Version 3.

0
12/3/08

FY 2009
Management Control Review Guidance

Page 1 of 25

Version 3.0
12/3/08
Management Control Review Guidance

Introduction
The purpose of a Management Control Review is to evaluate the management controls of a specific
activity and determine how well they promote good management. Additionally, the reviews will
help your office operate more efficiently and effectively, and to provide a reasonable level of
assurance that the process and products for which you are responsible are adequately protected.
Internal controls are processes designed to provide reasonable assurance about the achievement of
the entitys objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations, and compliance with applicable laws and regulations. Internal control over the
safeguarding of assets against unauthorized acquisition, use, or disposition may include controls
related to financial reporting and operations objectives. Generally, controls that are relevant to an
audit of financial statements are those that pertain to the entitys objective of reliable financial
reporting.
The steps Management Control Review consists of: 1) Conducting a Risk Assessment, 2)
Reviewing Internal Controls, 3) Report Findings, and 4) Monitoring.

1) Conducting a Risk Assessment

The purpose of a risk assessment is to determine an area of vulnerability that could be subject to
waste, loss, unauthorized use, or misappropriation.

Conduct a risk assessment to determine an area of concern within your office that has a high
risk of inadequate controls. (Use Attachment A for format.)

Explanations for Columns on Risk Assessment Forms:

Assessable Unit - An organizational subdivision capable of being evaluated by control review
procedures. An assessable unit should be a subdivision of an organization that ensures a reasonable
span of internal control to allow for meaningful control analysis.
Identifying the Event Cycle(s) for Review
The assessable unit is the focus of evaluative work in the internal control process. To properly plan
the scope of an internal control review, the review team must understand the activities and
responsibilities of the assessable unit as a whole. This may be accomplished through a review of
mission statements, Department Administrative Orders, Department Organization Orders, briefing
books, and budget justifications; through interviews; or by relying on other sources that describe the
work that takes place within the assessable unit.

Page 2 of 25

Version 3.0
12/3/08
The MCR need not concentrate on all parts of the assessable unit. Consequently, an assessable unit
may be subdivided into smaller functional groupings called event cycles. Each event cycle has a
distinct starting point and ending point, and is cyclical in nature. When combined, event cycles
reflect all work that is performed within the assessable unit. Care should be taken to examine an
entire event cycle rather than portions of it.
It may be helpful to consider the results or end products that an assessable unit is responsible for
achieving and then examining the process used to do so. Particular attention should be given to
programs that have large appropriations, are subject to specific managerial concern, have previously
identified control problems, are inherently high risk, are highly sensitive or visible, or have not been
recently reviewed through an internal control review or otherwise. If event cycles seem to be of
equal importance, the event cycle(s) which affects the greatest level of funding or has the most
important control implications should be reviewed.
Documentation: Attachment B, List of Event Cycles, may be used to identify and prioritize
event cycles for review.
OIG and GAO Reports or Actions These columns indicate recent monitoring activity by the
indicated agencies, going back five years. Monitoring by outside parties reduces the risk that a
significant control weakness may go undetected.
PART Ratings PART assessments are broad-based and may not impact risk assessment
consistently across all assessable units in an evaluated program area. Generally, a Performing
rating indicates a decrease in risk, while a Not Performing rating indicates an increase.
Substantial Management Responsibility Outside NOAA These programs pass significant funding,
and consequently significant management responsibility, through to parties outside the Federal
government. This could increase the risk of a weakness in management controls.
Substantial Change in Recommended Funding Significant increases or decreases in program
funding can put pressures on management, possibly increasing risk.
Substantial Change in Performance Measure A change in a performance measure can place
additional pressures on management, increases the possibility of control weakness.
Overall Results of Risk Assessment This column summarizes the assessment of relative risk for
the listed assessable units.
Documentation: Complete Risk Assessment Template.

