 -
Requires Federal organizations and individual
Federal managers to take systematic and proactive
measures to (1) Develop and implement
appropriate, cost-effective management controls
for results-oriented management; (2) Assess the
adequacy of management controls in Federal
programs and operations; (3) Identify needed
improvements; (4) Take corresponding corrective
action; and (5) Report annually on management
controls.
DoD Directive 5010.38, Management Control
Program, August 26, 1996 - Requires DoD
Components to (1) Implement a comprehensive
strategy for MCs; (2) Address all significant
operations and mission responsibilities and not
limit evaluations to operations applicable to the
financial management community; and (3) Involve
management at all levels and provide for the
assignment of overall responsibility for program
design, direction, and implementation to a
designated senior management official who is, or
is directly accountable to, the DoD Component
Head.
5
Federal and DoD Guidance
DoD Instruction 5010.40, Management Control
Program Procedures, August 28, 1996 - Requires
DoD Components to establish an MC process that
will conclude with the reporting of management's
opinion about the effectiveness of its MCs. This
process includes, as appropriate, (1) Assigning
responsibilities and providing personnel for
planning, directing and executing the MC Program;
(2) Developing internal reporting and tracking
capabilities; (3) Ensuring periodic evaluations
of MCs; and (4) Maintaining appropriate
documentation.
GAO "Standards for Internal Control in the
Federal Government," November 1999 - Issues five
standards for the evaluation of internal control,
as required by FMFIA: (1) Control Environment;
(2) Risk Assessment; (3) Control Activities; (4)
Information and Communications; and (5)
Monitoring.
6
Management Control Program (MC Purpose)
  • MC Programs ensure that:
  • Mission and program objectives are efficiently
    and effectively accomplished
  • Programs and resources are protected from waste,
    fraud, abuse, mismanagement, and misappropriation
    of funds
  • Laws and regulations are followed
  • Financial reporting is reliable
  • Reliable information is obtained and used for
    decision making

7

Management Control Program (Impact of Risks on
Mission)
[Figure: two Mission Activities diagrams, one
under Ineffective Management Control and one under
Effective and Efficient Management Control, with
Risk arrows and a VULNERABILITY scale from HIGH to
LOW]
  • RISK - Probable or potential adverse effects from
    inadequate management controls
  • VULNERABILITY - Degree of susceptibility to a
    risk

8
Management Control Program (Costs/Benefits)
  • Management Controls provide reasonable
    assurance, not absolute assurance, recognizing
    that:
  • The cost of control should not exceed the
    benefits likely to be derived
  • Evaluation of costs and benefits requires
    estimates and judgements by management
  • Resources must be used consistent with agency
    mission, in compliance with laws and regulations,
    and with minimal potential for waste, fraud, and
    mismanagement

