Department of Defense (DoD) Audit Overview
50
Department of Defense (DoD) Audit Overview March 23, 2016 www.pwc.com
Transcript of Department of Defense (DoD) Audit Overview
Department of Defense (DoD) Audit Overview
March 23, 2016
www.pwc.com
PwC
Agenda
Introduction of PwC and Presenters
Past Accomplishments
Current Performance
Future Expectations
PwC Supporting DoD
Questions?
2
PwC
DoD Audit Overview
PwC Introduction
3
PwC
Firm Overview
PwC is the largest professional services
network in the world:
• 208,000 professionals in 157 countries
• Provide support to 92 percent of the
Financial Times Global 500 and 83 percent
of the Fortune Global 500
• 1,200 employees dedicated to working with
the Federal Government
• Augmented by extensive commercial
capabilities and experience
• Clients include every branch of DOD: the
Army, Navy, Air Force, Marine Corps, and
OSD, plus other related agencies including
NATO and the State Department
4
• Public Sector practice was honored with the 2014 Malcolm Baldrige National Quality Award, the nation’s highest Presidential honor for performance excellence through innovation, improvement and visionary leadership
• “Leader” in Gartner’s Magic Quadrant for Business Operations Consulting Services and Global Risk Management Consulting
• Worldwide MarketScape Leader in Supply Chain Management Consulting and Business Analytics Services
• Kennedy Vanguard for Consulting to the DoD, Analytics IT Consulting, Manufacturing & Product Strategy
• Named one of Fortune’s “100 Best Companies to Work For” for the last 12 years, 2005–2016
• Ranked #1 on Training Magazine's "Top 125" list 2008-2010; inducted into Training Magazine Top 10 Hall of Fame 2011
• Recipient of the Employer Support of the Guard and Reserve's (ESGR) Seven Seals Award
• Recognized by G.I. Jobs as one of the 2012 Top Military Friendly Employers®
PwC: An Industry Leader
PwC
PwC Federal Solutions Overview
Management Consulting Technology ConsultingIT Strategy & Enterprise ArchitectureStrategic Planning & RoadmapEnterprise ArchitectureIT Governance & OrganizationIT Business Management
IT Security, Privacy & RiskStrategy & GovernanceIT RiskSecurity TechnologiesCyber Security and Breach Response
Oracle and SAPFinanceOperations/SCMHuman Capital ManagementCustomer ExperienceGovernance Risk & Compliance
Managed ServicesManaged Services StrategyApplication ManagementInfrastructure Management
Business ApplicationsIndustry-Specific ApplicationsCloud
Applications Strategy & IntegrationSDLCApplication ArchitectureApps Development & IntegrationQuality Management & Testing
Information ManagementInfo Strategy, Arch, & GovernanceBusiness Intelligence & AnalyticsEnterprise Content ManagementEnterprise Data Management
IT InfrastructureData Center SolutionsIT Service ManagementNetworking, Convergence, Connectivity & CollaborationDisaster Recovery
Forensics TechnologyComputer ForensicsData AnalyticsInformation Risk ManagementCyber Crime & Breach Response
Emerging Technologies
StrategyStrategy Growth & DevelopmentStrategy TransformationAnalytics & Decision Making
OperationsProcurement & SourcingManufacturing & Service OpsCapital ProgramsPlanningSupport OperationsLogisticsOps Strategy & TransformationTotal Ownership Cost ReductionReliability-Centered MaintenanceContinuous Process Improvement
ForensicsGovernment ContractsExport ControlsDispute AnalysisAnti-CorruptionInvestigationsFraud Risk
Program & Portfolio ManagementProject ManagementProgram ManagementPortfolio Management
People & ChangeHR Strategy & Program DeliveryHR Operations & TechnologyChange Management CommunicationsOrganizational DesignWorkforce Planning & PerformanceCapability & TrainingLeadership & Culture
FinanceEnterprise Performance MgmtFinancial ManagementAudit Readiness and RemediationActivity Based Costing
Risk Consulting Governance, Risk, and ComplianceResiliency
Risk Assurance
PwC
DoD Audit Overview
What has been accomplished in preparation for the audit?
6
PwC
DoD Audit History Timeline
• The Chief Financial Officers (CFO) Act of 1990 requires all federal agencies to produce auditable financial statements.
• The Federal Financial Management Improvement Act of 1996 (FFMIA) was established to advance Federal financial management by ensuring that Federal financial management systems provide accurate, reliable, and timely financial management information to the government’s managers.
• In 2002, Congress passed the Federal Information Security Management Act (FISMA), which requires IGs to conduct an annual evaluation of the information security programs and practices of their respective agencies.
