This is the accessible text file for GAO report number GAO-14-10 entitled 'DOD Financial Management: The Defense Finance and Accounting Service Needs to Fully Implement Financial Improvements for Contract Pay' which was released on June 23, 2014. United States Government Accountability Office: GAO: Report to Congressional Committees: June 2014: DOD Financial Management: The Defense Finance and Accounting Service Needs to Fully Implement Financial Improvements for Contract Pay: GAO-14-10: GAO Highlights: Highlights of GAO-14-10, a report to congressional committees. Why GAO Did This Study: The National Defense Authorization Act for Fiscal Year 2013 mandated that DOD's FIAR Plan include the goal of validating that DOD's Statement of Budgetary Resources (SBR) is audit ready by no later than September 30, 2014. 
DOD identified contract pay as one of the key elements of its SBR. DFAS, the service provider responsible for the department's contract pay, asserted that its processes, systems, and controls over contract pay were suitably designed and operating effectively to undergo an audit. DOD's FIAR Guidance provides a methodology DOD components are required to follow to develop and implement FIPs to improve financial management and assert audit readiness. The FIP is a framework for planning, executing, and tracking the steps and supporting documentation necessary to achieve auditability. GAO is mandated to audit the U.S. government's consolidated financial statements, including activities of executive branch agencies such as DOD. This report discusses the extent to which DFAS implemented its contract pay FIP in accordance with the FIAR Guidance. GAO reviewed the FIP and related work products, such as process flowcharts, test plans, and test results, and interviewed DFAS and DOD officials. What GAO Found: The Defense Finance and Accounting Service (DFAS) is responsible for processing and disbursing nearly $200 billion annually in contract payments (contract pay) for the Department of Defense (DOD). DFAS recognized the importance of implementing a Financial Improvement Plan (FIP) to improve its contract pay processes, systems, and controls, and performed steps required by DOD's Financial Improvement and Audit Readiness (FIAR) Guidance, such as performing testing of internal controls, and substantive processes. However, GAO found that DFAS did not fully implement the steps required by the FIAR Guidance. GAO found numerous deficiencies in the implementation of DFAS's contract pay FIP, including the following: * DFAS did not adequately perform certain planning activities for its contract pay FIP as required by the FIAR Guidance. 
For example, DFAS did not assess the dollar activity and risk factors of its processes, systems, and controls, which resulted in the exclusion of three key processes from the FIP, including the reconciliation of its contract pay data to the components' general ledgers. Standards for Internal Control in the Federal Government states that control activities such as reconciliations are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. As a result, DFAS did not obtain sufficient assurance that the contract disbursements are accurately recorded and maintained in the components' general ledgers, and that the status of DOD's contract obligations is accurate and up-to-date. * DFAS did not adequately perform required testing of its contract pay controls, processes, and balances. For example, DFAS did not adequately validate the populations used to perform substantive and internal control testing as required by the FIAR Guidance. DFAS officials stated that they validated the population that was tested; however, GAO found that the process followed by DFAS for validating the population did not include a reconciliation of the population to the components' general ledgers. As a result, additional deficiencies may exist in DFAS's contract pay controls and additional errors may exist in the recorded transactions activity and balances, which affects the components' ability to rely on DFAS's controls over contract pay. * DFAS did not provide adequate documentation to support that it had remediated all of the identified control deficiencies that DFAS stated had been corrected. GAO's review of a nongeneralizable sample of 25 of these deficiencies found that in 3 instances, corrective actions had not been taken as required, and in 15 other instances, the documentation provided by DFAS did not sufficiently support that the identified deficiencies were remediated. 
DFAS had adequately developed and implemented the necessary corrective action plans for 7 of the deficiencies GAO reviewed. Although DFAS has asserted audit readiness, until it corrects the deficiencies and fully implements its FIP in accordance with the FIAR Guidance, its ability to process, record, and maintain accurate and reliable contract pay transaction data is questionable. Therefore, DFAS does not have assurance that its FIP will satisfy the needs of the components or provide the expected benefits to department-wide audit readiness efforts. What GAO Recommends: GAO is making nine recommendations for DFAS to fully implement the requirements in the FIAR Guidance in the areas of planning, testing, and corrective actions. DOD concurred with the recommendations and described its actions to address them. View [hyperlink, http://www.gao.gov/products/GAO-14-10]. For more information, contact Asif A. Khan at (202) 512-9869 or khana@gao.gov. [End of section] Contents: Letter: Background: DFAS Did Not Fully Implement Its Contract Pay FIP in Compliance with the FIAR Guidance: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objective, Scope, and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: GAO Contact and Staff Acknowledgments: Table: Table 1: Service Provider Methodology to Become Audit Ready: Figures: Figure 1: FIAR Guidance Process for the Submission, Review, and Approval of the Service Providers' Documentation for Audit Readiness: Figure 2: Overview of DFAS's Contract Pay End-to-End Business Process: Figure 3: DFAS's Implementation of Its Contract Pay FIP: Figure 4: Processes, Systems, and Controls Addressed and Not Addressed in DFAS's Contract Pay FIP: Abbreviations: APVM: Accounting Pre-validation Module: BAM: Business Activity Monitoring: CONOPS: Concept of Operations: DCAS: Defense Cash Accountability System: DFAS: Defense Finance and Accounting Service: DISA: Defense 
