The NOAA policy for conducting management control reviews is based on many statutes and executive documents, some of which are listed here (additional documents are listed in Regulations/Directives):
Management controls are used daily by managers and employees to accomplish the identified objectives of an organization. Simply put, management controls are the operational methods that enable work to proceed as expected. Most controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities. For example:
- A manager's review of purchases prior to approval prevents inappropriate expenditures of office funds.
- A computer program which asks for a password prevents unauthorized access to information.
Detective controls are designed to identify an error or irregularity after it has occurred. Examples include the following:
- An exception report that detects and lists incorrect or incomplete transactions.
- A manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.
Often, management controls are documented in terms of policies and procedures. However, sometimes as an organization undergoes structural and functional changes, people within the organization create or adopt ways of ensuring that work proceeds normally. Many times, these methods (controls) are not documented. The purpose of a Management Control Review (MCR) is to evaluate the entire system of management controls to help your unit operate more efficiently and effectively, and to provide a reasonable level of assurance that the process and products for which you are responsible are adequately protected.
An MCR provides a variety of benefits which promote sound management, including the following:
- Ensuring that administrative, financial, and programmatic risks have been adequately addressed.
- Eliminating excessive controls that may have accumulated over the years, allowing for more efficient operations.
- Increasing confidence that responsibilities are being carried out according to plan.
NOAA prescribes that the following management control review process be used to conduct an MCR that adheres to the General Accounting Office standards for management controls. This link provides a listing of the tasks and estimated accomplishment times. These tasks are discussed in detail in the following section.
Analysis of the General Control Environment
The general control environment is the context in which selected processes occur. It is difficult, if not impossible, to overestimate the importance of context when interpreting a spoken statement. The same is true when it comes to processes. Processes should not be analyzed apart from the environment in which they take place. For example, poor training or a lack of adequate delegation of authority may negate the effectiveness of even the best control system. Therefore, an MCR begins with an analysis of the general control environment.
Description of Functional Area
A functional statement describing the unit's organizational responsibilities should be provided. This document may be already in existence in the NOAA Organizational Handbook or in some other internal document. If a functional statement does not already exist, then one must be created for MCR purposes.
GAO General Management Control Standards
The general control environment should be assessed by determining the degree to which General Accounting Office (GAO) standards for management controls are incorporated into the strategies, plans, guidance, and procedures that govern programs and operations. The following general standards must be addressed:
- Compliance With Law - Do all program operations, obligations, and costs comply with applicable law and regulation? Are resources efficiently and effectively allocated for duly authorized purposes?
- Reasonable Assurance and Safeguards - Do management controls provide reasonable assurance that assets are safeguarded against waste, loss, and misappropriation? Are management controls logical, applicable, reasonably complete, effective, and efficient in accomplishing management objectives?
- Integrity, Competence, and Attitude - Is personal integrity encouraged among managers and employees? Are all personnel obligated to support agency ethics programs? What efforts are made to maintain a level of competence that allows employees to accomplish their assigned duties? Is there effective communication within and between offices?
GAO Specific Management Control Standards
In addition to the general standards, the following specific control standards must be addressed:
- Delegation of Authority & Organization - How has management ensured that appropriate authority, responsibility, and accountability are defined and delegated to accomplish the mission of the organization? Is an appropriate organizational structure in place to effectively carry out program responsibilities? To what extent are controls and related decision making authority in the hands of line managers and staff?
- Separation of Duties & Supervision - Are key duties and responsibilities in authorizing, processing, recording, and reviewing official agency transactions separated among individuals? Is there appropriate managerial oversight to ensure that individuals do not exceed or abuse their assigned authorities?
- Access to and Accountability for Resources - What measures are in place to limit access to resources and records to authorized individuals? How is accountability for the custody and use of resources assigned and maintained?
- Recording and Documentation - Are transactions promptly recorded, properly classified, and accounted for in order to prepare timely and reliable reports? The documentation for transactions, management controls, and other significant events must be clear and readily available for examination.
- Resolution of Audit Findings and Other Deficiencies - What is management's response to known deficiencies, reported audit and other findings, and related recommendations? Are corrective actions completed within established time frames?
Determination of Risks
Control systems are developed in response to risks that exist within the processes being reviewed. All administrative and program areas have some degree of risk. Risks are negative events or situations that would occur if all or part of the selected process were not carried out as planned. Determining the risks that exist within the processes being reviewed is one of the most important phases of the MCR.