Page 3 of 25

Version 3.0
12/3/08
2) Reviewing Internal Controls
In general, an internal control review consists of:

selecting a team to conduct the review,

planning the internal control review,
investigating and reviewing background material,
documenting the event cycle,
analyzing the control environment,
determining risks within the selected event cycle(s),
developing control objectives,
identifying existing control techniques,
testing internal control techniques, and
evaluating internal controls.

Selecting the Internal Control Review Team

The number of team members depends on the scope and complexity of the internal control review.
Team members should have some analytical background, expertise in planning and conducting
studies, and experience in preparing written reports.
Each member should already be or become familiar with the concept of internal controls, and the
requirements of an internal control review. At least one team member should be a subject matter
specialist in the functional area being examined. If possible, for greater objectivity, one member
should be selected from outside the event cycle(s) being examined. To be even more beneficial,
this team member could be a specialist in an administrative area that may be of particular
significance to the area under review, e.g., information technology, budget, accounting, or travel.
Assessable unit managers should select an internal control review team capable of providing a
meaningful assessment in a reasonable time frame.
Documentation: Each team members name, title, organization, address, telephone number and
relevant experience should be listed in an appendix to the internal control review report.

Planning the Internal Control Review

After the internal control review team has determined which event cycle(s) will be reviewed, a plan
for conducting the internal control review should be prepared. In developing the review plan,
realistic time frames should be established.
Documentation: The review plan should provide information similar to Attachment C, Internal
Control Review Plan.

Page 4 of 25

Version 3.0
12/3/08
Investigating and Reviewing Background Material
This section outlines the procedure for defining the process or work flow that constitutes the event
cycle, and sets the stage for the internal control review team to identify controls within that process.
After the event cycle(s) has been selected, team members should familiarize themselves with the
process being examined and the environment in which it exists. This investigation will be more
complete than the relatively general investigation initially undertaken to determine the event cycles
within the assessable unit. The investigation will focus directly on the event cycle(s) selected for
review and should be quite detailed. Examples of documents that should be reviewed at this stage
include:

enabling legislation and implementing regulations;

government-wide and Commerce policy guidance;
operating unit directives;
program-specific operating policies and procedures;
mission statements;
annual and strategic plans;
performance measures, including measures established under the Government Performance and
Results Act;
delegations of authority;
existing flowcharts;
budget, personnel, and workload data;
organizational charts;
forms used in the process;
position descriptions;
vulnerability assessments, management reports, and issue papers; and
other recent studies.

Throughout this review, the focus of attention should be on documenting and evaluating internal
controls that exist within the selected event cycle(s).
The review of background information should be augmented by interviews with relevant
employees, as necessary. Interviews should be conducted to help clarify the process within the
event cycle and to support the information gathered through initial research. Employees who are
directly involved in or responsible for daily operations should be selectively interviewed to assist in
developing a valid flowchart of the process(es).
Interview questions should be developed in advance, and should give the manager or staff member
an opportunity to explain operations and discuss any perceived problems. Questions should cover
the process as well as formal and informal controls that are in place.
Documentation: Narrative description of items reviewed.

Page 5 of 25

Version 3.0
12/3/08
Documenting the Event Cycle(s)
Based on its review of relevant background information, the internal control review team should
then prepare a narrative description of the work that takes place and a flowchart. These documents
will provide a firm basis for a structured examination of controls within the event cycle(s).
Using knowledge gained from the background investigation, the study team should prepare a short
narrative description of each step, in sequence; that occurs within the process under review. The
description of each step may be only a few words; the important aspect of this exercise is to make
sure that each significant phase of the process is identified. Generally, the work flow includes an
input, a processing phase, and an output.
The description should incorporate all work that is performed within the event cycle. The team
should determine the significant action that initiates the process and the action that concludes the
process. After these boundaries have been established, the remaining steps will become more
readily apparent. The description should identify the employees involved, the forms that are used
and their points of distribution, reviews and approvals that take place, the physical location of the
activity, and any similar information that will help clarify the process. Once the narrative
description has been completed, a flowchart may be developed for the process.
After the review team feels comfortable with the flowchart, its accuracy should be verified with
operational managers or other personnel involved in carrying out the work.
Documentation: Narrative description and flowchart. The flowchart should provide information
similar to Attachment D, MCR Flowchart Example.

