Naval Service Training Command Managers Internal Control Program

Naval Service Training Command Managers’ Internal Control Program (MICP) Training Ms. Judith Goldsmith, NSTC IG Mr. Kevin Du. Bose, NSTC Deputy IG February 2018 UNCLASSIFIED

MICP Overview • • • Governing Regulations Purpose Benefits Responsibilities (Primary/Alternate MICP Coordinators and Process Owners) Define Process, Internal Controls & Key Metrics Five Elements for Annual MICP NSTC Shared Drive for NSTC, RTC and OTC NSTC Website Home Page for NROTCUs and Maritime Academies Plan of Action & Milestones

Governing Regulations • Federal Managers’ Financial Integrity Act (FMFIA) of 1982 • SECNAVINST 5200. 35 F, Department of the Navy (DON) MICP • SECNAV M-5200. 35, DON MIC Manual • DON MIC Evaluation Checklist, 12 Apr 2013 • NETCINST 5200. 1, MICP • NETCNOTE 5200 of 17 Mar 17 • NSTCNOTE 5200 of 26 Jan 18 • CNSTC Email of 10 Apr 17, NSTC Domain Mandatory Online MICP Training Requirements

MICP in a Nutshell • Manager’s annual self-assessment tool that addresses command’s objectives, risks, vulnerabilities and controls of processes and operations. • Provides reasonable assurance processes are effective and safeguards are in place. • Requires annual certification from process owners, program managers and Commanding Officers (COs). • Documents major accomplishments and material weaknesses. • Provides an audit trail of accountability.

Benefits to MICP Ø Baseline for the Inspections Program. Ø Standardizes programs and processes. Ø Serves as Standard Operating Procedures (SOP) and turnover item for new personnel. Ø Provides understanding of processes to all personnel. Ø Identifies safeguards in the process and key metrics (KMs). Ø Tool for self assessments and process improvement. Ø Reflects management involvement. Ø Mechanism to report major accomplishments and material weaknesses to higher authority.

Responsibilities PRI/ALT MICP Coordinators Ø Be designated, in writing, via Appointment Letter, per ASN(FM&C ) ltr 5000 Ser U 015 of 14 Mar 2013. Ø Complete mandatory online MICP Training Course (OASN-MCPT-1. 3) every three yrs. Ø Maintain command’s online MICP Training Certifications. Ø Review and update the MICP Inventory of Assessable Units (IAU). Ø Evaluate work processes for relevancy to command’s mission & associated support. Ø Provide training, guidance and assistance to staff. Ø Coordinate annual requirements. Ø Ensure completeness of required documentation. Ø Consolidate Departmental Certification Statements and prepare Annual Certification Statement signed by the CO. Ø Track status of weaknesses. Ø Retain MICP documentation for three yrs. Ø Update shared drive, if applicable. Process Owners/Points of Contact Ø Complete and maintain online MICP Training for Managers Course (OASN-MCPTM-1. 3). Ø Review and update the MICP IAU. Ø Ensure compliance with the latest governing directives for each applicable process. Ø Identify and test internal controls (ICs) by performing a walk through of the processes, reviewing documents, interviewing managers and process owners and/or evaluating data. Ø Review/revise and maintain process flowcharts. Ø Ensure each flowchart has two-three KMs. Ø Review/revise and maintain Internal Control System Tests (ICSTs) and Operational Risk Management (ORM) Assessments. Ø Submit Departmental Certification Statements to the CO via the Primary/Alternate MICP Coordinator.

What’s a Process? A process is an action where resources are employed in generating a product, performing a responsibility, or rending a service in support of the command’s mission. A process consists of starting and ending points connected by a series of decision points and includes KMs/ICs and various work-related steps. A process consumes time, involves personnel to complete the action, results in a product, addresses organizational initiatives and carries out goals/objectives of the command.

Work Process (WP)/Assessable Unit (AU) • WPs/AUs are broken down into four major categories: – Mission Critical: Processes that are specific to your command mission, i. e. , Performance Review Boards (PRBs), Curriculum Management, Student Performance/Administrative Files. – Universal: Processes that exist at most commands, i. e. , Command Managed Equal Opportunity (CMEO)/Drug and Alcohol (DAPA)/Urinalysis and Sexual Assault Prevention and Response (SAPR) Programs. – Financial Compliance: Processes that must meet the financial standards set by government laws and regulations, i. e. , Government Commercial Purchase Card (GCPC), Government Travel Charge Card (GTCC) , Defense Travel System (DTS), Civilian Time and Attendance (T&A) and Property Management Programs. – Associated Support: Processes that support your command mission, i. e. , MICP, Voting Assistance, Inspections, and Privacy Act Programs.

