CHIPS Articles: Audit Readiness: The Challenge

Specifically, the directive requires the following:

• Achieve audit readiness of the SBR by the end of CY 2014.
• Meet the legal requirements to achieve full audit readiness for all financial statements by 2017.
• Increase emphasis on accountability of assets.
• Ensure mandatory training for audit and other key financial efforts, and establish by the end of CY 2012, a pilot certification program for financial managers — similar to the one now in place for acquisition managers.
• Execute a full review of the department’s financial controls during the next two years and establish interim goals against which to assess progress.
• Appropriately resource the efforts to meet these goals.

The SBR and related disclosures provide information about an agency’s budgetary resources and the status of those resources at the end of the fiscal year. These disclosures link budget execution data in an agency’s financial statements to information reported in the “actual” column of the Program and Financing Schedules in the Appendix of the Budget of the United States Government.

While the DON comptroller is responsible for the department’s financial statements and Financial Improvement and Audit Readiness (FIAR) Plan, achieving audit readiness requires support from functional leaders across the department, especially the information technology community. The financial and IT communities jointly bear the burden of proof to provide evidence demonstrating that reported financial figures are fairly stated in accordance with federal accounting standards.

Information technology systems containing financially relevant data are integral to audit readiness. Auditors will assess controls over system data confidentiality, integrity, availability and non-repudiation to make a determination of whether system data is reliable. When key controls over systems and data have been implemented and are functioning effectively, auditors can place greater reliance on data within these systems, limiting substantive sample sizes during a financial statement audit. Controls considered key to a financial audit include, but are not limited to, management of physical and logical access to systems and data, segregation of system user duties, configuration management and interfaces between systems.

The IT community must cooperate with the financial community to ensure that data and transactions captured by DON systems meet minimum auditability requirements. In addition, IT professionals are responsible for ensuring that key system controls are in place, underlying processes and the related key controls and flow of data are completely and accurately documented, and that the controls are effective.

One of the key challenges the military services have encountered in the audit readiness effort is the difficulty in tracing the flow of transactions and individual data elements from initiation through reporting. Many DoD systems, particularly older legacy feeder systems, were not designed to capture transactions at a level of detail that readily supports a financial statement audit, especially requirements established after those systems were fielded, such as those in the Federal Financial Management Improvement Act (FFMIA) of 1996. Additionally, enterprise resource planning (ERP) systems do not guarantee auditability. ERP systems may not fully support audit readiness or may not yet be fully operational at the time of audit. Also, problems with feeder system data can prove to be an ERP system's Achilles' heel.

Another common challenge is insufficient system process and data flow documentation. Documentation is often incomplete or does not reflect system updates, resulting in an inability to determine whether controls exist and/or are suitably designed. When system documentation is incomplete, inaccurate or unavailable, an auditor is unable to design or execute procedures to assess the operational effectiveness of system controls.

To address these challenges, the IT and financial communities must collaborate to identify financially relevant accounting and feeder systems, data and transactions. Next, these communities should work together to jointly document the business processes within these systems and identify relevant business controls. To ensure continued success, standard processes for updating, storing and retrieving relevant policies, procedures and system documentation must be developed.

The FIAR has provided some guidance on how to document and assess system controls:

• Discovery: Document the business environment, define and prioritize processes into assessable units, assess risks and tests controls, evaluate supporting documentation, and identify deficiencies.
• Corrective Action: Define and design an audit-ready environment, develop solutions to resolve deficiencies, identify resources required to implement corrective action plans (CAPs) and define validation procedures to determine if CAPs remediated deficiencies.
• Evaluation: Management evaluates corrective action effectiveness through testing and determines whether it can assert audit readiness.

As IT and financial professionals join together with program managers to address system auditability requirements, each will identify opportunities for greater standardization and efficiencies across commands and systems. Further, these efforts will help eliminate duplication and inaccuracy in system and process documentation. Maintaining this information centrally will acilitate greater information sharing and decreased response times when collecting and providing information. More reliable processes and system information will naturally result.

Pat Dickerson is the segment program manager for information systems controls, civilian pay and entity level controls for the Department of the Navy, Office of the Assistant Secretary of the Navy (Financial Management and Comptroller) financial operations. Geoff Weber provides audit readiness support to the Office of Financial Operations-4.