Financial Improvement and Audit Readiness (FIAR)
Office of the Under Secretary of Defense (Comptroller)
ASMC DC Regional PDI
March 22, 2012
Agenda
• The Basic Framework – Funding Lifecycle
• Principles for Audit Readiness
• A Walkthrough
• Prove accurate status of funds entrusted to the entity
– Funding Available – Receive and distribute funding to operational organizations
– Under Contract/Order – Use funding on goods and activities to meet mission goals
– Goods/Services Received – Document orders have been received and record amounts payable
– Invoice Approved – Pay only for goods and services received
– Payment Made – Ensure payments are processed and recorded
– Contract/Order Adjusted/Closed – Adjust orders for subsequent changes
The Basic Framework
1. Funding Available
2. Under Contract/Order
3. Goods/Services Received
4. Invoice Approved
5. Payment Made (Outlays)
6. Contract/Order Adjusted/Closed
The Funding Lifecycle
You can’t know what you need if you don’t know what you have
What Success Looks Like
Amount and Uses of Funds
Funding Profile:
O&M $ 35,897,900
RDT&E $ 6,030,500
Procurement $ 14,890,000
Total $ 56,818,400
Uses of Funds:
Contract Acquisition $ 23,560,700
Civilian Labor $ 20,432,500
Supply (DLA) $ 8,213,200
MIPRs $ 4,612,000
Total $ 56,818,400
• Establish the amount of funds the organization “owns”
• Determine the major uses of those funds (e.g. contract acquisition, supply orders, MIPRs, Civilian Labor, etc.)
What Success Looks Like
Lifecycle Contracts Labor Supply MIPRs Total
Funds Available $ 23,560,700 $ 20,432,500 $ 8,213,200 $ 4,612,000 $ 56,818,400
Under Contract/Order 22,853,879 19,819,525 7,966,804 4,473,640 55,113,848
Goods/Services Received 16,256,883 14,098,425 5,667,108 3,182,280 39,204,696
Invoice Approved 10,602,315 9,194,625 3,695,940 2,075,400 25,568,280
Payments Made (Outlays) 9,424,280 8,173,000 3,285,280 1,844,800 22,727,360
Contract/Order Adjusted/Closed 1,178,035 1,021,625 410,660 230,600 2,840,920
• Determine the amount of funding in each phase of the lifecycle
What Success Looks Like
Lifecycle Contract Acquisition
Funds Available $ 23,560,700
Under Contract/Order 22,853,879
Goods/Services Received 16,256,883
Invoice Approved 10,602,315
Payments Made (Outlays) 9,424,280
Contract/Order Adjusted/Closed 1,178,035
Transaction Listing: Contracts
Amount Under Contract/Order
Contract A $ 2,500,000
Contract B $ 4,800,000
…….. ……..
Contract Z $ 10,460,000
Total $ 22,853,879
CONTRACT Amount $10,460,000 Date 12/13/2011 LOA 21 12 2020… Approval Signature
Pull status of funds information from system – system shows how much funding is in the “under contract” lifecycle phase
Validate that source documents support the data in the system
• Prepare a list of transactions supporting each category
• Identify and test the ability to produce documents supporting the lifecycle phase classification
Use the Approach Auditors Will Use:
• Scoping – Don’t do too much work
– Immaterial process areas
– Non-Key and policy compliance controls
– Don’t get stuck on every detail of the process. Identify the key controls and documents and start testing
• Develop a strategy
– Efficient mix of controls and supporting documents
– Is control reliance needed at all? – Low transaction/asset volume
– Is no control reliance realistic? – High transaction/asset volume
• Let the test results guide your actions
Principles of Audit Readiness
Scoping - Assessable Units
1. Contract Pay
2. Military Pay
3. MILSTRIP
4. Vendor Pay
5. Civilian Pay
6. Reimbursable Work Orders – Grantor
7. Reimbursable Work Orders – Acceptor
8. FBWT
9. Appropriations Received
10. Other Budgetary Authority
11. Financial Reporting
Assessable Units (SBR Business Processes)
Assessable Unit (all amounts in millions of dollars) | DoD | Army | Navy | Air Force | Defense Agencies
Contract Pay | $ 300,068 | $ 91,934 | $ 80,303 | $ 68,788 | $ 59,043
Military Pay | 210,742 | 98,350 | 65,089 | 47,303 | 0
MILSTRIP | 213,772 | 43,531 | 69,652 | 57,089 | 43,500
Vendor Pay | 73,039 | 20,220 | 16,763 | 19,056 | 17,000
Civilian Pay | 51,674 | 12,276 | 10,240 | 11,080 | 18,078
Reimbursable Work Orders Grantor | 49,983 | 14,871 | 14,320 | 18,786 | 2,006
Reimbursable Work Orders Provider | 48,763 | 17,960 | 8,886 | 9,605 | 12,312
Total Appropriated Budget Authority (per FY2010 SBR) | 948,041 | 299,142 | 265,253 | 231,707 | 151,939
FBWT | 240,050 | 63,020 | 57,925 | 59,085 | 60,020
Appropriations Received/Other Budgetary Activity | 899,278 | 106,805 | 94,623 | 87,574 | 61,049
Financial Reporting
DoD and Component SBRs break down into 7-8 business processes that account for 95% of dollars.