• OUSD (C) FIAR Plan was first issued in 2005 as the guidance to achieve audit readiness.
• GAO is monitoring DOD’s progress on its initial Schedule of Budgetary Activity audits as well as assessing the existence and completeness of its mission critical assets.
• Congress has mandated a full audit of DOD’s fiscal year 2017 financial statements.
7
PwC
OUSD(C) Established the FIAR Directorate
The Financial Improvement and Audit Readiness (FIAR) Directorate was established by the Office of the Under Secretary of Defense –Comptroller (OUSD-C) in order to manage the DoD FIAR plan and audit initiatives.
Key activities include:
• Assisting the Components
• Developing and issuing detailed FIAR preparation methodologies and guidance
• Organizing and convening cross-Component financial and functional working groups to develop the audit readiness methodology
• Utilizing experienced financial, accounting and auditing personnel
• Developing metrics for monitoring and reporting progress
• Performing detailed reviews of the Component Financial Improvement Plans (FIPs)
8
PwC
FIAR Methodology
The FIAR Methodology contains 5 phases each with key tasks for achieving improved financial information and audit readiness that can be applied uniformly regardless of the size, materiality, or scope of an assessable unit. Although each component is in a different phase, they all must follow the same progression.
• Discovery
• Correction Action
• Assertion/Evaluation
• Validation
• Audit
9
PwC
FIAR Plan Status Report November 2015 Charts Audit Readiness-SBA Timelines (Army and Navy)
10
PwC
FIAR Plan Status Report November 2015 Charts Audit Readiness-SBA Timelines (Marine Corp and Air Force)
11
PwC
Baseline activities in order to gauge as-is environment across Components
In order to establish a starting point, each Component conducted baseline activities focused on:
• Business Process Standardization (BPS)
• Consolidation and Systems Integration
• Transaction Reviews and Reconciliations
• Internal Reviews
12
PwC
Developed baseline of processes, policies, controls, and guidance
In order to establish ground zero for audit, each Component within the DoD developed a baseline of processes, procedures, and controls.
• Business Process Standardization
- Developed standardized process workflows and methodology
- Baselined internal controls
◦ Business process controls
◦ IT controls
◦ Entity-level controls
- Developed desk guides and Standard Operating Procedures (SOPs) to support policies and methodologies
13
PwC
Consolidation and System Integration
One of the major focus areas has been to identify, analyze, integrate, and consolidate the expansive list of DoD financial systems.
• Identified and documented General and Working Capital Fund feeder systems with General Ledger impact
• Analyzed which systems are auditable and imperative to DoD financial success
• Consolidated duplicate systems or those deemed not auditable
• Established IT controls for remaining systems
• Developed and began implementing strategy for sustainable feeder system reconciliations
14
PwC
Transaction reviews and reconciliations
The DoD has conducted transaction reviews and reconciliations across Components.
• Completed transaction reviews on:
- Journal Vouchers
- Adjustments
- Classifications of transactions
- Compliance with DoD Financial Management Regulation (FMR) and Generally Accepted Accounting Principles (GAAP)
• Funds Balance with Treasury (FBWT) reconciliations: have tied the financial statements to the first Tier GL systems (STARS, N-ERP, etc.)
15
PwC
FIAR Internal Reviews
DoD has been conducting internal reviews across Components for each of the financial business processes being audited (funds distribution, contracts, assets, etc.).
• Internal Reviews
- Components have developed internal review plans to measure their compliance with FIAR guidance and procedures
- Internal reviews have already began in order to gain a baseline
- Corrective Action Plans (CAPs) have been developed to address gaps identified during each round of review
- Based on remediation actions taken, some components have been able to have assessable units meet assertion criteria
16
PwC
DoD Audit Overview
What are the current accomplishments and lessons learned?
17
PwC
DoD Report on Auditable Financial Statements
• The DoD ranked reporting entities within the existing audit tier structure to ensure entities of similar size were being compared. A methodology based on the Department’s approach to auditability and various objective factors was then evenly applied.
• The reporting entities are ranked based on their progress toward achieving:
- Auditable Statement of Budgetary Resources (SBR);
- Auditable existence and completeness of assets;
- and auditable full financial statements.
18
PwC
DoD Report on Auditable Financial Statements –Tier 1: Military Services
19
The Military Services include the Army, Navy, Marine Corps, and Air Force, and will each be audited on a stand-alone basis. Tier 1 entities account for about 72 percent of FY 2015 budgetary resources.
