
Pam Leeper AM&C ESS November 8, 2012

DFAS Operations and Audit Readiness. Pam Leeper AM&C ESS November 8, 2012. Overview. The Tools The Players The SBR Terms The Big Picture Operations Tools FISCAM Known Weaknesses. The Tools. FMFIA Federal Managers’ Financial Integrity Act Internal Controls FFMIA


Presentation Transcript


  1. DFAS Operations and Audit Readiness Pam Leeper AM&C ESS November 8, 2012 Integrity - Service - Innovation

  2. Overview • The Tools • The Players • The SBR • Terms • The Big Picture • Operations Tools • FISCAM • Known Weaknesses

  3. The Tools • FMFIA • Federal Managers’ Financial Integrity Act • Internal Controls • FFMIA • Federal Financial Management Information Act • System Performance • FISCAM • Federal Information System Controls Audit Manual • System Controls

  4. Audit Readiness Players • DoD • Reporting Entities • Service Providers • DFAS Audit Readiness Teams • Corporate • Site

  5. Statement of Budgetary Resources (SBR) • The SBR is an accounting of the funds available to DoD in a given year, tracking inflows and outflows. • Inflows – budget received from Congress and collections • Outflows – obligations, accruals, and disbursements • Each Reporting Entity is responsible for its own SBR. • DoD SBR is a combination of SBRs from Reporting Entities: • Army GF-SBR, WCF-SBR • Mil Retirement Fund SBR • Corps of Engineers SBR • Navy GF-SBR, WCF-SBR • A/F GF-SBR, WCF-SBR • SBRs for Defense Agencies (material lines only)

  6. Terminology • Information System/Application • IPA – Independent Public Accountant • OCR – Office of Coordinating Responsibility • SIDR – Self-Identified Deficiency Report • CAP – Corrective Action Plan • POAM – Plan of Action and Milestones • Reporting Entity (User Auditor) • Service Provider (Service Auditor)

  7. Terminology: Audit Readiness Participants • Reporting Entity – The entity that has engaged a service provider and is working to become audit ready, or whose financial statements are being audited. • Service Provider – The entity (or segment of an entity) that provides services to a reporting entity that are part of the reporting entity’s manual and/or automated processes for financial reporting. • User Auditor – The financial statement auditor who issues an opinion report on the financial statements of the reporting entity. • Service Auditor – The auditor retained by the service provider to issue an opinion on controls of the service provider relevant to financial reporting (i.e. SSAE No. 16 audit report).

  8. Terminology • FIAR – Financial Improvement and Audit Readiness • MICP – Management Internal Control Program • Assessable Unit – Multiple Definitions • FIAR • FMFIA • FFMIA • Reporting Entities • DFAS DDO (Deputy Director of Operations)

  9. Terminology • Assertion – I’m ready for audit • Assertion Package • DFAS Assertion (SSAE 16) • SSAE 16 Assessment (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization) • Pre-assertion work • Customer Assertion (non-SSAE 16) • Self Review

  10. Terminology • Assessable Units • Pre-Assertion Work • Self Review • Assertion Package (Service Provider) • SSAE 16 Assessment • Multiple Customers • DFAS initiated & Paid • Assertion Package for DFAS • Auditors at DFAS - Yes • DFAS defined AUs (Five) • Civilian Pay • Military Pay • Contract Pay • Disbursing • Financial Reporting • Assertion Package (Reporting Entity) • Customer Assertion • Single Customer • Reporting Entity Initiated & Paid • Assertion Package for Reporting Entity • Auditors at DFAS – Maybe • Customer defined AUs • Financial Statement Line Item • Others