Analyzing the Control Environment

The environment in which an event cycle operates has a major impact on the effectiveness of its
internal control system. Poor training, ineffective communications, or lack of properly delegated
authority, as examples, may negate the effectiveness of even the best control system. Therefore, an
analysis of the control environment is an important phase of an internal control review.
This portion of the review should consider:

Organization Structure
Personnel
Delegation of Authority and Responsibility
Policies and Procedures
Planning, Budgeting, and Reporting
Organizational Checks and Balances

Complete Attachment E, Evaluation of General Control Environment for template.

Page 6 of 25

Version 3.0
12/3/08
If deficiencies are identified, they should be noted, along with recommendations for improvements,
as part of the overall evaluation of management controls. (See Attachment F, Evaluation of
Management Controls, for a sample template.)
Documentation: Narrative description of the control environment that discusses each of the areas
listed above.

Determining Risks Within the Event Cycle(s)

Determining risks that exist within the event cycle(s) will be one of the most critical phases of the
internal control review; control systems are intended to avoid potential risks.
All administrative and program areas have some degree of risk -- a negative event or situation -that would occur if all or a part of the process under review is not carried out as planned. In this
phase, the internal control review team must determine what risks exist, evaluate the nature and
magnitude of their potential impact, and determine who, both inside and outside of the organization,
could be affected. Each risk identified will describe an event or situation that the organization
wishes to avoid.
Risks should be identified without considering controls that may be in place. Even if the internal
control review team believes that existing controls adequately address a given risk, it should still be
identified and examined. By doing so, the team will objectively confirm the existence of good
management practices within the event cycle and cover all significant risks in the review.
Since each event cycle is different, unique controls are needed to counteract risks that exist within
individual event cycles. Risks that are considered during an internal control review are not only
those related strictly to potential fraud, waste, abuse and mismanagement but also factors that could
impede the proper conduct of normal, daily operations. The internal control team must consider the
risks associated with failing to properly carry out the event cycles operational responsibilities.
Reviews of this nature concentrate on promoting good management practices within event cycles
and collectively improve the Departments overall management processes over time. Therefore,
determining risks means identifying:

the consequence of not performing, as intended, each step of the process identified during the
flowcharting phase; and
any unique risks associated with the event cycle(s), specific safety and security considerations,
or the ramifications of not complying with program legislation or regulatory mandates.

Examples of risks that may occur in an event cycle include:

mishandling sensitive or classified documents, which could have significant security

implications;
inadequate competition during a procurement transaction, which could result in unnecessarily
wasting financial resources;
failure to adhere to budgetary plans, which could result in an Antideficiency Act violation; and

Page 7 of 25

Version 3.0
12/3/08

inaccurate or unreliable research data, which may have a major impact on private sector
activities.

The internal control review team, in conjunction with the assessable unit manager, must make a
realistic determination regarding potential risks within the process under review, and recognize the
associated impact of each risk. By definition, each step that has been included in the flowchart has
some level of importance in the process, and some safeguard(s) should be in place to help assure
that each step is completed as intended.
After the list of risks has been fully developed, it should be reviewed by the assessable unit
manager. The manager should assure that historic or current concerns have been identified.
Documentation: Identification of each risk in a format similar to Attachment G, Event Cycle
Risks, Control Objectives, and Control Techniques.

Developing Control Objectives

Simply stated, control objectives will be the opposite of the risks that have been identified they
are conditions that you want to occur. Control objectives developed in this phase of the internal
control review will be used as a point of reference in identifying and evaluating control techniques.
Therefore, control objectives should be complete, clearly defined, and, to the extent possible,
measurable.
Realistically, event cycles should have a series of control objectives. If only one objective seems to
cover all risks, either the event cycle has been defined too narrowly and does not cover the full
process, or all risks have not been identified. Each identified risk must have a corresponding
control objective.
Documentation: Identification of control objectives for each risk determined. (See Attachment G
as a sample template.)