Information Systems Agency: DOD: Department of Defense: EAS: Entitlement Automation System: EFT: electronic funds transfer: EUD: Elimination of Unmatched Disbursements: FIAR: Financial Improvement and Audit Readiness: FIP: Financial Improvement Plan: FISCAM: Federal Information System Controls Audit Manual: FMR: Financial Management Regulation: IT: information technology: MOCAS: Mechanization of Contract Administration Services: NDAA: National Defense Authorization Act: PPVM: Pay Pre-validation Module: SBR: Statement of Budgetary Resources: SCRT: Standard Contract Reconciliation Tool: SDW: Shared Data Warehouse: SSAE: Statement on Standards for Attestation Engagements: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: June 23, 2014: The Honorable Thomas R. Carper: Chairman: The Honorable Tom Coburn, M.D. Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Darrell Issa: Chairman: The Honorable Elijah E. Cummings: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: The Department of Defense (DOD) is responsible for more than half of the federal government's discretionary spending.[Footnote 1] For example, the discretionary budget authority of $606 billion DOD requested for fiscal year 2014 constitutes about 53 percent of budget requests for discretionary programs throughout the federal government. Yet it is one of the few major federal entities that cannot accurately account for its spending or assets, and remains the only major federal agency that has been unable to receive an audit opinion of any kind on its department-wide financial statements. 
To address this, the National Defense Authorization Act (NDAA) for Fiscal Year 2010 mandated that DOD develop and maintain a Financial Improvement and Audit Readiness (FIAR) Plan that describes the specific actions to be taken and the costs associated with correcting DOD's financial management deficiencies and validating that the department's consolidated financial statements are ready for audit by September 30, 2017.[Footnote 2] DOD's FIAR Plan is a strategic plan and management tool for guiding, monitoring, and reporting on the department's ongoing financial management improvement efforts and for communicating the department's approach to addressing its financial management weaknesses and achieving financial statement audit readiness. DOD is required to report semiannually, not later than May 15 and November 15 each year, on the status of the implementation of the FIAR Plan. The NDAA for Fiscal Year 2010 also required that DOD develop standardized guidance for DOD components,[Footnote 3] which DOD has done by issuing its FIAR Guidance to require components to develop Financial Improvement Plans (FIP) for each element of their FIAR-related efforts,[Footnote 4] and define oversight roles and assign accountability for carrying out the FIAR Plan to appropriate officials and organizations.[Footnote 5] Because DOD management relies heavily on budget information for day-to-day management decisions, the DOD Comptroller designated the Statement of Budgetary Resources (SBR)[Footnote 6] as an audit priority and the Secretary of Defense underscored the department's SBR priority with a directive that set an interim date of September 30, 2014, for validating that its SBR is audit ready.[Footnote 7] Subsequently, the NDAA for Fiscal Year 2013 amended the legal requirement to support this goal, explicitly requiring that the FIAR Plan describe the specific actions to be taken and the costs associated with validating audit readiness of the department's SBR by no later than 
September 30, 2014.[Footnote 8] DOD identified properly accounting for payments made to its contractors, referred to as contract pay,[Footnote 9] as a key element of its SBR audit readiness efforts.[Footnote 10] The Defense Finance and Accounting Service (DFAS) is the service provider responsible for processing the department's contract pay.[Footnote 11] DFAS reported that it processed $183 billion in contract pay disbursements for fiscal year 2013, which was just over one-fourth of DOD's reported $671 billion in net outlays--spending, net of offsetting collections and receipts. DFAS asserted in October 2013 that its contract pay FIP was audit ready and has engaged an independent public accounting firm to conduct an audit. The results of our prior work have raised concerns about the ability of DOD components to effectively implement the FIAR Guidance. For example, our review of the Navy's civilian pay and the Air Force's military equipment audit readiness efforts identified significant deficiencies, such as insufficient testing and conclusions reached that were not supported by testing results.[Footnote 12] In addition, we found that neither the Marine Corps nor the Navy had implemented effective processes for reconciling fund balance with Treasury, which is required by the FIAR Guidance to develop a reliable SBR.[Footnote 13] Further, we have reported on challenges in achieving audit readiness for the U.S. Army's military pay, such as a lack of an efficient or effective process or system for providing supporting documentation for its military payroll expenses.[Footnote 14] This report was performed under our mandate to audit the U.S. government's consolidated financial statements, including activities of executive branch agencies such as DOD.[Footnote 15] Our objective was to determine the extent to which DFAS implemented its contract pay FIP in accordance with the FIAR Guidance. 
