VETS Manual Series, VolumeV
Internal Control Program
Table of Contents
5.1Overview
5.2Internal Controls in VETS
5.3VETS Internal Control Program
5.4The On-site Review Guide
Appendix A:2008 VETS On-site Reviewer’s Guide
1.Background
2.Goal of the On-site Review
3.Assumptions
4.Overview of the Review Process and Roles
5.General Guidance to the Review Team
6.Focal Points of the Review
7.Specific Guidance for the “Control Environment” Review
8.Specific Guidance for the “Control Activities” Review
9.Specific Guidance for the “Information and Communications” Review
10.Specific Guidance for the “Monitoring” Review
11.The Final Report
Appendix B:VETS Major Work Processes, Related Records, and Directives
5.1Overview
VETS is subject to an array of administrative rules and guidelines and the scrutiny of oversight agencies, in addition to the program oversight practiced by the Congress. The internal control program covers all aspects of an agency’s operations (programmatic, financial, and compliance).
The term “internal control” refers to an agency’s array of policies, practices and elements of its operating structure that are intended to:
- prevent, eliminate, or mitigate the risk of fraud, waste, and abuse of resources;
- ensure the effectiveness and efficiency of operations;
- ensure the reliability of program and financial activity reporting; and
- ensure compliance with laws and regulations.
OMB Circular A-123 (see is the primary comprehensive statement of management’s responsibility to maintain appropriate internal controls.
It is expected that an agency will maintain, evaluate, and report on internal control as it relates to all aspects of operations, such as:
- human capital management,
- financial management,
- acquisition and procurement,
- information management and internalcommunications, and
- the provision of services.
All federal agencies are required to maintain, periodically evaluate, and annually report on agency internal control. Each year, The ASVET must send a letter to the Secretary of Labor certifying whether or not the agency’s internal control complies with the prescribed standards, and if they do not, the ASVET must identify and report material weaknesses in any of the operational aspects mentioned above, and the agency’s plans and schedule for correcting the identified weaknesses.
The Government Accountability Office (GAO) maintains the Standards for Internal Control in the Federal Government. That document, found on the GAO web site at provides the context for understanding the concept of internal control in the federal government.
There are five distinct standards for internal control which cover all of the activities of federal agencies: control environment, risk assessment, control activities, information and communications, and monitoring. The GAO has succinctly stated the standard for each:
Control Environment: “Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.”
Risk Assessment: “Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.”
Control Activities: “Internal control activities help ensure that management’s directives are carried out. The control activities should be effective and efficient in accomplishing the agency’s control objectives.”
Information and Communication: “Information should be recorded and communicated to management and others within the agency who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.”
Monitoring: “Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.”
The GAO also developed and maintains a document of approximately 180 pages titled, Internal Control Management and Evaluation Tool. The Tool is divided into five major sections, one for each of the five standards, and each section contains a list of major factors to be considered when reviewing internal control as it relates to the particular standard. The GAO developed the Tool for usage by individual agencies “as is,” or to serve as a prototype for agencies to use in developing their own internal control tool(s). (
5.2Internal Controlsin VETS
Most “internal controls” in VETS are not labeled as such. Control activities exist as routine steps in recurring processes. Some examples of control activitieswithin VETS include:
- The segregation of duties -
The employee and the supervisor have separate and distinct duties in regards to payroll, e.g., entering correct time, certifying time, performing comparisons between leave slips and timesheets;
- Unique variances from routine processes -
A VETS employee on a blanket travel authorization requires a specific trip authorization in order to utilize National Office funding;
- Distinct delegations of authority -
The Grant Officer’s Technical Representative has the authority to approve line item changes up to 5% on competitive grants. Line item changes over 5% require the Grant Officers’ intervention.
Some internal control activities are duties exclusively performed by staff designated as managers or supervisors. But many internal control activities are performed by non-management personnel. In some way or another, all VETS staff members are involved in “internal controls.”
Agency documents such as Veterans Program Letters and Director’s Memoranda routinely set forth internal control activity requirements and processes without labeling them as “internal controls.” Internal controls are embedded in routine operations, ranging from basic administrative processes such as those designed to ensure the accuracy of time and leave records, to more complex operations such as USERRA processes for ensuring the adequacy of issue identification and applicable law prior to closing a “no merit” case, or the process of modifying a grant agreement. Some internal control activities are carried out by staff members, some are programmed into automated systems such as E-Travel or the USERRA Information Management System.