Identifying Existing Control Techniques

Control techniques are the safeguards put in place to assure that operations proceed according to
plan and are protected from fraud, waste, abuse, and other risks. Effective control techniques allow
the assessable unit manager to feel confident that their responsibilities are being carried out
properly.
Control techniques are the action items in the control process. Each event cycle will likely have
many control techniques, or safeguards, already in place. Because most controls are so closely
associated with an event cycle, managers may have difficulty in conceptually separating the control
techniques from the process itself. Some common examples of control techniques include:

Page 8 of 25

Version 3.0
12/3/08

standardized forms to collect information,

written program procedures,
routine schedules for equipment maintenance,
annual inventories of personal property,
financial planning,
objective criteria for selecting applicants for federal benefits,
log books,
site visits to financial assistance recipients,
approval procedures and signature requirements,
eligibility criteria for program participation,
receipts that document financial transactions,
computer passwords to protect information technology resources,
quality and timeliness standards for service provision,
background checks for personnel recruitment,
adequate supervision of staff activity,
peer review of research proposals,
training programs to maintain skills needed to carry out program objectives,
security precautions in developing sensitive data prior to its formal release, and
examining equipment purchases prior accepting delivery.

When developing control techniques, the internal control review team must address each control
objective that has been identified. Each control objective may have several control techniques
associated with it. The flowchart that was developed earlier will assist the review team in
systematically identifying various control techniques that exist within the event cycle(s).
Documentation: Identification of control techniques to meet the control objectives determined
earlier and avoid the risks identified. (See Attachment G for a sample template.)

Testing Internal Control Techniques

Employees may not be aware of a control technique or its importance, or may not have adequate
time to complete the control action. Without proper support and emphasis by management, control
systems will deteriorate over time. The testing phase of the internal control review will either
confirm that controls are in place and operating as intended, or will point out areas where
improvements may be needed in the control system.
Once existing internal control techniques have been identified, the review team must determine if
they are being used routinely and if they are achieving the stated objectives. The internal control
review team will use a structured testing exercise to make this determination. Testing will focus on
whether the control techniques exist and are being used. It should not focus on the procedural
aspects of event cycle as described in the flowchart; rather, testing should focus on written
requirements and actions that are routinely performed to make sure that operations proceed as
intended.

Page 9 of 25

Version 3.0
12/3/08
As an example, a control technique may be purchase orders may be processed only if they contain
an approved authorizing signature. The review team would examine a representative sample of
purchase orders to determine if they reflect an appropriate authorizing signature. As another
example, a headquarters program may perform semiannual monitoring visits. The internal
control test would be to formally verify if these monitoring visits took place every six months, and
if the visits were consistent with pre-established criteria designed for the review. An internal
control test would not include actually performing the semiannual review at a field location.
Testing may be performed by using one of the general standard sampling methods; statistical or
non-statistical (judgmental). Statistical sampling techniques scientifically determine the sample
size and the evaluation of sample results. A recommended software for statistical sampling is
www.auditnet.org/docs/statsamp.xls. You would then choose Calc Sample Size - Attributes.
Then enter your total population size and use sampling error of 5%, confidence level of 95%, and
expected error rate of 3% for the highest level of confidence that your sample size is appropriate.
Non-statistical sampling techniques determine the sample size and the evaluation of sample results
judgmentally. A judgmental sample size should give you the maximum coverage possible of the
total population. The sample size should include at least 20% of the total dollars or total line items
in the population. In either case, the test must be planned in advance, test results recorded, and test
data maintained for future review. Attachment H, Testing Plan, provides a sample format for
recording information that should be retained for each test.
The exact number of items that must be examined will depend on (a) the universe or total number
of items that the team could potentially test, (b) the importance of the control technique, and (c) the
available resources. Enough testing should be conducted to allow a reasonable degree of
confidence that the results are accurate; and in line with the relative importance of the control
action. If a fairly limited number of tests are performed and the results do not establish whether or
not the technique is being used, an increased level of testing may be warranted. Ultimately, the
amount of testing completed during an internal control review will depend on the study teams
judgment.
If field activity is included in the event cycle, adequate testing of controls in the field must be
accomplished. To the extent possible, this testing should be combined with other trips to field
locations. This may be done by planning ahead to take advantage of previously scheduled visits.
Another option would be to have an employee in the field participate in the internal control review
team and perform the testing at the field site.
Documentation: For each control objective, identify the control technique, type of test, universe of
potential tests, and number actually selected for review in a format similar to Attachment H.
The general objective of testing controls is to obtain reasonable assurance that the controls are in
use and operating as planned. Tests should meet GAO Standards as follows:
(See http://www.gao.gov/special.pubs/ai2131.pdf for complete GAO Standards)