To address our objective, we compared DFAS's contract pay FIP with the FIAR Guidance to determine whether the FIP contained all the steps and related supporting documentation that the FIAR Guidance requires the components to complete. Using the FIAR Guidance, we analyzed DFAS's FIP supporting documentation, such as process narratives and flowcharts, test plans, and test results. We also analyzed DFAS's efforts to address control deficiencies identified during testing. Specifically, we selected a nongeneralizable[Footnote 16] sample of 25 control deficiencies that were reported by DFAS as remediated on the FIAR Directorate's Tracking Sheet and reviewed the documentation.[Footnote 17] We interviewed officials from DFAS's Office of Audit Readiness, DFAS's Internal Review, and the FIAR Directorate to obtain explanations and clarifications on the results of our evaluation of the FIP. Appendix I provides further details on our scope and methodology. We conducted this performance audit from May 2012 to April 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: DOD established the FIAR Plan as its strategic plan and management tool for guiding, monitoring, and reporting on the department's ongoing financial management improvement efforts and for communicating the department's approach to addressing its financial management weaknesses and achieving financial statement audit readiness. 
To implement the FIAR Plan, the DOD Comptroller issued the FIAR Guidance, which defines DOD's strategy, goals, roles, and responsibilities and the procedures that the components need to perform to improve financial management and achieve audit readiness. DOD components are expected to prepare a FIP in accordance with the FIAR Guidance for each of their assessable units.[Footnote 18] The FIPs are intended to both guide and document financial improvement efforts. While the name FIP indicates that it is a plan, as a component implements that plan, it must document the steps performed and the results of those steps, and retain that documentation within the FIP. When a component determines that it has completed sufficient financial improvement efforts for an assessable unit to undergo an audit, it asserts audit readiness for the related assessable unit and submits the FIP documentation to the FIAR Directorate to support the conclusion of audit readiness.[Footnote 19] The FIAR Directorate is responsible for reviewing and validating the supporting documentation within the FIP to determine whether the component is audit ready. FIAR Guidance Service Provider Methodology: DOD's service providers are responsible for a variety of accounting, personnel, logistics, and system development or operations services to support DOD components. Recognizing that the effectiveness of the service providers' controls affects the auditability of the amounts reported on the components' financial statements, DOD's FIAR Guidance outlines the steps service providers are to perform to achieve audit readiness. Specifically, the FIAR Guidance requires service providers to work with the components to execute audit readiness activities on their systems, data, processes, internal controls, and supporting documentation that have a direct effect on the components' audit readiness state. 
To support the component audit readiness efforts, a service provider is required to take either of the following steps: * Develop and implement a FIP to improve its processes, systems, and controls so that it can successfully undergo a Statement on Standards for Attestation Engagements (SSAE) No. 16 examination.[Footnote 20] Specifically, the FIAR Guidance requires the service provider to implement a FIP if three or more components will rely on its processes and systems for their audit readiness assertions, and if the service provider will be able to assert audit readiness prior to the components' targeted dates for asserting audit readiness. * Directly participate in and support the component's financial statement audit where the service provider's processes, systems, internal controls, and supporting documentation are audited as part of the components' financial statement audits. The FIAR Guidance service provider methodology requires the FIP to include the following five phases: Discovery, Corrective Action, Assertion/Evaluation, Validation, and SSAE No. 16 Examination. Table 1 provides a list of steps for each of the phases and the required deliverables. 
Table 1: Service Provider Methodology to Become Audit Ready: Discovery Phase: Phases and steps: Overall planning activities; * The service provider coordinates with the components to (1) document understanding of roles and responsibilities for authorizing, initiating, processing, recording, and reporting transactions; (2) retain supporting documentation; and (3) support audit readiness activities; * The service provider documents its end-to-end business processes for an assessable unit; * The service provider coordinates with the components to assess the materiality[A] of the processes and systems based on dollar activity and risk factors to determine which processes and systems should be included in the FIP; Required deliverables to the FIAR Directorate: * Existing service-level agreement and new memorandum of understanding; * Process narratives and flowcharts describing the end-to-end business process for an assessable unit; * Materiality assessment that documents the processes and systems to be included in the FIP. For each assessable unit, the service provider prepares a system inventory and a list of all users and their access privileges for all systems. Phases and steps: The service provider plans and executes internal control testing[B] to obtain evidence about the achievement of control objectives and to assess the design and effectiveness of controls that would prevent, or detect and correct potential misstatements[C] in financial statements; Required deliverables to the FIAR Directorate: Test plans and test results; * For testing controls, a complete and accurate population of transactions that tie to the general ledger and financial statements; * Random samples selected from the population for testing. 
