financial improvement and audit readiness (fiar)€¦ · through testing a large portion of...

Financial Improvement and Audit Readiness (FIAR)

Office of the Under Secretary of Defense (Comptroller)

ASMC DC Regional PDI

March 22, 2012

Agenda

• The Basic Framework – Funding Lifecycle

• Principles for Audit Readiness

• A Walkthrough

2

• Prove accurate status of funds entrusted to the entity – Funding Available – Receive and distribute funding to operational

organizations

– Under Contract/Order – Use funding on goods and activities to meet mission goals

– Goods/Services Received – Document orders have been received and record amounts payable

– Invoice Approved – Pay only for goods and services received

– Payment Made – Ensure payments are processed and recorded

– Contract/Order Adjusted/Closed – Adjust orders for subsequent changes

The Basic Framework

1. Funding Available

2. Under Contract/Order

3. Goods/Services

Received

4. Invoice Approved

5. Payment Made

(Outlays)

6. Contract/Order Adjusted/Closed

The Funding Lifecycle

3

You can’t know what you need if you don’t know what you have

What Success Looks Like

Amount and Uses of Funds

Funding Profile:

O&M $ 35,897,900

RDT&E $ 6,030,500

Procurement $ 14,890,000

Total $ 56,818,400

Uses of Funds:

Contract Acquisition $ 23,560,700

Civilian Labor $ 20,432,500

Supply (DLA) $ 8,213,200

MIPRs $ 4,612,000

Total $ 56,818,400



3. Goods/Services

Received

4. Invoice Approved

5. Payment Made

(Outlays)


• Establish the amount of funds the organization “owns” • Determine the major uses of those funds (e.g. contract acquisition, supply orders, MIPRs,

Civilian Labor, etc.)


Lifecycle Contracts Labor Supply MIPRs Total

Funds Available $ 23,560,700 $ 20,432,500 $ 8,213,200 $ 4,612,000 $ 56,818,400

Under Contract/Order 22,853,879 19,819,525 7,966,804 4,473,640 55,113,848

Goods/Services Received 16,256,883 14,098,425 5,667,108 3,182,280 39,204,696

Invoice Approved 10,602,315 9,194,625 3,695,940 2,075,400 25,568,280

Payments Made (Outlays) 9,424,280 8,173,000 3,285,280 1,844,800 22,727,360

Contract/Order Adjusted/Closed 1,178,035 1,021,625 410,660 230,600 2,840,920



3. Goods/Services

Received

4. Invoice Approved

5. Payment Made

(Outlays)


• Determine the amount of funding in each phase of the lifecycle


Amount and Uses of Funds

Funding Profile:

O&M $ 35,897,900

RDT&E $ 6,030,500

Procurement $ 14,890,000

Total $ 56,818,400

Uses of Funds:

Contract Acquisition $ 23,560,700

Civilian Labor $ 20,432,500

Supply (DLA) $ 8,213,200

MIPRs $ 4,612,000

Total $ 56,818,400

Lifecycle Contract

Acquisition

Funds Available $ 23,560,700

Under Contract/Order 22,853,879

Goods/Services Received 16,256,883

Invoice Approved 10,602,315

Payments Made (Outlays) 9,424,280

Contract/Order Adjusted/Closed 1,178,035

Transaction Listing: Contracts

Amount Under Contract/ Order

Contract A $ 2,500,000

Contract B $ 4,800,000

…….. ……..

Contract Z $ 10,460,000

Total $ 22,853,879

CONTRACT Amount $10,460,000 Date 12/13/2011 LOA 21 12 2020… Approval Signature

Pull status of funds information from system – system shows how much funds are in the “under contract”

lifecycle phase

Validate that source documents support the data in the system

• Prepare a list of transactions supporting each category • Identify and test the ability to produce documents supporting the lifecycle phase

classification

Use the Approach Auditors Will Use:

• Scoping – Don’t do too much work – Immaterial process areas

– Non-Key and policy compliance controls

– Don’t get stuck on every detail of the process. Identify the key controls and documents and start testing