Data Integrity
Documentation

Page 10 of 25

Version 3.0
12/3/08

Recordation
Supervision
Authorization
Separation of Duties
Security

Data Integrity
Are there controls in place to ensure the integrity of the data?
Are records up-to-date and accurate?
Documentation
Are all systems, functions, processes, procedures, programs, and activities clearly
documented?
Is the documentation readily available for examination?
Are operating procedures adequate?
Recordation
Are these records that show that controls are in use?
Supervision
Are appropriate procedures in place for assigning, reviewing, and approving work?
Do the employees adhere to procedures for assigning, reviewing, and approving work?
Authorization
Are appropriate controls in place to ensure transactions and other significant activities are
authorized and executed only by authorized personnel?
Do employees adhere to the requirements of authorization only by authorized personnel?
Separation of Duties
Are key duties and responsibilities such as authorizing, processing, recording, and reviewing
separated among individuals?
Security
Are appropriate procedures in place, which limit access to resources and records to
authorized personnel?
Do employees adhere to security procedures?

Evaluating Internal Controls

After the general control environment has been defined, and existing controls have been identified
and their usage tested, the control system must be evaluated. Even if the general control
environment is satisfactory and existing control techniques are being used, the internal control
review team cannot necessarily conclude that the existing control system is adequate. It must be
evaluated to make sure that the best system possible is in place, given existing resources, to

Page 11 of 25

Version 3.0
12/3/08
counteract existing risks. In other words, the internal control review team must consider how well
the control system fosters good management. Are there too many, or perhaps, too few controls?
The relative importance of each objective should correspond with the controls that are put in place.
If a control objective must be met, the control techniques employed should be developed
accordingly. However, absolute or near absolute assurance is seldom required. Before control
techniques are put in place to bring about absolute assurance that an objective will be met, the costs
and relative benefits must be carefully considered. As control systems approach absolute assurance,
they become quite time consuming and expensive. A manager may have nearly complete
confidence in their control system, but the necessary cost or processing time may be unreasonable.
Controls are intended to make sure that operational plans are met without substantially reducing
efficiency.
The internal control review process should allow the study team to step back and objectively
evaluate the controls that exist within the assessable unit, and to determine if they meet the
managerial needs of the unit. This evaluation should include an assessment of the level of control
associated with each objective and whether the existing control techniques actually promote
compliance with the objective. Are safeguards at the right spots? Do they work or is the action
superfluous?
The review team should evaluate each control objective separately. Will the control techniques
currently in place provide a reasonable level of confidence that the objective will be met? If not,
the review team should recommend additional or different control techniques to improve the control
system and address any identified control weakness. These recommendations should be included in
the final report and, when implemented, will allow the assessable unit manager to feel more
confident that their operational responsibilities will be effectively met.
Documentation: A short description of the evaluation process, which should include: (a) whether
the current control techniques provide an adequate level of confidence that the control objectives
will be met, (b) a list of the major strengths and weaknesses in the control system, and (c) a list of
recommendations to strengthen the control system or correct the weaknesses noted during this
evaluation. (See Attachment F for a suggested format.)