Phases and steps: The service provider plans and executes substantive testing[D] to obtain evidence on whether amounts reported on the financial statements are reliable; Required deliverables to the FIAR Directorate: Test plans and test results; * For substantive testing, a complete and accurate population of transactions that tie to the general ledger and financial statements; * Random samples selected from the population for testing. Phases and steps: The service provider plans and executes testing of information technology (IT) controls, which should include the general[E] and application controls for each significant system and application identified as a result of the materiality assessment; Required deliverables to the FIAR Directorate: Test plans and test results. Phases and steps: The service provider identifies and classifies weaknesses in control activities and notifies components of any material weaknesses[G]; Required deliverables to the FIAR Directorate: Identified weaknesses classified as material weaknesses, significant deficiencies,[H] and control deficiencies[I]. Corrective Action Phase: Phases and steps: The service provider develops and implements corrective action plans to remediate the deficiencies in internal control, IT controls, and substantive testing; Required deliverables to the FIAR Directorate: Corrective action plans that identify each deficiency and the action to be taken to remediate it. Phases and steps: The service provider updates the corrective action section of the FIP to include the classification of the deficiencies (material weaknesses, significant deficiency, or control deficiency); Required deliverables to the FIAR Directorate: Updated FIP status report that shows the progress in executing the corrective action plans and any scope and timeline changes. Phases and steps: The service provider determines the strategy for supporting reporting entities' audit readiness efforts (i.e., proceed with SSAE No. 
16 examination or be audited as part of reporting entity's financial statement audit); Required deliverables to the FIAR Directorate: Notification to the FIAR Directorate that the Corrective Action Phase has been completed and that the service provider is ready for an SSAE No. 16 examination, an updated memorandum of understanding, or both. Assertion/Evaluation Phase: Phases and steps: The FIAR Directorate evaluates the service provider's FIP documentation developed in the Discovery and Corrective Action Phases to assess whether the service provider is ready for an audit; If the FIAR Directorate concludes that the service provider is not ready for an audit, it will provide feedback to describe the deficiencies to be corrected by the service provider; Required deliverables to the FIAR Directorate: [Empty]. Phases and steps: The service provider engages an auditor to perform an SSAE No. 16 examination; Required deliverables to the FIAR Directorate: Awarded contract. Phases and steps: The auditor issues SSAE No. 16 examination report; Required deliverables to the FIAR Directorate: SSAE No. 16 examination report. Phases and steps: The service provider addresses deficiencies identified during the SSAE No. 16 examination; Required deliverables to the FIAR Directorate: Updated FIP. Validation Phase: Phases and steps: The FIAR Directorate will review the service provider's documentation, which includes the SSAE No. 16 examination report and support showing the implementation of corrective actions to address deficiencies identified during the SSAE No. 16 examination, if applicable, and assess whether the service provider will be required to undergo a second SSAE No. 16 examination; * If the service provider receives an unqualified opinion on the first SSAE No. 16 examination, the FIAR Directorate will not require the service provider to undergo a second audit as part of the SSAE No. 
16 examination phase; * If the FIAR Directorate concludes that the service provider is not ready for an audit, it will provide feedback to describe what deficiencies need to be corrected by the service provider prior to undergoing a second SSAE No. 16 examination; Required deliverables to the FIAR Directorate: Documentation demonstrating remediation of deficiencies. SSAE No. 16 Examination Phase: Phases and steps: If applicable, the service provider engages an auditor to perform a second SSAE No. 16 examination; Required deliverables to the FIAR Directorate: Awarded contract. Phases and steps: The auditor issues SSAE No. 16 examination report; Required deliverables to the FIAR Directorate: SSAE No. 16 examination report. Sources: DOD's Financial Improvement and Audit Readiness (FIAR) Guidance, March 2013, and FIAR Directorate officials. [A] Materiality is the effect of an item's omission or misstatement in a financial statement that in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the inclusion or correction of the item. [B] Internal control tests are performed to assess the design and operating effectiveness of controls that would prevent, or detect and correct, potential misstatements in the financial statements. [C] Misstatements are the result of an incorrect selection or misapplication of accounting principles or misstatements of facts identified, including, for example, those arising from mistakes in gathering or processing data and the overlooking or misinterpretation of facts. [D] Substantive tests are detailed tests of transactions and account balances to obtain evidence on whether the amounts reported on the financial statements are reliable. [E] General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. 
The objectives of general controls include safeguarding data, protecting application programs, managing specific system resources (e.g., networks, operating systems, and infrastructure applications), and ensuring continued computer operations in case of unexpected interruptions. For example, general controls include logical access controls that prevent or detect unauthorized access to sensitive data and programs that are stored, processed, and transmitted electronically. [F] Application controls, sometimes referred to as business controls, are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of data during application processing and reporting. For example, a system edit used to prevent or detect a duplicate entry is an application control. [G] A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. [H] A significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. [I] A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [End of table] As presented in table 1, the service provider documents, evaluates, and tests its processes, systems, and controls during the Discovery Phase of its FIP, and designs and implements the necessary corrective action plans as part of the Corrective Action Phase. The deliverables from the service provider are then reviewed by the FIAR Directorate during the Assertion/Evaluation Phase. 