[Figure: BENEFITS weighed against COSTS]
9
Management Control Program (Annual Processes)
(1) Review the MC Program Annually and Update,
as required
(2) Review/Update Assessable Units of the
organization, as required
(3) Conduct Risk Assessments
(4) Develop Annual Management Control Plan
(5) Conduct or Assess Existing Management
Control Reviews and Perform Testing, as
required
(6) Develop and Execute Corrective Actions
(7) Monitor Management Control Corrective
Actions
(8) Provide MC Program Reports
10
Management Control Program (Process Detail)
  • Process (1) - Review the MC Program Annually and
    Update, as required: Incorporate Lessons Learned;
    Develop Annual MC Program Schedule
  • Process (2) - Operational/Functional Breakdown:
    Review/Identify Assessable Units (AUs);
    Review/Identify Functions; Review/Identify
    Activities
  • Process (3) - Risk Assessment: Review/Identify
    Risks; Review/Document MC Objectives;
    Review/Document MC Techniques; Review/Identify
    Ranking of Risks
  • Process (4) - Annual MC Plan: Determine MC
    Priorities; Develop MC Schedule
  • Process (5) - MC Evaluation: Conduct MC Reviews;
    Perform MC Testing
  • Process (6/7) - MC Corrective Actions (If
    Required): Develop MC Corrective Actions; Monitor
    MC Corrective Actions
  • Process (8) - Annual Reporting: Assessable Unit
    Vulnerability Assessment; Annual Statement of
    Assurance
11
Management Control Program (Operational
Activities)
  • Process (1) - Review the MC Program Annually and
    Update, as required: Incorporate Lessons Learned;
    Develop Annual MC Program Schedule
  • Process (2) - Operational/Functional Breakdown:
    Review/Identify Assessable Units (AUs);
    Review/Identify Functions; Review/Identify
    Activities
  • Process (3) - Risk Assessment: Review/Identify
    Risks; Review/Document MC Objectives;
    Review/Document MC Techniques; Review/Identify
    Ranking of Risks
  • Process (4) - Annual MC Plan: Determine MC
    Priorities; Develop MC Schedule
  • Process (5) - MC Evaluation: Conduct MC Reviews;
    Perform MC Testing
  • Process (6/7) - MC Corrective Actions (If
    Required): Develop MC Corrective Actions; Monitor
    MC Corrective Actions
  • Process (8) - Annual Reporting: Assessable Unit
    Vulnerability Assessment; Annual Statement of
    Assurance
12
Review the MC Program Annually and Update, as
required

Incorporate Lessons Learned
  • Review documented lessons learned
  • Incorporate changes to address MC Program issues
    and problems
Develop Annual MC Program Schedule
  • Identify Annual MC Program activities required
  • Establish schedules for each activity

13
Management Control Program (Operational
Activities)
14
Operational/Functional Breakdown
EACH DOD COMPONENT SHALL ESTABLISH AND MAINTAIN
AN INVENTORY OF ITS ASSESSABLE UNITS OR
ALTERNATIVES. ALL ELEMENTS OF EACH DOD
COMPONENT SHOULD BE CONTAINED IN ONE OR MORE
ASSESSABLE UNITS (OR EQUIVALENT). DODI 5010.40 -
PARA 5.1.2

Assessable Units
  • Segment along organizational, functional, or
    programmatic lines into assessable units
  • DODI 5010.40 - Para 5.1.2
Functions
  • Each Assessable Unit has one or more functions
  • Any function performed contains such processes
    used to start and perform related activities
  • DODI 5010.40 - E2.1.7
Activities
  • Each Function consists of one or more activities
  • DODI 5010.40 - E2.1.7

15
Proposed Assessable Units
[Table: proposed assessable units for the IMTR
Directorate and the JMIS Office, grouped as the
TMA 8 Standard Assessable Units and Additional
Assessable Units]
  • Acquisition Category (ACAT) I Major Automated
    Information System Programs (MAIS) Life Cycle
    Management
  • Acquisition Category (ACAT) III (Non MAIS) Life
    Cycle Management
  • Information Technology Product Support
  • PEO, MHS IT Financial Management Oversight
  • MHS IM/IT Infrastructure Management
  • MHS IM/IT Systems Architecture
  • Computer/Electronic Accommodations Program
  • IMTR Financial Management Oversight
  • MHS IM/IT Annual Performance Management
  • MHS IM/IT Capital Investment Management
  • MHS IM/IT Information Assurance
  • MHS IM/IT Interagency Program Integration
  • MHS IM/IT Enterprise Architecture
  • MHS IM/IT Program Oversight
  • MHS IM/IT Requirements Management
  • MHS IM/IT Strategic Planning
  • MHS IM/IT Technical Standards and Architecture
  • Office Automation