Problems Outside the Control of the Assessable Unit Manager

An internal control review provides a good opportunity to surface control problems that may exist
between the assessable unit and other government operations, i.e., intra-agency or interagency
activity. If another organization is reducing the effectiveness of the event cycles system of control,
this fact should be recognized. An appropriate recommendation should be developed to address the
problem, e.g., formally informing a service provider in writing of a specific concern and proposing
a resolution designed to be to the extent possible mutually agreeable. The assessable unit
manager may not have the authority to alter the other organizations operations, but should be able
to initiate a dialogue to resolve the problem or raise it to a higher organizational level so that some
concrete action will result.

Page 12 of 25

Version 3.0
12/3/08
The recommendation included in the final report should be the action that the assessable unit
manager will take, not simply a description of the change that another organization may need to
make. Since the assessable unit manager is most familiar with the problem, they are in the best
position to describe it, explain the desired corrective measures, and carry their cause through to
fruition.

3) Report Findings
When determining the severity of any findings, you must understand the 2007 definitions for
material weaknesses and reportable conditions.
(See http://www.aicpa.org/download/members/div/auditstd/AU-00325.PDF for complete details.)
The definitions are as follows:
Material Weakness is a significant deficiency, or combination of significant deficiencies, that
results in more than a remote likelihood that a material misstatement of the financial statements will
not be prevented or detected.
Significant Deficiency is a control deficiency, or combination of control deficiencies, that
adversely affects the entitys ability to initiate, authorize, record, process, or report financial data
reliability in accordance with generally accepted accounting principles such that there is more than
a remote likelihood that a misstatement of the entitys financial statements that is more than
inconsequential will not be prevented or detected.
Control Deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis.
The major change in definitions is findings that were once considered a reportable condition, may
now be elevated to a Significant Deficiency or a Material Weakness.

Reporting the Results of an Internal Control Review

The final report is the method used to communicate the findings of the internal control review and
document how it was performed. It should be remembered that the report may be reviewed by
individuals with limited knowledge of the assessable units technical operations and should be
understandable by a broad audience.
Generally, the report should include:

Introduction Identify the report as being the result of an internal control review and provide a
short description of the reviews objective. Also include a description of the assessable unit,
i.e., funding, number of full-time-equivalent employees (FTE), organizational location, and

Page 13 of 25

Version 3.0
12/3/08
functional responsibilities. The report should explain the reason that the assessable unit was
chosen for review within your operating unit, program, or organizational area.

Scope Describe the event cycles existing within the assessable unit, which one(s) was targeted
for review, and the reason for its selection. For each event cycle reviewed, provide the number
of FTE, total budget, input, process, and output associated with it as well as the event cycles
significance to the mission of the organization. Briefly mention other Departmental or
government organizations that may be involved in the process and their roles.

Methodology Briefly describe how the internal control review was conducted, addressing the
various steps outlined in these guidelines and the actions taken during each step. This section
should also describe the resources (FTE and funding) used to undertake the review as well as
any unique problems that may have been encountered.

General Control Environment Include a factual discussion of each aspect of the general
control environment, e.g., the organization chart and position descriptions were updated during
a June 2005 reorganization.

Findings and Conclusions Present the results of the internal control review in this section. The
findings and conclusions should highlight both the control weaknesses and strengths found in
the event cycle(s). In addition, any significant concerns or problems that were identified during
the review should be discussed. In conclusion, the report should include a statement regarding
whether there is reasonable assurance that controls are in place and operating effectively
within the event cycle(s).

Recommendations Describe all deficiencies and associated corrective actions that are
recommended by the internal control review team and assessable unit manager. Each
recommendation should be discussed individually, identifying the official responsible for
implementation and the targeted completion date. Recommendations may be referenced in the
narrative and discussed at length using a format similar to Attachment F.
Recommendations such as improve monitoring ongoing lack specificity and are not
adequate. Recommendations should be concise, clearly described, and have a definite
completion date, such as issue new procedures to improve loan monitoring by July 2007.

