SECNAVINST 5200 - Navy Issuances

More documents

Recommendations

Info

SECNAV M-5200.35JUNE 2008The following tools may assist in preparing your risk assessment documentation:1. Process Narrative and Process Flowchart Examples2. Risk Type and Level Matrix3. Risk Assessment TableProcess Narrative andProcess FlowchartExamplesPreparing processnarratives and processflowcharts that describeand illustrate the major andessential operations canassist in identifying risksand control deficiencies.Process narratives arewritten descriptions of theflow charts, explainingwhat actions are beingtaken in each step. Theprocess flowchart( Example 2) shouldcomplement the processnarrative and summarizethe significant steps inmajor and essentialoperations.General (before Wednesday)Wednesday (before theend of the pay period)Thursday and Friday (beforethe end of the pay period)Monday (after the closeof the pay period)FMO (Office of Financial OperationsT&A System (Time and Attendance System)Example 2: Process FlowchartFMO Time and Attendance ProcessFMO Employee FMO Supervisors Deputy Director, FMO TimekeeperMaintain personalleave recordRoute leaverequest throughsupervisorsSupervisors routetimesheets to DeputyDirectorReceive and submitemployee leaverequests toTimekeeperAdditionally, the method(s)of communication used to share the status of stepsthroughout the process can be documented.KeyApprovesupervisors'timesheetsDeputy Directorreceives leaverecords for closingpay period for review,verification andapprovalDocumentProcessConnectorTimekeeperreceives alltimesheets andapproved leaverequestsTimekeeperenters datainto T&AsystemFMO employeereviews his/hertime account withtimekeeper andsigns/dates toverify theinformation isaccurate.Timekeeper makesfinal adjustmentsto time accountsas neededManual InputStored DataTerminatorThe flowchart will identify key processes and their related control activities such as,control over information processing, physical control over vulnerable assets,segregation of duties, and accurate and timely recording of transactions and events.These flowcharts can then be linked to the required risk assessment documentation.Risk Type and Level MatrixRisk can be assessed through three levels: inherent, control, and combined as shown inTable 3 on the next page.12
SECNAV M-5200.35JUNE 2008Table 3: Risk Type and Level TableRisk Low Moderate HighInherentControlCombinedHazard or misstatementdoes not have severeconsequences and isunlikely to occur.Controls will prevent ordetect any hazard oraggregate misstatementsthat could occur in theassertion in excess ofdesign materiality.Any hazard or aggregatemisstatements in theassertion do not exceeddesign materiality.Hazard or misstatementhas severe consequencesor is likely to occur.Controls will more likelythan not prevent or detectany hazard or aggregatemisstatements that couldoccur in the assertion inexcess of designmateriality.More likely than not, anyhazard or aggregatemisstatements in theassertion do not exceeddesign materiality.Hazard or misstatementhas severe consequencesand is likely to occur.Controls will unlikelyprevent or detect anyhazard or aggregatemisstatements that couldoccur in the assertion inexcess of designmateriality.More unlikely than likely,any hazard or aggregatemisstatements in theassertion do not exceeddesign materiality.Risk Assessment TableSome form of a risk assessment table will be necessary to document the riskassessment required by SECNAV Instruction 5200.35E. The numbers in the columnsof the Risk Assessment Table (Example 3) correlate to the following instructions:(1) Document the risk/control point (i.e. number) from the process flow chart.(2) Identify the risk. (The approach to this process of identifying risks is toenvision what could go wrong. What problems could arise that might hinderthe objective?)(3) Identify the level of Inherent Risk as High, Moderate, or Low. If inherent riskis determined to be “High”, stronger or more extensive controls to prevent ordetect misstatements may be needed than if inherent risk is “Low.”(4) Identify the level of Control Risk as High, Moderate, or Low. If control risk isdetermined to be “High” (i.e. controls have not been implemented or are noteffective in either design or operation), there is no need to test the controls forthat risk. Corrective action plans to address internal controls should bedeveloped to mitigate the risk.(5) Identify the level of Combined Risk as High, Moderate, or Low.(6) Document the control currently being used by the organization to mitigate therisk described in (1) above.13
Page 1: THE SECRETARY OF THE NAVYTHE SECRET
Page 4 and 5: THE ASSISTANT SECRETARY OF THE NAVY
Page 6 and 7: SECNAV M-5200.35JUNE 2008Example 1:
Page 8 and 9: SECNAV M-5200.35JUNE 2008narratives
Page 10 and 11: SECNAV M-5200.35JUNE 2008Senior Ass
Page 12 and 13: SECNAV M-5200.35JUNE 2008MIC Progra
Page 18 and 19: SECNAV M-5200.35JUNE 2008The exampl
Page 24 and 25: SECNAV M-5200.35JUNE 2008Threat to
Page 26 and 27: SECNAV M-5200.35JUNE 2008phases of
Page 28 and 29: SECNAV M-5200.35JUNE 2008memorandum
Page 30 and 31: SECNAV M-5200.35JUNE 2008Tab A: Acc
Page 32 and 33: SECNAV M-5200.35JUNE 2008Tab B-2: U
Page 34 and 35: SECNAV M-5200.35JUNE 2008• Do not
Page 36 and 37: SECNAV M-5200.35JUNE 2008Tab B-3: C
Page 38 and 39: SECNAV M-5200.35JUNE 2008Example 10
Page 40 and 41: SECNAV M-5200.35JUNE 2008Objectives
Page 42 and 43: SECNAV M-5200.35JUNE 2008The next t
Page 44 and 45: SECNAV M-5200.35JUNE 2008Table of R
Page 46: SECNAV M-5200.35JUNE 2008021703 - A

SECNAVINST 5200 - Navy Issuances

Create successful ePaper yourself

Delete template?

Save as template?