• Develop a strategy – Efficient mix of controls and supporting documents

– Is control reliance needed at all? – Low transaction/asset volume

– Is no control reliance realistic? – High transaction/asset volume

• Let the test results guide your actions

Principles of Audit Readiness

7

Scoping - Assessable Units

1. Contract Pay

2. Military Pay

3. MILSTRIP

4. Vendor Pay

5. Civilian Pay

6. Reimbursable Work Orders – Grantor

7. Reimbursable Work Orders – Acceptor

8. FBWT

9. Appropriations Received

10. Other Budgetary Authority

11. Financial Reporting

8

Assessable Units (SBR Business Processes)

9

Assessable Unit

(all amounts in millions of

dollars) DoD Army Navy Air Force

Defense

Agencies

Contract Pay $ 300,068 $ 91,934 $ 80,303 $ 68,788 $ 59,043

Military Pay 210,742 98,350 65,089 47,303 0

MILSTRIP 213,772 43,531 69,652 57,089 43,500

Vendor Pay 73,039 20,220 16,763 19,056 17,000

Civilian Pay 51,674 12,276 10,240 11,080 18,078

Reimbursable Work Orders Grantor 49,983 14,871 14,320 18,786 2,006

Reimbursable Work Orders Provider 48,763 17,960 8,886 9,605 12,312

Total Appropriated Budget Authority

(per FY2010 SBR) 948,041 299,142 265,253 231,707 151,939

FBWT 240,050 63,020 57,925 59,085 60,020

Appropriations Received/Other

Budgetary Activity 899,278 106,805 94,623 87,574 61,049

Financial Reporting

DoD and Component SBRs break down into 7-8 business processes that account for 95% of dollars.

R – C – D = A

Where:

R = Risk of Misstatement [>0]

C = Controls to prevent or detect & fix misstatement [>0]

D = Documentation to support accuracy of statements

A = Audit Readiness [<= .1]

Applications:

Auditor Test and determine whether material misstatement exists [A > .05]

Management Ensure material misstatements do not exist [A < .05]

• The Risks are known for all business processes

• All transactions are not recorded in the correct period in the correct amount

• Transactions have been recorded in the wrong period or amount

• Transactions have been recorded that did not occur or do not relate to the entity

• Financial events are not classified and recorded consistently

• Determine the optimal mix of control and document testing to demonstrate that the risks have been addressed

Develop a Balanced Strategy

10

Risk of

Misstatement -

Effective

Controls

Audit

Readiness

Available

Documentation = -

Using this approach to develop a strategy for our FIP actions at the business process level saves time and ensures nothing is missed

Assessable Unit Strategies

• Reporting entities and service providers must develop a strategy for each assessable unit. A comprehensive and well-defined strategy will:

• Help ensure all significant risks and processes are included in the scope

• Allow for the development of outcomes to measure and demonstrate progress

• Reduce efforts on non-key areas

• Before starting Discovery efforts, develop the assessable unit strategy by:

1. Defining scope of assessable unit

2. Identifying all key risks of financial misstatement and related outcomes

3. Establishing roles and responsibilities

11

1. Defining Scope of Assessable Unit

Personnel (DCPDS)

T&A (e.g., ATAAPS,

SLCADA)

Pay Processing

(DCPS)

G/L (e.g. GAFS, STANFINS)

Source Data

Disbursing (ADS)

1. Understand and document the scope of the assessable unit to:

• Identify all material (based on dollar value) systems, process/sub-processes and service providers

• Allow for clear articulation of the scope of the assessable unit

• Serve as the starting point for identifying all material risks

Civilian Payroll Example: Overall End-to-End Process

12

2. Identifying all Key Risks and Outcomes

2. Identifying all key risks and related outcomes will:

• Help ensure that all key risks are appropriately included in the audit readiness scope, but also include scoping out all immaterial risks

• Allow reporting entities to define outcomes that demonstrate success and measure progress

• Serve as the starting point for defining roles and responsibilities for all entities in the process (service providers)

13

Personnel (DCPDS)

