Download:
pdf |
pdfDOE Internal Controls Program Assessment
Survey Introduction (OMB Control No. 1910-5160 - Expiration Date 8/31/2017)
This survey is a key element in DOE's ongoing Internal Controls Program Assessment project, a joint
effort of the Office of the Chief Financial Officer (CFO) and the National Nuclear Security
Administration (NNSA), supported by Ernst & Young LLP (EY). Questions are designed to capture
information on the current state of processes and tools as the Department looks to make
improvements and meet new Office of Management and Budget (OMB) and Government
Accountability Office (GAO) internal control recommendations.
This data is being collected to identify leading practices and areas for potential training
improvements. The data you supply will be used to help us improve DOE’s internal control program.
Results of this survey are a critical component to the success of this project. We appreciate the time
it takes to gather this information. Ultimately, the higher the participation rate, the better the
information.
With your help, we can improve our processes and tools while we make the necessary adjustments to
meet new recommendations. To encourage candid responses, the survey is anonymous.
We are casting a wide net to gather as much information as possible, so please forward this survey to
others who may have an interest in improving our internal control and risk management processes,
including anyone (Federal employee or contractor) who spends more than 20% of their time on
internal control activities.
Should you have any questions, please contact survey coordinator Tabetha Mueller at(703) 309-3574
or Tabetha.Mueller@ey.com.
The survey includes 40 questions on internal controls, risk management, Enterprise Risk
Management, technology enablement, and general participant information. Most questions have short
answers.
Public reporting burden for this collection of information is estimated to average 20 minutes per
response, including the time for reviewing instructions, searching existing data sources, gathering
and maintaining the data needed, and completing and reviewing the collection of information.
Send comments regarding this burden estimate or any other aspect of this collection of information,
1
including suggestions for reducing this burden, to Office of the Chief Information Officer, Records &
Privacy Management Division, IM-23, Paperwork Reduction Project 1910-5160, U.S. Department of
Energy, 1000 Independence Ave SW, Washington, DC, 20585-1290; and to the Office of Management
and Budget (OMB), OIRA, Paperwork Reduction Project 1910-5160, Washington, DC 20503.
Notwithstanding any other provision of the law, no person is required to respond to, nor shall any
person be subject to a penalty for failure to comply with a collection of information subject to the
requirements of the Paperwork Reduction Act unless that collection of information displays a
currently valid OMB control number.
Submission of this data is entirely voluntary.
Again, we appreciate your time.
2
DOE Internal Controls Program Assessment
Internal Control Questions
In this section, we assess the current state of the internal control function within your organization—
essentially your activities to support the FMFIA assurance statement. OMB Circular A-123 defines
internal control as "the steps an agency takes to provide reasonable assurance that the agency‘s
objectives are achieved through: (1) effective and efficient operations, (2) reliable financial reporting,
and (3) compliance with applicable laws and regulations."
We are interested in hearing about your views with regard to your organization within DOE. For
contractors, this means the DOE organization you are supporting.
1. What is your level of familiarity with internal controls?
I am new to this area
Unfamiliar
Limited familiarity
Familiar
Very familiar
2. What is your level of familiarity with OMB Circular A-123?
I am new to this area
Unfamiliar
Limited familiarity
Familiar
Very familiar
3
3. What is your level of familiarity with the latest version of the Government Accountability Office (GAO)
Standards for Internal Control in the Federal Government or "Green Book" issued in October 2014?
I am new to this area
Unfamiliar
Limited familiarity
Familiar
Very familiar
4. Please rate the maturity level of the internal control function within your organization.
Level 1: Ad hoc (Least mature) - Activities are not well understood by management or staff and not coordinated
Level 2: Managed - Knowledge exists but is driven by external compliance requirements; policies and procedures exist but are
not standardized across the organization
Level 3: Standardized - Organization has established policies and procedures; all units use common definitions and metrics
Level 4: Integrated - Organization has all the attributes of the “standardized” maturity level, and activities are integrated
consistently across the enterprise
Level 5: Optimized (Most mature) - Organization has all attributes of the "integrated" maturity level, and activities are embedded
in how the organization operates; tools and technology are in place to support goals and drive continuous improvement
5. Indicate the extent to which you agree or disagree with the following statement.
Headquarters provides the right level of support and direction for internal control activities.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
6. Indicate the extent to which you agree or disagree with the following question.
My team has the right number of people to support internal control activities.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
4
7. Indicate the extent to which you agree or disagree with the following statement.
My team has the right skills and knowledge to support internal control activities.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
8. Indicate the extent to which you agree or disagree with the following statement.
My team receives the right training to stay up to date with new requirements and maintain our skills and
knowledge.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
9. Please share any relevant comments regarding the internal control function at your organization.
5
DOE Internal Controls Program Assessment
Risk management questions
Risk management includes the full spectrum of identifying, classifying, assessing, and responding to
risks—an integral part of effective internal control. The following questions relate to risk management
activities within your organization.
