
KPMG GOVERNMENT INSTITUTE | 1

Navigating Service Provider and Service Receiver Audit Readiness Considerations in the Department of Defense through Leading Practices

June 2014

KPMG GOVERNMENT INSTITUTE Issue Brief

In the ongoing journey to prepare auditable financial statements, the Financial Improvement and Audit Readiness (FIAR) Guidance, November 2013, establishes the Department of Defense (DoD) methodology for its components to achieve audit readiness by legislatively-mandated deadlines. In recognition of the DoD’s prevalent use of Service Providers, as well as the financial impact they can pose on their customers (‘Service Receivers’), the FIAR Guidance addresses DoD component responsibilities for evaluating Service Provider/Receiver relationships and, based on their nature and financial relevance, carrying out necessary steps to support Department-wide audit readiness objectives.

The process of performing Service Provider/Receiver audit readiness evaluations can be challenging, as it requires detailed analysis of the Service Receiver’s financial information to determine Service Provider impacts, as well as coordination between both parties. These challenges are amplified in the DoD environment because of the Department’s historical tendency to focus interagency partnerships on operational elements. This can result in agreements that do not consistently address administrative requirements relevant to audit readiness (such as, requirements that Service Providers undergo periodic reviews of controls that help protect the integrity of Service Receiver financial information).

The desired outcome of DoD’s audit readiness initiative is the established capability to obtain an independent auditor’s unmodified opinion of full financial statements’ fair presentation. Activities geared toward achieving that outcome represent a ‘capability build-up’. That build-up is a journey marked by incremental milestones, such as DoD reporting entity audit readiness assertions, audit readiness examinations, and audits of portions of the final statements. Service Provider/Receiver audit readiness evaluations must be integrated into the process of building up Department audit readiness capability because the Department’s ability to achieve each of these milestones depends on the effective identification and evaluation of Service Provider/Receiver relationships.

To help Service Providers and Receivers successfully navigate this challenging aspect of audit readiness, this KPMG Government Institute Issue Brief summarizes key concepts and performance considerations representing leading practices associated with:

• Service Receiver/Provider relationship identification and evaluation to determine their relevance to the Service Receiver’s financial reporting processes and controls.

• Coordination required of DoD Service Providers and Receivers if financial reporting-relevant relationships are identified.

• Key success factors and lessons learned from audit readiness activities and financial statement audits.

• Scoping considerations for Service Providers undergoing Statement on Standards for Attestation Engagements (SSAE) No. 16 examinations.

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. NDPPS 277050


This Issue Brief was developed based on research into leading practices and lessons learned in supporting DoD audit readiness and sustainment initiatives of a variety of federal agencies, including some of DoD’s largest Service Receivers and Providers, as well as auditing 8 of the 15 cabinet-level federal agencies.

What are Service Providers and Service Receivers?1

A Service Provider is an entity that performs outsourced business processes and operations for its customers. Applied to audit readiness, services offered by Service Providers enhance or replace processes and controls performed by customers to receive and/or create, process and report their financial information. Service Providers may be other DoD components, non-DoD federal agencies or commercial entities.

An example of a Service Provider is an entity that processes payroll for others. This organization may (1) receive time and attendance transactions from customers; (2) use computer systems to validate transaction integrity, calculate and check customer employee payroll amounts and prepare disbursement files and customer financial reports; and (3) distribute these outputs. Financial reports and transaction files prepared by the Service Provider are used by customers to update their general ledger accounts related to employee payroll expense and disbursement. Because this organization plays a significant role in the validation, processing and reporting of its customers’ financial information, it is a Service Provider.

Service Receivers are entities that have outsourced functions relevant to financial reporting to other entities (Service Providers). In the above example, Service Receivers are the customers who outsource the validation, processing, disbursement and preparation of reports of employee payroll information to another organization. The external organization’s participation in the Service Receiver’s processing of employee payroll makes that organization an important part of the Receiver’s financial reporting capability, and thus establishes the Service Receiver/Provider relationship.

Example DoD Service Providers include the Defense Finance and Accounting Service (DFAS), Defense Information Systems Agency (DISA) and the Defense Logistics Agency (DLA).