R – C – D = A
Where:
R = Risk of Misstatement [>0]
C = Controls to prevent or detect & fix misstatement [>0]
D = Documentation to support accuracy of statements
A = Audit Readiness [<= .1]
Applications:
Auditor: Test and determine whether material misstatement exists [A > .05]
Management: Ensure material misstatements do not exist [A < .05]
• The Risks are known for all business processes
• All transactions are not recorded in the correct period in the correct amount
• Transactions have been recorded in the wrong period or amount
• Transactions have been recorded that did not occur or do not relate to the entity
• Financial events are not classified and recorded consistently
• Determine the optimal mix of control and document testing to demonstrate that the risks have been addressed
Develop a Balanced Strategy
Risk of Misstatement – Effective Controls – Available Documentation = Audit Readiness
Using this approach to develop a strategy for our FIP actions at the business process level saves time and ensures nothing is missed
Assessable Unit Strategies
• Reporting entities and service providers must develop a strategy for each assessable unit. A comprehensive and well-defined strategy will:
• Help ensure all significant risks and processes are included in the scope
• Allow for the development of outcomes to measure and demonstrate progress
• Reduce efforts on non-key areas
• Before starting Discovery efforts, develop the assessable unit strategy by:
1. Defining scope of assessable unit
2. Identifying all key risks of financial misstatement and related outcomes
3. Establishing roles and responsibilities
1. Defining Scope of Assessable Unit
[Process diagram: Personnel (DCPDS); T&A (e.g., ATAAPS, SLCADA); Pay Processing (DCPS); G/L (e.g., GAFS, STANFINS); Source Data; Disbursing (ADS)]
1. Understand and document the scope of the assessable unit to:
• Identify all material (based on dollar value) systems, process/sub-processes and service providers
• Allow for clear articulation of the scope of the assessable unit
• Serve as the starting point for identifying all material risks
Civilian Payroll Example: Overall End-to-End Process
2. Identifying all Key Risks and Outcomes
2. Identifying all key risks and related outcomes will:
• Help ensure that all key risks are included in the audit readiness scope and that all immaterial risks are scoped out
• Allow reporting entities to define outcomes that demonstrate success and measure progress
• Serve as the starting point for defining roles and responsibilities for all entities in the process (service providers)
2. Identifying all Key Risks and Outcomes
Civilian Payroll Example: Key Risks
[Process diagram: Source Data; Personnel (DCPDS); T&A (e.g., ATAAPS, SLCADA); Pay Processing (DCPS); G/L (e.g., GAFS, STANFINS); Disbursing (ADS), with the numbered risks below marked against the process]
1. Incorrect personnel information may be recorded
2. Personnel information is missing or incomplete
3. Incorrect time and attendance information may be recorded
4. Time and attendance information is missing or incomplete
5. Payroll may be calculated or processed incorrectly
6. Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly
7. All Payroll obligations, expenses, accruals and disbursements may not be recorded
8. Stale obligations and accruals may not be removed
9. IT General Controls may not be appropriately designed or operating effectively (See Backup Slide A for further details)
2. Identifying all Key Risks and Outcomes
No. | Risks | Outcomes
1 | Incorrect personnel information may be recorded | Civilian personnel actions are valid and recorded accurately
2 | Personnel information is missing or incomplete | All civilian personnel actions are recorded timely
3 | Incorrect time and attendance information may be recorded | T&A information is valid and is recorded correctly
4 | Time and attendance information is missing or incomplete | All T&A information is recorded timely
5 | Payroll may be calculated or processed incorrectly | Bi-weekly payroll is calculated and processed correctly
