Workshop 71: Is Your Financial System Ready? An Overview of Effective Federal Information System Controls Audit Manual (FISCAM) Assessments
ASMC PDI 2015, New Orleans, LA, May 28, 2015
Workshop 71: Agenda
  1. Panelist Introductions (5 minutes)
  2. DLA Presentation: Ms. Simone Reba (15 minutes)
  3. Navy Presentation: Ms. Pat Dickerson (15 minutes)
  4. Air Force DEAMS Presentation: Mr. Todd Baker (15 minutes)
  5. Open Forum Discussion (25 minutes)
Moderator: Mike Alipui
DLA IT Testing Efforts and Lessons Learned
Ms. Simone Reba, SES, CDFM, Deputy Director, Finance, Defense Logistics Agency
DLA IT Testing Efforts To Date

Challenge:
  - Provide annual assurance over a large portfolio while maintaining high-quality, customer-focused IT operations
  - Support internal and external customer assertions and audits

Objectives:
  - Limit testing of duplicative controls and focus on high-risk areas from a financial audit perspective
  - Reduce overall testing effort by leveraging common controls
  - Fix problems from an enterprise-wide view

Successes:
  - Reduced overall scope each year
  - Reduced time, effort, and resources spent on testing and compliance management

Fiscal Year  | Assessment Area                                                   | Controls Tested
FY 2013      | IT General Controls for 13 IT Systems                            | 1465
             | FFMIA (FFMRs)                                                     | 3406
             | Total                                                             | 2930
FY 2014      | IT General Controls for 12 IT Systems                            | 1188
             | FFMIA (FFMRs)                                                     | 1289
             | Total                                                             | 2477
FY 2015      | IT General Controls for 5 Enterprise Processes and 12 IT Systems | 106 and 1148
             | FFMIA (FFMRs)                                                     | TBD
             | Total                                                             | 1154
GRAND TOTAL  |                                                                   | 6561
DLA Systems Testing and Corrective Action: Lessons Learned

Cycle: Scoping -> Testing -> Corrective Action -> Validation (Assess, Plan, Standardize)

Lessons learned:
  - Enterprise versus System-by-System
  - Functional versus Technical
  - Accountability
  - Focus on just enough first, then get to perfect
Navy IT Audit Readiness
Ms. Pat Dickerson, CPA, CISA, Department of the Navy ASN(FM&C) FMO, FIAR Program Manager, Information Systems and Controls
Road Map to IT Audit Readiness

Phase 1 - Discovery:
  - Identify and classify financial systems across the enterprise
  - Discovery at Navy yielded over 400 Navy-owned and Service Provider systems
  - Sharpened focus to less than 150 systems supporting full financial statements

Phase 2 - Analysis:
  - Document and analyze enterprise architecture, focusing on transactional data flow
  - Develop quantitative and non-financial measures of materiality for prioritization
  - Anticipate changes to the systems environment (e.g. modernization) and their impact on audit readiness efforts

Phase 3 - Evaluation:
  - Evaluate controls supporting key systems using an audit-like methodology: OSD FIAR Guidance, relevant FISCAM Control Objectives & Techniques, GAO FISCAM
  - Third-party assessment for key systems, self-assessment for non-key systems

Phase 4 - Remediation:
  - Analyze gaps/issues to develop corrective action plans (CAPs)
  - Develop remediation strategies for common issues across different programs
  - Navy is tracking 535 CAPs as of May 1, 2015

Followed by: Sustainment
Examples from Phase 2 - Analysis: Transactional data flow by business segment

Systems in the diagram:
  - NSIPS (Personnel Data Entry Point)
  - Navy Personnel Systems: NES (Active Enlisted), OPINS (Active Officers), RHS (Reserve)
  - Defense Joint Military Pay System: DJMS-AC (Active), DJMS-RC (Reserve)
  - Marine Corps Personnel Systems: MCTFS (USMC)

Accompanying narrative (numbers correspond to the flows in the diagram):
  1. NSIPS forwards personnel data to the MCTFS personnel data systems (USMC) and receives positive acknowledgements
  2. NSIPS forwards entitlement data to DJMS
  3. NES and OPINS send personnel data to DJMS-AC
  4. RHS sends personnel data to DJMS-RC
Examples from Phase 4 - Remediation