16
IMTR Organizational Chart
  • Director (Acting): Charles M. Campbell, Col,
    USAF, MSC
  • Director, Program Analysis and Evaluation
    (Acting): Clarissa Reberkenny
  • Chief, Enterprise Architect: Ms. Connie Gladding
  • Planning and Performance Management: Dr. Phillip
    Velthuis
  • Capital Asset Management Oversight: Ms. Sharon
    Larson
  • Computer/Electronic Accommodations Program: Ms.
    Dinah Cohen
  • Information Management: CAPT Robert Wah, MC, USN
  • Defines, collects, and integrates MHS functional
    requirements
  • Manages MHS functional requirements repository
  • Manages portfolio
  • Manages Capital Investment Plan
  • Capital Asset Management Oversight
  • Financial Management Oversight
  • Acquisition Oversight
  • Management Control Program Oversight
  • IM/IT Policy Compliance Review
  • Develops IM/IT Strategic Plan
  • Develops IM/IT Annual Performance Plan
  • Develops IM/IT Performance Management Program
  • IM/IT Acquisition Process Improvement
    Implementation support
  • Serves as DoD Executive Agent for the CAP Program
  • Manages CAPTEC
  • Provides assistive technology to DoD and other
    Federal agencies staff and patients with
    disabilities

  • Network Operations: Mr. Keith Simmons
  • Enterprise Architecture and Interagency
    Communication: Ms. Connie Gladding
  • Technology Management, Integration and
    Standards: Lt Col Ray Green, USAF, BSC (Acting)
  • Manages Office Automation
  • Manages Video Teleconferencing
  • Manages World Wide Web
  • Oversees IM/IT Conference Support
  • Manages IM/IT Contract Management and procurement
  • Develops MHS technical architecture
  • Executes DITSCAP certification and accreditation
  • Develops MHS technical standards
  • Establishes and maintains MHS Information
    Assurance/Security Policies
  • Coordinates/oversees interagency integration
    projects w/VA and other Federal agencies
  • Promotes IM/IT programs through product
    demonstrations, etc.
  • Tracks congressional reporting requirements
  • Manages GAO and IG audits
  • Enterprise Architecture

17
Joint Medical Information Systems Organizational
Chart
  • Chief of Staff
  • Human Resources and Manpower
  • Program Support
  • Programs/Budget
  • Integration and Security
  • CLINICAL INFORMATION TECHNOLOGY PROGRAM OFFICE
  • EXECUTIVE INFORMATION / DECISION SUPPORT
  • DEFENSE MEDICAL LOGISTICS STANDARD SUPPORT
  • RESOURCES INFORMATION TECHNOLOGY PROGRAM OFFICE
  • THEATER MEDICAL INFORMATION PROGRAM OFFICE
  • TRI-SERVICE INFRASTRUCTURE MANAGEMENT PROGRAM
    OFFICE
18
Assessable Units, Functions and Activities

19
Management Control Program (Operational
Activities)
20
Risk Assessment

RISK ASSESSMENT IS AN EVALUATION OF THE
SUSCEPTIBILITY OF AN ACTIVITY TO WASTE, FRAUD,
AND MISMANAGEMENT.

Risks Associated with each Activity
  • Probable or potential adverse effects from
    inadequate management controls that may result in
    fraud, error, or mismanagement.
  • DODI 5010.40 - E2.1.20.
MC Objectives
  • A specific aim, goal, condition, or level of
    control that provides reasonable assurance that
    resources are protected against waste, fraud, or
    mismanagement.
MC Techniques (Risk Mitigation)
  • A system of guidance, instructions, regulations,
    procedures, rules or other organization
    instructions that will help to mitigate risks
    identified
  • DODI 5010.40 - E2.1.9
Risk Ranking
  • A general risk assessment, to include:
  • Probability of Risk Occurrence
  • Consequence of Risk Occurrence

21
Risk Management Model
  • RISK IDENTIFICATION (Activity Level)
  • Identify functions within each AU
  • Identify activities within each function
  • Identify risks associated with each activity
  • Document management control objectives
  • Document management control techniques
  • Identify Vital and Non-Vital MCs
  • RISK ASSESSMENT (Activity Level)
  • Analyze probability of risk occurrence associated
    with each activity
  • Analyze consequence of risk occurrence associated
    with each activity
  • Analyze risks associated with each activity
    within each function
  • Analyze risks associated with each activity for
    all AUs

