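US-GAO: The Air Force Can Improve Accountability over Mission-Critical Assets through Enhanced Enterprise Risk Management and Internal Control Assessments
Hello, this is Mitsuhiko Maruyama.
US-GAO (U.S. Government Accountability Office) audited the Air Force and reports that, through Enhanced Enterprise Risk Management and Internal Control Assessments, it could improve accountability over its mission-critical assets (about half of roughly $400 billion in total assets, i.e. roughly $200 billion). It makes 12 recommendations.
The term OMB Circular No. A-123 comes up here; it is a very important document on federal government risk management and internal control, published on 2016.07.15.
Its title is "OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control".
Incidentally, the internal control standards set by GAO are known as the Green Book; it is now provided on the web, and it is publicly available.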
● U.S. Government Accountability Office (GAO) [wikipedia]
・2020.06.18 GAO-20-332 AIR FORCE : Enhanced Enterprise Risk Management and Internal Control Assessments Could Improve Accountability over Mission-Critical Assets
・[PDF] Highlights Page
・[PDF] Full Report
-----
Fast Facts
The Air Force identified more than half of its $398 billion in assets (i.e., aircraft, weapons, vehicles, buildings) as mission-critical in fiscal year 2019. But, for decades, the service has not been accurately tracking and reporting financial information about its mission-critical assets. Without reliable information on this, the Air Force can’t support informed decisions about the condition, cost, or reliability of its assets, or about the need to request more resources.
Our 12 recommendations could help the Air Force strengthen its policies and procedures for overseeing and reporting on its mission-critical assets.
-----
Recommendation:
- The Secretary of the Air Force should develop and implement procedures for an ERM governance structure that includes oversight responsibilities for identifying, assessing, responding to, and reporting on the risks associated with agency material weaknesses from all relevant sources. These procedures should clearly demonstrate that risks associated with material weaknesses are considered by Air Force governance, as a whole, and are mitigated appropriately to achieve goals and objectives.
- The Secretary of the Air Force should develop policies or procedures for assessing internal control to require
(1) clearly delineating who within the Air Force is responsible for evaluating the internal control components and principles, how often they are to perform the evaluation, the level (e.g., entity or transactional) of the evaluation, what objectives are covered in the assessment, to whom to communicate the results if they are relevant to others performing assessments of internal control, and what guidance to follow;
(2) documenting management’s determination of whether each component and principle is designed, implemented, and operating effectively; and
(3) documenting management’s determination of whether components are operating together in an integrated manner.
- The Secretary of the Air Force should develop policies or procedures for assessing internal control to require the use of test plans that
(1) tie back to specific objectives to be achieved as included in the Business Operations Plan;
(2) specify the nature, scope, and timing of procedures to conduct under the OMB Circular No. A-123 assessment process; and
(3) reflect a consideration of prior year self-identified control deficiencies and results of internal and external audits.
- The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to validate
(1) the number of organizational units reporting for its overall internal control assessment;
(2) how control procedures were tested, what results were achieved, and how conclusions were derived from those results; and
(3) whether the results used to compile the current year report are based on current fiscal year’s assessments.
- The Secretary of the Air Force should develop policies or procedures for assessing internal control to require SAF/FM to assess how waivers affect the current year assessment of internal control, the determination of systemic weaknesses, and the compilation of the Air Force’s overall Statement of Assurance.
- The Secretary of the Air Force should require that developers of the policy and related guidance associated with designing the procedures for conducting OMB Circular No. A-123 assessments receive recurring training and are appropriately skilled in conducting internal control assessments and are familiar with Standards for Internal Control in the Federal Government.
- The Secretary of the Air Force should analyze all definitions included in Air Force ERM and internal control assessment policy and related guidance to ensure that all definitions and concepts are defined correctly.
- The Secretary of the Air Force should require SAF/FM to design recurring training for those who will assess internal control that
(1) includes enhancing their skills in evaluating the internal control system and documenting results;
(2) reflects all OMB Circular No. A-123 requirements, such as those related to identifying objectives, evaluating deficiencies, and determining material weaknesses; and
(3) is provided to all who are responsible for performing internal control assessments.
- The Secretary of the Air Force should develop policy or procedures consistent with OMB Circular No. A-123 to assess the system of internal control using a risk-based approach.
- The Secretary of the Air Force should develop procedures to assess internal control over processes related to mission-critical assets, including
(1) tests of design that evaluate whether controls are capable of achieving objectives,
(2) tests of effectiveness only after a favorable assessment of the design of the control, and
(3) a baseline that has accurate descriptions of business processes and identifies key internal controls as designed by management to respond to risks.
- The Secretary of the Air Force should establish a process and reporting lines of all the sources of information, including reviews performed of internal control processes related to mission-critical assets, that will be considered in the Secretary’s Statement of Assurance.
- The Secretary of the Air Force should develop procedures to require coordination between business process leads and the Air Force’s unit managers to ensure that mission-critical asset–related internal control deficiencies are considered in the unit managers’ assessments of internal control and related supporting statements of assurance. These procedures should include how, when, and with what frequency the results from the business process internal control reviews should be provided to relevant organizational units for consideration in their respective assurance statements.
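-----
In short:
1. Secretary of the Air Force: build an ERM structure
2. Secretary of the Air Force: assess internal control
3. Secretary of the Air Force: create procedures for assessing internal control and verify according to a plan
4. Secretary of the Air Force: have the Air Force financial management and comptroller office (SAF/FM) validate the policies and procedures for the assessment
5. Secretary of the Air Force: have SAF/FM assess the effect on the internal control assessment, the determination of weaknesses, and the organization's assessment
6. Secretary of the Air Force: provide training so that OMB No. A-123 assessments can be carried out
7. Secretary of the Air Force: analyze the definitions and the like included in ERM and confirm that they are defined correctly
8. Secretary of the Air Force: train the people who assess internal control
9. Secretary of the Air Force: develop policy and procedures consistent with OMB No. A-123 in order to assess internal control using a risk-based approach
10. Secretary of the Air Force: develop procedures for assessing internal control over processes related to mission-critical assets
11. Secretary of the Air Force: establish reporting lines for internal control related to mission-critical assets
12. Secretary of the Air Force: make sure that internal control deficiencies related to mission-critical assets are reliably considered in the course of the assessments
That is roughly how I read it...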
● [PDF] OMB Circular No. A-123