What are ICs ? • • Every process has an objective; however, there are risks the objective will not be accomplished. ICs are safeguards that lessens the risks and ensures the objectives are accomplished. ICs do not stand alone but are part of infrastructure. ICs are embedded within a flowchart for determining SECNAV/OPNAV’s focus three Es: Efficiency, Effectiveness, and Economy.

Four Types of ICs : • Directive – designed to assist in achieving goals and objectives. Directives/instructions; training seminars; road signs; written job descriptions; drop down menus. • Preventive – designed to discourage errors/irregularities. Policies, procedures; passwords; physical access controls (locks, fences); required fields on applications/documents; managers’ approvals or Preapprovals. • Detective – designed to identify errors/irregularities after occurring. Reviewing signed documents/invoices; smoke alarms; observations; spell checker; inspections/audits. • Corrective – designed to restore the process to its expected state. Archived files that can be reloaded; a transaction trail; a follow-up log; budget variance reports.

KMs provide a quick look as to how well a process is achieving its intended purpose (quantity or quality). • Quantity Metrics – processing time; number completed, reworked or backlogged. • Quality Metrics – accomplished by due dates or within timeframe specified.

KEEP IT SIMPLE Per MICP governing directives, the MICP is regarded as a dynamic living process requiring annual manager’s review.

For annual MICP requirements, managers and process owners must: 1) Review and update the MICP IAU. 2) Ensure compliance with the latest governing directives for each applicable process. 3) Identify and test ICs for each process. 4) Review/revise and maintain applicable flowcharts, ICSTs and ORM Assessments. 5) Submit Departmental Certification Statements to the CO via Primary/Alternate MICP Coordinator.

The idea is to keep the annual review simple while also providing managers a tool for self-assessments and the baseline that links directly to the DON Inspections Program (NETC Area Visit Program / NSTC Assist Visit Program) and/or inspections from external Do. D agencies.

FIVE ELEMENTS FOR ANNUAL MICP: • • E 1: IAU E 2: Flowcharts E 3: ORM Assessments E 4: ICSTs which includes the NSTC Domain’s Nine Strategic Goals • E 5: Annual MICP Certification Statements

E 1: Evaluate the IAU Managers update the IAU annually by making revisions to the past year’s inventory if processes were added, deleted or transferred. The IAU includes universal, financial compliance, mission critical/essential and associated support processes.

2018 High Visibility Areas Ø Audit readiness of processes requiring financial accountability: Contract Management GCPC Program GTCC Program DTS Civilian T&A Property Management Programs Ø Information Assurance (IA)/Network Security Ø Urinalysis Program Ø Privacy Act Program Ø CMEO Program Ø SARP Program Ø Emergency Action Planning (EAP) Ø Anti-Terrorism Force Planning (ATFP) Ø Operations/Physical and Personnel Security Programs Ø Suicide Prevention Program Ø Voting Assistance Program Ø Management Accountability Ø Strategic Planning (NSTC HQ) Ø Safety issues associated with a process

E 2: Flowcharts Process owners must develop an onepage linear Microsoft Word or Power Point flowchart for each universal, financial compliance, mission critical and associated support process identified by management on the IAU. **Visio flowcharts require all reviewers to have access to the software.

Flowcharts • Ensure each flowchart includes the following: Ø Command Name Ø Title of Process and Governing Regulation(s) Ø Office code, telephone number and email address Ø Two or three KMs Ø Date reviewed or revised Ø Description of acronyms used Ø For Official Use Only (FOUO) Statement

E 3: ORM Assessments (NETC Form 5200/2) Ø On page 3 of the ORM Assessment, for each process, identify safety, high risk and/or “administrative” hazards, vulnerabilities and risks. Ø Answers what could go wrong to hinder the process objective. Ø Completed ORM Assessments and RACs are needed to answer the ICSTs. Ø Forms must be signed and dated by the process owner and supervisor. The NSTC Chief of Staff (Co. S) will sign as the supervisor for all Special Assistants. Ø If no changes from last year, just sign and date ORM Assessment.