6 | Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly | Payroll obligations, expenses, accruals, and disbursements are valid and are correctly recorded in the General Ledger(s)
7 | All Payroll obligations, expenses, accruals and disbursements may not be recorded | All payroll obligations, expenses, accruals and disbursements are recorded in the General Ledger(s) timely
8 | Stale obligations and accruals may not be removed | All stale obligations and accruals are removed from the General Ledger(s) timely
9 | IT General Controls may not be appropriately designed or operating effectively | All material civilian payroll systems achieve relevant FISCAM objectives
Achieving outcomes means the risks of financial misstatement have been addressed
3. Establishing Roles and Responsibilities
Civilian Payroll Example: Roles and Responsibilities
[Process diagram: Personnel (DCPDS); T&A (e.g., ATAAPS, SLCADA); Pay Processing (DCPS); G/L (e.g., GAFS, STANFINS); Source Data; Disbursing (ADS). Responsible entities shown: DFAS; DCPAS; DISA Systems Environment; Reporting Entity]
NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits.
3. Establishing Roles and Responsibilities
When scoping audit readiness efforts, service providers must be considered. Primary areas of responsibility include the following:
1. Entities performing manual processes on behalf of the reporting entity
2. Entities owning systems who are responsible for establishing and maintaining IT application controls
3. Entities responsible for an application and performing manual processes
4. Entities hosting IT environments where applications reside
Establish roles and responsibilities with all service providers, including:
• Who will be responsible for achieving each outcome, including:
• Identification of manual and systems controls to mitigate risks
• Evaluation and testing of manual and systems controls
• Remediation, as necessary, to demonstrate outcome has been achieved
• Who will be responsible for evaluating the sufficiency of Key Supporting Documents proving outcomes have been achieved
• Documenting “who will do what, by when” in a Memorandum of Understanding (MOU) that is aligned to FIP tasks and dates
3. Establishing Roles and Responsibilities
Civilian Payroll Example: Personnel Action Risk
[Process diagram: Personnel (DCPDS); T&A (e.g., ATAAPS, SLCADA); Pay Processing (DCPS); G/L (e.g., GAFS, STANFINS); Source Data; Disbursing (ADS). Responsible entities shown: DFAS; DCPAS; DISA Systems Environment; Reporting Entity. Risk 1 is marked at three points in the process]
1. Incorrect personnel information may be recorded
3. Establishing Roles and Responsibilities
[Process diagram: Personnel (DCPDS); T&A (e.g., ATAAPS, SLCADA); Pay Processing (DCPS); G/L (e.g., GAFS, STANFINS); Disbursing (ADS), with the numbered Key Supporting Documents below marked against the process]
Key Supporting Documents:
1. SF-52 (RPA) and SF-50s (NPA)
2. Signed/approved timesheets
3. Other T&A Support: Leave slips, OT requests, etc.
4. Support for election changes (FEGLI, FEHB, etc.)
5. Reconciliation of Gross Pay File (with employee level pay period detail) to general ledger—demonstrating the completeness of any samples selected
6. Leave and Earnings Statement (LES)
7. Documentation supporting calculations for Obligations (unfilled customer orders and delivered orders (payroll accruals))
Risk shown on the slide: 6. Payroll obligations, expenses, accruals and disbursements may be recorded incorrectly
Reporting entities must also define who is responsible for evaluating and maintaining Key Supporting Documents
Audit Readiness Options
• Scenario A presents a documentation-based approach where audit readiness is demonstrated through testing a large portion of transactions to prove amounts are accurately recorded (ideal for small volume, large dollar populations)
• Scenario B presents a controls-based approach where a combination of manual and information technology controls are tested and relied upon to ensure transactions are accurately recorded (ideal for large volumes of small dollar transactions)
Select the most efficient means to demonstrate the outcome has been achieved.