Appendices should include:

o information regarding the internal control review team members,
o the flow chart and narrative description of the event cycle, and
o documentation of the steps taken using matrices such as those attached to these guidelines.

Documentation: Internal control review final report. The MCR final report becomes part of
NOAAs annual FMFIA report to the Secretary of Commerce. The MCR must be completed by
June 30 with a final report completed by July 31 of each year.

Page 14 of 25

Version 3.0
12/3/08
Submitting the Management Control Review Report
Internal control review reports should be reviewed and approved by the assessable unit manager,
and forwarded for review and concurrence by the program or Line Office, Chief Financial Officer
or the Staff Office, Director. The assessable unit manager shall maintain working papers that
support the findings and recommendations made in the report, e.g., interview records and testing
records.
The original signed final version of the MCR is to be sent to the Financial Policy and Compliance
Division no later than July 31. This should be sent to the attention of Nancy M. Gates, Chief,
Financial Policy and Compliance Division, 20200 Century Blvd., Suite 1310, Germantown, MD
20874. Additionally, a copy of the signed report is to be sent to the Line Office, Chief Financial
Officer or the Staff Office, Director.

4) Monitoring

Resolution of Review Findings and Other Deficiencies

Quarterly reporting of the progress of the corrective actions.

Resolution of Review Findings and Other Deficiencies All Line/Staff Offices must develop
corrective actions plans using Attachment I, Corrective Action Template, for any finding and
deficiencies and submit to the Financial Policy and Compliance Division with the report.
Quarterly Reporting of Corrective Actions Quarterly progress reports for all corrective action
plans are due to the Financial Policy and Compliance Division by the 15th day following the end of
a quarter. Corrective action plans must be completed by June 30 of the following year.

References
This NOAA Management Control Review Guidance is based on many statues and executive
documents some of which are listed below:

Federal Managers Financial Integrity Act (FMFIA) of 1982 (31 U.S.C. 3512)
OMB Circular A-123, Managements Responsibility for Internal Control
GAO Standards for Internal Controls in the Federal Government
Chief Financial Officers Act (P.L. 101-576)
Government Performance and Results Act (GPRA) (P.L. 103-62)
Department of Commerce Guidelines for Conducting Non-Financial Internal Control
Reviews

Page 15 of 25

Version 3.0
12/3/08

Attachment A
Risk Assessment

(See separate Excel file for risk assessment format)

Page 16 of 25

Version 3.0

12/3/08
Attachment B
Internal Control Review
List of Event Cycles

Component/Program:

_________________________________________

Assessable Unit:

_________________________________________

Scheduled for
Review

Event Cycle

Prepared by:

____________________________________________________

Date: ________________

Reviewed by:

____________________________________________________

Date: ________________

Page 17 of 25

Comment /
Rationale

Version 3.0

12/3/08
Attachment C
Internal Control Review Plan

1.
2.

3.
4.
5.
6.
7.
8.
9.

Component/Program:

_________________________________________

Assessable Unit:

_________________________________________

Event Cycle:

_________________________________________

Task
Investigation / Review of Background Material
Documentation of Event Cycle
a. Narrative
b. Flowchart
Analysis of General Control Environment
Determine Risks
Develop Control Objectives
Determine Control Techniques
Test Control Techniques
Evaluate Internal Controls
Write Report

Estimated Time

Start Date

Prepared by:

____________________________________________________
Internal Control Review Team Leader

Date: ________________

Reviewed by:

____________________________________________________
Assessable Unit Manager

Date: ________________

Page 18 of 25

End Date

Version 3.0
12/3/08
Attachment D
MCR Flowchart Example

Start

National Weather
Service
Headquarters

Consolidated
Purchase Order

Logistics System

Vendor

NLSC RECEIVING

RECEIVING TICKET
Purchase Order

NRC
QUALITY
CONTROL

NO

Does item meet

quality control
specifications?