Based on its review of the deliverables, the FIAR Directorate determines whether the service provider is audit ready and, if so, authorizes the service provider to engage an auditor to perform an SSAE No. 16 examination. If the FIAR Directorate determines that the service provider is not audit ready, the FIAR Directorate provides feedback, which the service provider has to address before resubmitting the required deliverables for review. After the auditor completes the SSAE No. 16 examination and issues the report, the service provider submits a copy of the SSAE No. 16 examination report to the FIAR Directorate and evidence that it has implemented corrective actions to remediate the deficiencies identified by the auditor, if any. As part of the Validation Phase, the FIAR Directorate reviews the SSAE No. 16 report and supporting documentation of the implemented additional corrective actions to determine if the service provider is ready for a second SSAE No. 16 examination and, if so, authorizes the service provider to engage an auditor to perform a second SSAE No. 16 examination. If the service provider receives an unqualified opinion on the first SSAE No. 16 examination, the FIAR Directorate will not require the service provider to undergo a second audit as part of the SSAE No. 16 Examination Phase. Figure 1 illustrates a summary of the process in the FIAR Guidance related to the submission, review, and approval of the service providers' documentation for audit readiness. Figure 1: FIAR Guidance Process for the Submission, Review, and Approval of the Service Providers' Documentation for Audit Readiness: [Refer to PDF for image: process illustration] Discovery/Corrective action: 1. Service provider submits deliverables from discovery and corrective action phases. Assertion/Evaluation: 2. FIAR Directorate evaluates FIP documentation to assess audit readiness; Is submission audit ready? 
If no: Service provider responds to feedback from FIAR Directorate before resubmitting (return to #1); If yes: continue. 3. Service provider engages auditor to perform first SSAE No. 16 examination and issue report. Are further corrective actions required? If yes, go to #4; If no, go to #5. 4. Service provider implements additional corrective action plans. Validation: 5. FIAR Directorate reviews SSAE No. 16 and evidence for the implementation of additional corrective action plans to assess whether service provider is ready for second SSAE No. 16 examination. Is a second SSAE No. 16 examination required? If yes, go to #6; If no, go to #7. SSAE No. 16. 6. Service provider engages auditor to perform second examination and issue report. Audit Readiness: 7. Process complete. The FIAR Directorate is responsible for reviewing and validating DOD components' supporting documentation to determine whether the components are audit ready. The Statement on Standards for Attestation Engagements (SSAE) No. 16 examination provides standards for auditors to follow for reporting on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. The Financial Improvement Plan (FIP) is a framework for planning, executing and tracking the steps and supporting documentation necessary to achieve audit readiness. Sources: DOD's Financial Improvement and Audit Readiness (FIAR) Guidance, March 2013, and FIAR Directorate officials. [End of figure] DFAS's Contract Pay End-to-End Business Process: DFAS is the service provider responsible for processing, accounting, and reporting contract pay for DOD components. Figure 2 illustrates the relevant systems and end-to-end process, which includes contract input, invoice entitlements, pre-validation, disbursing, Treasury reporting, accounting and reconciliation, and contract closeout and reconciliation processes. 
Figure 2: Overview of DFAS's Contract Pay End-to-End Business Process: [Refer to PDF for image: process illustration] Components: Contract awarded: Contract Writing System; General Ledger (GL). Contractor: Submits invoice for payment. DFAS systems: MOCAS: Processes contract pay disbursements: Receives Contract input from Contract Writing System; Receives Invoice entitlement from: Contractor; Receives and delivers invoice entitlement from/to: * EAS: Used to manually process invoices; * BAM: Checks invoice data for errors; Pre-validation to and from EUD-PPVM: Downloads MOCAS data; EUD-PPVM pre-validates with GL; EUD-APVM interfaces with GL; Disbursements: * Checks are mailed to contractors; * Federal Reserve Bank processes electronic payment; Reports to Treasury through DCAS: System utilized to report to Treasury; Accounting and reconciliation with General Ledger (GL); Contract closeout and reconciliation: * SCRT: Compares data from MOCAS and GL; * General Ledger (GL). Source: GAO analysis of DFAS contract pay process information. [End of figure] 1. Contract input: The components electronically transmit contract award data and related document images through their contract writing systems into the Mechanization of Contract Administration Services (MOCAS) system.[Footnote 21] DFAS reported that some contract awards are issued with manually produced documents, which the components mail or fax to DFAS for input into MOCAS. DFAS's Contract Input Branch personnel validate the contract data before inputting them into MOCAS. 2. Invoice entitlements: Contractors electronically transmit invoices to DFAS for payment processing in MOCAS; however, if these invoices do not pass a series of automatic validation edits in MOCAS, they are rejected by the system. DFAS's Entitlement branch personnel process these transactions utilizing its Entitlement Automation System (EAS). 
[Footnote 22] MOCAS performs edits to validate the invoices in MOCAS or EAS and compare the contract obligations, invoices, and receiving reports. DFAS's entitlement branch personnel also utilize the Business Activity Monitoring (BAM) tool during the entitlement process to monitor and validate the contractors' invoices. The BAM tool is a monitoring capability that DFAS uses to identify potential erroneous or improper payments.