Outcomes | Category | Approach: Documents/Controls | Detail | Responsible Party | Scenario A | Scenario B
Outcome (Contract Pay): Obligations are recorded accurately and represent valid contracts
• Documentation – Select a sample of obligations and verify they were accurately recorded and supported by valid contracts
– Beginning Balance: Test obligations as of the beginning of the year, tracing obligation back to signed contract documents and verifying amounts were accurately recorded in the general ledger (Responsible Party: Component)
– Current Year: Test new contract transactions, tracing obligations back to signed contract documents and verifying amounts were accurately recorded in the general ledger (Responsible Party: Component)
• Manual Controls – Controls based approach includes testing reviews of contracts and periodic reviews of user roles in SPS and the General Ledger
– Test a sample of contracts recorded in SPS to verify review and approval prior to contract issuance (Responsible Party: Component, DFAS)
– Test periodic reviews of SPS and General Ledger user roles (Responsible Party: Component, DFAS)
• IT Application Controls – Controls based approach includes testing SPS and General Ledger controls surrounding user roles in the system and edit checks
– SPS: (1) Test SPS user roles required to create, approve and modify contracts; and (2) test SPS accuracy edit checks (Responsible Party: DLA)
– General Ledger: (1) Test G/L user roles required to create, approve and modify contracts; and (2) test G/L accuracy edit checks (Responsible Party: Component/DFAS)
• IT General Controls – IT general controls over SPS and the General Ledger needed to rely on application business process controls
– Test IT general and application-level general controls related to SPS to achieve relevant FISCAM objectives (Responsible Party: Component)
– Test IT general and application-level general controls related to General Ledger to achieve relevant FISCAM objectives (Responsible Party: DISA)
Scenario A / Scenario B percentages: 15% 0%; 85% 5%; 40% 15%; 0% 40%; 100% 100%
What Next?
• 9 – 3.5 – 5.0 = 0.5 = Audit Ready
• Once a strategy has been defined and documented for an assessable unit, reporting entities should:
• Update FIPs and develop MOUs
• Commence Discovery phase audit readiness efforts
• Continually communicate with relevant service providers to ensure audit readiness efforts are coordinated
• Regularly assess and report on progress in achieving interim outcomes
Conclusion
Field Commanders Are Key to Translating Strategy into Action
Field Commander/Director must be fully engaged:
• Ensure management controls in place and operating
– Strong security controls on financial and feeder systems
– Identify and test key process controls
• Monitor levels of business discipline and accountability by asking questions such as:
– Are your contracts recorded accurately and timely?
– Are your financial obligations still valid?
– Are material receipts recorded accurately and timely?
– Are your financial decisions based on information in official systems?
– Can you rely upon internal control testing results to answer the questions above?
• Include audit readiness as part of command assessments
Backup
Assessable Units (cont’d)
In the following slides, each assessable unit will contain the following information:
– Key Risks of Financial Misstatement: Identification of key risks that may cause a financial statement balance to be inaccurate/invalid
– Key Risks and Outcomes: Identification of outcomes when each risk of financial misstatement has been successfully mitigated
– Roles and Responsibilities: Identification of entities with responsibilities in audit readiness efforts (Components and Service Providers)
– Key Supporting Documents: Documentation needed to support transactions and balances
– Considerations when Scoping Systems: Criteria to consider when scoping key systems to be included in audit readiness efforts, because:
1) Automated controls within the system are identified as key controls;
2) Systems are used to generate/store original key supporting documentation; or
3) Reports from a system are utilized in the execution of key manual controls.