Old: Collecting and Tracking CAPs (Inventorying and Classifying CAPs)
New: Evaluating Audit Readiness (Evaluation, Prioritization and Remediation)

Risk Rating - Open CAPs

IT Systems | Total | Closed | Open | High | Moderate | Low | Priority of Completion
System A   |     8 |      8 |    0 |    0 |        - |   - | 3
System B   |    19 |      - |   19 |    6 |       13 |   0 | 1
System C   |    17 |      6 |   11 |    5 |        6 |   0 | 1
System D   |    74 |     23 |   51 |    - |       43 |   8 | 1
System E   |    20 |      5 |   15 |    0 |        8 |   7 | 1
System F   |     8 |      - |    8 |    0 |        7 |   1 | 1
System G   |     9 |      - |    9 |    1 |        7 |   1 | 1
System H   |    13 |      9 |    4 |    0 |        1 |   3 | 1
System I   |     0 |      0 |    0 |    0 |        0 |   - | 1
Total      |   168 |     51 |  117 |   12 |       85 |  20 |
Lessons Learned: Challenges and Responses

Challenge: Evaluating FISCAM controls for infrastructure and general support systems
Response: Coordinate efforts with the data center consolidation program office, data center personnel, and the enterprise network program office.

Challenge: Asset Management
  - System Owner Engagement
  - Accountable Property System of Record (APSR) decision
  - Full scope audit not until 2017
Response: Integrate IT with property business segment discovery & assertions. Stress the importance of early remediation before the full scope audit.

Challenge: Multiple Resource Sponsors and System Owners
  - Command that owns a system may not be the primary user of that system
Response: Engage the Command IT community and DON CIO to communicate the importance of IT audit readiness work.

Challenge: Resources (skills and quantity)
Response: Provide training, tools, and templates to government personnel performing self-assessments. Augment assessment teams with third-party IT Audit SMEs.

Challenge: Legacy and ERP environment
Response: Modify approach to accommodate inherent legacy system limitations (e.g. manual compensating controls for missing functionality).
Service ERP FISCAM Lessons Learned
Mr. Todd Baker, CDFM, Chief of Compliance, SAF/FMFS (DEAMS)
DEAMS Overview

What is DEAMS?
The Defense Enterprise Accounting Management System is the Air Force's financial management Enterprise Resource Planning (ERP) solution, utilizing the Oracle eBusiness Suite.

DEAMS Today:
  - 4 AF Major Commands
  - DFAS field sites
  - HQ USTRANSCOM
  - HQ USCENTCOM
  - HQ USSOCOM
  - Guard/Reserve
  - Tenants

DEAMS Tomorrow:
  - DEAMS will deploy by October 2016 (FY17) to approximately 22,800 users

Deploying While Under Audit:
  - DEAMS is deployed to 6,900 users and is adding ~2,300 users in June, with incremental deployments through October FY17
  - Feb 15: 6.9K users; Jun 15: 9.2K users

How DEAMS Supports Audit Readiness:
  - One system for many processes, not many systems for one process
  - Shared financial data
  - Effective cyber security
  - Supported COTS software
  - Centralized interface controls
  - Segregated roles and responsibilities
  - SFIS/USSGL compliant

DEAMS Audit Status:
  - DEAMS transactions deemed material to the SBA assertion
  - Completed FISCAM IT General Control review
  - Integrated DEAMS business process controls with assessable units
  - Implemented integrated corrective action plans
  - Fulfilling PBC requests for the IPA
  - Continuing software development and user deployments to achieve the target financial system environment
Service ERP FISCAM Lessons Learned: Understand Your Environment

Service Providers:
  - Inherited deficiencies and controls
  - MOAs, SLAs, MOUs
  - Interdependence of CAPs

Interface Partners:
  - Data integrity/completeness
  - Validation controls
  - Data translation

Also: Process Owners, Users, Policy, Oversight

Who is your oldest, slowest, most underfunded, externally managed partner? START THERE.

Reconcile your span of responsibility to your span of control.