  12. Audit Readiness and FISCAM (Operations) • Financial Improvement Audit Readiness (FIAR) • Management Internal Control Program (MICP) • DoD & DFAS Instruction 5010.40 • iControl • MICP • FISCAM DATABASE • Database containing FMFIA results • Database containing FFMIA & FISCAM results • FFMIA • OMB Cir A-127 • FISCAM • Law requiring that systems produce accurate, reliable, and timely financial management information • FMFIA • FISCAM • OMB Cir A-127 • GAO developed guidance for auditing system controls • OMB Cir A-123 • GAO developed guidance using system controls checklist. • Law requiring managers to assess effectiveness of internal controls • Operational Metrics, Audit Findings, SIDRs, Implemented CAPs, Lessons Learned • Planning

  13. AuR Overview Key Points • The SBR for each Reporting Entity is audited • DFAS is a Service Provider to Reporting Entities • FIAR is the DoD plan to become audit ready • MICP provides the “how” of becoming audit ready • “Assessable Unit” can have different meanings • FMFIA, FFMIA and FISCAM are required annually

  14. Three Main Tools (values listed in the order FMFIA / FFMIA / FISCAM) • Source: Cir A-123 / Cir A-127 / FIAR • DFAS Guidance: MICP (5010.40) / 7900.4-M (BB) / MICP (5010.40) • Focus: Op Controls / Sys Performance / Sys Controls • Oversight & Review: ESS/NC / I&T / I&T & Site AuR • Primary Responsible: Operations / I&T / I&T & Ops • Testing Standards: DFAS M&N / 7900.4-M (BB) / FISCAM Manual • Documentation & Results: iControl / FISCAM DB / FISCAM DB • Output: SoA / SoA / Mgt Brief

  15. FMFIA • Maps and Narratives • iControl provides more structure • iControl expands scope across DFAS sites • Standard Processes

  16. FFMIA • A new process to DFAS I&T • A large scope for testing • Blue Book = 3000+ elements • Types of Systems • Core Financial System (System of Record) • Mixed System (Feeder System) • Financial Management System (supports both)

  17. FISCAM • Federal Information Systems Control Audit Manual • Issued by GAO • Annual Requirement • DFAS owned systems • Tiers • Operations (OCR) partners with I&T

  18. FISCAM Controls • FISCAM Controls • Critical Elements • Control Activities • Control Techniques • Audit Procedures • General Controls • Entitywide • Examples - Safeguard data and Protect application programs • Effectiveness of general controls a significant factor in determining the effectiveness of application controls. • Application Controls (163) • Operations (Site and ESS) only involved in Application controls • Examples - Input, Processing, Output, Master file, and Interface

  19. FISCAM Reviews – Application Controls • 4.1 Application Level General Controls (AS) • Security management • Access controls • Configuration management • Segregation of Duties • Contingency planning • 4.2 Business Process Controls (BP) • Transaction Data Input • Transaction Data Processing • Transaction Data Output • Master Data Setup and Maintenance • 4.3 Interface Controls (IN) • Interface strategy and design • Interface processing procedures • 4.4 Data Management System Controls (DA) • Implement an effective data management system strategy and design

  20. FISCAM Testing • Design • Inquiry • Observation/Walk-thru • Examination • Re-performance of control activity • Conduct • Document • Evaluate – Effective, Ineffective • Validate • Control Objectives • Completeness • Accuracy • Validity • Confidentiality • Availability

  21. FISCAM Testing • Ineffective • SIDR (Self-Identified Deficiency Report) • CAP (Corrective Action Plan) • POAM (Plan of Action and Milestones) • CAP • Long term • Short term • Compensating Control • POAM • Implement CAP and Retest • If effective, update documentation, to include FMFIA and FFMIA

  22. FISCAM Key Points • FISCAM is an annual requirement • I&T has the lead for FISCAM and partners with Ops • Ops (Site and ESS) involved only in Application Controls • Testing will determine control effectiveness • Ineffective controls require SIDRs and CAPs • Once CAPs are implemented, retesting is required

  23. Known Weaknesses • Access Controls • Segregation of Duties • Universe of Transactions • Interfaces • Reconciliations • Documentation for Transactions (Journal Vouchers (JVs)) • Configuration Management • Memorandums of Understanding (MOU) (beyond Service Level Agreements)