T&A (e.g., ATAAPS,

SLCADA)

Pay Processing

(DCPS) G/L

(e.g. GAFS, STANFINS)

2

8. Stale obligations and accruals may not be removed 1

4

5. Payroll may be calculated or processed incorrectly

3

Source Data

6

2. Personnel information is missing or incomplete


7. All Payroll obligations, expenses, accruals and disbursements may not be recorded

Disbursing (ADS)

6. Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly

7

3. Incorrect time and attendance information may be recorded

5

1

2

3

4 8

1

4. Time and attendance information is missing or incomplete

1. Incorrect personnel information may be recorded

Civilian Payroll Example: Key Risks

9. IT General Controls may not be appropriately designed or operating effectively (See Backup Slide A for further details)

14


Risks Outcomes

1 Incorrect personnel information may be recorded Civilian personnel actions are valid and recorded accurately

2 Personnel information is missing or incomplete All civilian personnel actions are recorded timely

3 Incorrect time and attendance information may be recorded

T&A information is valid and is recorded correctly

4 Time and attendance information is missing or incomplete

All T&A information is recorded timely

5 Payroll may be calculated or processed incorrectly

Bi-weekly payroll is calculated and processed correctly

6 Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly

Payroll obligations, expenses, accruals, and disbursements are valid and are correctly recorded in the General Ledger(s)

7 All Payroll obligations, expenses, accruals and disbursements may not be recorded

All payroll obligations, expenses, accruals and disbursements are recorded in the General Ledger(s) timely

8 Stale obligations and accruals may not be removed

All stale obligations and accruals are removed from the General Ledger(s) timely

9 IT General Controls may not be appropriately designed or operating effectively

All material civilian payroll systems achieve relevant FISCAM objectives

Achieving outcomes means the risks of financial misstatement have been addressed

Personnel (DCPDS)

T&A (e.g., ATAAPS,

SLCADA)

Pay Processing

(DCPS)


Source Data

Disbursing (ADS)

DFAS

DCPAS

DISA Systems Environment

Reporting Entity

3. Establishing Roles and Responsibilities

NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits.

Civilian Payroll Example: Roles and Responsibilities

16


When scoping audit readiness efforts, service providers must be considered. Primary areas of responsibility include the following:

1. Entities performing manual processes on behalf of the reporting entity 2. Entities owning systems who are responsible for establishing and maintaining

IT application controls 3. Entities responsible for an application and performing manual processes 4. Entities hosting IT environments where applications reside

Establish roles and responsibilities with all service providers, including:

• Who will be responsible for achieving each outcome, including:

• Identification of manual and systems controls to mitigate risks

• Evaluation and testing of manual and systems controls

• Remediation, as necessary, to demonstrate outcome has been achieved

• Who will be responsible for evaluating the sufficiency of Key Supporting Documents proving outcomes have been achieved

• Documenting “who will do what, by when” in a Memorandum of Understanding (MOU) that is aligned to FIP tasks and dates

17


NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits.

Civilian Payroll Example: Personnel Action Risk

Personnel (DCPDS)

T&A (e.g., ATAAPS,

SLCADA)

Pay Processing

(DCPS)


Source Data

Disbursing (ADS)

DFAS

DCPAS


Reporting Entity


1 1

1



18

Personnel (DCPDS)

T&A (e.g., ATAAPS,

SLCADA)

Pay Processing

(DCPS) G/L

(e.g. GAFS, STANFINS)

2

1

4. Support for election changes (FEGLI, FEHB, etc.)

3

6


7. Documentation supporting calculations for Obligations (unfilled customer orders and delivered orders (payroll accruals)

Disbursing (ADS)

6. Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly

2. Signed/approved timesheets

5

4

3. Other T&A Support: Leave slips, OT requests, etc.

1. SF-52 (RPA) and SF-50s (NPA)

5. Reconciliation of Gross Pay File (with employee level pay period detail) to general ledger—demonstrating the completeness of any samples selected

5

6. Leave and Earnings Statement (LES)

7

Reporting entities must also define who is responsible for evaluating and maintaining Key Supporting Documents

Audit Readiness Options

20

• Scenario A presents a documentation-based approach where audit readiness is demonstrated

through testing a large portion of transactions to prove amounts are accurately recorded (ideal

for small volume, large dollar populations)

• Scenario B presents a controls-based approach where a combination of manual and

information technology controls are tested and relied upon to ensure transactions are

accurately recorded (ideal for large volumes of small dollar transactions)

Select the most efficient means to demonstrate the outcome

has been achieved.

