Conducting Management Control Reviews

290 FW 3
FWM Number
Originating Office: Branch of Risk Management

3.1 What is the purpose of this chapter? This chapter provides specific information on planning and conducting a management control review (MCR). This information is supplemented by annual guidelines on the management control program. The Service Management Control Coordinator (MCC) is available to provide training to offices. 290 FW 2 describes the types of management control reviews (comprehensive, alternative, Departmental Functional Review, and automated assessment).

3.2 How do offices prepare for a management control review? Carefully plan your MCR so that you may gain managerial support and achieve the objectives of the review. The following apply in different ways, depending on the type of review.

A. Coordinate Review Activities. Headquarters and Regional Offices should coordinate review activities, such as deciding team members and review sites, and the timing of site visits, to make sure that the review is conducted efficiently. Pre-test draft data-gathering documents and share proposed findings and corrective actions for advance review and comment.

B. Select a Review Team. Choose a review team and team leader with good analytical skills. Teams usually consist of Headquarters and Regional employees. Ideally, one team member should be from another program office and at least one team member must be knowledgeable about the program under review. The number of reviewers depends on the complexity and scope of the review. Only one reviewer may be necessary for automated assessments and some Departmental Functional Reviews.

C. Examine the Component. Review authorizing legislation, implementing regulations, policies and procedures, planning and budget documents, organization charts, and audit reports that are applicable to the component.

D. Review the Management Control Standards. Review the management control standards to arrive at a preliminary opinion about the effectiveness of management controls in a component.

3.3 How do reviewers document a management control system? The primary purpose of a management control system is to identify component risks and the controls in place to eliminate or reduce risks to an acceptable level. Reviewers use the management control system to identify areas for review. The following steps may be accomplished in an order different from the one shown below; it is usually helpful to begin by identifying event cycles. The Service MCC can provide formats to use in documenting the management control system and rating risks.

A. Identify Event Cycles. Divide the component into event cycles (program segments). An event cycle means a series of steps that make up a separate process or activity within a component.

B. Identify and Rate Risks. Identify the potential risks within those cycles. Assess and record the impact each risk presents; that is, the probability of its occurrence and the severity of its consequences. Assign a rating (High, Medium, or Low) to each risk.

C. Describe Control Objectives. Describe the objectives of the controls listed in subparagraph D below. These objectives should also correspond to the risks identified for the event cycle. Risks without controls and/or control objectives indicate a potential for control weaknesses.

D. Describe Controls. List the techniques, management processes, and documents necessary to achieve control objectives or to reduce the risk of unwanted occurrences to acceptable levels within an event cycle. Examples of controls include laws, regulations, program guidance, passwords, written delegations, and segregating sensitive duties among several individuals.

3.4 How do reviewers decide on the scope of the review? Review the risks and risk ratings in the management control system. Depending on the type of review, the controls that correspond to all or some of the highest risks are usually tested, plus any other controls that the reviewers decide to test.

3.5 How do reviewers develop a review plan? A review plan is usually completed for a comprehensive MCR or other review for which the data collection instrument is developed by the Service. Select the risks to be covered; decide on the controls to be tested, testing methods, and the sample number of records for each control to be tested. Determine organizations and locations for the review. Consider available resources and time frames for each review task. The purpose of your review is to learn whether or not controls are in place and working; whether or not controls need to be improved; and whether or not new controls need to be added.

A. Select Controls to Test. If you do not plan to test all controls, you should choose those controls that contribute most to achieving the control objectives.

B. Select Test Methods. You may combine one or more of the following usual testing methods. Reviewers are encouraged to supplement interviews with other methods, such as document analysis.

(1) Document analysis involves a review of existing records, completed forms, or other written materials.

(2) Transaction testing involves entering and processing transaction data through the system or by tracing transactions already in the system. This method is particularly useful for evaluating processes in automated systems.

(3) Observation calls for being present during performance of any particular control. This method can often be used when you want to test how the controls work from start to finish. The reviewer observes while personnel carry out steps in the process, and records what steps were taken by whom and which controls were used.

(4) Interviews are conducted to obtain information from people who perform the control.

C. Select a Sample Number of Records for Each Control. It is not practical to test all records; therefore, select representative samples to test. Choose samples extensive enough to make sure that findings do not happen by chance and that primary conditions are covered. For example, a review team may decide to test records for more than 1 year of program operations to obtain information about how the program operates over time, or test records that reflect different ways that a program is carried out. Decrease your testing efforts when controls have worked well in the past, insignificant risks are involved, the controls are routine, and no system changes have occurred. Increase your sample when only a small error is acceptable and an important resource is covered.

D. Determine Organizations and Locations to Test. Conduct tests at the principal organizational levels carrying out the program. For a review of a national (Servicewide) program, usually include Headquarters, and choose a representative sample of Regions (for example, two or three) and selected field offices. Unless required by the Department, onsite visits to each location executing the program are not expected.

3.6 What types of data collection methods can be used? Accurate and detailed records of your test results are an important part of the review process. Data collection methods include: observation logs (what, who, when); frequency tabulations (what, how often); work distribution matrixes (records separation of duties); checklists; interview guides; and questionnaires.

3.7 How are reviews conducted? As you conduct the review, follow your review plan unless you need to revise the scope or size of the review based on your initial sampling.

A. Try to keep variance from the review plan to a minimum.

B. Use two or more persons to conduct tests of significant controls.

C. Keep a testing document checklist, for example:

(1) Who - list the persons conducting the test, persons observed, persons interviewed.

(2) What - describe the items tested and record test results. Describe any informal controls.

(3) When and where - write down test dates and locations.

D. Retain copies of documents or other physical evidence in the file with the review report. If this is not possible, record the location of the supporting documentation.

3.8 How do reviewers identify control weaknesses?

A. Identifying Control Weaknesses. One way to identify control deficiencies is to ask:

(1) Do controls exist? If not, record the absence of controls as a weakness.

(2) If controls exist, are they adequate? If not, record the inadequacy as a weakness.

(3) If controls exist and are satisfactory, are the controls being followed? If not, record the lack of compliance as a weakness.

B. Types of Control Weaknesses.

(1) Minor Nonmaterial weaknesses can be corrected on the spot. Do not include in your report.

(2) Significant Nonmaterial weaknesses require more than on-the-spot correction. Include in your report.

(3) Material weaknesses are critical to the component and are reported outside the Department if the Management Control and Audit Follow-up Council agrees with the designation. Consider the criteria for reporting a material weakness. Whether or not to report a material weakness is normally decided one management level at a time.

(4) Accounting nonconformance is a result of a failure of a financial system to produce accurate data. Include the information in your report.

3.9 How do reviewers develop corrective actions? When a control weakness is found, Responsible Officials must decide on corrective actions that introduce new controls or improve existing controls. Consider cost versus benefit. Eliminating a weakness may be cost-prohibitive, impractical, or not within the Service's control. Obtain input from each manager responsible for completing the proposed corrective actions and completion dates. Identify realistic dates for the completion of the corrective action.

3.10 What information is included in a review report? Before writing your report, you are encouraged to consult with the Service MCC about any required formats. In general, the review report is normally a summary report with a cover memorandum that describes the review and results, and an attachment that identifies control weaknesses and planned corrective actions, if any. See 290 FW 2 for additional information.