YES

Return to
vendor

Consolidated
Logistics
System

NLSC
Warehouse

Page 19 of 25

Update
Commerce
Business System
(CBS)
(Completed
Monthly)

Version 3.0

12/3/08

Attachment E
Internal Control Review
Evaluation of General Control Environment

Question
Organization Structure:
1. Is the organization chart current and are reporting relationships
clear? (Include copy of organization chart.)
2. Are employee responsibilities clearly divided so as to avoid
duplication, overlap, or conflict?
3. Does the organizational structure foster the achievement of the
assessable units objectives?
4. Are mission statements accurate and consistent with the
organizational structure?
Personnel:
5. Are position descriptions in writing, current and consistent with
mission statements?
6. Do all employees have accurate and up-to-date performance
standards?
7. Are there periodic performance reviews and counseling for all
employees?
8. Are there sufficient training opportunities to meet competency
requirements and ensure that the assessable units mission is
achieved?
Delegation of Authority and Responsibility:
9. Are all appropriate delegations current, in writing and
systematically maintained in a single location?
10. Do assigned responsibilities properly reflect separation of
duties, e.g., time and attendance clerks do not approve their own
time sheet?

Yes

Page 20 of 25

No

Comments

Version 3.0

12/3/08

Policies and Procedures:

11. Are policies and procedures current and in writing?
12. Are policies and procedures clearly stated and systematically
communicated (manuals, handbooks, directives, etc.)?
13. Are policies and procedures flexible enough to accommodate
unusual circumstances?
Planning, Budgeting, and Reporting:
14. Are activities formally planned?
15. Are reports on the activities of the event cycle timely, accurate
and relevant?
16. Is actual performance tracked and compared with (a) planned
performance, (b) budget allowances, and/or (c) past
performance?
17. Are performance measures in place, as appropriate? Are they
clearly defined? Is adequate documentation supporting results
maintained and readily available?
Organizational Checks and Balances:
18. Are there clearly established levels of operational and financial
accountability?
19. Are employees accountable only for matters within their
control?

Prepared by: ____________________________________________________

Internal Control Review Team Leader

Date: ________________

Reviewed by: ____________________________________________________

Assessable Unit Manager

Date: ________________

Page 21 of 25

Version 3.0

12/3/08
Attachment F
Internal Control Review
Evaluation of Management Controls

Component/Program: _________________________________________
Assessable Unit:

_________________________________________

Event Cycle:

_________________________________________

Control Objective

Are Controls
Adequate?
Yes
No

Recommendation

Responsible Official

Target
Completion Date

Prepared by: ____________________________________________________

Internal Control Review Team Leader

Date: ________________

Reviewed by: ____________________________________________________

Assessable Unit Manager

Date: ________________

Page 22 of 25

Version 3.0

12/3/08
Attachment G
Internal Control Review
Event Cycle Risks, Control Objectives, and Control Techniques

Component/Program: _________________________________________
Assessable Unit:

_________________________________________

Event Cycle:

_________________________________________

Risk

Prepared by:

Control Objective

Control Technique

____________________________________________________
Internal Control Review Team Leader

Date: ________________

Reviewed by: ____________________________________________________

Assessable Unit Manager

Date: ________________

Page 23 of 25

Version 3.0

12/3/08

Attachment H
Internal Control Review
Testing Plan

Component/Program: _________________________________________
Assessable Unit:

_________________________________________

Event Cycle:

_________________________________________

Control Objective

Control Technique

Type of Test

Universe of
Potential Tests

Number Selected
for Review

Prepared by: ____________________________________________________

Internal Control Review Team Leader

Date: ________________

Reviewed by: ____________________________________________________

Assessable Unit Manager

Date: ________________

Page 24 of 25

Version 3.0

12/3/08

Attachment I
Internal Control Review
Corrective Action Template

INTERNAL CONTROL
DEFICIENCY

CORRECTIVE ACTIONS TO BE
TAKEN

RESPONSIBLE
PARTY AND
PHONE
NUMBER

1.

2.

3.

4.
5.

6.

Page 25 of 25

ESTIMATED PERCENTAGE
ACTUAL
COMPLETION
OF
COMPLETION
DATE
COMPLETION
DATE