Revised 5/25/2016

CHAPTER 6.

MANAGER’S RESPONSIBILITY FOR INTERNAL CONTROLS

SECTIONS

6-01 PURPOSE

6-02 SCOPE

6-03 AUTHORITY

6-04 POLICY

6-05 EFFECT ON OTHER ISSUANCES

APPENDIX A: RISK ASSESSMENT

APPENDIX B: LIST OF EVENT CYCLES

APPENDIX C: INTERNAL CONTROL REVIEW PLAN

APPENDIX D: MCR FLOWCHART EXAMPLE

APPENDIX E: EVALUATION OF GENERAL CONTROL ENVIRONMENT

APPENDIX F: EVALUATION OF MANAGEMENT CONTROLS

APPENDIX G: EVENT CYCLE RISKS, CONTROL OBJECTIVES, AND CONTROL TECHNIQUES

APPENDIX H: TESTING PLAN

APPENDIX I: CORRECTIVE ACTION TEMPLATE

6-01 PURPOSE.

This chapter prescribes policy and procedures and assigns responsibilities for establishing and maintaining adequate systems of internal controls in the programs and activities of the National Oceanic and Atmospheric Administration (NOAA).

6-02 SCOPE.

The provisions of this chapter apply to all program, financial, and administrative activities of NOAA.

6-03 AUTHORITY.

This chapter is issued pursuant to the following authorities:

  • Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (31 U.S.C. 3512)

The FMFIA requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on internal control (Section 2) and on whether the agency’s financial management systems conform to Government-wide requirements (Section 4); together these protect the integrity of Federal programs.

  • OMB Circular A-123, Management’s Responsibility for Internal Control

The Circular provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control.

  • GAO Standards for Internal Control in the Federal Government

The Standards for Internal Control in the Federal Government (known as the “Green Book”) provide the overall framework for establishing and maintaining an effective internal control system.

  • GAO Internal Control Management and Evaluation Tool

The Internal Control Management and Evaluation Tool, which is based upon GAO’s Standards for Internal Control in the Federal Government, assists agencies in maintaining or implementing effective internal control and, when needed, helps determine what, where, and how improvements can be implemented.

  • Chief Financial Officers Act (P.L. 101-576)

The CFO Act requires agencies to both establish and assess internal control related to financial reporting. The Act also requires the preparation and audit of financial statements.

  • Government Performance and Results Act (GPRA) (P.L. 103-62)

To support results-oriented management, GPRA requires agencies to develop strategic plans, set performance goals, and report annually on actual performance compared to goals.

6-04 POLICY.

6.04.01 RESPONSIBILITY

NOAA management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. NOAA management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness.

6.04.02 INTERNAL CONTROL STANDARDS

Internal control, in the broadest sense, includes the plan of organization, methods, and procedures adopted by management to meet its goals. Internal control includes processes for planning, organizing, directing, controlling, and reporting on NOAA operations. The three objectives of internal control are:

  • Effectiveness and efficiency of operations,
  • Reliability of financial reporting, and
  • Compliance with applicable laws and regulations.

The safeguarding of assets is a subset of all of these objectives. Internal control should be designed to provide reasonable assurance regarding prevention of, or prompt detection of, unauthorized acquisition, use, or disposition of assets.

NOAA management is responsible for developing and maintaining internal control activities that comply with the following standards to meet the above objectives:

  • Control Environment,
  • Risk Assessment,
  • Control Activities,
  • Information and Communications, and
  • Monitoring.

Control Environment

The control environment is the NOAA organizational structure and culture created by management and employees to sustain organizational support for effective internal control. When designing, evaluating, or modifying organizational structure, management must clearly demonstrate its commitment to competence in the workplace. Within the NOAA organizational structure, management must clearly:

  • Demonstrate a commitment to integrity and ethical values;
  • Oversee the entity’s internal control system;
  • Establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives;
  • Demonstrate a commitment to recruit, develop, and retain competent individuals; and
  • Evaluate performance and hold individuals accountable for their internal control responsibilities.

The NOAA organizational culture should be defined by management’s leadership in setting values of integrity and ethical behavior, but it is also affected by the relationship between NOAA, central oversight agencies, and Congress. Management’s philosophy and operational style will set the tone within NOAA. Management’s commitment to establishing and maintaining effective internal control should cascade down and permeate NOAA’s control environment, which will aid in the successful implementation of internal control systems.

Risk Assessment

NOAA management should identify internal and external risks that may prevent NOAA from meeting its objectives. When identifying risks, management should take into account relevant interactions within NOAA as well as with outside organizations. Management should also consider previous findings (e.g., auditor-identified findings, internal management reviews, or noncompliance with laws and regulations) when identifying risks. Identified risks should then be analyzed for their potential effect or impact on NOAA. Management has a responsibility to:

  • Define objectives clearly to enable the identification of risks and define risk tolerances;
  • Identify, analyze, and respond to risks related to achieving the defined objectives;
  • Consider the potential for fraud when identifying, analyzing, and responding to risks; and
  • Identify, analyze, and respond to significant changes that could affect the internal control system.

To identify risks, managers should consider the types of risks that impact the organization. This includes both inherent and residual risk. Inherent risk is the risk to an organization in the absence of management’s response to the risk. Residual risk is the risk that remains after management’s response to inherent risk. Management’s lack of response to either risk could cause deficiencies in the internal control system.

Control Activities

Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system. Management should:

  • Design control activities to achieve objectives and respond to risks.
  • Design the entity’s information system and related control activities to achieve objectives and respond to risks.
  • Implement control activities through policies.

Internal control also needs to be in place over information systems, in the form of general control and application control. General control applies to all information systems, such as the mainframe, network, and end-user environments, and includes NOAA-wide security program planning and management, control over data center operations, and system software acquisition and maintenance. Application control should be designed to ensure that transactions are properly authorized and processed accurately and that the data are valid and complete. Controls such as edit checks should be established at an application’s interfaces to verify inputs and outputs. General and application control over information systems are interrelated; both are needed to ensure complete and accurate information processing. Because of the rapid changes in information technology, controls must also adjust to remain effective.

Information and Communications

Information should be communicated to relevant personnel at all levels within NOAA. The information should be relevant, reliable, and timely. It is also crucial that NOAA communicate with outside organizations, whether providing information or receiving it. Examples include receiving updated guidance from central oversight agencies; management communicating requirements to the operational staff; and operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance. Management should:

  • Use quality information to achieve the entity’s objectives;
  • Internally communicate the necessary quality information to achieve the entity’s objectives; and
  • Externally communicate the necessary quality information to achieve the entity’s objectives.

Monitoring

Monitoring the effectiveness of internal control should occur in the normal course of business. In addition, periodic reviews, reconciliations, or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal control, which should be ingrained in NOAA’s operations. An effective continuous monitoring program spreads the effort needed to maintain effective internal controls evenly throughout the year, rather than concentrating it in an annual review. Management should:

  • Establish and operate monitoring activities to monitor the internal control system and evaluate the results; and
  • Remediate identified internal control deficiencies on a timely basis.

Deficiencies found in internal control should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.

NOAA managers and staff should be encouraged to identify control deficiencies, as this reflects positively on NOAA’s commitment to recognizing and addressing internal control problems. Failing to report a known reportable condition would reflect adversely on NOAA and continue to place NOAA’s operations at risk. NOAA managers should carefully consider whether systemic weaknesses exist that adversely affect internal controls across organizational or program lines.

6.04.03 INTERNAL CONTROL ACTIVITIES

Internal control activities (“control activities”) are the policies, procedures, techniques, and mechanisms that help ensure that management’s directives to mitigate risks identified during the risk assessment process are carried out. Control activities are an integral part of NOAA’s planning, implementing, and reviewing. They are essential for proper stewardship and accountability for government resources and for achieving effective and efficient program results.

Control activities occur at all levels and functions of NOAA. They include a wide range of diverse activities, such as approvals, authorizations, verifications, reconciliations, performance reviews, security activities, and the production of records and documentation. A manager or evaluator should focus on control activities in the context of NOAA’s management directives to address risks associated with established objectives for each significant activity (program or mission). Therefore, a manager or evaluator will consider whether control activities relate to the risk-assessment process and whether they are appropriate to ensure that management’s directives are carried out.

In assessing the adequacy of internal control activities, a reviewer should consider whether the proper control activities have been established, whether they are sufficient in number, and the degree to which those activities are operating effectively. This should be done for each significant activity. This analysis and evaluation should also include controls over computerized information systems. A manager or evaluator should consider not only whether established control activities are relevant to the risk-assessment process, but also whether they are being applied properly.

General Control Activities

There are several general control activities that are applicable throughout NOAA, including:

  • Appropriate policies, procedures, techniques, and mechanisms exist with respect to each of NOAA’s activities.
  • The control activities identified as necessary are in place and being applied. For example:
    ◦ Control activities described in policy and procedures manuals are actually applied and applied properly.
    ◦ Supervisors and employees understand the purpose of internal control activities.
    ◦ Supervisory personnel review the functioning of established control activities and remain alert for instances in which excessive control activities should be streamlined.
    ◦ Timely action is taken on exceptions, implementation problems, or information that requires follow-up.
    ◦ Control activities are regularly evaluated to ensure that they are still appropriate and working as intended.
  • Management tracks major NOAA achievements in relation to its plans.
  • NOAA managers review actual performance against targets.
  • NOAA effectively manages NOAA’s workforce to achieve results.
  • NOAA employs a variety of control activities suited to information processing systems to ensure accuracy and completeness.
  • NOAA employs physical control to secure and safeguard vulnerable assets. For example:
    ◦ Physical safeguarding policies and procedures have been developed, implemented, and communicated to all employees.
    ◦ Assets that are particularly vulnerable to loss, theft, damage, or unauthorized use, such as cash, securities, supplies, inventories, and equipment, are physically secured and access to them controlled.
  • NOAA has established and monitors performance measures and indicators. For example:
    ◦ Performance measures and indicators have been established throughout NOAA at the NOAA-wide, activity, and individual level.
    ◦ Performance measurement assessment factors are evaluated to ensure they are linked to mission, goals, and objectives, and are balanced and set appropriate incentives for achieving goals while complying with law, regulations, and ethical standards.
    ◦ Actual performance data are continually compared against expected/planned goals and differences are analyzed.
  • Key duties and responsibilities are divided or segregated among different people to reduce the risk of error, waste, or fraud. For example:
    ◦ No one individual is allowed to control all key aspects of a transaction or event.
    ◦ Responsibilities and duties involving transactions and events are separated among different employees with respect to authorization, approval, processing and recording, making payments or receiving funds, review and auditing, and the custodial functions and handling of related assets.
    ◦ NOAA management is aware that collusion can reduce or destroy the control effectiveness of segregation of duties; it is therefore especially alert for collusion and attempts to reduce the opportunities for it to occur.
  • Transactions and other significant events are authorized and performed by the appropriate personnel. For example:
    ◦ Controls are established to ensure that all transactions and other significant events that are entered into are authorized and executed only by employees acting within the scope of their authority.
  • Transactions and other significant events are properly classified and promptly recorded. For example:
    ◦ Transactions and events are appropriately classified and promptly recorded so that they maintain their relevance, value, and usefulness to NOAA management in controlling operations and making decisions.
    ◦ Proper classification and recording take place throughout the entire life cycle of each transaction or event, including authorization, initiation, processing, and final classification in summary records.
  • Access to resources and records is limited and accountability for their custody is assigned.
  • Internal control, all transactions, and other significant events are clearly documented. For example:
    ◦ The documentation is readily available for examination.
    ◦ Documentation, whether in paper or electronic form, is useful to managers in monitoring their operations and to any others involved in evaluating or analyzing operations.
    ◦ All documentation and records are properly managed, maintained, and periodically updated.

Information System Control Activities

In addition, there are some control activity factors specifically designed for information systems. As discussed previously, there are two broad groupings of information systems control: general control and application control.

General control includes the structure, policies, and procedures that apply to NOAA’s overall computer operations. It applies to all information systems, including mainframe, mini-computer, network, and end-user environments. General control creates the environment in which NOAA’s application systems operate. The general control activities include:

  • NOAA periodically performs a comprehensive, high-level assessment of risks to its information systems.
  • NOAA has developed a plan that clearly describes the NOAA-wide security program and the policies and procedures that support it.
  • NOAA senior management has established a structure to implement and manage the security program throughout NOAA, and security responsibilities are clearly defined.
  • NOAA has implemented effective security-related personnel policies.
  • NOAA monitors the security program’s effectiveness and makes changes as needed.
  • NOAA classifies information resources according to their criticality and sensitivity.
  • Resource owners have identified authorized users, and their access to the information has been formally authorized.
  • NOAA has established physical and logical controls to prevent or detect unauthorized access.
  • NOAA monitors information systems access, investigates apparent violations, and takes appropriate remedial and disciplinary action.
  • Information system processing features and program modifications are properly authorized.
  • All new or revised software is thoroughly tested and approved.
  • NOAA has established procedures to ensure control of its software libraries, including labeling, access restrictions, and use of inventories and separate libraries.
  • NOAA limits access to system software based on job responsibilities, and access authorization is documented.
  • Access to and use of system software is controlled and monitored.
  • NOAA controls changes made to the system software.
  • Incompatible duties have been identified and policies implemented to segregate those duties.
  • Access controls have been established to enforce segregation of duties.
  • NOAA exercises control over personnel activities through the use of formal operating procedures, supervision, and review.
  • The criticality and sensitivity of computerized operations have been assessed and prioritized, and supporting resources have been identified.
  • NOAA has taken steps to prevent and minimize potential damage and interruption through the use of data and program backup procedures, including offsite storage.
  • NOAA management has developed and documented a comprehensive contingency plan.
  • NOAA periodically tests the contingency plan and adjusts it as appropriate.

Application control covers the structure, policies, and procedures designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. It includes both the routines contained within the computer program code and the policies and procedures associated with user activities, such as manual measures performed by the user to determine that the data were processed accurately by the computer. The application control activities include:

  • Source documents are controlled and require authorization.
  • Data entry terminals have restricted access.
  • Master files and exception reporting are used to ensure that all data processed are authorized.
  • All authorized transactions are entered into and processed by the computer.
  • Reconciliations are performed to verify data completeness.
  • NOAA’s data entry design features contribute to data accuracy.
  • Data validation and editing are performed to identify erroneous data.
  • Erroneous data are captured, reported, investigated, and promptly corrected.
  • Output reports are reviewed to help maintain data accuracy and validity.
  • Procedures ensure that the current version of production programs and data files are used during processing.
  • Programs include routines to verify that the proper version of the computer file is used during processing.
  • Programs include routines for checking internal file header labels before processing.
  • The application protects against concurrent file updates.
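The following is an added illustration, not code from this chapter or from NOAA or GAO, of what several of the application control activities above look like when written into a batch-processing program: checking the file header label and layout version before any record is processed, running field-level edit checks against a master file, capturing erroneous records in an exception list instead of discarding them, reconciling record count and control total for completeness, and refusing a master-file update that another process has already changed. The pipe-delimited file layout, the field names, the master-file contents, and the sample batch are all constructed assumptions made for the example.

```python
"""Added example of application-level controls over a transaction batch.
File layout, field names, the master file and the sample batch are constructed
assumptions for illustration; they are not a NOAA or GAO artifact."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master file: account -> authorization flag, balance, row version.
MASTER = {
    "1001": {"authorized": True, "balance": Decimal("500.00"), "version": 7},
    "1002": {"authorized": False, "balance": Decimal("0.00"), "version": 3},
}

# Header label the program is built for; anything else is the wrong file/version.
EXPECTED_LAYOUT = ("PAYMENTS", "v2")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)   # captured and reported, not dropped
    reconciled: bool = False                          # count and control total agree


def parse_header(line):
    """Header label check: HDR|<file-id>|<layout-version>|<record-count>|<control-total>."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5 or parts[0] != "HDR":
        raise ValueError("missing or malformed header label")
    file_id, version, count, total = parts[1:]
    if (file_id, version) != EXPECTED_LAYOUT:
        raise ValueError(f"wrong file/version {file_id} {version}; expected {EXPECTED_LAYOUT}")
    return int(count), Decimal(total)


def edit_check(rec):
    """Field-level edit checks; returns the list of problems (empty means the record passes)."""
    problems = []
    acct = MASTER.get(rec["account"])
    if acct is None:
        problems.append("unknown account")
    elif not acct["authorized"]:
        problems.append("account not authorized for payments")
    try:
        amt = Decimal(rec["amount"])
        if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
            problems.append("amount must be positive with at most two decimals")
    except InvalidOperation:
        problems.append("amount not numeric")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        problems.append("date not in ISO yyyy-mm-dd form")
    return problems


def process_batch(lines):
    """Run header, edit, exception-capture and completeness controls over one batch."""
    result = BatchResult()
    expected_count, expected_total = parse_header(lines[0])
    seen_count, seen_total = 0, Decimal("0")
    for n, line in enumerate(lines[1:], start=2):
        f = line.rstrip("\n").split("|")
        if len(f) != 4 or f[0] != "DTL":
            result.exceptions.append((n, "malformed detail record"))
            continue
        rec = {"account": f[1], "amount": f[2], "date": f[3]}
        seen_count += 1
        try:
            seen_total += Decimal(rec["amount"])
        except InvalidOperation:
            pass  # the edit check below reports the non-numeric amount
        problems = edit_check(rec)
        if problems:
            result.exceptions.append((n, "; ".join(problems)))
        else:
            result.accepted.append(rec)
    # Completeness reconciliation: what arrived must match what the sender's
    # header says was sent, before anything is posted to the master file.
    result.reconciled = (seen_count == expected_count and seen_total == expected_total)
    return result


def post_payment(account, amount, expected_version):
    """Optimistic concurrency guard: refuse the update if the row changed underneath us."""
    row = MASTER[account]
    if row["version"] != expected_version:
        raise RuntimeError(f"concurrent update on {account}: "
                           f"row version {row['version']} != {expected_version}")
    row["balance"] -= Decimal(amount)
    row["version"] += 1
    return row["version"]


# Constructed sample batch: three detail records, one valid, two that must be flagged.
SAMPLE_BATCH = [
    "HDR|PAYMENTS|v2|3|175.00",
    "DTL|1001|100.00|2016-05-25",
    "DTL|1002|50.00|2016-05-25",     # account not authorized
    "DTL|1001|25.00|25/05/2016",     # date in the wrong format
]
```

Running `process_batch(SAMPLE_BATCH)` accepts only the first detail record, lists the other two in the exception report with the reason, and still reports the batch as reconciled because all three records the header promised did arrive and their amounts sum to the control total; the two controls answer different questions (did everything arrive, and is each record valid) and a batch can pass one while failing the other. The `post_payment` version check is the program-level form of the last bullet: two processes reading the same row at version 7 cannot both write, because the second write sees version 8 and is rejected.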

Additional information on control activities can be found in GAO publication GAO-01-1008G, Internal Control Management and Evaluation Tool, which is available at .

6.04.04 MANAGEMENT CONTROL REVIEW

Each NOAA Line and Staff Office is responsible for conducting a Management Control Review at least annually.

The purpose of a Management Control Review (MCR) is to evaluate the management controls of a specific activity and determine how well they promote good management. Additionally, the review helps line/staff offices operate more efficiently and effectively, and provides a reasonable level of assurance that the processes and products for which the office is responsible are adequately protected.

Internal controls are processes designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over the safeguarding of assets against unauthorized acquisition, use, or disposition may include controls related to financial reporting and operations objectives. Generally, controls that are relevant to an audit of financial statements are those that pertain to the entity’s objective of reliable financial reporting.

The steps for performing an MCR are: 1) conducting a risk assessment, 2) reviewing internal controls, 3) reporting findings, and 4) monitoring.

The purpose of a risk assessment is to determine an area of vulnerability that could be subject to waste, loss, unauthorized use, or misappropriation. A risk assessment is conducted to determine an area of concern that has a high risk of inadequate controls. (See Appendix A for the format.)

Explanations for Columns on Risk Assessment Forms

  • Assessable Unit – An organizational subdivision capable of being evaluated by control review procedures. An assessable unit should be a subdivision of an organization that ensures a reasonable span of internal control to allow for meaningful control analysis.
  • Magnitude – Very large assessable units should be considered inherently more risky than smaller ones because of their proportionately large impact on the financial statements.
  • Non-Appropriated Funds – Programs with obligated funds from sources other than appropriated funds have greater risk due to the lesser scrutiny given to non-appropriated funds.
  • Contracts/Grants – These programs pass significant funding, and consequently significant management responsibility, through to parties outside the Federal government. This could increase the risk of a weakness in management controls.
  • Substantial Change in Obligations – Significant increases or decreases in program funding can put pressures on management, possibly increasing risk.
  • OIG, GAO, and FPCD Reports or Actions – These columns indicate recent monitoring activity by the indicated agencies, going back five years. Monitoring by outside parties reduces the risk that a significant control weakness may go undetected.
  • Substantial Change in Performance Measure – A change in a performance measure can place additional pressures on management, causing increased risk.
  • Erroneous Payments – This category is used to score programs on the risk of erroneous payments.
  • Management Control Reviews – If a program has been the subject of a previous management control review, a lower risk score should be assigned.
  • Overall Results of Risk Assessment – This column summarizes the assessment of relative risk for the listed assessable units.

Documentation: Complete the Risk Assessment Template (Appendix A).

Identifying the Event Cycle(s) for Review

The assessable unit is the focus of evaluative work in the internal control process. To plan the scope of an internal control review properly, the review team must understand the activities and responsibilities of the assessable unit as a whole. This may be accomplished through a review of mission statements, Department Administrative Orders, Department Organization Orders, briefing books, and budget justifications; through interviews; or by relying on other sources that describe the work that takes place within the assessable unit.

The MCR need not concentrate on all parts of the assessable unit. Consequently, an assessable unit may be subdivided into smaller functional groupings called event cycles. Each event cycle has a distinct starting point and ending point, and is cyclical in nature. When combined, event cycles reflect all work that is performed within the assessable unit. Care should be taken to examine an entire event cycle rather than portions of it.

It may be helpful to consider the results or end products that an assessable unit is responsible for achieving and then examine the process used to do so. Particular attention should be given to programs that have large appropriations, are subject to specific managerial concern, have previously identified control problems, are inherently high risk, are highly sensitive or visible, or have not been recently reviewed, whether through an internal control review or otherwise. If event cycles seem to be of equal importance, the event cycle(s) that affect the greatest level of funding or have the most important control implications should be reviewed.