3. Pre-validation: The Elimination of Unmatched Disbursements (EUD) system transmits invoice data to the components' accounting systems.[Footnote 23] The components review the invoice data transmitted by EUD and approve the invoices for payment.

4. Disbursing: Once the components approve the invoices for payment, the components notify DFAS disbursing operations personnel who input the approval status into MOCAS. MOCAS processes the approved invoices to be paid either by check or electronic funds transfer (EFT). MOCAS generates a disbursement file that identifies all invoices to be paid. A certifying official reviews the disbursement file for accuracy prior to payment being made. After approval by the certifying official, DFAS's Disbursing Operations personnel either mail the checks to contractors or transmit the EFT file to the Federal Reserve Bank to make the payment.

5. Treasury reporting: Once the disbursements are processed, MOCAS interfaces with the Defense Cash Accountability System (DCAS), which is the system used by DFAS to generate and submit monthly reports on contract pay disbursements to the Department of the Treasury (Treasury).[Footnote 24]

6. Accounting and reconciliation: DFAS's Contract Branch personnel generate a disbursement file from MOCAS that is provided to the components to record the contract disbursements into their general ledgers. DFAS is also responsible for the reconciliation of the disbursement transactions in MOCAS to the components' general ledgers; however, DFAS has yet to implement this process.