1 In this Issue Brief, we use ‘Service Provider’ and ‘Service Receiver’ – expressions commonly used in DoD nomenclature and, in the case of ‘Service Provider’, specifically referenced in the DoD’s FIAR Guidance – in reference to the terms ‘Service Organization’ and ‘User Entity’ defined within the American Institute of Certified Public Accountants (AICPA) Attestation Standard (AT) 801, Reporting on Controls at a Service Organization, and Clarified Audit Standard (AU-C) 402, Audit Considerations Relating to an Entity Using a Service Organization. Further, we use the terms ‘Service Receiver’ and ‘customer’ based on context. Generally speaking, we use the term ‘customer’ to refer to entities for which services received have not (yet) been deemed financially relevant. We use the term ‘Service Receiver’ to refer to entities for which services received have been deemed financial-reporting relevant and, as a result, a Service Receiver/Provider relationship exists.

Why are Service Provider/Receiver relationships so important to DoD audit readiness?

DoD’s goal is to successfully undergo financial statement audits performed by independent auditors. A key aspect of an audit is the requirement that the auditor gain an understanding of financial reporting processes and controls, including controls performed by Service Providers. If controls are ineffective, the likelihood of misstatements in the financial statements will increase.

Service Providers perform key processes and controls that impact their customer’s financial information and thus are part of the Service Receiver’s control environment considered by the Service Receiver’s auditor. Given the prevalence of Service Providers in DoD, if key Service Receiver/Provider relationships are not identified and evaluated and effective controls are not in place, risks that financial statements contain misstatements dramatically increase. This jeopardizes Department initiatives to become ‘audit ready’.

A Road Map for Service Receiver/Provider relationship identification and evaluation

Mandates of the Secretary of Defense currently require that DoD have the capability in place to successfully support financial statement audits by 2017. This target date creates timeline pressures that amplify the need for proper coordination of audit readiness tasks, including those related to the identification and evaluation of Service Receiver/Provider relationships. We will now outline a road map approach for Service Receivers and Providers to assess financially relevant services, agree on actions to achieve audit readiness, and carry out those actions. This approach is summarized in the following high-level process flow diagram (Figure 1) and detailed in the sections that follow.

Relationship identification/evaluation

First, Service Receivers and Providers must ‘look within’ to understand financially relevant relationships. The output of this exercise is the identification of relationships that are relevant to Service Receiver financial reporting processes.

For Service Receivers, this requires an understanding of activities and controls that drive the processing and reporting of transactions in the financial statements. Absent previously existing documentation, Service Receivers should identify the significant classes of transactions, accounts, and disclosures in their financial statements and ‘walk through’ the business processes that result in the creation, authorization, processing, recording and reporting of applicable transactions. Walk-throughs should include identification of key risks that might result in financial data inaccuracies and the corresponding controls that address those risks. If external organizations perform controls identified in walk-throughs, a Service Provider relationship exists. Service Receivers should review Service Level Agreements (SLAs), Memorandums of Agreement (MOAs) and other agreements with such organizations to clarify their understanding of the relationship. It is important to note that Service Providers may be DoD organizations, such as DFAS or DISA, or other federal agencies and/or commercial entities that provide relevant services to Receivers. Service Receivers should not limit their consideration of potential Service Provider relationships to one or two of these parties.

Figure 1: The Service Receiver/Provider Relationship Evaluation Process Flow (four steps, in order): (1) Relationship Identification/Evaluation; (2) Service Receiver/Provider Coordination/Agreement; (3) Execute the Audit Readiness Strategy; (4) Review and Evaluate Audit Support Outputs, and Respond.

Service Receivers should also consider the following when evaluating business processes for Service Provider impact:

• The specific effect of Service Providers on Service Receiver financial data. Do Service Providers perform services that impact the completeness, accuracy, propriety or timeliness of the Receiver’s financial information?

• Whether the Service Provider already undergoes annual Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Internal Controls at a Service Organization, examinations (in which case Service Receivers should obtain and review the Service Provider’s most recent Service Organization Controls (SOC) 1 report to further their understanding of the Service Provider’s impact on the Service Receiver’s financial reporting processes). See pages 3 and 4 for an overview of SSAE No. 16 examinations and SOC 1 reports.

• Whether existing SLAs or analogous agreement documentation address responsibilities that may already support audit readiness, such as the Service Provider’s agreement to obtain an annual SSAE No. 16 examination and/or perform/support and communicate the results of periodic control assessments.