PwC
DoD Report on Auditable Financial Statements –Tier 2: DoD-Designated Audits DoD management directed certain material Defense agencies and funds to be audited on a stand-alone basis. Tier 2 entities account for about 23 percent of FY 2015 budgetary resources.
20
PwC
DoD Report on Auditable Financial Statements –Tier 3: DoD-Designated Examinations
DoD management directed the remaining material Defense agencies and funds to undergo annual examinations. Tier 3 entities account for about 4 percent of FY 2015 budgetary resources.
21
PwC
DoD Report on Auditable Financial Statements –Tier 3: DoD-Designated Examinations (Continued)
22
PwC
Audit Phases
23
The IPA will develop an Audit Plan, testing methodology, and
materiality for the entity
Audit requests for Key Supporting Documents
pertaining to processes and transactions (Substantive
and Controls Testing)
Issue Notice of Findings and Recommendations (NFRs) for identified deficiencies
and weaknesses
Issue the audit report containing the opinion
PwC
Transparency of an Audit
• Undergoing a financial statement audit provides transparency to relevant stakeholders of the DoD
- US Government
- Citizens
- Warfighters and Civilians
• May improve public perception and confidence in DoD
- Reduction of waste and fraud with tax payer dollars
- Responsibility and accountability
• Leads to a more reliable budget formulation for DoD entities
- Informed decisions with regards to expenditures
24
PwC
Components Successfully Achieved Provided By Client (PBC) Compliance• PBC Lists are requests by external auditors of items that will be
required from the client by the auditor prior to the commencement of fieldwork
- PBC Lists are considered preliminary and will be expanded upon once the audit commences
- PBC requests provide Key Supporting Documentation (KSD) or procedural documentation to support the accounting transactions of business and financial environments
- It is critically important that each command works on their PBC Lists requests as soon as possible in order to have them ready before the start of the audit
- All responses are addressed in a timely manner in order to support sample requests for testing
25
PwC
Implementation of Process Improvements
• Process improvement will allow for greater efficiency throughout DOD activities
- Goal is to improve the quality of information related to DOD assets that are critical to the success of the DOD’s mission
- Improve processes, controls, and systems that report financial information to produce more effective, transparent business processes
- In effect, this increases the public trust and confidence in DOD’s use of taxpayer dollars
- Ensures correct allocation of funds and makes better use of resources
- Improves the reliability and accuracy of data and decision-making information in operations
26
PwC
Implementation of Process Improvements (Continued)
• Process maps are created of both lifecycle and sub-processes related to the DOD components mission and vision
• Process Improvement seeks to fill gaps to better understand financial accountability and determine if government entities should be contacted for more information
- Standard Operating Procedures (SOPs) are developed to assist with walkthroughs that generally achieve favorable results
27
PwC
Prepared & Submitted Assessment Packages
• There is a difference between an audit and an assessment:
- The purpose of an audit is to compare against a specific standard, and find specific gaps that need correction
- The purpose of an assessment is to understand where you are for the benefit of improvement
• Assessment packages define the current reality of the accounting transactional environment with the good, bad, and ugly to reveal new insights and provide clear direction for improvement efforts
- Helps evaluate key business process and system controls to identify where the organization has a higher risk of loss through errors, theft, or noncompliance
- Establishes better business practices
28
PwC
Key Deficiencies Identified During FY15 SBA Audit
• DoD deficiencies identified during the audit included:
- Incomplete transaction universe
- Ineffective controls over IT Systems
- Ineffective controls over financial reporting
- Ineffective transactional controls across major segments
- Insufficient audit evidence/trail
• Deficiencies need to be identified and addressed to reduce the risk of material misstatement on entity financial statements
• Auditability will not be achieved until deficiencies are mitigated
29
PwC
Deficiencies Preventing Full Statement Auditability
30
• The entirety of underlying, individual, accounting transactions that support a financial statement line or balance and must reconcile to general ledgers and feeder systems.
Universe of Transactions
• An asset line on the Balance Sheet that represents the aggregate amount of funds in the Defense Department’s numerous accounts that must be reconciled with the Treasury Department’s accounts.
Funds Balance With Treasury
• Summary-level accounting adjustments made when balances cannot be reconciled. Although many journal vouchers are justified, many lack supporting documentation.
Journal Vouchers
• Reported assets exist and recorded in the financial statements.
• Valuation of assets establishes acquisition and improvement cost baselines that can be audited. Assets include General Property, Plant, and Equipment; and Inventory and Related Property.
Asset E&C and Valuation
• Probable future outflow or expenditure of resources as of the reporting date for environmental cleanup, closure, and disposal resulting from past transactions or events.
