Pam Leeper AM&C ESS November 8, 2012

Presentation Transcript

  1. DFAS Operations and Audit Readiness Pam Leeper AM&C ESS November 8, 2012 Integrity - Service - Innovation

  2. Overview
     • The Tools
     • The Players
     • The SBR
     • Terms
     • The Big Picture
     • Operations Tools
     • FISCAM
     • Known Weaknesses

  3. The Tools
     • FMFIA
        • Federal Managers’ Financial Integrity Act
        • Internal Controls
     • FFMIA
        • Federal Financial Management Information Act
        • System Performance
     • FISCAM
        • Federal Information System Controls Audit Manual
        • System Controls

  4. Audit Readiness Players
     • DoD
     • Reporting Entities
     • Service Providers
     • DFAS Audit Readiness Teams
        • Corporate
        • Site

  5. Statement of Budgetary Resources (SBR)
     • The SBR is an accounting of the funds available to DoD in a given year, tracking inflows and outflows.
        • Inflows – budget received from Congress and collections
        • Outflows – obligations, accruals, and disbursements
     • Each Reporting Entity is responsible for its own SBR.
     DoD SBR is a combination of SBRs from Reporting Entities:
     • Army: GF-SBR, WCF-SBR
     • Mil Retirement Fund SBR
     • Corps of Engineers SBR
     • Navy: GF-SBR, WCF-SBR
     • A/F: GF-SBR, WCF-SBR
     • SBRs for Defense Agencies (material lines only)

  6. Terminology
     • Information System/Application
     • IPA – Independent Public Accountant
     • OCR – Office of Coordinating Responsibility
     • SIDR – Self-Identified Deficiency Report
     • CAP – Corrective Action Plan
     • POAM – Plan of Action and Milestones
     • Reporting Entity (User Auditor)
     • Service Provider (Service Auditor)

  7. Terminology: Audit Readiness Participants
     • Reporting Entity – The entity that has engaged a service provider and is working to become audit ready or its financial statements are being audited.
     • Service Provider – The entity (or segment of an entity) that provides services to a reporting entity that are part of the reporting entity’s manual and/or automated processes for financial reporting.
     • User Auditor – The financial statement auditor who issues an opinion report on the financial statements of the reporting entity.
     • Service Auditor – Is retained by the service provider to issue an opinion on controls of the service provider relevant to financial reporting (i.e. SSAE No. 16 audit report).

  8. Terminology
     • FIAR – Financial Improvement and Audit Readiness
     • MICP – Management Internal Control Program
     • Assessable Unit – Multiple Definitions
        • FIAR
        • FMFIA
        • FFMIA
        • Reporting Entities
        • DFAS DDO (Deputy Director of Operations)

  9. Terminology
     • Assertion – I’m ready for audit
     • Assertion Package
     • DFAS Assertion (SSAE 16)
     • SSAE 16 Assessment (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization)
     • Pre-assertion work
     • Customer Assertion (non-SSAE 16)
     • Self Review

  10. Terminology
     [Diagram labels: Assessable Units; Pre-Assertion Work; Self Review; Assertion Package (Service Provider); Assertion Package (Reporting Entity)]
     • SSAE 16 Assessment
        • Multiple Customers
        • DFAS initiated & Paid
        • Assertion Package for DFAS
        • Auditors at DFAS - Yes
        • DFAS defined AUs (Five)
           • Civilian Pay
           • Military Pay
           • Contract Pay
           • Disbursing
           • Financial Reporting
     • Customer Assertion
        • Single Customer
        • Reporting Entity Initiated & Paid
        • Assertion Package for Reporting Entity
        • Auditors at DFAS – Maybe
        • Customer defined AUs
           • Financial Statement Line Item
           • Others

  11. Integrity - Service - Innovation

  12. Audit Readiness and FISCAM (Operations) [diagram; labels in extracted order]
     • Financial Improvement Audit Readiness (FIAR)
     • Management Internal Control Program (MICP)
     • DoD & DFAS Instruction 5010.40
     • iControl
     • MICP FISCAM DATABASE
     • Database containing FMFIA results
     • Database containing FFMIA & FISCAM results
     • FFMIA; OMB Cir A-127; FISCAM
     • Law requiring that systems produce accurate, reliable, and timely financial management information
     • FMFIA; FISCAM; OMB Cir A-127
     • GAO developed guidance for auditing system controls
     • OMB Cir A-123
     • GAO developed guidance using system controls checklist.
     • Law requiring managers to assess effectiveness of internal controls
     • Operational Metrics, Audit Findings, SIDRs, Implemented CAPs, Lessons Learned
     • Planning

