240 likes | 733 Views
DFAS Operations and Audit Readiness. Pam Leeper AM&C ESS November 8, 2012. Overview. The Tools The Players The SBR Terms The Big Picture Operations Tools FISCAM Known Weaknesses. The Tools. FMFIA Federal Managers’ Financial Integrity Act Internal Controls FFMIA
E N D
DFAS Operations and Audit Readiness Pam Leeper AM&C ESS November 8, 2012 Integrity - Service - Innovation
Overview • The Tools • The Players • The SBR • Terms • The Big Picture • Operations Tools • FISCAM • Known Weaknesses Integrity - Service - Innovation
The Tools • FMFIA • Federal Managers’ Financial Integrity Act • Internal Controls • FFMIA • Federal Financial Management Information Act • System Performance • FISCAM • Federal Information System Controls Audit Manual • System Controls Integrity - Service - Innovation
Audit Readiness Players • DoD • Reporting Entities • Service Providers • DFAS Audit Readiness Teams • Corporate • Site Integrity - Service - Innovation
Statement of Budgetary Resources (SBR) • The SBR is an accounting of the funds available to DoD in a given year, tracking inflows and outflows. • Inflows – budget received from Congress and collections • Outflows – obligations, accruals, and disbursements • Each Reporting Entity is responsible for its own SBR. DoD SBR is a combination of SBRs from Reporting Entities Army GF-SBR WCF-SBR Mil Retirement Fund SBR Corps of Engineers SBR Navy GF-SBR WCF-SBR A/F GF-SBR WCF-SBR SBRs for Defense Agencies (material lines only) Integrity - Service - Innovation
Terminology • Information System/Application • IPA – Independent Public Accountant • OCR – Office of Coordinating Responsibility • SIDR – Self-Identified Deficiency Report • CAP – Corrective Action Plan • POAM – Plan of Action and Milestones • Reporting Entity (User Auditor) • Service Provider (Service Auditor) Integrity - Service - Innovation
Terminology Audit Readiness Participants Reporting Entity – The entity that has engaged a service provider and is working to become audit ready or its financial statements are being audited. Service Provider – The entity (or segment of an entity) that provides services to a reporting entity that are part of the reporting entity’s manual and/or automated processes for financial reporting. User Auditor – The financial statement auditor who issues an opinion report on the financial statements of the reporting entity. Service Auditor – Is retained by the service provider to issue an opinion on controls of the service provider relevant to financial reporting (i.e. SSAE No. 16 audit report). Integrity - Service - Innovation
Terminology • FIAR – Financial Improvement and Audit Readiness • MICP – Management Internal Control Program • Assessable Unit – Multiple Definitions • FIAR • FMFIA • FFMIA • Reporting Entities • DFAS DDO (Deputy Director of Operations) Integrity - Service - Innovation
Terminology • Assertion – I’m ready for audit • Assertion Package • DFAS Assertion (SSAE 16) • SSAE 16 Assessment (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization) • Pre-assertion work • Customer Assertion (non-SSAE 16) • Self Review Integrity - Service - Innovation
Terminology Assessable Units Pre-Assertion Work Self Review Assertion Package Assertion Package (Service Provider) (Reporting Entity) • SSAE 16 Assessment • Multiple Customers • DFAS initiated & Paid • Assertion Package for DFAS • Auditors at DFAS - Yes • DFAS defined AUs (Five) • Civilian Pay • Military Pay • Contract Pay • Disbursing • Financial Reporting • Customer Assertion • Single Customer • Reporting Entity Initiated & Paid • Assertion Package for Reporting Entity • Auditors at DFAS – Maybe • Customer defined AUs • Financial Statement Line Item • Others Integrity - Service - Innovation
Audit Readiness and FISCAM (Operations) Financial Improvement Audit Readiness (FIAR) Management Internal Control Program (MICP) DoD & DFAS Instruction 5010.40 iControl MICP FISCAM DATABASE Database containing FMFIA results Database containing FFMFIA & FISCAM results FFMIA OMB Cir A-127 FISCAM Law requiring that systems produce accurate, reliable, and timely financial management information FMFIA FISCAM OMB Cir A-127 GAO developed guidance for auditing system controls OMB Cir A-123 GAO developed guidance using system controls checklist. Law requiring managers to assess effectiveness of internal controls Operational Metrics, Audit Findings, SIDRs, Implemented CAPs, Lessons Learned Planning Integrity - Service - Innovation Integrity - Service - Innovation 12 Integrity - Service - Innovation