10. What is your level of familiarity with risk management?
I am new to this area
Unfamiliar
Limited familiarity
Familiar
Very familiar
11. Please rate the level of maturity of the risk management function within your organization.
Level 1: Ad hoc (least mature) - Risk management concepts are not well understood by management or staff and not
coordinated
Level 2: Managed - Knowledge exists but is driven by external compliance requirements; policies and procedures exist but are
not standardized across the organization
Level 3: Standardized - Organization has established policies and procedures; all units use common definitions and metrics
Level 4: Integrated - Organization has all the attributes of the “standardized” maturity level, and activities are integrated
consistently across the enterprise
Level 5: Optimized (most mature) - Organization has all attributes of the "integrated" maturity level, and activities are embedded
in how the organization operates; tools and technology are in place to support goals and drive continuous improvement
6
12. Indicate the extent to which you agree or disagree with the following statement.
Our organization uses a common set of risk identification criteria so that risks can be prioritized and
categorized consistently.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
13. Indicate the extent to which you agree or disagree with the following statement.
Our organization has an effective process for identifying existing and emerging risks.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
14. Indicate the extent to which you agree or disagree with the following statement.
Our organization considers risk management during the strategic planning process.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
7
DOE Internal Controls Program Assessment
Non-financial risks
The following questions relate to non-financial risks. We understand that the Financial Management
Assurance (FMA) tool captures financial risk and control information. In this section, however, we
would like to understand the assessment process for areas outside of financial management as GAO
requires documentation on how risk assessments—including those related to non-financial risks—
are documented and monitored.
15. Indicate the extent to which you agree or disagree with the following statement.
Our organization assesses non-financial risks using impact and likelihood scales.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
Optional comment:
16. Are non-financial risks prioritized?
I don't know
No
Yes
If yes, please explain how non-financial risks are prioritized.
8
17. How do you document non-financial risk assessments? (Please check all that apply.)
I don't know
We do not document the assessment of non-financial risks
Meeting minutes
Spreadsheets
Written memoranda stored as Word or PDF documents
Automated tool (Please describe the name of the tool in the "Other" comment field below)
Other (please describe)
18. Please share any relevant comments regarding the risk management function (for both financial and nonfinancial risks) at your organization.
9
DOE Internal Controls Program Assessment
Enterprise Risk Management questions
Enterprise Risk Management (ERM) encompasses both internal controls and risk management
functions. According to OMB Circular A-11, “ERM is an agency-wide approach to addressing the full
spectrum of the organization’s significant risks by understanding the combined impact of risks as an
interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide,
strategically-aligned portfolio view of organizational challenges that provides better insight about
how to most effectively prioritize and manage risks to mission delivery.” The following questions
relate to the concept of ERM.
19. What is your level of familiarity with Enterprise Risk Management?
I am new to this area
Unfamiliar
Limited familiarity
Familiar
Very familiar
20. Is there a process for escalating risk management or internal control issues to higher levels of
management within your organization?
I don't know
No
Yes
If yes, please describe the process
10
21. Tell us how important it is for your organization to improve in each of the following areas. For each
statement, choose the level of importance on a scale of one to five, with one being not at all important and
five being very important. Provide a description of other areas for improvement in the comment box marked
"Other (please specify)."
1 = Not at all
important
2
3
4
5 = Very important
Better align risk
management to strategy
and objectives
Improve
communications among
key stakeholders
Improve the risk
assessment process
Enhance our ability to
identify emerging risks
Improve the
effectiveness of the
control environment
Improve monitoring of
control activities (e.g.,
continuous monitoring)
Improve overall skills
and knowledge
Leverage technology
more effectively
Other (please specify)
22. Please rate the level of leadership involvement in the internal control and risk management functions
within your organization.
I don't know
Not at all involved
Leadership is involved to a limited extent
Leadership is highly involved
11
23. Indicate the extent to which you agree or disagree with the following statement.
Within my organization, internal control and risk management activities strike an appropriate balance between
meeting compliance requirements and achieving my organization’s mission.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
24. Please rate the level of maturity of Enterprise Risk Management within your organization.
Level 1: Ad hoc (least mature) - Risk management concepts are not well understood by management or staff and not
coordinated
Level 2: Managed - Knowledge exists but is driven by external compliance requirements; policies and procedures exist but are
not standardized across the organization
Level 3: Standardized - Organization has established policies and procedures; all units use common definitions and metrics
Level 4: Integrated - Organization has all the attributes of the “standardized” maturity level, and activities are integrated
consistently across the enterprise
Level 5: Optimized (most mature) - Organization has all attributes of the "integrated" maturity level, and activities are embedded
in how the organization operates; tools and technology are in place to support goals and drive continuous improvement