For Service Providers, services should be evaluated to determine how they impact customer financial reporting processes and controls. Depending on the nature of services, many Providers have little or no understanding of the role they play in their customers’ financial reporting processes and controls. As a result, Providers may be unable to perform a conclusive analysis of the relevance of their services to customer financial reporting. In such cases, the Service Provider should coordinate with customers to confirm their preliminary assessment.

Application hosting organizations, such as DISA, are considered Service Providers because they provide configuration management, physical, logical, and computer operations controls that help protect the integrity of Service Receiver application programs and financial data.


Service Providers should consider the following when evaluating their services:

• Services that include processes and controls supporting the initiation, authorization, processing, recording and/or reporting of customer financial transactions.

• Performance requirements documented in SLAs, MOAs and/or analogous agreements.

• The number of customers to which financial reporting-relevant services are provided.

• Standard services offered to most, or all, customers versus unique services offered to only one or a few customers.

Service Receiver/Provider Coordination and Agreement

Once a relationship is identified, Service Receivers and Providers must agree on each party’s audit readiness responsibilities. When developing the agreement, they must focus on the identification of support activities the Service Provider will perform to help establish Service Receiver audit readiness; that is, the Service Receiver’s ability to demonstrate to its auditor that the control environment, including key Service Provider controls, is effective.

This coordination should occur through (1) the exchange of information regarding the nature of the relationship, responsibilities of each party and the impact of services on Service Receiver financial information; (2) one or more moderated discussions between the Service Receiver and Provider to confirm understanding of this information and develop the Service Provider’s support role; and (3) each party’s agreement on audit readiness roles and responsibilities.

Mutual understanding of the nature of the relationship, each party’s responsibilities, and the impact of services on Service Receiver financial information is critical as it provides the insight required to identify the appropriate Service Provider support activities. Because different support options offer varying levels of audit assurance, some of which may not satisfy Service Receiver auditors, choosing the proper support option is critical. Figure 2 provides an overview of various Service Provider support options and associated assurance levels.


Figure 2: Assurance Provided by Various Service Provider Support Options. Auditor’s Assurance Spectrum, from less assurance (auditor less likely to rely) to more assurance (auditor more likely to rely): Zero Assurance; Service Provider representations (no documentation); Service Provider-performed self-assessment documentation; [Auditor Reliance Demarcation Line]; Properly-scoped SOC 1 report; Service Provider’s controls are tested by the Service Receiver’s auditor.

The following provides details about each Service Provider support option.

• Undergo an independent auditor’s examination performed in accordance with SSAE No. 16 and provide the resulting SOC 1 report to Service Receivers. SSAE No. 16 (issued by the American Institute of Certified Public Accountants and included by reference in Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States) is a professional standard that defines requirements for independent auditors conducting an examination of Service Provider processes and controls.2 This process culminates with the auditor’s issuance of an opinion regarding the effectiveness of those controls. SSAE No. 16 establishes the SOC 1 report as a means by which the Service Receiver’s financial statement auditors can obtain assurance that Service Provider controls were effective during the period covered by the report. This examination option is best for Service Providers whose services are standardized and used by many Service Receivers.

• Allow the Service Receiver’s auditors to test key controls performed by the Service Provider. In this scenario, the Service Provider opens its doors to the Service Receiver’s auditors to test the effectiveness of Service Provider controls relevant to the Service Receiver’s financial reporting processes. This option makes most sense when the Service Provider performs unique services for only one or a few Service Receivers. As the number of Service Receivers who are provided similar services increases, this option loses its draw, as the Service Provider is faced with the prospect of responding to many different groups of Service Receiver auditors interested in testing the same set of controls, which is neither efficient nor cost effective.

• Perform control self assessments, assert to the effectiveness of key controls and make testing documentation available to Service Receivers on an as-requested basis. Service Receiver auditors cannot rely on Service Provider assertions and/or self assessment documentation alone to plan financial statement audit testing. However, this support option may be worth considering if the Service Provider performs controls that are related to but do not significantly impact Service Receiver financial reporting and wishes to have information about such controls available should Service Receiver auditors request it.

Service Providers may need to support Service Receiver audit readiness initiatives using more than one of the above options. For example, the Service Provider may offer a common set of services for most Receivers, as well as specialized services for a few or only one Receiver. In this case, the Service Provider may decide to undergo an SSAE No. 16 examination covering common services and support individual Service Receiver auditor requests to test controls associated with specialized services performed by the Service Provider. Auditors of Service Receivers that receive both common and specialized services may rely on the SOC 1 report and test specialized controls performed by the Service Provider.