Environmental and Disposal Liabilities
PwC
Remediating Deficiencies
• A Corrective Action Plan (CAP) is used to remediate a perceived control weakness or deficiency
• DoD entities should develop and implement CAPs to address deficiencies identified within their IT infrastructure
- System Owners play an important role
• DoD entities are currently developing CAPs to address deficiencies related to their information systems’ controls
- Additional IT infrastructure deficiencies may be identified as more systems are included in future audits, which will result in the need for CAP remediation to achieve full financial statement auditability
31
PwC
Lessons Learned from the DoD Audits
32
Knowledge Gained
• DoD entities have a better understanding of how to substantiate transactions
• Time and effort required for audits
• Audit process from beginning to end
• Quick turnaround for requests
Control
Deficiencies
• Identified the high risk areas within the entity
• Need to improve manual control performance
• Automate processes where appropriate
• Develop and implement CAPs for deficiencies
Communication
• What the auditor requests versus what the auditor actually requires to
substantiate the transaction
• Due to user role limitations in various systems, Cross-Entity support may be
required to obtain supporting documentation
Best
Practices/Tools
• Use of Standard Operating Procedures (SOPs)
• Repository to hold Key Supporting Documents
• Information/knowledge sharing across entities
PwC
DoD Audit Overview
What are the expected future actions?
33
PwC
Audit Actions
Auditors have delivered the Audit Reports and Plan to expand the scope in FY16
• Full Financial Statement Audit
• General Fund and Working Capital Fund
• Asset Management Phase Completion
- Existence & Completeness
- Rights & Obligations
- Valuation, Presentation & Disclosure
• Notice of Findings and Recommendations (NFR) Remediation and Deal Breaker Identification
• FY16 Audit Kick-offs Held
- IT PBC Requests Underway
34
PwC
Audit Initiatives
• Universe of Transactions: Validating completeness and accuracy
• Establishing Beginning Balances
• Business Process Standardization (BPS)
- Individual Component BPS
- Overarching DoD BPS
• Improved enterprise-wide policies
• Improved Reliance on the Information Technology through strengthening of the internal control environment
- Access and SOD controls
- Interface Inventory and Agreements
- Third party service providers
• Cyber Security Strategy & Risk Management Framework (RMF)
35
PwC
Guidance Updates & DoD Initiatives
• Government Accountability Office (GAO) Green Book Revision
• Cyber Economic Vulnerability Assessments (CEVA) Joint Memorandum
• Federal Information Technology Acquisition Reform Act (FITARA) Implementation OMB Memorandum
36
PwC
GAO Green Book Revisions Effective for FY16
In September 2014, the GAO issued its revision of Standards for Internal Control in the Federal Government, also knows as the Green Book.
The Green Book sets the standards for an effective internal control system for entities, which may be used to ensure accountability and to achieve an organization’s mission.
• The Green Book’s revised edition retains the five (5) components of internal control established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• The updated Green Book presents seventeen (17) new principles that enumerate management responsibilities in implementing and overseeing an effective internal control system
• Each principle is comprised of illustrative attributes, control objectives and sample control activities applicable to all internal controls.
37
PwC
Entity Level ControlsThe five components and 17 principles of internal controls do not apply to a single specific process. Instead, they apply to entity-wide operations.
Entity Level Controls:Entity Level Controls are internal controls that help implement management directives and generally serve as a top down approach to understanding the risks of an organization. They have a pervasive effect on an entity’s internal control system.
How are they unique?Entity Level Controls are unique because they reflect a broad range of control principles that includes an entities culture, values, and ethics as well as the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal controls and its importance.
Why are Entity Level Controls important?Entity Level Controls help organizations:Reduce the likelihood of negative risks including fraud, abuse, misconductCommunicate values from the top downImprove their processes and efficiencyIncrease transparency and accountability
Entity Level Controls are already part of your everyday processes.38
PwC
Evaluation Criteria - Components
39
ELC evaluations will be made on the Green Book’s 5 components for effective internal controls:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
And corresponding principles and
attributes.
PwC
Evaluation Criteria - Principles
40
PwC
Cyber Economic Vulnerability Assessments (CEVA) Joint Memorandum
Cyber threats present a risk of economic exploitation of information systems whose functions include financial management, payments, allotments, and fiscal transfers. Many of these systems connect to non-Department of Defense (DoD) networks and environments. An adversary may exploit such systems to disrupt mission-essential logistics or steal funds.
• “All cyber adversarial activities must be conducted with certified and accredited personnel and should include system and cyber economic subject matter experts to ensure the key operational capabilities and business processes are evaluated.”