Contract Pay: Key Risks of Financial Misstatement
[Process diagram: Acquisition/Contracting (e.g., SPS); EDA; Acceptance/Invoice Processing (WAWF); Entitlement/Disbursing (e.g., MOCAS); Disbursing (e.g., ADS, SRD-1, CDS); G/L (e.g., GAFS/STANFINS). Flows labelled: Obligations; Payables/Disbursements; Disbursements. The numbered risks below are marked against the process]
1. All obligations may not be recorded timely
2. Obligations may be recorded inaccurately or may be invalid
3. All accruals and/or payables may not be recorded timely
4. Accruals and/or payables may be recorded inaccurately or may be invalid
5. All disbursements may not be recorded timely
6. Disbursements may be recorded inaccurately or may be invalid
7. Stale or invalid obligations and accruals may not be removed
8. IT General Controls may not be appropriately designed or operating effectively
Identify and include all key risks and related outcomes in the audit readiness scope and exclude immaterial risks
Contract Pay: Key Risks and Outcomes
No. | Financial Reporting Risks | Outcomes Demonstrating Audit Readiness
1 | All obligations may not be recorded timely | All obligations are recorded in the correct period and within 10 days of award
2 | Obligations may be recorded inaccurately or may be invalid | Obligations are recorded accurately (correct amount, Treasury account, vendor, line of accounting (agrees to requisition), reporting entity) and contracts are valid (authorized/approved transactions supported by contract)
3 | All accruals and/or payables may not be recorded timely | All accruals and/or payables (for goods/services received not yet invoiced) are recorded in the correct period and within 10 days of receipt
4 | Accruals and/or payables may be recorded inaccurately or may be invalid | All accruals and/or payables are recorded accurately (correct amount, Treasury account, contract/obligation/line of accounting, reporting entity) and invoices are valid (authorized/approved transactions supported by evidence goods/services were received or otherwise due)
5 | All disbursements may not be recorded timely | All disbursements are recorded in the correct period and within 10 days of payment
6 | Disbursements may be recorded inaccurately or may be invalid | Disbursements are recorded accurately (correct amount, Treasury account, contract/obligation/line of accounting, reporting entity) and disbursements are valid (authorized/approved transactions supported by invoice and receiving report)
7 | Stale or invalid obligations and accruals may not be removed | All obligations and accruals are reviewed, and adjusted as necessary, at least three times per year
8 | IT General Controls may not be appropriately designed or operating effectively | All material systems achieve the relevant FISCAM IT general and application-level general control objectives
Achieving outcomes means the risks of financial misstatement have been addressed
Contract Pay: Roles and Responsibilities
[Process diagram: Acquisition/Contracting (e.g., SPS); EDA; Receipt/Invoice Processing (WAWF); Entitlement/Disbursing (e.g., MOCAS); Disbursing (e.g., ADS, SRD-1, CDS); G/L (e.g., GAFS/STANFINS). Flows labelled: Obligations; Payables/Disbursements; Disbursements. Responsible entities shown: DLA; Reporting Entity; DCMA; DFAS; DISA Systems Environment]
NOTE: The reporting entity has overall responsibility to ensure all relevant risks and controls are addressed for their audit readiness assertions and audits.
Contract Pay: Key Supporting Documents
[Process diagram: Define and Document Requirements; Acquisition/Contracting (e.g., SPS); EDA; Vendor Invoices; Receiving Reports; Receipt/Invoice Processing (WAWF); Entitlement/Disbursing (e.g., MOCAS); Disbursing (e.g., ADS, SRD-1, CDS); G/L (e.g., GAFS/STANFINS). Flows labelled: Obligations; Payables/Disbursements; Disbursements. The numbered documents below are marked against the process]
1. Contract and related documents
2. Invoices and Receiving Reports (DD-250)
3. Documentation supporting accruals
4. Disbursing voucher and related support
Contract Pay: Considerations when Scoping Systems
[Process diagram: Acquisition/Contracting (e.g., SPS); EDA; Receipt/Invoice Processing (WAWF); Entitlement/Disbursing (e.g., MOCAS); Disbursing (e.g., ADS, SRD-1, CDS); G/L (e.g., GAFS/STANFINS). Flows labelled: Obligations; Payables/Disbursements; Disbursements. The numbered considerations below are marked against the process]
1. IT controls must be reliable because the original contract and all modifications are generated, approved and retained in SPS/EDA.
2. IT controls must be reliable because the receiving report and invoices are approved and retained in WAWF.
3. IT controls must be reliable because contract calculations and allocations, as well as entitlement and release of disbursements are performed and maintained in MOCAS.
4. IT controls surrounding disbursing systems must be reliable as there are key automated application controls (e.g., data validity edit checks) relied upon for processing disbursements.
5. IT controls must be reliable for general ledger systems, unless components have implemented manual controls to ensure all obligations, accruals and disbursements are recorded, processed and reported completely, accurately and timely.