25. Please share any relevant comments regarding Enterprise Risk Management within your organization.
12
DOE Internal Controls Program Assessment
Technology Enablement
Our current tools (Financial Management Assurance (FMA)/Utility Reporting Tool (URT) and the Entity
Assessment Tool (EAT)/Financial Management Systems (FMS) tool) were built several years ago to
streamline the process for developing the statement of assurance required by the Federal Managers
Financial Integrity Act. Over time, the amount of data and the need for analysis has increased
dramatically, straining the tools’ capabilities. We need to replace the tools soon and want to ensure
the replacement leverages any systems and processes currently in use to the extent possible. The
new tools will also potentially need to fit within larger plans for enterprise risk management. This
area of the survey focuses on current functionality and provides a starting point for gathering
information on future business needs.
26. Which of the following activities do you perform or are you involved with using either the Financial
Management Assurance (FMA) / Utilities Reporting Tool (URT), the Entity Assessment Tool (EAT) or
the Financial Management System (FMS)? (Select all that apply.)
Financial Management Assurance
(FMA)/Utilities Reporting Tool
(URT)
Entity Assessment Tool (EAT)
Financial Management System
(FMS)
Data entry or import
Create reports
Analytics
Generate QA reports
Data validation
Controls monitoring
Impact assessments
Manage local controls
Manage local risk
assessments
Other (use field below to
describe)
Other (please describe)
13
27. Do you generate internal control reports for management within your organization? If so, what type of
information is included? (Select all that apply)
Performance relative to risk metrics
Risk rating or ranking
Significant events
Developing trends
Escalation issues
Early warning indicators
Red flags
Heat maps
Dashboards
I do not generate reports of internal control data
Other (please describe)
28. How are management reports generated or created?
Not applicable
Manually
Through an automated tool
(Please describe automated tool)
29. Do you use other tools or software programs in addition to FMA/URT and EAT/FMS to perform risk
management and internal control activities?
I don't know
No
Yes
If yes, please describe the tool(s) or software program(s)
14
30. If the answer to Question 29 is yes, please identify which of the following activities are enabled through
these tools. (Please select all that apply) If the answer to Question 29 is not yes, please select N/A for this
question.
N/A
Enterprise risk assessments
Policy Management (e.g., distribution and housing of policies and procedures documents)
Contractor assurance
Audit management and reporting
Compliance reporting
Evaluation and testing
Process controls monitoring
Security controls monitoring
Process improvement or automation
Document management
Data analytics and modeling
Dashboards and reporting
Access to third party or external content
Incident or issue management
Other (please specify)
31. Do other people within your organization use tools or software that may potentially be expandable to
support risk management or internal controls activities?
I don't know
No
Yes
If yes, please name or describe the tool(s) or software package(s) if known
32. Indicate the extent to which you agree or disagree with the following statement.
I have the right technology tools to effectively manage and assess risk.
Strongly disagree
Disagree
Neutral
Agree
Strongly agree
15
33. What other functions or processes would you like to see enabled by technology in the future?
Improved reporting
Ability to create dashboards
Analytics
Ease of Use
Alerts
Automated testing capabilities
Workflow management
Other (please describe)
34. Please identify functions of the current tools that you would not want to change.
35. Please share any relevant comments regarding technology tools for risk management and internal
control.
16
DOE Internal Controls Program Assessment
Participant Information
While the survey is anonymous, providing information will help us understand and analyze the data.
36. What is your Departmental Element? (If your organization is not listed, please select "Other" to enter the
information).
37. I am a
Federal employee
Contractor
Other (please specify)
17
38. Please select the attributes of your role. (Select all that apply)
I am part of the leadership for my organization's internal control program
I provide full time support for my organization’s internal control program
I spend between 50% and 99% of my time supporting my organization's internal control program
I spend between 20% and 49% of my time supporting my organization's internal control program
I provide limited support to my organization's internal control program
I participate in testing activities
I participate in risk assessment activities
I participate in quality review activities
I participate in documentation of processes
I develop policies and procedures
I participate in the Entity evaluation process (A-123)
I participate in the FMA evaluation process (A-123 Appendix A)
I participate in the Financial Management Systems evaluation process (A-123 Appendix D)
Other (please describe)
39. Total years of experience with internal controls at DOE:
40. Please share any final comments that will help us improve risk management and internal controls for
DOE.
If you are interested in providing documentation or participating in an interview in person or by phone, please email
Tabetha.Mueller@ey.com.
Tabetha.Mueller@ey.com
18
File Type | application/pdf |
File Title | View Survey |
File Modified | 2015-08-03 |
File Created | 2015-08-03 |