Management Control Objectives - A specific aim,
goal, condition, or level of control established
by a manager for an assessable unit.
Management Control Techniques - Any form of
organization procedure or document flow that is
being relied on to accomplish a control
objective.
Vital Management Controls - MCs that are most
important to the accomplishment of the mission.
Non-compliance would have undesirable impact on
the accomplishment of the mission and require
management to disclose this non-compliance, or
its impact, to more senior management.
Non-Vital Management Controls - MCs may be
classified as non-vital because minor
non-compliance would not have a significant
impact on the accomplishment of the mission.
22
Risk Identification/Assessment (Sample Report)
AU - MHS IM/IT Program Management Oversight

23
Risk Assessment Model (Ranking of Risks)

[Figure: risk ranking matrix of CONSEQUENCE OF
RISK OCCURRENCE against PROBABILITY OF RISK
OCCURRENCE; legend: Low Rank, Moderate Rank, High
Rank]
Probability of Occurrence:
  • 0-10 - Very Unlikely
  • 11-40 - Low Likelihood
  • 41-60 - Likely
  • 61-90 - Highly Likely
  • 91-100 - Near Certainty
24
Risk Identification/Assessment (Sample Report)
AU - MHS IM/IT Program Management Oversight

25
Management Control Program (Operational
Activities)
26
Annual MC Plan


MC Techniques
  • A system of guidance, instructions, regulations,
    procedures, rules or other organization
    instructions that will help to mitigate risks
    identified.
  • DODI 5010.40 - E2.1.9.
MC Priorities
  • Annual IMTR MC Plan is based on the severity of
    the ranking of related risks
  • Vital MCs only (at the Dir. IMTR level).
Evaluation Schedules
  • Annual MC Plan will address Schedule for
    evaluation or testing.

27
Annual MC Plan (Sample for Training Purposes)

28
Management Control Program (Operational
Activities)
29
MC Evaluation
WHENEVER EXISTING DATA DOES NOT PROVIDE FOR
ADEQUATE REVIEW OF MCs, THEN APPROPRIATE REVIEWS
SHOULD BE PLANNED AND PROVIDED THAT WILL ENABLE
MANAGEMENT TO MAKE REASONABLE JUDGMENTS ABOUT
THE EFFECTIVENESS OF THE MCs. DODD 5010.38 -
PARA 4.2.4


MC Reviews
  • A documented evaluation of the MCs to determine
    whether adequate MCs exist and are implemented to
    achieve cost-effective compliance
  • MC reviews may utilize IG, GAO or internal
    audits, inspections, or investigations.
  • DODI 5010.40 - Para E2.1.10.
MC Testing (If Required)
  • Procedures to determine, through observation,
    examination, verification, sampling, or other
    procedures, whether MC systems are working as
    intended (in accordance with management's MC
    objectives).
  • DODI 5010.40 - E2.1.23.
MC Plan
  • Annual MC Plan will address (1) What is to be
    evaluated and tested; (2) Who evaluates and
    tests; (3) Which type of evaluation or testing is
    to be used; and (4) Schedule for evaluation or
    testing.
30
MC Evaluation (MC Reviews)
  • Management Control Evaluation - A documented
    evaluation of the MCs of an assessable unit to
    determine whether adequate control techniques
    exist and are implemented.
  • Management Control Review - Detailed examination
    of a system of MCs in an assessable unit using
    the methodology specific for that purpose.
    Reviews should be conducted only when a reliable
    alternative source of information is not
    available.
  • Alternative Management Control Review - Detailed
    examination of a system of MCs in an assessable
    unit, based upon existing documentation such as
    computer security reviews; quality assessments;
    financial systems reviews; IG, GAO or DoD
    Component audits, inspections, or investigations;
    internal review studies; and management and/or
    consulting reviews.
  • Testing of Management Controls - Test management
    controls, if required, using techniques such as
    Walk-Through; Flowcharting; Individual and/or
    Group Interviews; Sampling; Analysis of Source
    Document Processing; or a combination of test
    procedures.

