Encl. (3) to COMDTINST 5700.10
B. Risk Assessment
Management should identify internal and external risks that may prevent the organization from meeting
its objectives. When identifying risks, management should take into account relevant interactions
within the organization as well as with outside organizations. Management should also consider
previous findings (e.g., auditor-identified findings, internal management reviews, or noncompliance
with laws and regulations) when identifying risks. Identified risks should then be analyzed for their
potential effect or impact on the agency.
C. Control Activities
Control activities include the policies, procedures and mechanisms in place to help ensure that agency
objectives are met. Examples include: proper segregation of duties (separate individuals with
authority to authorize a transaction, process the transaction, and review the transaction); physical
controls over assets (limited access to inventories or equipment); proper authorization; and appropriate
documentation, with appropriate access to that documentation.
Internal control also needs to be in place over information systems, in the form of general controls and
application controls. General controls apply to all information systems (mainframe, network and end-user
environments) and include agency-wide security program planning and management, control over data
center operations, and system software acquisition and maintenance. Application controls should be
designed to ensure that transactions are properly authorized and processed accurately and that the data
is valid and complete. Controls should be established at an application's interfaces to verify inputs and
outputs, such as edit checks. General and application controls over information systems are interrelated;
both are needed to ensure complete and accurate information processing. Because information
technology changes rapidly, controls must also be adjusted to remain effective.
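The following is an added illustration, not part of COMDTINST 5700.10, of how two of the control activities named above look when enforced inside an application: input edit checks at the interface where a transaction is entered, and segregation of duties across the authorize, process and review steps. The account-number format, amount ceiling, user names and role table are all assumptions constructed for the example.

```python
"""Transaction workflow with input edit checks and segregation of duties.

Added illustration; not part of COMDTINST 5700.10. The account-number
format, amount ceiling, user names and role table are assumptions
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"[0-9]{6}")        # assumed: six-digit account numbers
MAX_AMOUNT = Decimal("100000.00")           # assumed: single-transaction ceiling

STEPS = ("authorize", "process", "review")  # the three duties the text separates
REQUIRED_ROLE = {"authorize": "authorizer", "process": "processor", "review": "reviewer"}

# Assumed role assignments. 'dave' holds two roles to show that a role check
# alone does not enforce segregation of duties on a single transaction.
ROLES = {
    "alice": {"authorizer"},
    "bob": {"processor"},
    "carol": {"reviewer"},
    "dave": {"authorizer", "processor"},
}


class ControlViolation(Exception):
    """Raised when an edit check or a workflow control rejects an action."""


def edit_check(raw: dict) -> dict:
    """Input-interface edit checks: required fields present, account matches
    the expected format, amount is a well-formed positive decimal within the
    ceiling with at most two decimal places. Returns the validated record."""
    missing = [f for f in ("account", "amount", "description") if not raw.get(f)]
    if missing:
        raise ControlViolation("missing field(s): " + ", ".join(missing))
    account = str(raw["account"]).strip()
    if not ACCOUNT_RE.fullmatch(account):
        raise ControlViolation(f"account '{account}' does not match 6-digit format")
    try:
        amount = Decimal(str(raw["amount"]).strip())
    except InvalidOperation:
        raise ControlViolation(f"amount '{raw['amount']}' is not a valid decimal")
    if not amount.is_finite() or amount <= 0:
        raise ControlViolation("amount must be a positive finite number")
    if amount > MAX_AMOUNT:
        raise ControlViolation(f"amount {amount} exceeds ceiling {MAX_AMOUNT}")
    if amount.as_tuple().exponent < -2:
        raise ControlViolation("amount has more than two decimal places")
    return {"account": account, "amount": amount, "description": str(raw["description"]).strip()}


@dataclass
class Transaction:
    data: dict
    actions: dict = field(default_factory=dict)   # step -> user who performed it
    log: list = field(default_factory=list)       # audit trail of accepted actions


def perform(txn: Transaction, step: str, user: str) -> Transaction:
    """Apply one workflow step, enforcing step order, the required role, and
    segregation of duties (no one person performs two steps on one transaction)."""
    idx = STEPS.index(step)
    if step in txn.actions:
        raise ControlViolation(f"{step} already performed by {txn.actions[step]}")
    if idx > 0 and STEPS[idx - 1] not in txn.actions:
        raise ControlViolation(f"{step} attempted before {STEPS[idx - 1]}")
    if REQUIRED_ROLE[step] not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} lacks the {REQUIRED_ROLE[step]} role required for {step}")
    for done_step, done_user in txn.actions.items():
        if done_user == user:
            raise ControlViolation(f"segregation of duties: {user} already performed {done_step}")
    txn.actions[step] = user
    txn.log.append(f"{step}:{user}")
    return txn


def run_workflow(raw: dict, assignments: dict) -> tuple:
    """Run one transaction through the edit checks and all three steps.
    Returns (accepted, reason, audit_log); the log shows how far it got."""
    log: list = []
    try:
        txn = Transaction(edit_check(raw))
        log = txn.log
        for step in STEPS:
            perform(txn, step, assignments[step])
    except ControlViolation as exc:
        return False, str(exc), log
    return True, "accepted", txn.log


if __name__ == "__main__":
    # Constructed sample input and step assignments.
    good = {"account": "123456", "amount": "250.00", "description": "Office supplies"}
    normal = {"authorize": "alice", "process": "bob", "review": "carol"}
    print(run_workflow(good, normal))
    print(run_workflow({**good, "account": "12AB56"}, normal))
    print(run_workflow({**good, "amount": "-5"}, normal))
    print(run_workflow(good, {"authorize": "dave", "process": "dave", "review": "carol"}))
```

The role check and the segregation-of-duties check are deliberately separate: a user granted both the authorizer and processor roles still may not perform both steps on the same transaction, which is the property the text's definition of segregation of duties requires. The audit log records each accepted step and its actor, which is the documentation the reviewer needs.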
D. Information and Communications
Information should be communicated to relevant personnel at all levels within an organization. The
information should be relevant, reliable, and timely. It is also crucial that an agency communicate with
outside organizations, whether providing information or receiving it. Examples include: receiving
updated guidance from central oversight agencies; management communicating requirements to the
operational staff; and operational staff communicating with the information systems staff to modify
application software to extract data requested in the guidance.
E. Monitoring
Monitoring the effectiveness of internal control should occur in the normal course of business. In
addition, periodic reviews, reconciliations or comparisons of data should be included as part of the
regular assigned duties of personnel. Periodic assessments should be integrated into management's
continuous monitoring of internal control, which should be ingrained in the agency's operations. An
effective continuous monitoring program can level out the resources needed to maintain effective
internal controls throughout the year.
Deficiencies found in internal control should be reported to the appropriate personnel and management
responsible for that area. Deficiencies identified, whether through internal review or by an external
audit, should be evaluated and corrected. A systematic process should be in place for addressing
deficiencies.