• Updated Guidance - DoD systems that include financial or fiscal/business activities functions should include the following:
- Cyber Economic Threat Analysis
- Cyber Economic Scenario Testing
- Financial Transaction Analysis41
PwC
Federal Information Technology Acquisition Reform Act (FITARA)
FITARA was developed to establish management practices that align IT resources with organization missions, government-wide IT management controls, a common baseline outlining roles/responsibilities and enable the CIO role to include strengthening accountability.
Requirements Summary:
• Agency Chief Information Officer (CIO) Authority Enhancements• Enhanced Transparency and Improved Risk Management in IT Investments• Portfolio Review• Federal Data Center Consolidation Initiative• Expansion of Training • Maximizing the Benefit of the Federal Strategic Sourcing Initiative• Government-wide Software Purchasing Program
42
PwC
DoD Audit Overview
Highlights of PwC’s support to the DoD on its journey to audit
43
PwC
Summary of PwC Audit Support - Department of Defense (DoD)
44
Office of the Under Secretary of Defense (Comptroller)
Performed mock audits to ensure validity of current-year budgetary activity in FY2015, while progressing to full budgetary activity in FY2016 and FY2017
• Shifted audit readiness focus to asset valuation (i.e., Existence & Completeness, Valuation, Rights & Obligations) with the focus on Real Property (e.g., Inventory/Operations Material System (OM&S) and General Equipment)
• Executed walkthroughs and presented assertion deliverables to the auditors identifying key controls
PwC
Summary of PwC Audit Support - Department of Defense (DoD)
45
Department of Navy Financial Improvement (FIP)
• Developed testing plans, identify self identified deficiencies (SIDs) and provide recommendations to close gaps in internal controls
• Performed enterprise-wide business process standardization (BPS) sustaining end-to-end operational processes that has mitigated audit/financial readiness impediments
• Performed CAP remediation and root cause analysis for notice of findings reports (NFRs) that helped streamline deficiencies to satisfy audit requirements
• Configured a Governance, Risk, and Compliance (GRC) tool to manage segregation of duties issues with Navy ERP
• Integrated the Standard Accounting and Reporting System (STARS) to the Standard Accounting Budget and Reporting System (SABRS) while identifying and tracing deficiencies
PwC
Summary of PwC Audit Support - Department of Defense (DoD)
46
Department of Air Force
• Interfaced with External Auditor and track prepared by client (PBC) requests and responses
• Closed Corrective Action Plans (CAPs) and receive signed memorandums by SAF/FM leaders to ensure compliance and governance
• Performed Service Provider Interaction (i.e., DFAS, DLA, DCMA, DISA, etc.) aligned to business processes and internal controls
• Aligned Process and System Drill (PSDs) analysis associated with general ledger accounts (GLACs) and associated systems (i.e., AFM, DEAMS, GAFS-R, etc.)
• Developed guidance packages providing key supporting documents (KSDs) aligning to SBA lines/GLACs
PwC
Summary of PwC Audit Support - Department of Defense (DoD)
47
Department of Army Working Capital Fund (WCF)
• Achieved auditability of the Statement of Budgetary Resources (SBR) and completeness of mission critical assets
• Developed Tiger Teams supporting the Army WCF Civilian Payroll, Military Payroll and Funds Balance with Treasury (FBwT) SBR assessable units
• Executed the FIAR methodology and performed site visits to Army locations to interview process owners and conduct walkthroughs, complete process documentation and test plans, and perform WCF transaction-level reconciliation
PwC
Summary of PwC Audit Support - Department of Defense (DoD)
48
United States Marine Corps – Real Property
• Conducted benchmarking studies for the Marine Corps related to real property
• Conducted workforce performance analysis for both Marine Corps and Coast Guard
• Performed complex DISA DECC SAS 70 examinations to mitigate logistical challenges
Coast Guard
• Supported audit remediation efforts for the combined Department of Homeland Security (DHS) audit
• Executed financial improvement led to Coast and the DHS to receive an unmodified audit opinion
PwC
Contact Information
Safa Khaleq, CPA, PMP
PwC | PS Manager
Mobile: 330 261 3130
Email: [email protected]
Alissa Fulton, CSSGB
PwC | PS Senior Associate
Mobile: (703) 853-0345
Email: [email protected]
Luke Rininger, CPA
PwC | PS Manager
Mobile: +1 412 951 3359
Email: [email protected]
49
PwC
Questions?
50
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2016 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This document is for general information purposes only, and should not be used for consultation with professional advisors.