7. Contract closeout and reconciliation: DFAS's Contract Branch personnel assist the components during the contract closeout and reconciliation processes, for example, with paying final vouchers and, when needed, resolving unreconciled balances on a contract. DFAS officials explained that they utilize the Standard Contract Reconciliation Tool (SCRT) to investigate differences in contract payment data between MOCAS and the components' general ledgers upon request from the components and to process the necessary adjustments. Most of these requests are submitted to DFAS from the components during the contract closeout procedures.

DFAS Did Not Fully Implement Its Contract Pay FIP in Compliance with the FIAR Guidance:

DFAS recognized the importance of implementing a FIP to improve its contract pay processes, systems, and controls, and performed steps required by the FIAR Guidance, such as performing internal control, information technology (IT), and substantive testing. However, we found that DFAS did not fully comply with the requirements in the FIAR Guidance to improve its contract pay processes, systems, and controls. For example, our review found that DFAS did not perform adequate planning and testing activities for the Discovery Phase of its FIP. In addition, DFAS did not provide adequate documentation for several corrective action plans to support that it has remediated identified control deficiencies.
DFAS asserted in October 2013 that its contract pay controls were suitably designed and operating effectively to undergo an audit, and awarded a contract to an independent public accounting firm prior to fully remediating the deficiencies it identified during the implementation of its contract pay FIP.[Footnote 25] Without fully implementing the financial improvement steps required in the FIAR Guidance, DFAS does not have assurance that its processes, systems, and controls can produce and maintain accurate, complete, and timely financial management information for contract pay. Further, the deficiencies noted will affect the components' ability to rely on DFAS's controls over contract pay, ultimately increasing the risk that DOD's goal for an auditable SBR will not be achieved in its planned time frame. Figure 3 provides a summary of the results of our review of DFAS's contract pay FIP.

