Workshop 71: Is Your Financial System Ready? An Overview of Effective Federal Information System Controls Audit Manual (FISCAM) Assessments


Workshop 71: Is Your Financial System Ready? An Overview of Effective Federal Information System Controls Audit Manual (FISCAM) Assessments ASMC PDI 2015 New Orleans, LA May 28, 2015

Workshop 71: Agenda
1. Panelist Introductions (5 minutes)
2. DLA Presentation: Ms. Simone Reba (15 minutes)
3. Navy Presentation: Ms. Pat Dickerson (15 minutes)
4. Air Force DEAMS Presentation: Mr. Todd Baker (15 minutes)
5. Open Forum Discussion (25 minutes)
Moderator: Mike Alipui

DLA IT Testing Efforts and Lessons Learned Ms. Simone Reba, SES CDFM Deputy Director, Finance Defense Logistics Agency

DLA IT Testing Efforts To Date

Challenge: Provide annual assurance over a large portfolio while maintaining high-quality, customer-focused IT operations; support internal and external customer assertions and audits.

Objectives:
- Limit testing of duplicative controls and focus on high-risk areas from a financial audit perspective
- Reduce overall testing effort by leveraging common controls
- Fix problems from an enterprise-wide view

Successes:
- Reduced overall scope each year
- Reduced time, effort, and resources spent on testing and compliance management

Controls tested by fiscal year (Fiscal Year / Assessment Area / Controls Tested):
FY 2013: IT General Controls for 13 IT Systems, 1465; FFMIA (FFMRs), 3406; Total: 2930
FY 2014: IT General Controls for 12 IT Systems, 1188; FFMIA (FFMRs), 1289; Total: 2477
FY 2015: IT General Controls for 5 Enterprise Processes and 12 IT Systems, 106 and 1148; FFMIA (FFMRs), TBD; Total: 1154
GRAND TOTAL: 6561

DLA Systems Testing and Corrective Action Lessons Learned

Process: Scoping, Testing, Corrective Action, Validation

Lessons learned:
- Assess, Plan, Standardize
- Enterprise versus system-by-system
- Functional versus technical
- Accountability
- Focus on "just enough" first, then get to perfect

Navy IT Audit Readiness Ms. Pat Dickerson, CPA CISA Department of the Navy ASN(FM&C) FMO FIAR Program Manager, Information Systems and Controls

Road Map to IT Audit Readiness

Phase 1 - Discovery:
- Identify and classify financial systems across the enterprise
- Discovery at Navy yielded over 400 Navy-owned and Service Provider systems
- Sharpened focus to fewer than 150 systems supporting full financial statements

Phase 2 - Analysis:
- Document and analyze enterprise architecture, focusing on transactional data flow
- Develop quantitative and non-financial measures of materiality for prioritization
- Anticipate changes to the systems environment (e.g. modernization) and their impact on audit readiness efforts

Phase 3 - Evaluation:
- Evaluate controls supporting key systems using an audit-like methodology: OSD FIAR Guidance, relevant FISCAM Control Objectives and Techniques, GAO FISCAM
- Third-party assessment for key systems; self-assessment for non-key systems

Phase 4 - Remediation:
- Analyze gaps and issues to develop corrective action plans (CAPs)
- Develop remediation strategies for common issues across different programs
- Navy is tracking 535 CAPs as of May 1, 2015

Followed by Sustainment.

Examples from Phase 2 - Analysis: Transactional data flow by business segment

[Diagram: Navy Personnel Systems (NSIPS as the Personnel Data Entry Point; NES for Active Enlisted; OPINS for Active Officers; RHS for Reserve), Marine Corps Personnel Systems (MCTFS), and the Defense Joint Military Pay System (DJMS-AC for Active, DJMS-RC for Reserve), with the numbered data flows 1-4 described in the narrative below]

Accompanying Narrative:
1. NSIPS forwards personnel data to the MCTFS personnel data systems and receives positive acknowledgements (USMC)
2. NSIPS forwards entitlement data to DJMS
3. NES and OPINS send personnel data to DJMS-AC
4. RHS sends personnel data to DJMS-RC

Examples from Phase 4 - Remediation: Inventorying and Classifying CAPs

Old: Collecting and tracking CAPs
New: Evaluating audit readiness risk, prioritization, and remediation

Risk Rating of Open CAPs by IT System (columns as presented: Total, Closed, Open, High, Moderate, Low, Priority of Completion):
System A: 8 8 0 0 3
System B: 19 19 6 13 0 1
System C: 17 6 11 5 6 0 1
System D: 74 23 51 43 8 1
System E: 20 5 15 0 8 7 1
System F: 8 8 0 7 1 1
System G: 9 9 1 7 1 1
System H: 13 9 4 0 1 3 1
System I: 0 0 0 0 0 1
All systems: 168 51 117 12 85 20

Lessons Learned

Challenges:
- Evaluating FISCAM controls for infrastructure and general support systems
- Asset management: system owner engagement; Accountable Property System of Record (APSR) decision
- Full scope audit not until 2017
- Multiple resource sponsors and system owners; the command that owns a system may not be its primary user
- Resources: skills and quantity
- Legacy and ERP environment

Response:
- Coordinate efforts with the data center consolidation program office, data center personnel, and the enterprise network program office
- Integrate IT with property business segment discovery and assertions
- Stress the importance of early remediation before the full scope audit
- Engage the Command IT community and DON CIO to communicate the importance of IT audit readiness work
- Provide training, tools, and templates to government personnel performing self-assessments; augment assessment teams with third-party IT audit SMEs
- Modify the approach to accommodate inherent legacy system limitations (e.g. manual compensating controls for missing functionality)

Service ERP FISCAM Lessons Learned Mr. Todd Baker, CDFM Chief of Compliance, SAF/FMFS (DEAMS)

DEAMS Overview

What is DEAMS? The Defense Enterprise Accounting Management System is the Air Force's financial management Enterprise Resource Planning (ERP) solution, built on the Oracle E-Business Suite.

DEAMS Today: 4 AF Major Commands, DFAS field sites, HQ USTRANSCOM, HQ USCENTCOM, HQ USSOCOM, Guard/Reserve tenants

DEAMS Tomorrow: DEAMS will deploy by October 2016 (FY17) to approximately 22,800 users.

Deploying While Under Audit: DEAMS is deployed to 6,900 users (6.9K as of Feb 15) and is adding ~2,300 users in June (9.2K as of Jun 15), with incremental deployments through October FY17.

How DEAMS Supports Audit Readiness:
- One system for many processes, not many systems for one process
- Shared financial data
- Effective cyber security
- Supported COTS software
- Centralized interface controls
- Segregated roles and responsibilities
- SFIS/USSGL compliant

DEAMS Audit Status:
- DEAMS transactions deemed material to the SBA assertion
- Completed FISCAM IT General Control review
- Integrated DEAMS business process controls with assessable units
- Implemented integrated corrective action plans
- Fulfilling PBC requests for the IPA
- Continuing software development and user deployments to achieve the target financial system environment

Service ERP FISCAM Lessons Learned: Understand Your Environment

- Service Providers: inherited deficiencies and controls; MOAs, SLAs, MOUs; interdependence of CAPs
- Interface Partners: data integrity/completeness; validation controls; data translation
- Process Owners
- Users
- Policy
- Oversight

Who is your oldest, slowest, most underfunded, externally managed partner? START THERE.

Reconcile your span of responsibility to your span of control.