31
Management Control Program (Operational
Activities)
32
MC Corrective Actions (If Required)

OMB CIRCULAR A-123 REQUIRES DOD COMPONENT
MANAGERS TO TAKE TIMELY AND EFFECTIVE ACTIONS TO
CORRECT WEAKNESSES IN THEIR MCs.


Develop MC Corrective Actions
Validate MC Corrective Actions
Monitor MC Corrective Actions
  • Correcting MC weaknesses is an integral part of
    management accountability. DODI 5010.40 -
    5.1.4.3.
  • Sufficient corrective actions need to be taken to
    achieve the desired results. OMB Cir. A-123 -
    Section IV.
  • Management should track progress to ensure timely
    and effective results. OMB Cir. A-123 - Section
    IV.
  • Tracking corrective actions should be
    commensurate with the severity of the weakness.
    DODI 5010.40 - 5.1.4.3.
  • A determination that a weakness has been
    corrected should be made only when sufficient
    actions have been taken and the desired results
    achieved.
  • Validation should be the last milestone. DODI
    5010.40 - 5.1.4.3.

33
MC Corrective Actions (Sample Corrective Actions
Report - Date Jan. 23, 2003)

34
Management Control Program (Operational
Activities)
35
Annual Reporting

CONTINUOUS MONITORING, AND OTHER PERIODIC
EVALUATIONS, SHOULD PROVIDE THE BASIS FOR THE
ANNUAL STATEMENT ABOUT REASONABLE ASSURANCE.
DODD 5010.38 - PARA 4.2.3
Annual Statement of Assurance
  • A statement of assurance indicates whether or not
    the MC system meets the program standards, goals,
    and objectives of sound and effectively
    implemented MCs.
  • DODD 5010.38 - Para 4.3
TMA Vulnerability Assessment of AUs
  • A general assessment of the effectiveness of MCs
    within AUs that provides the basis for the
    Annual Statement of Assurance.
  • DODI 5010.40 - Para E2.1.10

36
FY05 Annual MC Program Schedule

37
  • Backup Slides

38
Definitions
  • Assessable Units - Organization segmented along
    organizational, functional, or programmatic lines
    into assessable units (or appropriate alternative
    methodology providing equivalent results). Each
    DoD Component shall establish and maintain an
    inventory of its assessable units. This
    inventory should be an aspect of every DoD
    Component's Management Control Plan. Each
    Assessable Unit has one or more functions. DoD
    Instruction 5010.40.
  • Functions - Each Assessable Unit has one or more
    functions. Any function performed contains such
    processes used to start and perform related
    activities. DODI 5010.40 - E2.1.7.
  • Activities - Each function consists of one or
    more activities. Activities represent detailed
    operations that support functions.

39
Definitions
  • Management Control Program - The process to
    assist managers in establishing, assessing, and
    reporting on management controls.
  • Management Control Plan - A brief, written plan
    (updated as necessary) that indicates the number
    of scheduled and accomplished MC evaluations.
    The data contained in, or summarized by, the MCP
    shall be consistent with information reported in
    the DoD Component's Annual Statement of
    Assurance. The MCP need not be lengthy and any
    format may be used, so long as it addresses MC
    evaluations throughout the organization and
    conveys, with a reasonable certainty, the
    knowledge that the objective has been
    accomplished. DoD Instruction 5010.40.

40
Definitions
  • Risk - The probable or potential adverse effects
    from inadequate management controls that may
    result in the loss of Government resources or
    cause an agency to fail to accomplish significant
    mission objectives through fraud, error, or
    mismanagement. DoD Instruction 5010.40.
  • Categories - High, medium, and low risk
    categories are defined as follows:
  • High Risk - A high risk would cause major or
    critical problems and would cause activity
    failure because activity requirements would not
    be met.
  • Medium Risk - A medium risk would cause
    non-critical problems, however, activity
    requirements would still be met.
  • Low Risk - A low risk would cause insignificant
    problems, however, activity requirements would
    still be met.