5.3VETS Internal Control Program
To be effective, an internal control program must encourage and protect the free exchange of information about the status of internal controls in the agency. It also should complement rather than duplicate or compete with program assessment operations, personnel appraisal systems, or rule-making processes. An internal control program should not only reduce the risk of waste, fraud, and abuse and mission failure, it should also serve to protect the agency from adverse publicity and damage to its reputation.
To put it most simplistically, the primary goals of the internal control program in VETS are to:
- find deficiencies in current operations through systematic risk assessment and internal communications activities before “outsiders” find them,
- implement appropriate remedial actions as soon as possible, and
- identify potential risks and take reasonable steps to mitigate or eliminate those risks.
The essential parameters and operational components of the VETS internal control program are established under ASVET Memorandum No. 04-06 ( pursuant to the principles, guidelines and Departmental internal control program structure set forth in Secretary’s Order No. 14-06 ( .
A senior management council called the VETS Strategic Assessment Team (VETSAT) provides leadership and direction to the program. Annually the VETSAT convenes to:
- complete a risk assessment process,
- establish appropriate objectives and targets for the agency’s internal control program activities,
- estimate and allocate the resources necessary to carry out those activities,
- establish appropriate elements and standards for personnel responsible for internal control program activities, and
- initiate intra-agency communications regarding the strategic internal control program plan for the coming year.
At last once each quarter the VETSAT is convened, sometimes wholly or in part through teleconferencing rather than in person, to review progress with respect to the annual objectives and to adjust the plan as necessary.
Internal control program activities at the operational levels are led and/or performed by a work group called the Council of Deputies (COD), comprised of the seconds-in-command of the six VETS regions and the three divisions of the National Office (i.e., the Office of Operations and Programs,the Office of Administrative Management and Budget, and the Office of Compliance and Investigations). This group is authorized to conduct various activities designed to attain the objectives set forth in the annual plan.
The COD convenes in person once per year to plan its activities, which may include setting up ad hoc work groups designed and staffed (with VETS staff and/or contracted specialists) to deal with specific internal control objectives from the plan developed and approved by the VETSAT.
The COD fleshes out the strategic plan established by the VETSAT with specific milestones and timetables to create a comprehensive management plan to help ensure achievement of the program objectives. It convenes via teleconference at least once each quarter to discuss progress, vulnerabilities, and new challenges, and to adjust the operational plan as necessary. Quarterly it provides progress reports to the VETSAT, along with advice regarding any new internal control vulnerabilities or challenges that the Strategic Assessment Team should consider.
VETS uses a myriad of tools and approaches to evaluating its internal control situation. One method that the agency has developed to accomplish risk assessments on a regular basis is creation of its own Internal Control Surveys.
The survey data are compiled and analyzed at the appropriate levels to identify vulnerabilities to fraud, waste, and abuse of resources, and evidence of mismanagement or other threats to mission/goal achievement. Findings are reported to the COD and VETSAT, and also are shared internally with field operations management and program management officials for the purpose of planning and implementing actions to correct or improve internal control situations.
VETS also supports internal control on-site review teams to evaluate internal control situations, using a standardized on-site review instrument and review process.
The review instrument features a list of questions derived from the GAO’s Internal Control Evaluation Tool and from the OMB’s Program Assessment Rating Tool (PART). The review team focuses those questions on specific work processes that are identified (i.e., targeted) prior to going on-site. The targeting mechanism may be information gleaned from one of the aforementioned surveys that suggests need for scrutiny, or audit information received from external sources such as the GAO or Office of the Inspector General, or could be simply reflective of the strategic direction set forth in the annual plan.
On-site review teams are comprised of COD members and field staff volunteers with requisite experience and expertise in administrative, financial management, and program operations. On-site review team members in the past have been selected from the ranks of Deputy RAVETs, MSAs, DVETs, VPSs and ADVETs.
An on-site review entails pre-visit compilation of information relevant to how certain work processes are conducted in the target region and which staff are involved in those processes, on-site interviews with key staff from the region, and on-site review and analysis of related program or administrative records to substantiate (or not) interview and pre-visit findings. The on-site time typically is no more than one week, although pre-visit preparation and planning begins eight weeks prior to the actual on-site work.
A secondary goal of the on-site reviews is to identify efficient and effective administrative and/or programmatic practices (aka “best practices”) worthy of emulation throughout the agency.
A key principle of the on-site reviews is that they focus on the presence or absence of internal controls within work processes and the efficacy of those controls and the overall control environment, rather than on the actual decisions made by program or administrative staff involved in the selected work processes.