Outcomes Category Approach: Documents/Controls Detail Responsible Party Scenario A Scenario B

Beginning Balance: Test obligations as of the beginning of the year,

tracing obligation back to signed contract documents and verifying

amounts were accurately ecorded in the general ledger

Component

Current Year: Test new contract transactions, tracing obligations back to

signed contract documents and verifying amounts were accurately

recorded in the general ledger

Component

Test a sample of contracts recorded in SPS to verify review and approval

prior to contract issuance

Component, DFAS

Test periodic reviews of SPS and General Ledger user roles Component, DFAS

SPS: (1) Test SPS user roles required to create, approve and modify

contracts; and (2) test SPS accuracty edit checks

DLA

General Ledger: (1) Test G/L user roles required to create, approve and

modify contracts; and (2) test G/L accuracty edit checks

Component/DFAS

Test IT general and application-level general controls related to SPS to

achieve relevant FISCAM objectives

Component

Test IT general and application-level general controls related to General

Ledger to achieve relevant FISCAM objectives

DISA

100% 100%

Documentation

IT general controls over SPS and the General Ledger

needed to rely on application business process

controls

Select a sample of obligations and verify they were

accurately recorded and supported by valid contracts

Obligations are

recorded

accurately and

represent valid

contracts

15%0%

Contract Pay

85% 5%

40%15%

0% 40%

Controls based approach includes testing reviews of

contracts and periodic reviews of user roles in SPS

and the General Ledger

Controls based approach includes testing SPS and

General Ledger controls surrounding user roles in

the system and edit checks

IT Application

Controls

IT General Controls

Manual Controls

What Next?

• 9 – 3.5 – 5.0 = 0.5 = Audit Ready

• Once a strategy has been defined and documented for an assessable unit, reporting entities should:

• Update FIPs and develop MOUs

• Commence Discovery phase audit readiness efforts

• Continually communicate with relevant service providers to ensure audit readiness efforts are coordinated

• Regularly assess and report on progress in achieving interim outcomes

21

Conclusion

22

Field Commanders Are Key to Translating Strategy into Action

Field Commander/Director must be fully engaged:

• Ensure management controls in place and operating – Strong security controls on financial and feeder systems

– Identify and test key process controls

• Monitor levels of business discipline and accountability by

asking questions such as: – Are your contracts recorded accurately and timely?

– Are your financial obligations still valid?

– Are material receipts recorded accurately and timely?

– Are your financial decisions based on information in official systems?

– Can you rely upon internal control testing results to answer the questions above?

• Include audit readiness as part of command assessments

Backup

23

Assessable Units (cont’d)

In the following slides, each assessable unit will contain the following information:

– Key Risks of Financial Misstatement: Identification of key risks that may cause a financial statement balance to be inaccurate/invalid

– Key Risks and Outcomes: Identification of outcomes when each risk of financial misstatement has been successfully mitigated

– Roles and Responsibilities: Identification of entities with responsibilities in audit readiness efforts (Components and Service Providers)

– Key Supporting Documents: Documentation needed to support transactions and balances

– Considerations when Scoping Systems: Criteria to consider when scoping key systems to be included in audit readiness efforts, because:

1) Automated controls within the system are identified as key controls;

2) Systems are used to generate/store original key supporting documentation; or

3) Reports from a system are utilized in the execution of key manual controls.