41
Definitions
  • Risk Assessment - In a risk assessment, an
    evaluation is made of the susceptibility to
    waste, fraud, and mismanagement. A risk
    assessment:
  • is based on existing data and management
    knowledge;
  • is conducted on all responsibilities;
  • focuses on the potential negative impact to
    the unit or organization;
  • is documented; and
  • provides the basis to identify and rate risks as
    low, medium, or high, which assists in scheduling
    a more in-depth look at the status of the
    management controls.
  • Source - Integrity Act Management
    Accountability and Control, Management Concepts
    Inc., Page 4-43.

42
Definitions
  • Types of Risks - There are two main types of
    risks: internal risks and external risks.
  • Internal Risks - Risks generally due to the acts
    of entities within an organization. For example,
    employees, either intentionally or
    unintentionally, fail to adhere to established
    policies and procedures. Internal risk can be
    further categorized into inherent risks or
    integrity-related risks.
  • Inherent Risks - These risks are generally due to
    the nature and characteristics of the mission,
    functional area, or the type of activities of an
    organization.
  • Integrity-Related Risks - These risks are
    generally due to the acts of an organization's
    employees who compromise integrity and ethical
    values.
  • External Risks - Risks generally related to
    forces outside of an organization. For example,
    risks due to court decisions, Congressional
    requirements, and possible natural catastrophes
    or criminal or terrorist actions.

43
Definitions (Risk Assessment)
  • CONSEQUENCE OF RISK OCCURRENCE
  • Critical - The consequence of a risk would be
    critical if the impact of the resulting problems
    could cause extremely urgent or very serious
    activity failure
  • Serious - The consequence of a risk would be
    serious if the impact of the resulting problems
    could cause important or grave activity failure
  • Moderate (Major) - The consequence of a risk
    would be major if the impact of the resulting
    problems could cause significant (but not
    serious) failure and activity requirements might
    not be met
  • Minor - The consequence of a risk would be minor
    if the impact of the resulting problems could not
    cause any major failure and activity requirements
    would still be met
  • Negligible - The consequence of a risk would be
    negligible if the impact of the resulting
    problems could not cause any activity failure and
    activity requirements would still be met

44
Definitions (MC Evaluation/MC Testing Procedures)
  • Walk-Through - A walk-through of operations is
    made to observe how the control functions in
    actual practice. During the walk-through,
    determine how the control is meeting the
    objective. Any facet of operations that raises a
    concern should be identified for further analysis
    as to whether a control deficiency exists.
  • Flowcharting - Flowcharting provides a visual
    depiction of functions being performed and the
    flow of the transactions. This form of testing
    is particularly useful in determining violations
    of the separation of duties standard.
  • Individual and/or Group Interviews - Interviews
    are an important testing technique to facilitate
    an understanding of how controls function.
    Often, the best sources of information are
    personnel performing the operation. Combining
    inquiry and observation can often provide
    valuable insights into problem areas, such as a
    lack of financial and personnel resources
    necessary to effectively meet control objectives.
  • Sampling - If there are a considerable number of
    documents or transactions performed, you may
    review a sample of them. If no discrepancies are
    noted, then a reasonable conclusion is that the
    control is adequate. If discrepancies are
    identified, you should examine additional
    documents/transactions to confirm whether the
    control is functioning as designed.
  • Analysis of Source Document Processing - Select a
    sample of source documents and follow them
    through each step of the process. Source
    document analysis can often disclose improper
    procedures, failure to follow procedures, or
    breakdowns among processing steps.
  • A Combination of Test Procedures - You may want
    to combine several methods of testing procedures
    to ensure that your controls are adequate.