TRANSCRIPT
Work Shop 59, How DoD Financial Management Systems
Play a Key Role in Auditability and Managing DoD's
Financial Resources, June 1, 1045-1200
Mr. Andrew Morgan, Ms. Mobola Kadiri, Mr.
William Roberts and Mr. Jeff Green.
Moderator: Mr. John Argodale
ASA (FM&C)
Army Systems: What is the State of Play?
A Complex “As-Is” Financial Enterprise Architecture
Briefing roadmap (navigation strip shown on each slide): State of Play, The Problem, How to Evolve, Simplify, Standardize, Integrate, Next-Gen Tech, End State, Align to Audit
What is the Problem?
Major Issues Across the Board
FM Domain
• Partially Implemented Data Standards
• Aging Systems
• Outdated/Unsupported Technologies
• Too Many Point-to-Point Interfaces
• Capabilities No Longer Needed
• Stovepipes
• Redundant Systems and Processes
• Orphan Capabilities
• Mixed Legacy and ERP Environment
• Morass of Feeder Systems
• Billions Spent Without Being Auditable
• Significant Audit Issues
How will the Army Evolve?
The Data Lake
[Figure: Army Enterprise Business Intelligence Approach. A Data Lake with supporting infrastructure on a Big Data Platform, fed by data engineering over sensor, unstructured and structured data. Sources shown: the ERP environment (AESIP, GCSS-A, LMP, GFEBS, IPPS-A), legacy data, end-user data, training data (ATIS) and LOGSA (LIW). Outputs shown: analytical tools, visualization tools and data science.]
Bottom Line: One-of-a-kind capability within DoD being built today in the ERP Enclave within DISA-DECC Ogden and St. Louis. Big Data Pilot(s) in execution. Requires a DOTML approach to Big Data Analytics.
What is the Tie to Audit?
Audit: The Way Ahead
• Complete an audit of the full Statement of Budgetary Resources in FY17
• Continue to hold ourselves and our teams accountable for corrective actions
• Enhance governance, outreach and communications
• Conduct valuation of property, plant and equipment
• Establish and implement strong internal controls for the physical inventories of assets
• Establish central location for data to support reconciliation of financials with feeder systems
• Continue to enhance partnerships with stakeholders
• Complete validation and execution of FY15/FY16 corrective actions for Schedule of Budgetary Activity

Number of NFRs (Notices of Findings and Recommendations) by Army system:

Army System     Number of NFRs
GFEBS           13
GCSS-A           9
LMP             11
SOMARDS          4
DCAS             1
ELECTRA          3
HQARS            1
STANFINS         1
DDS              6
AFCOS            6
JUSTIS           7
MUP              6
SIDPERS          6
ATAAPS           3
AutoNOA          7
BATS             4
eMILPO           7
FCM              2
PADDS            7
SPS-PD2          2
RECMOD           4
TAPDB-AE         4
RLAS            15
What is the End State?
↓ Costs
↓ Re-work
↓ Reconciliations
↓ Complexity
↓ Interfaces
↓ Systems Controls
↓ FISCAM Controls
↓ Unmatched
↑ Command $$$
↑ Audit Sustainment
↑ Speed to Audit
↑ Accurate Payments
↑ Timely Payments
↑ Accurate G/L
↑ Timely G/L
IT Audit Readiness
FFMIA and IT Audit Readiness
• The Federal Financial Management Improvement Act of 1996 (FFMIA) emphasizes the need for agencies to have systems that can generate timely, accurate, and useful information with which to make informed decisions and to ensure accountability on an ongoing basis.
• Auditors use the GAO’s Federal Information Systems Control Audit Manual (FISCAM) to help assess compliance with FFMIA for information system internal controls.
• OUSD(C) has identified the minimum control objectives in the FISCAM that DoD Components should consider when becoming audit ready. These minimum objectives are defined in the FIAR Guidance.
• IT General Control Objectives:
  • Security Management
  • Access Controls
  • Configuration Management
  • Segregation of Duties
  • Contingency Planning*
Key IT Audit Readiness Requirements
Enough of the “right” controls need to be in place to satisfy the objectives. This is not a check / count the boxes exercise.
* While operationally important, may not be considered as key by some auditors to a financial statement audit.
IT Audit Readiness
Importance of IT Controls to Financial Statement Audit
Due to the pervasive role of systems in the end to end business processes, IT controls must be designed and operating effectively.
An auditor’s ability to rely on IT controls directly affects audit and audit support costs.

Level of Controls Reliance        Auditor Sample Sizes    Result
High Internal Controls Reliance   Minimum Sample Sizes    Optimum for a large financial statement audit
Some Internal Controls Reliance   Reduced Sample Sizes    Sufficient for a financial statement audit
No Internal Controls Reliance     Maximum Sample Sizes    10s to 100s of thousands of sample items across DoD; inefficient and unsustainable
IT Audit Readiness
Evaluating IT Controls Audit Readiness
Identify all Audit-Relevant Applications
Follow your transactions from end-to-end (including Service Providers) to identify your audit-relevant systems and controls.
[Figure: representative contract / vendor pay flow across two swim lanes, Reporting Entity (and/or Service Organization) and DFAS (and/or Reporting Entity). Steps: Write Contract, Place Order, Receive / Accept / Enter Invoice, Entitle Payment, Disburse / Distribute, Accounting, Financial Reporting, Financial Statements. Systems shown along the flow include SPS, CONWRITE, PADDS; STORES, EMALL; iRAPT; MOCAS, CAPS-W, OnePay, IAPS; ADS, DDS; DCAS, CCAS, ART; ODS; STANFINS, SOMARDS, GFEBS, LMP, STARS, NERP, SABRES, GAFS, DEAMS, DAI, EBS, …; DDRS; and Other. Each step is marked with control points: I = Interface / Input Control Point, P = Processing Control Point, O = Output Control Point.]
Note: This is a representative contract / vendor pay diagram that may vary by entity.
IT Audit Readiness
Audit Readiness Challenges in the Current Environment
Many legacy applications lack necessary data validity checks and posting logic, are not compliant with FFMIA, SFIS, SLOA, …, and updates are impractical.
There are simply too many applications with too many interfaces owned by too many organizations on too many platforms hosted in too many data centers.
IT Audit Readiness
Sustainment of Audit Readiness in the Future
DoD will only achieve a high level of reliance on IT controls by drastically reducing its number of audit-relevant systems through full deployment of ERP functionality.
1. Consolidate audit relevant applications into fewer data centers.
2. Increase standardization of business processes and reduce the number of redundant legacy applications performing essentially the same business function.
3. Leverage the capabilities of ERP solutions to further reduce the number of applications.
[Figure: the same contract / vendor pay flow (Write Contract, Place Order, Receive / Accept / Enter Invoice, Entitle Payment, Disburse / Distribute, Accounting, Financial Reporting, Financial Statements) across the Reporting Entity (and/or Service Organization) and DFAS (and/or Reporting Entity), now served by a single ERP feeding DDRS, with I / P / O control points (Interface / Input, Processing and Output Control Points).]
Note: This is a representative diagram that may vary by entity.
Accountability & Audit Readiness: Sustaining Army’s Strength
Key Issues Identified
• Lack of documentation over key policies and procedures in accordance with DoD requirements, National Institute of Standards and Technology (NIST) or Office of Management and Budget (OMB) Memorandums.
• Inability to provide documentation in a timely manner when requested by an auditor.
• Inability to provide evidence of performance in accordance with policies and procedures, including:
  – Lack of execution of procedures at the frequency defined in policies and procedures
  – Inability to provide the necessary levels of approvals for procedures
  – Inability to provide evidence of review of key business process and IT procedures by an appropriate level of management
• Inability of process owners to satisfy all requested meetings and observations by the auditor.

Findings across systems as % of total:
Policies and Procedures      21%
Password Controls             3%
Audit Logging                 7%
User Access Management       18%
Documentation                31%
Technical system change       8%
Training                      3%
Business Process              8%
Testing                       1%
Access Controls
• Weak password controls that increased the risk of unauthorized system access.
• Inability to perform periodic access reviews at the frequency defined in policies and procedures.
• No formal audit log or transaction review policy, which increases the risk of unauthorized or inappropriate activity without detection or management knowledge.
• Lack of a central access control monitoring process to support validation of separated or transferred personnel (civilian, military, contractor, detailed personnel). [Entity-level finding]
• Lack of periodic review of database administrator (DBA) accounts and operating system administrators, increasing the risk that users may be assigned unnecessary or excessive access to database and system functionality.
• Inability to provide formal Access Control policies and procedures that detail the following:
  – User access provisioning
  – Granting, modifying, and removing user access
  – Transferred and terminated users
  – User inactivity/invalid attempts
  – Managing authenticators
  – User access reviews (to include database administrator accounts (DBAs) and operating system administrators)
  – Audit logging, to include:
    • Access logs/transaction logs
    • Independent monitoring of application security audit logs
    • Review of audit logs
Configuration Management
• Ineffective/inadequate patch management across the IT environment, or inability to provide evidence of patches applied to the environment.
• Inability to provide evidence of appropriate levels of approvals, and documentation of test results, for changes migrated to production.
• Configuration settings were not appropriately configured based on DoD, NIST and OMB guidelines.
• Vulnerabilities identified were not appropriately tracked and addressed in the audit period.
• Inability to provide evidence of restricted access to, or system-generated user listings for, maintenance, development, testing and production libraries.
• Inability to provide formal Configuration Management policies and procedures that detail the following:
  – Requirements for performing and documenting program change testing and approval
  – A formalized testing and approval plan for the change releases
  – Job roles and descriptions for individuals involved in the change management process
  – Emergency change protocol
  – Documentation requirements and tracking of configuration changes
Segregation of Duties
• Key user accounts were not configured to prevent access related to their own transactions, or were allowed to configure their own access within an application.
• Applications were not configured to enforce documented segregation of duties for key user accounts.
• Security administrators granted users access to conflicting privileges within the audit period.
• Inability to provide formal Separation of Duties policies and procedures that cover the following:
  – Identification and prevention of incompatible duties conflicts
  – Approval of incompatible duties conflicts
  – Use of group/generic accounts and passwords
Financial Management Systems Audit Readiness
Critical activities
• Compliance with Federal and DoD standards and regulations
• Adapting to new Federal standards (e.g. NIST Risk Management Framework)
• Identification and execution of key controls that support multiple Federal requirements
• Understanding key controls, compensating controls, and monitoring controls in key end-to-end processes (related to financial reporting)
Background
• Information technology (IT) systems are material components of a financial statement audit
  – The Department of Defense (DoD) is too large an entity to efficiently conduct a substantive-based audit
• Effective reliance on internal controls reduces the scope of audit testing
  – Smaller sample sizes
• Effective reliance cannot be obtained without having auditable systems
Key Audit Areas for IT
• Configuration Management
  – Are software changes to financial systems tested prior to production?
  – Are software changes in production approved by management and recorded in the organization’s change management system?
• Interfaces – When the financial systems interface with feeder systems, how does management know the following:
  – Are the interfaces completed successfully every day?
  – Does data between the two systems (legacy and financial) reconcile?
  – Are interface errors corrected in a timely manner and transactions recorded in the proper period?
Key Audit Areas for IT
• Segregation of duties (SOD) – User roles should be defined and evaluated to identify conflicts with other system roles. SOD conflicts could allow users to manipulate financial data or commit fraudulent transactions without being detected. Examples include:
  – Journal voucher (JV) entry and approval (Risks – fraudulent financial statements and balances prone to errors)
  – Creating a new hire and assigning time and attendance (Risk – fraudulent transactions resulting from fictitious employees)
  – Changing the vendor table and processing a disbursement (Risk – fraudulent transactions resulting from fictitious vendors)
  – Programmers with access to the production/live environment (Risk – individuals may inappropriately change how the system posts general ledger [GL] transactions or how money is disbursed)
Key Audit Areas for IT
• Monitoring – Users with elevated privileges could use their access to circumvent SOD controls:
  – System administrators could create excessive accounts and user roles
    • Risk to control environment
    • System administrator actions (account additions and deletions) must be monitored by an independent party
  – Entitlement systems (payroll, travel pay, vendor pay) are most vulnerable
    • SOD controls should prevent a single user from creating payee master records (payee name, banking information) and authorizing payments
    • System controls should require at least two individuals to approve payments before the payment can be processed
    • Controls should prevent or detect situations where a user could create fictitious accounts, authorize payments to those accounts and subsequently delete the accounts
    • Account additions and deletions should be routinely monitored
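As an added example (not part of the briefing), the following Python checks two of the conditions the SOD and Monitoring slides describe: a user holding both halves of an incompatible-duty pair, and a single actor creating a payee, authorizing payments to it and then deleting it. The duty names, the event record layout and the sample roles and audit-log rows are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Incompatible-duty pairs from the briefing's SOD examples; duty names are constructed labels.
SOD_CONFLICTS = {
    ("jv_entry", "jv_approve"): "fraudulent financial statements",
    ("create_hire", "time_attendance"): "fictitious employees",
    ("vendor_maintain", "disburse"): "fictitious vendors",
    ("developer", "production_access"): "unauthorized changes to GL posting or disbursement",
}

def sod_conflicts(role_assignments):
    """Return (user, duty_a, duty_b, risk) for every user holding both halves of a conflicting pair."""
    findings = []
    for user, duties in sorted(role_assignments.items()):
        for (a, b), risk in SOD_CONFLICTS.items():
            if a in duties and b in duties:
                findings.append((user, a, b, risk))
    return findings

def create_pay_delete(events, window_days=30):
    """Flag payees that a single actor created, paid and then deleted within window_days.
    events: (iso_timestamp, actor, action, payee, amount) rows from a constructed audit log."""
    by_payee = defaultdict(list)
    for ts, actor, action, payee, amount in events:
        by_payee[payee].append((datetime.fromisoformat(ts), actor, action, amount))
    alerts = []
    for payee, evs in sorted(by_payee.items()):
        created = {who: ts for ts, who, act, _ in evs if act == "create_payee"}
        deleted = {who: ts for ts, who, act, _ in evs if act == "delete_payee"}
        for who in sorted(created.keys() & deleted.keys()):
            if deleted[who] - created[who] > timedelta(days=window_days):
                continue  # long-lived payee: not the short-lived fictitious-account pattern
            paid = sum(amt for ts, actor, act, amt in evs if act == "authorize_payment"
                       and actor == who and created[who] <= ts <= deleted[who])
            if paid > 0:
                alerts.append((payee, who, paid))
    return alerts

# Constructed sample data: carol combines vendor maintenance with disbursement and cycles payee V-9001.
ROLES = {"alice": ["jv_entry"], "bob": ["jv_approve"],
         "carol": ["vendor_maintain", "disburse"], "dave": ["developer", "production_access"]}
EVENTS = [
    ("2017-03-01T09:00:00", "carol", "create_payee", "V-9001", 0.0),
    ("2017-03-03T10:15:00", "carol", "authorize_payment", "V-9001", 12500.0),
    ("2017-03-10T16:40:00", "carol", "authorize_payment", "V-9001", 8300.0),
    ("2017-03-12T08:05:00", "carol", "delete_payee", "V-9001", 0.0),
    ("2017-03-02T11:00:00", "erin", "create_payee", "V-1200", 0.0),
    ("2017-03-05T11:00:00", "frank", "authorize_payment", "V-1200", 4000.0),
]
```

Running `sod_conflicts(ROLES)` flags carol and dave, and `create_pay_delete(EVENTS)` flags only V-9001, since V-1200 was created and paid by different people and never deleted.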
Key Audit Areas for IT
• Periodic reviews of user access
  – A knowledgeable individual with the appropriate level of responsibility should obtain and review a list of users with access to the system and their associated roles
  – While considered a simplistic control, this control helps ensure that separated or inactive users are removed from the system, segregation of duties is enforced, and the concept of least privilege is enforced
  – Least privilege is the idea that a user should not have more access than what is required to do his/her job