24

Contract Pay: Key Risks of Financial Misstatement

8. IT General Controls may not be appropriately designed or operating effectively 25

G/L (e.g. GAFS/ STANFINS)

Acceptance/Invoice Processing (WAWF)

Entitlement/Disbursing (e.g., MOCAS)

Acquisition/Contracting (e.g., SPS)

Disbursing (e.g. ADS, SRD-1, CDS)

Obligations

Disbursements

Payables/Disbursements

1

5

6

6

1

2 3 4

1. All obligations may not be recorded timely

2. Obligations may be recorded inaccurately or may be invalid

3. All accruals and/or payables may not be recorded timely

4. Accruals and/or payables may be recorded inaccurately or may be invalid

6. Disbursements may be recorded inaccurately or may be invalid

5. All disbursements may not be recorded timely 7. Stale or invalid obligations

and accruals may not be removed

5

6

Identify and include all key risks and related outcomes in the audit readiness scope and exclude immaterial risks

EDA

3 4

7

5

2

Contract Pay: Key Risks and Outcomes

Financial Reporting Risks Outcomes Demonstrating Audit Readiness

1 All obligations may not be recorded timely All obligations are recorded in the correct period and within 10 days of award

2 Obligations may be recorded inaccurately or may be invalid

Obligations are recorded accurately (correct amount, Treasury account, vendor, line of accounting (agrees to requisition), reporting entity) and contracts are valid (authorized/approved transactions supported by contract)

3 All accruals and/or payables may not be recorded timely

All accruals and/or payables (for goods/services received not yet invoiced) are recorded in the correct period and within 10 days of receipt

4 Accruals and/or payables may be recorded inaccurately or may be invalid

All accruals and/or payables are recorded accurately (correct amount, Treasury account, contract/obligation/line of accounting, reporting entity) and invoices are valid (authorized/approved transactions supported by evidence goods/services were received or otherwise due)

5 All disbursements may not be recorded timely All disbursements are recorded in the correct period and within 10 days of payment

6 Disbursements may be recorded inaccurately or may be invalid

Disbursements are recorded accurately (correct amount, Treasury account, contract/obligation/line of accounting, reporting entity) and disbursements are valid (authorized/approved transactions supported by invoice and receiving report)

7 Stale or invalid obligations and accruals may not be removed

All obligations and accruals are reviewed, and adjusted as necessary, at least three times per year

8 IT General Controls may not be appropriately designed or operating effectively

All material systems achieve the relevant FISCAM IT general and application-level general control objectives

Achieving outcomes means the risks of financial misstatement have been addressed 26 26

NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits. 27


Receipt/Invoice Processing (WAWF)


Acquisition/Contracting (e.g., SPS) Obligations

Disbursements


Disbursing

(e.g. ADS, SRD-1, CDS)

DLA Reporting Entity

DCMA

DFAS

Contract Pay: Roles and Responsibilities


EDA


Receipt/Invoice

Processing (WAWF)

Vendor Invoices

Receiving Reports


Acquisition/Contracting (e.g., SPS) Obligations

Disbursements

Define and Document

Requirements


Disbursing


Contract Pay: Key Supporting Documents

28

1. Contract and related documents

2. Invoices and Receiving Reports (DD-250)

3. Documentation supporting accruals

4. Disbursing voucher and related support 4. Disbursing voucher and related support

28

2

3

4

4

EDA

1


Receipt/Invoice Processing (WAWF)


Acquisition/Contracting (e.g., SPS)

Obligations

Disbursements


Disbursing


Contract Pay: Considerations when Scoping Systems

29

1. IT controls must be reliable because the original contract and all modifications are generated, approved and retained in SPS/EDA.

2. IT controls must be reliable because the receiving report and invoices are approved and retained in WAWF.

3. IT controls must be reliable because contract calculations and allocations, as well as entitlement and release of disbursements are performed and maintained in MOCAS.

19

1

2

3

4. IT controls surrounding disbursing systems must be reliable as there are key automated application controls (e.g., data validity edit checks) relied upon for processing disbursements.

4

5. IT controls must be reliable for general ledger systems, unless components have implemented manual controls to ensure all obligations, accruals and disbursements are recorded, processed and reported completely, accurately and timely.

EDA