AuR Overview Key Points • The SBR for each Reporting Entity is audited • DFAS is a Service Provider to Reporting Entities • FIAR is the DoD plan to become audit ready • MICP provides the how to become audit ready • “Assessable Unit” can have different meanings • FMFIA, FFMIA and FISCAM are required annually Integrity - Service - Innovation
Three Main Tools FMFIAFFMIAFISCAM Source Cir A-123 Cir A-127 FIAR DFAS Guidance MICP(5010.40) 7900.4-M(BB) MICP(5010.40) Focus Op Controls Sys Performance Sys Controls Oversight & Review ESS/NC I&T I&T & Site AuR Primary Responsible Operations I&T I&T & Ops Testing Standards DFAS M&N 7900.4-M(BB) FISCAM Manual Documentation & Results iControl FISCAM DB FISCAM DB Output SoASoA Mgt Brief Integrity - Service - Innovation
FMFIA • Maps and Narratives • iControl provides more structure • iControl expands scope across DFAS sites • Standard Processes Integrity - Service - Innovation
FFMIA • A new process to DFAS I&T • A large scope for testing • Blue Book = 3000+ elements • Types of Systems • Core Financial System (System of Record) • Mixed System (Feeder System) • Financial Management System (supports both) Integrity - Service - Innovation
FISCAM • Federal Information Systems Control Audit Manual • Issued by GAO • Annual Requirement • DFAS owned systems • Tiers • Operations (OCR) partners with I&T Integrity - Service - Innovation Integrity - Service - Innovation
FISCAM Controls • FISCAM Controls • Critical Elements • Control Activities • Control Techniques • Audit Procedures • General Controls • Entitywide • Examples - Safeguard data and Protect application programs • Effectiveness of general controls a significant factor in determining the effectiveness of application controls. • Application Controls (163) • Operations (Site and ESS) only involved in Application controls • Examples - Input, Processing, Output, Master file, and Interface Integrity - Service - Innovation
FISCAM Reviews – Application Controls • 4.1 Application Level General Controls (AS) • Security management • Access controls • Configuration management • Segregate of Duties • Contingency planning • 4.2 Business Process Controls (BP) • Transaction Data Input • Transaction Data Processing • Transaction Data Output • Master Data Setup and Maintenance • 4.3 Interface Controls (IN) • Interface strategy and design • Interface processing procedures • 4.4 Data Management System Controls (DA) • Implement an effective data management system strategy and design Integrity - Service - Innovation
FISCAM Testing • Design • Inquiry • Observation/Walk-thru • Examination • Re-performance of control activity • Conduct • Document • Evaluate – Effective, Ineffective • Validate • Control Objectives • Completeness • Accuracy • Validity • Confidentiality • Availability Integrity - Service - Innovation
FISCAM Testing • Ineffective • SIDR (Self-Identified Deficiency Report) • CAP (Corrective Action Plan) • POAM (Plan of Action and Milestones) • CAP • Long term • Short term • Compensating Control • POAM • Implement CAP and Retest • If effective, update documentation, to include FMFIA and FFMIA Integrity - Service - Innovation
FISCAM Key Points • FISCAM is an annual requirement • I&T has the lead for FISCAM and partners with Ops • Ops (Site and ESS) involved only in Application Controls • Testing will determine control effectiveness • Ineffective controls require SIDRs and CAPs • Once CAPs are implemented, retesting is required Integrity - Service - Innovation
Known Weaknesses • Access Controls • Segregation of Duties • Universe of Transactions • Interfaces • Reconciliations • Documentation for Transactions (Journal Vouchers (JVs)) • Configuration Management • Memorandums of Understanding (MOU) (beyond Service Level Agreements) Integrity - Service - Innovation