Service Provider Support of Audit Readiness

Office of the Under Secretary of Defense (Comptroller)

March 14, 2011

Agenda

Office of the Under Secretary of Defense (Comptroller)

• Background

• Service Provider Role and Approach

• Supply Existence and Completeness Example

• Comply with Laws:Laws require financial statement audits

• Verify Correct Allocation of Funds:Verify that all resources are allocated to approved mission priorities in a legal manner

• Make Better Use of Resources:Provide better information for timely, informed decision-making and identify unused funds

• Increase Public Trust:Reassure the public and Congress that DoD is a good steward

FIAR: Why Important?

3

DoD Only Federal Agency Without a Positive Audit Opinion…“It is unacceptable”

Background and Context

• Focus on information DoD uses to manage– Budgetary data– Asset counts / location (existence and completeness)

• Main emphasis: Improve information– Focus on internal controls and source documentation– Use audits to verify success or identify problems

• Seek cost-effective approach for lower priority information– Primarily historical valuations of assets

• This approach has created unified support for initiatives

• Goal and Law: Auditable statements by 2017

Streamlined FIAR Approach

4

We Need to Move From Strategy to Tactical Execution

Established August 2009

5

Call to Action“It is unacceptable to me that the Department of Defense cannot produce a financial statement that passes all financial audit standards.”

“I’ve directed the Department to cut in half the time it will take to achieve audit readiness for the Statement of Budgetary Resources so that by 2014 we will have the ability to conduct a full-budget audit.”

Also:• Increased effort on property accountability• Review financial controls within 2 years• Course-based certification for financial managers

Focus on Budget Statement and Asset Accountability

What Successful Audit Requires

6

• Doing the day-to-day job right is the starting point

• Verify that each transaction is recorded and supported– Invoice

– Proof of receipt, issuance, transfer, or disposal of goods / services

– Contract

• Verify “checkbook” balances with transaction-level detail

• Strong, consistent financial systems and management controls reassure auditors and allow limited sample sizes

Logistics Role in FIAR Priorities

Budgetary Priority:• Contract Pay (contracts for weapons systems and major service

contracts)• Vendor Pay (contracts for equipment, supplies, and services)• Reimbursable Agreements (depot maintenance, transportation, etc.)• Supply requisition (general fund activities purchasing from working

capital fund activities)

Mission Critical Assets (does not include value of property):• Military Equipment • Real Property• General Equipment• Inventory , Supply

7

Service Provider Role

• Auditors must consider the Service Provider’s internal controls if the services provided are a material part of the Reporting Entity’s processes or systems

• To support its customers a service provider must:– Document its internal control activities, – Test control operating effectiveness, and – Test Key Supporting Documents (KSDs)– Provide auditors access to data and/or Key Supporting Documents

during the audit.– Obtain an unqualified Service Auditor’s Report (SSAE 16) to support

the customers financial statement audit or allow all customer auditors to perform their own testing (OMB 07-04)

8

Assessable Unit Strategies

9

• Reporting entities and service providers must develop a strategy for each assessable unit. A comprehensive and well-defined strategy will:

• Help ensure all significant processes, systems, risks and documentation are included in the scope

• Allow for the development of interim outcomes to measure and demonstrate progress

• Improve the accuracy of reported timelines• Reduce efforts on non-key areas

• Before starting Discovery efforts, develop the assessable unit strategy by:

• Defining scope of assessable unit• Identifying all key risks of financial misstatement and related outcomes• Establishing roles and responsibilities• Determine how much reliance will be placed on controls for the assessable

unit examination

Financial Reporting Risks Outcomes Demonstrating Audit Readiness1 All inventory acquisitions may not be recorded in the

APSR and general ledger (or DDRS-AFS) timelyAll inventory acquisitions are recorded in the APSR and general ledger (or DDRS-AFS) timely

2 Inventory acquisitions may not be recorded accurately in the APSR and general ledger (or DDRS-AFS)

Inventory acquisitions are recorded accurately (correct location, type, quantity) in the APSR and general ledger (or DDRS-AFS)

3 All inventory sales/issuance/disposals may not be recorded in the APSR and general ledger (or DDRS-AFS) timely

All inventory sales/issuance/disposals are recorded in the APSR and general ledger (or DDRS-AFS) timely

4 Inventory sales/issuance/disposals may not be recorded accurately in the APSR and general ledger (or DDRS-AFS)

Inventory sales/issuance/disposals are recorded accurately (correct location, type, quantity) in the APSR and general ledger (or DDRS-AFS)

5 All changes to inventory may not be recorded in the APSR timely

All changes to inventory (condition, location) are recorded in the APSR timely

6 All changes to inventory may not be recorded accurately in the APSR

All changes to inventory (condition, location) are recorded accurately in the ASPR

7 IT General Controls may not be appropriately designed or operating effectively

All material systems achieve the relevant FISCAM IT general and application-level general control objectives

Supply E&C – Key Risks and Outcomes

10

Supply E&C – Roles and Responsibilities

11

NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits. 11

Reporting Entity/Service Provider

Reporting Entity and/or DISA Systems Environment

DFAS

DLA

APSR

General Ledger and/or DDRS-

AFS

Acquisition/Contracting(e.g., SPS)

Sales/Issuance/Disposals

Supply E&C – Considerations when Scoping Systems

1212

3. IT controls must be reliable for general ledger systems (or DDRS-AFS) unless components have implemented manual controls to ensure all inventory is recorded, processed and reported completely, accurately and timely.

2. IT controls must be reliable for APSR systems, unless components have implemented manual controls to ensure all inventory is recorded, processed and reported completely, accurately and timely.

APSR

General Ledger and/or DDRS-

AFS

Acquisition/Contracting(e.g., SPS)

Sales/Issuance/Disposals

1. IT controls must be reliable for acquisition and sales/disposal systems if automated controls, system reports or electronic records are relied upon to ensure all inventory is recorded, processed and reported completely, accurately and timely.

1. IT controls must be reliable for acquisition and sales/disposal systems if automated controls, system reports or electronic records are relied upon to ensure all inventory is recorded, processed and reported completely, accurately and timely.

How Can a Service Provider Best Support its Customers?

• Use the FIAR Service Provider Methodology to prepare to support customer audit readiness assertions and subsequent financial statement audits

• Develop a memorandum of understanding with reporting entities setting forth the expectations of both entities

• Communicate, communicate, and communicate with your customers

• Obtain an unqualified SSAE No. 16 report– DISA has a qualified SAS 70– DFAS has an unqualified DCPS SAS 70 (future scope to

include disbursing and accounting operations / systems)

13