There are other ways Service Providers may need to support Service Receivers’ audit readiness initiatives. Some Service Receiver/Provider relationships have been established so that only the Service Provider can generate certain documents required by Service Receiver auditors to test Service Receiver controls. In such cases, the Service Receiver and Provider should agree to standard protocols for the Service Provider’s timely preparation and delivery of such documents or, if feasible, establish a capability for the Service Receiver to prepare and deliver the documents without the Service Provider’s assistance.


2 Such auditors are commonly referenced as ‘Service Auditors’.


FIAR Guidance requires that Service Receivers and Providers document agreements regarding audit readiness responsibilities.

For example, certain DISA customer agreements are structured so that the Service Receiver is responsible for preparing, testing and authorizing financial application program changes, and DISA is responsible for installing them into the production environment. In some cases, only DISA has access to the software tools necessary to generate a system-based list of financial application program changes that have been installed over a period of time. Service Receiver auditors may request program change lists for use in control evaluation procedures to determine whether specific changes were tested and authorized by Service Receiver management. As such, DISA and its Service Receivers should develop protocols regarding DISA’s preparation of program change lists or, better yet, establish the capability for Service Receivers to generate the lists without DISA’s assistance.

Once both parties agree on the division of responsibilities and Service Provider support to be provided, they should formalize the agreement through an audit readiness Memorandum of Understanding (MOU) or analogous document. At a minimum, the agreement should establish (1) the services, business processes and computer systems that impact the Service Receiver’s financial information; (2) responsibilities for performing key controls that impact the Service Receiver’s financial information; and (3) the nature and timing of Service Provider support activities, including protocols and the individuals responsible for responding to periodic and ad hoc audit support requests by the Service Receiver.

Execute the audit readiness strategy

With an executed agreement, the Service Receiver and Provider have a baseline to follow in fulfilling their responsibilities. If the agreement is properly formed, requirements for carrying out recurring and ad hoc support activities are known and can be followed in a standard and orderly fashion. If not already built into the agreement, Service Receivers and Providers should establish periodic meetings to discuss the status of various audit readiness support activities and potential issues. After the end of each annual Service Receiver audit cycle (that is, following the Service Receiver auditor’s issuance of an audit report), Service Receivers and Providers should revisit audit readiness or sustainment activities from the previous year to identify lessons learned and opportunities to improve and, if necessary, modify audit readiness support agreements.

Review and evaluate audit support outputs and respond as needed

The outputs of Service Provider support activities are reviewed by Service Receivers and their auditors (‘reviewers’). Depending on the nature of support provided, output may consist of (1) SOC 1 reports, (2) testing documentation prepared by Service Receivers and/or their auditors evaluating the Service Provider’s controls and (3) documents requested by the Service Receiver or its auditor that are needed to test the Service Receiver’s controls. Additional considerations associated with the evaluation of and response to certain audit support outputs are described below.

The SOC 1 Report

The purpose of a SOC 1 report is to provide readers with information that will help them develop an understanding of the Service Provider’s impact on the Service Receiver’s financial reporting processes and controls, and whether Service Provider controls were effective. To that end, reviewers should read the entire SOC 1 report to make sure they understand:

• The report type and availability: It should be a ‘Type 2’ SOC 1 report – not a ‘Type 1’3; its scope should include services provided to the Service Receiver, covering most or all of the time period relevant to the Service Receiver’s fiscal year; and it should be made available to Service Receiver auditors with sufficient time to use the report for their financial statement audit (in the federal fiscal year, generally no later than the end of August). If not, the Service Receiver may need to work with the Service Provider to obtain additional information related to the coverage gap(s). Alternatively, the Service Receiver or its auditor may be able to identify Service Receiver controls that cover the gap(s).

• Complementary User Entity Controls (CUECs): CUECs are controls the Service Provider expects Service Receivers to have in place to help achieve control objectives included in the SOC 1 report. For example, a Service Provider may specify a CUEC that Service Receivers approve their employees’ access to a Service Provider-managed computer system. If Service Receivers do not have this control in place, the Service Provider’s system may be subject to elevated risks of unauthorized access, even if Service Provider access controls are effective. As such, Service Receiver auditors using a SOC 1 report test relevant CUECs to determine whether they are effective. Service Receivers preparing for future audits should do the same.