E 4: ICST (NETC Form 5200/1) This test requires identifying at least one of the nine NSTC Domain’s Strategic Goals in which the process is linked. Ensure the KMs identified in block 5 of the ICST are linked to the process flowchart.

ICST • Document on the ICST how the test was accomplished (can be one or all of the below) – Perform physical inspection or walk-through – Review documents – Conduct interviews – Evaluate data • The KMs used to measure performance must agree with the KMs on flowchart. • Annotate if the process involves Personally Identifiable Information (PII). • Update as information changes. • The process owner must sign and date the form.

E 5: Annual MICP Certification Statement NSTC Directors and Department Heads must submit an annual MICP Certification Statement to CNSTC via NSTC IG to demonstrate the existence of a clear audit trail of accountability at the activity level. Subordinate commands (RTC and OTC) will have their process owners submit departmental MICP Certification Statements to the CO and electronically submit one MICP Certification Statement signed by the CO or Acting CO to CNSTC via NSTC IG. NROTCUs and Maritime Academies will electronically submit one MICP Certification Statement signed by the CO or Acting CO to CNSTC via NSTC IG.

When applicable, commands also submit Major Accomplishments (NETC Form 5200/3) and/or Material Weaknesses or Status of Corrective Actions (NETC Form 5200/4).

NSTC’s consolidated MICP Certification Statement supports the MPT&E consolidated Statement of Assurance (SOA) which is submitted to CNO.

To better assist the NSTC domain, the NSTC IG Office has made available PDF and digital signature ORM Assessments, ICSTs, Major Accomplishments and Material Weaknesses Forms.

NSTC Shared Drive • For NSTC, RTC and OTC’s convenience, all 2017 MICP documents (flowcharts, ICSTs, ORM Assessments, Certification Statements, Online Training Certificates, regulations and forms) are located on S: GRLKNSTCMICP 2017. • NSTC, RTC and OTC personnel have read only access. • Staff are required to copy and rename the documents for use in the 2018 MICP requirements.

NSTC Website Home Page • For NROTCUs and Maritime Academies convenience, please visit the NSTC Website Home Page for all MICP governing regulations, Power. Point Training and forms. • For access, click Other Links and then NSTC IG.

Common 2017 Rework Items • • • Flowcharts updated, however, KMs not annotated. KMs updated on flowchart but not on ICST. PII info on ICST & ORM Assessment do not match. PII Risks not listed on ORM Assessment when the PII box on the ICST annotated yes. ICST annotated obsolete NSTC Strategic Goals. Page 3 of the ORM Assessment did not annotate any “administrative” hazards, vulnerabilities and/or risks. Flowcharts not dated when reviewed or revised. Acronyms not defined. Command and/or Departmental Certification Statements had incorrect formats or were signed “By direction”. **Certification Statements submitted annotating that management controls are in place and operating effectively, however, annual requirements were not completed. Ensure the appropriate Paragraph 2 of the Certification Statement is selected. One sentence accomplishments lacked quantifiable results. Signed Certification Statements not electronically forwarded to NSTC IG.

Plan of Action/Milestones Ø Flowcharts are due no later than (NLT) 4 April 2018 to the NSTC IG. (NROTCUs and Maritime Academies will maintain flowcharts in-house. The flowcharts will be inspected during the NSTC AV. ) Ø ORM Assessments/ICSTs are due NLT 11 April 2018 to the NSTC IG. (NROTCUs and Maritime Academies will maintain ORM Assessments/ICSTs in-house. The documents will be inspected during the NSTC AV. ) Ø NSTC, RTC, OTC, NROTCUs and Maritime Academies Certification Statements are due NLT 18 April 2018 to the NSTC IG. Ø CNSTC’s Consolidated Certification Statement is due to the NETC IG 27 April 2018. Forward all submissions electronically to judith. goldsmith 1@navy. mil and cc kevin. dubose@navy. mil.

Summary MICP is regarded as a dynamic living process requiring annual manager’s review. Primary and Alternate MICP Coordinators are available to provide guidance and assistance to the process owners.

FOR MICP QUESTIONS OR CONCERNS, PLEASE CONDUCT Judith Goldsmith, NSTC IG (847) 688 -2258 judith. goldsmith 1@navy. mil or Kevin Du. Bose, NSTC DEPUTY IG (847) 688 -2286 kevin. dubose@navy. mil