  13. AuR Overview Key Points
     • The SBR for each Reporting Entity is audited
     • DFAS is a Service Provider to Reporting Entities
     • FIAR is the DoD plan to become audit ready
     • MICP provides the how to become audit ready
     • “Assessable Unit” can have different meanings
     • FMFIA, FFMIA and FISCAM are required annually

  14. Three Main Tools

     |                         | FMFIA         | FFMIA           | FISCAM         |
     |-------------------------|---------------|-----------------|----------------|
     | Source                  | Cir A-123     | Cir A-127       | FIAR           |
     | DFAS Guidance           | MICP(5010.40) | 7900.4-M(BB)    | MICP(5010.40)  |
     | Focus                   | Op Controls   | Sys Performance | Sys Controls   |
     | Oversight & Review      | ESS/NC        | I&T             | I&T & Site AuR |
     | Primary Responsible     | Operations    | I&T             | I&T & Ops      |
     | Testing Standards       | DFAS M&N      | 7900.4-M(BB)    | FISCAM Manual  |
     | Documentation & Results | iControl      | FISCAM DB       | FISCAM DB      |
     | Output                  | SoA           | SoA             | Mgt Brief      |

  15. FMFIA
     • Maps and Narratives
     • iControl provides more structure
     • iControl expands scope across DFAS sites
     • Standard Processes

  16. FFMIA
     • A new process to DFAS I&T
     • A large scope for testing
     • Blue Book = 3000+ elements
     • Types of Systems
        • Core Financial System (System of Record)
        • Mixed System (Feeder System)
        • Financial Management System (supports both)

  17. FISCAM
     • Federal Information Systems Control Audit Manual
     • Issued by GAO
     • Annual Requirement
     • DFAS owned systems
     • Tiers
     • Operations (OCR) partners with I&T

  18. FISCAM Controls
     • FISCAM Controls
        • Critical Elements
        • Control Activities
        • Control Techniques
        • Audit Procedures
     • General Controls
        • Entitywide
        • Examples - Safeguard data and Protect application programs
        • Effectiveness of general controls a significant factor in determining the effectiveness of application controls.
     • Application Controls (163)
        • Operations (Site and ESS) only involved in Application controls
        • Examples - Input, Processing, Output, Master file, and Interface

  19. FISCAM Reviews – Application Controls
     • 4.1 Application Level General Controls (AS)
        • Security management
        • Access controls
        • Configuration management
        • Segregation of Duties
        • Contingency planning
     • 4.2 Business Process Controls (BP)
        • Transaction Data Input
        • Transaction Data Processing
        • Transaction Data Output
        • Master Data Setup and Maintenance
     • 4.3 Interface Controls (IN)
        • Interface strategy and design
        • Interface processing procedures
     • 4.4 Data Management System Controls (DA)
        • Implement an effective data management system strategy and design

  20. FISCAM Testing
     • Design
        • Inquiry
        • Observation/Walk-thru
        • Examination
        • Re-performance of control activity
     • Conduct
     • Document
     • Evaluate – Effective, Ineffective
     • Validate
     • Control Objectives
        • Completeness
        • Accuracy
        • Validity
        • Confidentiality
        • Availability

  21. FISCAM Testing
     • Ineffective
        • SIDR (Self-Identified Deficiency Report)
        • CAP (Corrective Action Plan)
        • POAM (Plan of Action and Milestones)
     • CAP
        • Long term
        • Short term
        • Compensating Control
     • POAM
        • Implement CAP and Retest
        • If effective, update documentation, to include FMFIA and FFMIA

  22. FISCAM Key Points
     • FISCAM is an annual requirement
     • I&T has the lead for FISCAM and partners with Ops
     • Ops (Site and ESS) involved only in Application Controls
     • Testing will determine control effectiveness
     • Ineffective controls require SIDRs and CAPs
     • Once CAPs are implemented, retesting is required

  23. Known Weaknesses
     • Access Controls
     • Segregation of Duties
     • Universe of Transactions
     • Interfaces
     • Reconciliations
     • Documentation for Transactions (Journal Vouchers (JVs))
     • Configuration Management
     • Memorandums of Understanding (MOU) (beyond Service Level Agreements)