3 Type 2 SOC 1 reports include auditor tests and results regarding the operating effectiveness of controls over a period of time. Type 1 SOC 1 reports do not include these elements and thus are of limited use to Service Receiver financial statement auditors. FIAR Guidance requires that DoD Service Providers undergoing SSAE 16 examinations obtain Type 2 reports from their independent auditors.


• Subservice organizations: Subservice organizations are entities providing services to the Service Provider that impact the controls covered in the SOC 1 report. As an example, DFAS is a Service Provider of payroll processing services to DoD components and other government agencies. In order to deliver those services, DFAS contracts with DISA to provide data center management and application hosting services for DFAS’s key payroll processing computer systems. DISA is a subservice organization to DFAS because it performs several controls (including, but not limited to, operating system, physical access and backup management controls) that are key to DFAS and, by extension, Service Receivers of DFAS.

  Auditors using a SOC 1 report review the report’s description of subservice organizations to determine whether they perform controls that impact the Service Receiver’s financial information. The Service Receiver auditor may find it necessary to treat the subservice organization as a ‘nested’ Service Provider and, as such, subject it to evaluation procedures similar to those applied to the top-level Service Provider. In the example above, Service Receiver auditors may determine it necessary to obtain and review DISA’s hosting service SOC 1 report upon identification of DISA as a subservice organization in DFAS’s payroll processing SOC 1 reports. As such, Service Receivers should coordinate with Service Providers to identify and evaluate the Provider’s subservice organizations, and, for subservice organizations deemed relevant to Service Receiver financial reporting processes, agree with the Service Provider and/or subservice organization on the appropriate support to be provided.

Key considerations when reviewing a SOC 1 report:

1. Is the report ‘Type 1’ or ‘Type 2’?

2. Coverage (are services, systems, and time period of interest to the reviewer covered?)

3. Availability (will the report be issued in time for Service Receiver auditors to use it?)

4. Results of the auditor’s testing (were there any control weaknesses identified?)

5. CUECs (are there controls the Service Receiver should have in place?)

6. Subservice organizations (are there organizations that provide relevant services to the Service Provider?)

• Control weaknesses: If the service auditor identifies control weaknesses and reports such weaknesses in the SOC 1 report, the Service Receiver should evaluate the impact of these weaknesses on each of the Service Receiver’s business processes and overall control environment. The Service Receiver’s evaluation should result in identification of any specific risks of misstatement of Service Receiver’s financial data, as well as other Service Provider or Service Receiver controls that may mitigate risks. Compensating controls need to be identified and tested within the Service Receiver’s operating environment to determine whether they could be relied upon and were suitably designed and operating effectively during the period of interest to the Service Receiver.

Other Service Provider Support Outputs

Other Service Provider support outputs include self-assessment test documentation and Service Provider control testing completed by the Service Receiver and/or the Service Receiver’s auditors. These outputs should be reviewed to determine whether testing covers processes, controls and the time period of interest to the Service Receiver and their auditor. If Service Provider support outputs do not cover control elements and/or time periods of interest to the Service Receiver, or control weaknesses are noted, the Service Receiver should seek additional information and/or identify and test compensating controls as described in the bullets above.

Key Success Factors and Lessons Learned

In working with DoD and others on audit readiness-related activities, serving as financial statement auditors and in conducting SSAE No. 16 examinations, we have noted key success factors and lessons learned. The following actions have helped organizations, including several DoD components, effectively identify and evaluate Service Receiver/Provider relationships, agree upon audit readiness and sustainment support requirements and realize objectives associated with establishing an effective control environment.

Be PROACTIVE and INCLUSIVE

• Don’t wait. If you haven’t already, begin evaluating relationships your organization has with Service Providers/Receivers now.

• Make sure the right parties are at the table to participate in evaluations and Service Provider/Receiver support negotiations. If the right parties are not participating, Service Provider/Receiver coordination activities may be hindered.

• Timing is key. Know your own/Service Receiver audit readiness timelines and plan coordination and support activities accordingly.

UNDERSTAND relationships with other organizations

• Is your organization a Service Provider? A Service Receiver? Or both?

• Service Receivers: Don’t assume your Service Provider does everything. Evaluate your processes and review SLAs or analogous documents to clarify understanding of who performs which processes and controls.


COMMUNICATE early and often

• Discuss relationships, dependencies and responsibilities internally and with the other party’s representatives.