The purposes of the internal control program are not to second-guess, ex post facto, the quality of decision-making by staff on particular matters, but rather to focus on the adequacy of controls within processes and make determinations as to the need for process improvements, and to assess the efficacy of the control environment and the internal flow of information about the adequacy of internal controls. That distinction is intended to ensure that internal control program activities are not personalized, do not infringe upon routine human resource management or labor-relations activities, and most of all, to encourage full cooperation by all VETS staff in identifying and fixing internal control problems.
The on-site review process is designed to ensure that conclusions regarding internal control deficiencies are identified before the review team leaves the site, so that a comprehensive exit discussion with the Regional Administrator and other key staff results in agreements as to corrective actions that can and should be initiated locally, and those which are agency-wide deficiencies are elevated to the appropriate National Office component for remedial action are immediately identified. All findings are shared with COD and VETSAT members.
The internal control program also has impacts on the agency’s processes for dealing with proposed legislation and /or regulations and new program initiatives. In addition to the typical programmatic and cost analyses to which proposed rules are subjected, the VETSAT will ensure that such items are scrutinized with regard to the risks that the agency would incur should the proposals become part of the statute.
Proposed program initiatives, whether they emanate from legislated requirements, new regulations, or executive determination, will be subjected to a risk management analysis to ensure that such risk areas such as:
- cost/budget
- schedule
- scope/requirements
- communication
- management support
- staffing and resources
- technology
- quality control
- identification of users and customers, and
- security/privacy/safety
are properly considered and risk mitigation measures are established in response to perceived threats.
5.4The On-site Review Guide
Although agency resources generally permit only one formal region-wide on-site review by a Review Team, DVETs and other field staff are encouraged to become familiar with the review methodology,including the questions asked, the documents and records that are scrutinized, and the applicability of the aforementioned five Standards for Internal Control in the Federal Government.
Awareness on the part of DVETs and other staff of how the GAO/OMB standards relate to specific work processes, policies, procedures and the cultural environment in VETS should help to ensure that the agency will measure up well when it comes under the scrutiny of GAO, OMB or other oversight agencies.
VMS Volume V- 1 -Last update 3/27/09
Appendix A:2009 VETS Internal Control On-site Reviewer’s Guide
1. BACKGROUND.
This Guide is intended to help the agency achieve consistently reliable, valid results from its Internal Control Evaluation (ICE) program. The Guide is developed to provide uniform guidance to staff selected to perform on-site internal control reviews at the regional/state/area office levels utilizing the agency’s standard on-site review instrument.
The Guide provides additional information related to each of the questions arrayed under the four Internal Control Standards established by the Government Accounting Office (GAO) and OMB Circular A-123to assist Review Team members in understanding the relationship between the GAO standard and the related aspect(s) of the subject VETS operations. In some cases the Guide may include recommendations for record sampling, staff to be interviewed, and additional probe questions to be asked, etc. The Guide is written to be useful to any VETS’ internal control Review Team, regardless which level of management initiates or leads the review.
2. GOAL OF THE ON-SITE REVIEW.
The primary goals of the internal control on-site review are to identify internal control deficiencies and to implement, or begin the implementation of, appropriate remedies so that the Agency meets the GAO/A-123 standards. A secondary goal is to identify best practices that may be exportable to other VETS regions or operational units.
3. ASSUMPTIONS.
The on-site review is a collaborative process between the Review Team and the staff of the region being reviewed, with the common goals cited above.
It is assumed that there will be considerable variations among regions as to what internal controls exist in program and administrative operations—with certain definite exceptions related to financial controls required by the DOL Office of the Chief Financial Officer (OCFO) and the Office of the Assistant Secretary for Administration and Management (OASAM). Therefore, it is assumed that one of the first functions of the Review Team is to gain a clear understanding of how each of the subject processes being reviewed actually functions in the region being reviewed. The review methodology does not require actual mapping of the processes in regional program and administrative operations, but because regions have considerable flexibility to devise their own internal control activities, it is imperative that the reviewer completely understands the particular regional standard operating procedure (or “process”) before making any judgments as to the adequacy of the internal control environment and control activities embedded in those processes.
It is assumed that the results of the review will be used exclusively for operational improvements. With one possible exception, internal control review findings will not have any impact on personnel evaluations or related personnel management decisions; the exception would be a finding indicative of personal fraud, abuse of position, or other infraction(s) covered by statutes that require follow up by management with regard to that particular set of circumstances.
4. OVERVIEW OF THE REVIEW PROCESS AND ROLES.
(See Chart below for a graphic depiction of the pre-visit timeline and responsibilities described in the following list.)