Work Shop 59: How DoD Financial Management Systems Play a Key Role in Auditability and Managing DoD's Financial Resources
June 1, 1045-1200
Presenters: Mr. Andrew Morgan, Ms. Mobola Kadiri, Mr. William Roberts and Mr. Jeff Green. Moderator: Mr. John Argodale


Mr. Andrew Morgan: Army Information Management Perspective
ASA (FM&C)

Army Systems: What is the State of Play? (slide 2)

A Complex “As-Is” Financial Enterprise Architecture

Slide navigation: State of Play | The Problem | How to Evolve | Simplify | Standardize | Integrate | Next-Gen Tech | End State | Align to Audit

What is the Problem? (slide 3)

Major Issues Across the Board (FM Domain):
• Partially Implemented Data Standards
• Aging Systems
• Outdated/Unsupported Technologies
• Too Many Point-to-Point Interfaces
• Capabilities No Longer Needed
• Stovepipes
• Redundant Systems and Processes
• Orphan Capabilities
• Mixed Legacy and ERP Environment
• Morass of Feeder Systems
• Billions Spent Without Being Auditable
• Significant Audit Issues

How will the Army Evolve? (slide 4)

The Data Lake: Army Enterprise Business Intelligence Approach

[Diagram labels: Data Engineering; Big Data Platform; Data Lake with Supporting Infrastructure; Sensor, Unstructured & Structured Data; Analytical Tools; Visualization Tools; Data Science; ERP Environment (AESIP, GCSS-A, LMP, GFEBS, IPPS-A); Legacy Data; End User Data; Training Data (ATIS); LOGSA (LIW)]

Bottom Line: One-of-a-kind capability within DoD being built today in ERP Enclave within DISA-DECC Ogden and St. Louis. Big Data Pilot(s) in execution. Requires DOTML approach to Big Data Analytics.

What is the Tie to Audit? (slide 5)

Audit: The Way Ahead
• Complete an audit of the full Statement of Budgetary Resources in FY17
• Continue to hold ourselves and our teams accountable for corrective actions
• Enhance governance, outreach and communications
• Conduct valuation of property, plant and equipment
• Establish and implement strong internal controls for the physical inventories of assets
• Establish central location for data to support reconciliation of financials with feeder systems
• Continue to enhance partnerships with stakeholders
• Complete validation and execution of FY15/FY16 corrective actions for Schedule of Budgetary Activity

Army System    Number of NFRs
GFEBS          13
GCSS-A          9
LMP            11
SOMARDS         4
DCAS            1
ELECTRA         3
HQARS           1
STANFINS        1
DDS             6
AFCOS           6
JUSTIS          7
MUP             6
SIDPERS         6
ATAAPS          3
AutoNOA         7
BATS            4
eMILPO          7
FCM             2
PADDS           7
SPS-PD2         2
RECMOD          4
TAPDB-AE        4
RLAS           15

What is the End State? (slide 6)

↓ Costs
↓ Re-work
↓ Reconciliations
↓ Complexity
↓ Interfaces
↓ Systems Controls
↓ FISCAM Controls
↓ Unmatched

↑ Command $$$
↑ Audit Sustainment
↑ Speed to Audit
↑ Accurate Payments
↑ Timely Payments
↑ Accurate G/L
↑ Timely G/L

Ms. Mobola Kadiri: DoD FIAR Perspective

FFMIA and IT Audit Readiness (slide 8)
IT Audit Readiness

• The Federal Financial Management Improvement Act of 1996 (FFMIA) emphasizes the need for agencies to have systems that can generate timely, accurate, and useful information with which to make informed decisions and to ensure accountability on an ongoing basis.
• Auditors use the GAO’s Federal Information Systems Control Audit Manual (FISCAM) to help assess compliance with FFMIA for information system internal controls.
• OUSD(C) has identified the minimum control objectives in the FISCAM that DoD Components should consider when becoming audit ready. These minimum objectives are defined in the FIAR Guidance.
• IT General Control Objectives:
– Security Management
– Access Controls
– Configuration Management
– Segregation of Duties
– Contingency Planning*

Key IT Audit Readiness Requirements
Enough of the “right” controls need to be in place to satisfy the objectives.
This is not a check / count the boxes exercise.

* While operationally important, may not be considered as key by some auditors to a financial statement audit.

Importance of IT Controls to Financial Statement Audit (slide 9)

Due to the pervasive role of systems in the end to end business processes, IT controls must be designed and operating effectively.

An auditor’s ability to rely on IT controls directly affects audit and audit support costs.

Level of Controls Reliance         Auditor Sample Sizes    Result
High Internal Controls Reliance    Minimum Sample Sizes    Optimum for a large financial statement audit
Some Internal Controls Reliance    Reduced Sample Sizes    Sufficient for a financial statement audit
No Internal Controls Reliance      Maximum Sample Sizes    10s to 100s of thousands of sample items across DoD; inefficient and unsustainable

Evaluating IT Controls Audit Readiness (slide 10)

Follow your transactions from end-to-end (including Service Providers) to identify your audit-relevant systems and controls.

Identify all Audit-Relevant Applications

[Diagram: representative contract / vendor pay process flow. Process steps: Place Order; Write Contract; Receive / Accept / Enter Invoice; Entitle Payment; Disburse / Distribute; Accounting; Financial Reporting; Financial Statements. Swimlanes: Reporting Entity (and/or Service Organization); DFAS (and/or Reporting Entity); DFAS. Systems shown: STORES, EMALL, Other; SPS, CONWRITE, PADDS, Other; iRAPT, Other; MOCAS, CAPS-W, OnePay, IAPS, Other; ADS, DDS, etc.; STANFINS, SOMARDS, GFEBS, LMP, STARS, NERP, SABRES, GAFS, DEAMS, DAI, EBS, …; ODS; DCAS, CCAS, ART, Other; DDRS. Legend: I = Input Control Point, P = Processing Control Point, O = Output Control Point; Interface / Input.]

Note: This is a representative contract / vendor pay diagram that may vary by entity.

Audit Readiness Challenges in the Current Environment (slide 11)

Many legacy applications lack necessary data validity checks and posting logic, are not compliant with FFMIA, SFIS, SLOA, …, and updates are impractical.

There are simply too many applications with too many interfaces owned by too many organizations on too many platforms hosted in too many data centers.

Sustainment of Audit Readiness in the Future (slide 12)

DoD will only achieve a high level of reliance on IT controls by drastically reducing its number of audit-relevant systems through full deployment of ERP functionality.

1. Consolidate audit relevant applications into fewer data centers.
2. Increase standardization of business processes and reduce the number of redundant legacy applications performing essentially the same business function.
3. Leverage the capabilities of ERP solutions to further reduce the number of applications.

[Diagram: contract / vendor pay process steps (Place Order; Write Contract; Receive / Accept / Enter Invoice; Entitle Payment; Disburse / Distribute; Accounting; Financial Reporting; Financial Statements) and swimlanes (Reporting Entity (and/or Service Organization); DFAS (and/or Reporting Entity); DFAS), with an ERP and DDRS as the only systems shown. Legend: I = Input Control Point, P = Processing Control Point, O = Output Control Point; Interface / Input.]

Note: This is a representative diagram that may vary by entity.

Mr. William Roberts: Army Audit Readiness Perspective

Accountability & Audit Readiness: Sustaining Army’s Strength

Key Issues Identified (slide 14)

Findings across systems as % of total:
Policies and Procedures    21%
Password Controls           3%
Audit Logging               7%
User Access Management     18%
Documentation              31%
Technical system change     8%
Training                    3%
Business Process            8%
Testing                     1%

• Lack of documentation over key policies and procedures in accordance with DoD requirements, National Institute of Standards and Technology (NIST) or Office of Management and Budget (OMB) Memorandums.
• Inability to provide documentation in a timely manner when requested by an auditor.
• Inability to provide evidence of performance in accordance with policies and procedures, including:
– Lack of execution of procedures at the frequency defined in policies and procedures
– Inability to provide the necessary levels of approvals for procedures
– Inability to provide evidence of review of key business process and IT procedures by an appropriate level of management
• Inability of process owners to satisfy all requested meetings and observations by the auditor.

Access Controls (slide 15)

• Weak password controls that increased the risk of unauthorized system access.
• Inability to perform periodic access reviews at the frequency defined in policies and procedures.
• No formal audit log or transaction review policy, which increases the risk of unauthorized or inappropriate activity without detection or management knowledge.
• Lack of a central access control monitoring process to support validation of separated or transferred personnel (civilian, military, contractor, detailed personnel). [Entity-level finding]
• Lack of periodic review of database administrator accounts (DBAs) and operating system administrators, increasing the risk that users may be assigned unnecessary or excessive access to database and system functionality.
• Inability to provide formal Access Control policies and procedures that detail the following:
– User access provisioning
– Granting, modifying, and removing user access
– Transferred and terminated users
– User inactivity/invalid attempts
– Managing authenticators
– User access reviews (to include database administrator accounts (DBAs) and operating system administrators)
– Audit logging, to include:
  • Access logs/transaction logs
  • Independent monitoring of application security audit logs
  • Review of audit logs

Configuration Management (slide 16)

• Ineffective/inadequate patch management across the IT environment or inability to provide evidence of patches applied to the environment.
• Inability to provide evidence of appropriate levels of approvals, and documentation of test results of changes migrated to production.
• Configuration settings were not appropriately configured based on DoD, NIST and OMB guidelines.
• Vulnerabilities identified were not appropriately tracked and addressed in the audit period.
• Inability to provide evidence of restricted access (or system-generated user listings) to maintenance, development, testing and production libraries.
• Inability to provide formal Configuration Management policies and procedures that detail the following:
– Requirements for performing and documenting program change testing and approval
– A formalized testing and approval plan for the change releases
– Job roles and descriptions for individuals involved in the change management process
– Emergency change protocol
– Documentation requirements and tracking of configuration changes

Segregation of Duties (slide 17)

• Key user accounts were not configured to prevent access related to their own transactions or were allowed to configure their own access within an application.
• Applications were not configured to enforce documented segregation of duties for key user accounts.
• Security administrators granted users access to conflicting privileges within the audit period.
• Inability to provide formal Separation of Duties policies and procedures that cover the following:
– Identification and prevention of incompatible duties conflicts
– Approval of incompatible duties conflicts
– Use of group/generic accounts and passwords

Financial Management Systems Audit Readiness (slide 18)

Critical activities
• Compliance with Federal and DoD standards and regulations
• Adapting to new Federal standards (i.e. NIST Risk Management Framework)
• Identification and execution of key controls that support multiple Federal requirements
• Understanding key controls, compensating controls, and monitoring controls in key end-to-end processes (related to financial reporting)

Mr. Jeff Green: Independent Public Accountant’s (IPA) Auditor Perspective

Background (slide 20)

• Information technology (IT) systems are material components of a financial statement audit
– The Department of Defense (DoD) is too large an entity to efficiently conduct a substantive-based audit
• Effective reliance on internal controls reduces the scope of audit testing
– Smaller sample sizes
• Effective reliance cannot be obtained without having auditable systems

Key Audit Areas for IT (slide 21)

• Configuration Management
– Are software changes to financial systems tested prior to production?
– Are software changes in production approved by management and recorded in the organization’s change management system?
• Interfaces – When the financial systems interface with feeder systems, how does management know the following:
– Are the interfaces completed successfully every day?
– Does data between the two systems (legacy and financial) reconcile?
– Are interface errors corrected in a timely manner and transactions recorded in the proper period?
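An added example (not part of the presentation) of the checks behind the three interface questions: a reconciliation of a constructed feeder-system extract against constructed financial-system postings and an interface run log. The record layouts, transaction ids and status values are assumptions.

```python
"""Interface reconciliation between a feeder system and the financial
system. Hypothetical record layouts; every record below is constructed."""
from decimal import Decimal

# Constructed feeder-system transactions: (txn_id, business date, amount)
FEEDER = [
    ("F1001", "2017-05-30", Decimal("1250.00")),
    ("F1002", "2017-05-30", Decimal("80.25")),
    ("F1003", "2017-05-31", Decimal("400.00")),
    ("F1004", "2017-05-31", Decimal("15.00")),
    ("F1005", "2017-06-01", Decimal("99.99")),
]
# Constructed financial-system postings: (txn_id, accounting period, amount)
POSTED = [
    ("F1001", "2017-05", Decimal("1250.00")),
    ("F1002", "2017-05", Decimal("80.52")),   # amount differs from feeder
    ("F1003", "2017-06", Decimal("400.00")),  # posted in the wrong period
    ("F1005", "2017-06", Decimal("99.99")),
]                                              # F1004 was never posted
# Constructed interface run log: business date -> run status
RUN_LOG = {"2017-05-30": "SUCCESS", "2017-05-31": "FAILED", "2017-06-01": "SUCCESS"}


def reconcile(feeder, posted, run_log):
    """Did every daily run complete, do the two systems agree record by
    record and in total, and was each transaction posted in the period
    of its business date (YYYY-MM)?"""
    exceptions = []
    posted_by_id = {rec[0]: rec for rec in posted}
    for txn_id, business_date, amount in feeder:
        if txn_id not in posted_by_id:
            exceptions.append((txn_id, "MISSING_IN_GL"))
            continue
        _, period, gl_amount = posted_by_id[txn_id]
        if gl_amount != amount:
            exceptions.append((txn_id, f"AMOUNT_DIFF {amount - gl_amount}"))
        if period != business_date[:7]:
            exceptions.append((txn_id, f"WRONG_PERIOD {period} != {business_date[:7]}"))
    # Postings with no originating feeder record are exceptions as well.
    orphans = set(posted_by_id) - {rec[0] for rec in feeder}
    exceptions += [(txn_id, "NOT_IN_FEEDER") for txn_id in sorted(orphans)]
    failed_runs = sorted(day for day, status in run_log.items() if status != "SUCCESS")
    return {
        "failed_runs": failed_runs,
        "exceptions": exceptions,
        "feeder_total": sum(amt for _, _, amt in feeder),
        "gl_total": sum(amt for _, _, amt in posted),
    }
```

The control totals alone would not show that F1003 landed in the wrong period, which is why the period check runs per record.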

Key Audit Areas for IT (slide 22)

• Segregation of duties (SOD) – User roles should be defined and evaluated to identify conflicts with other system roles. SOD conflicts could allow users to manipulate financial data or commit fraudulent transactions without being detected. Examples include:
– Journal voucher (JV) entry and approval (Risks – fraudulent financial statements and balances prone to errors)
– Creating a new hire and assigning time and attendance (Risk – fraudulent transactions resulting from fictitious employees)
– Changing the vendor table and processing a disbursement (Risk – fraudulent transactions resulting from fictitious vendors)
– Programmers with access to the production/live environment (Risk – individuals may inappropriately change how the system posts general ledger [GL] transactions or how money is disbursed)

Key Audit Areas for IT (slide 23)

• Monitoring – Users with elevated privileges could use their access to circumvent SOD controls:
– System administrators could create excessive accounts and user roles
  • Risk to control environment
  • System administrator actions (account additions and deletions) must be monitored by an independent party
– Entitlement systems (payroll, travel pay, vendor pay) are most vulnerable
  • SOD controls should prevent a single user from creating payee master records (payee name, banking information) and authorizing payments
  • System controls should require at least two individuals to approve payments before the payment can be processed
  • Controls should prevent or detect situations where a user could create fictitious accounts, authorize payments to those accounts and subsequently delete the accounts
  • Account additions and deletions should be routinely monitored
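An added example (not from the presentation) of the monitoring the slide calls for, as detection logic run over a constructed entitlement-system audit log: it flags a user who created a payee, authorized payment to it and then deleted it, and summarizes administrator account additions and deletions for an independent reviewer. The log format and action names are assumptions.

```python
"""Detection logic for the monitoring controls above, run over a constructed
(hypothetical) entitlement-system audit log: timestamp | user | action | object."""
from collections import defaultdict

SAMPLE_LOG = """\
2017-03-01T09:00 | jdoe   | PAYEE_CREATE   | payee:4412
2017-03-01T09:05 | jdoe   | PAYMENT_AUTH   | payee:4412
2017-03-02T17:30 | jdoe   | PAYEE_DELETE   | payee:4412
2017-03-01T10:00 | asmith | PAYEE_CREATE   | payee:4413
2017-03-01T11:00 | bwong  | PAYMENT_AUTH   | payee:4413
2017-03-03T08:00 | admin1 | ACCOUNT_ADD    | user:tmp_clerk
2017-03-03T08:45 | admin1 | ACCOUNT_DELETE | user:tmp_clerk
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj = (field.strip() for field in line.split("|"))
        events.append({"ts": ts, "user": user, "action": action, "obj": obj})
    return sorted(events, key=lambda e: e["ts"])

def single_user_payee_activity(events):
    """Flag payees that one user both created and authorized payment to; HIGH
    severity when the same user also deleted the payee (create, pay, delete)."""
    actions_by_payee = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["obj"].startswith("payee:"):
            actions_by_payee[e["obj"]][e["user"]].add(e["action"])
    findings = []
    for payee, users in actions_by_payee.items():
        for user, actions in users.items():
            if {"PAYEE_CREATE", "PAYMENT_AUTH"} <= actions:
                severity = "HIGH" if "PAYEE_DELETE" in actions else "MEDIUM"
                findings.append((payee, user, severity))
    return sorted(findings)

def admin_account_changes(events):
    """Count account additions/deletions per administrator and flag accounts
    added and deleted on the same day, for an independent reviewer."""
    per_admin = defaultdict(lambda: {"ACCOUNT_ADD": 0, "ACCOUNT_DELETE": 0})
    add_day, short_lived = {}, []
    for e in events:
        if e["action"] not in ("ACCOUNT_ADD", "ACCOUNT_DELETE"):
            continue
        per_admin[e["user"]][e["action"]] += 1
        if e["action"] == "ACCOUNT_ADD":
            add_day[e["obj"]] = e["ts"][:10]
        elif add_day.get(e["obj"]) == e["ts"][:10]:
            short_lived.append(e["obj"])
    return {"per_admin": dict(per_admin), "short_lived_accounts": short_lived}
```

Payee 4413 produces no finding because a second person authorized the payment, which is the two-individual control the slide describes.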

Key Audit Areas for IT (slide 24)

• Periodic reviews of user access
– A knowledgeable individual with the appropriate level of responsibility should obtain and review a list of users with access to the system and their associated roles
– While considered a simplistic control, this control helps ensure that separated or inactive users are removed from the system, segregation of duties is enforced, and the concept of least privilege is enforced
– Least privilege is the idea that a user should not have more access than what is required to do his/her job
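An added example (not from the presentation) that serves both the SOD conflicts listed on slide 22 and the periodic access review here: it compares a constructed system user listing against a constructed HR roster and job profiles, flagging separated users, inactive users, SOD conflicts and access beyond the job baseline. The role codes, profile names and the 90-day inactivity threshold are assumptions.

```python
"""Periodic user access review combining the SOD conflict pairs named in the
slides with separated-user, inactive-user and least-privilege checks.
All data below is constructed; role and profile names are hypothetical."""
from datetime import date

# Incompatible duty pairs from the slides, as hypothetical role codes.
SOD_CONFLICTS = [
    ("JV_ENTRY", "JV_APPROVE"),            # journal voucher entry and approval
    ("HR_CREATE_HIRE", "TIME_ATTENDANCE"), # create new hire and assign T&A
    ("VENDOR_MAINT", "DISBURSE"),          # change vendor table and disburse
    ("DEVELOPER", "PROD_ACCESS"),          # programmer with production access
]
# Constructed system user listing: user -> (assigned roles, last login)
USER_LISTING = {
    "jdoe":   ({"JV_ENTRY", "JV_APPROVE"}, date(2017, 5, 20)),
    "asmith": ({"VENDOR_MAINT"}, date(2017, 5, 28)),
    "bwong":  ({"DISBURSE"}, date(2016, 11, 2)),
    "cruiz":  ({"DEVELOPER", "PROD_ACCESS"}, date(2017, 5, 30)),
    "dlee":   ({"JV_ENTRY"}, date(2017, 5, 29)),   # no longer on the HR roster
}
# Constructed HR roster of current personnel and their job profiles.
HR_ROSTER = {"jdoe": "accountant", "asmith": "vendor_clerk",
             "bwong": "disbursing", "cruiz": "developer"}
# Roles each job profile needs: the least-privilege baseline.
JOB_PROFILES = {"accountant": {"JV_ENTRY"}, "vendor_clerk": {"VENDOR_MAINT"},
                "disbursing": {"DISBURSE"}, "developer": {"DEVELOPER"}}
REVIEW_DATE = date(2017, 6, 1)

def review_access(listing, roster, profiles, today, inactive_days=90):
    """Return (user, finding, detail) tuples for the reviewer to act on."""
    findings = []
    for user, (roles, last_login) in sorted(listing.items()):
        if user not in roster:            # separated/transferred: remove account
            findings.append((user, "SEPARATED", "remove account"))
            continue
        if (today - last_login).days > inactive_days:
            findings.append((user, "INACTIVE", f"no login in {inactive_days} days"))
        for a, b in SOD_CONFLICTS:        # conflicting roles held by one user
            if a in roles and b in roles:
                findings.append((user, "SOD_CONFLICT", f"{a}+{b}"))
        excess = roles - profiles[roster[user]]
        if excess:                        # access beyond the job's baseline
            findings.append((user, "EXCESS_PRIVILEGE", ",".join(sorted(excess))))
    return findings
```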