• Establish regular touch point sessions throughout the fiscal year to set and refine responsibilities so both parties remain on task and on time.

DOCUMENT roles and responsibilities

• FIAR Guidance requires that audit readiness responsibilities be defined in a MOU or analogous agreement document.

• Formally documenting the Service Provider/Receiver agreement (1) provides a baseline for both parties to follow, (2) establishes the protocols so execution is not delayed, (3) takes the guesswork out of many of the coordination and support activities that need to be completed and (4) helps avoid pitfalls associated with both parties’ efforts to help ensure Service Receivers are ready to undergo financial statement audits.

It’s a MARATHON, not a Sprint

• Audit support and sustainment capabilities don’t instantaneously materialize in their final/optimized form. They are developed and refined over the course of several annual audit cycles, based on lessons learned over time, training and by adapting the support model to changes in the Service Receiver’s and/or Provider’s services, business processes, systems and/or controls. The implication for Service Receivers and Providers is not to expect initial financial statement audits and SSAE No. 16 examinations to necessarily result in ‘clean’ reports (i.e., reports with no findings and/or qualifications to the auditor’s opinion); however, those initial engagements provide the lessons learned that Service Receivers and Providers can implement to obtain ‘clean’ reports in subsequent financial statement audits and SSAE No. 16 examinations. As such, Service Receivers and Providers should focus on continuous improvement of their respective control environments, maintaining robust communication with each other throughout the audit cycle and refining audit readiness agreements based on lessons learned from previous cycles.

Considerations for Service Receivers and their Providers undergoing SSAE 16 examinations

In addition to the above key success factors and lessons learned, Service Providers should consider the following when scoping SSAE No. 16 examinations:

• SSAE No. 16 examinations should be scoped to accommodate the collective needs of the Service Receiver community and, as such, may not address all needs of each individual Service Receiver. Thus, Service Provider services, business processes, locations and control activities considered relevant to most or all Receivers should be considered first.

• Resulting SOC 1 reports should clearly highlight subservice organizations as well as CUECs so Service Receivers and their auditors can readily identify them and adjust testing methods as appropriate. As a leading practice, the Service Provider should vet CUECs by reviewing SLAs and holding discussions with key Service Receivers. Both subservice organizations and CUECs should be documented in corresponding MOUs or analogous documents.

• The SSAE No. 16 examination should cover the appropriate period (at least 75 percent of Service Receiver community’s fiscal year), and the resulting SOC 1 report should be made available to Service Receivers in time for their management and auditors to consider and react to results (in the federal government, generally no later than the end of August).


Final Thoughts

As DoD continues its march towards audit readiness target dates, the need for Service Receivers and Providers to come together in support of Department-wide financial improvement initiatives intensifies. Any Service Provider relationships based on handshake-driven and inconsistently-documented partnerships may hinder Department-wide audit readiness goals. The result can be a complex web of semi-defined component interrelationships in which financial governance and audit readiness requirements are often unclear and unsupported. The potential for these conditions highlights the need for a well-established process for identifying, evaluating and developing audit support requirements for Service Provider relationships that impact Service Receiver financial information.

The military services and DoD support components alike can position themselves and the Department as a whole to achieve audit readiness objectives by applying a similar level of discipline to the process of Service Receiver/Provider relationship identification and evaluation. The approach outlined in this Issue Brief provides the DoD with a baseline of leading practices for successfully executing that process.


Contact us

Geoffrey L. Weber, Principal, Advisory. T: + 703-286-8480, E: [email protected]

Phillip B. Moore, Managing Director, Advisory. T: + 703-286-8678, E: [email protected]

Stephen L. Camara, Director, Advisory. T: + 804-782-4445, E: [email protected]

About the KPMG Government Institute

The KPMG Government Institute was established to serve as a strategic resource for government at all levels, and also for higher education and nonprofit entities seeking to achieve high standards of accountability, transparency, and performance. The Institute is a forum for ideas, a place to share leading practices, and a source of thought leadership to help governments address difficult challenges, such as effective performance management, regulatory compliance, and fully leveraging technology.

For more information, visit us at: www.kpmginstitutes.com/government-institute/

This Issue Brief was developed by the KPMG Government Institute with assistance from Advisory Manager John A. Heath, Advisory Manager Mary K. Stauffer and Senior Associate Lynne Munsey.

Jeffrey C. Steinhoff, Executive Director, [email protected]

kpmg.com