Figure 3: DFAS's Implementation of Its Contract Pay FIP:

[Refer to PDF for image: illustrated table]

FIAR guidance phases and steps: Discovery (service provider):

Overall planning activities: Document coordination with the components to scope the FIP within a memorandum of understanding;
Results: Not met: DFAS did not provide any documentation that satisfies the criteria.

Overall planning activities: Document its end-to-end business processes;
Results: Partially met: DFAS provided documentation that partially satisfies the criteria.

Overall planning activities: Assess the materiality of the processes and systems;
Results: Not met: DFAS did not provide any documentation that satisfies the criteria.

Plan and execute internal control and substantive testing;
Results: Partially met: DFAS provided documentation that partially satisfies the criteria.

Test the information technology controls for each significant system and application;
Results: Partially met: DFAS provided documentation that partially satisfies the criteria.
Identify and classify the identified weaknesses in control activities and notify components of any material weaknesses;
Results: Not met: DFAS did not provide any documentation that satisfies the criteria.

FIAR guidance phases and steps: Corrective actions (service provider):

Develop and implement corrective actions plans;
Results: Partially met: DFAS provided documentation that partially satisfies the criteria.

Update FIP status report to show progress in executing corrective action plans;
Results: Not met: DFAS did not provide any documentation that satisfies the criteria.

Notify the FIAR Directorate that corrective action phase has been completed and develop audit strategy;
Results: Partially met: DFAS provided documentation that partially satisfies the criteria.

Source: GAO analysis of DFAS FIP.

[End of figure]

Discovery Phase: DFAS Did Not Adequately Complete Required Key Tasks:

DFAS developed flowcharts and narratives and performed internal control, substantive, and IT testing. Based on the testing performed during the Discovery Phase, DFAS identified a total of 399 deficiencies. Specifically, DFAS identified 20 internal control deficiencies and 379 IT control deficiencies--20 related to general controls and 359 related to application controls. However, we found that DFAS did not (1) adequately perform the required planning activities for its contract pay FIP, such as assessing the materiality of its processes and systems; (2) adequately perform the required testing; and (3) properly classify the identified deficiencies. As a result, additional deficiencies may exist that could negatively affect DFAS processes, systems, and controls that are relied upon by DOD components.

DFAS's Overall Planning Activities:

DFAS developed a high-level end-to-end flowchart for contract pay that identified seven key processes and prepared detailed flowcharts and narratives for four of these seven key processes. However, DFAS did not perform all activities required by the FIAR Guidance.
Specifically, based on our review of the contract pay FIP, DFAS did not:

* prepare a memorandum of understanding for each of the DOD components that documented roles and responsibilities for transactions, supporting documentation retention, and audit readiness activities;

* prepare detailed flowcharts and narratives for three of the seven key processes: (1) reporting of disbursements to Treasury, (2) accounting and reconciliation of contract pay disbursements to the components' general ledgers, and (3) contract closeout; and

* assess the materiality of its processes and systems based on dollar activity and risk factors.

DFAS officials stated that they coordinated with the DOD components to develop the contract pay FIP; however, DFAS did not maintain meeting minutes and was unable to provide documentation to support the components' input or concurrence with the decisions made. DFAS is developing a Concept of Operations (CONOPS) to supplement existing mission work agreements that it has established with each component to comply with the requirements in the FIAR Guidance for the service providers to develop a memorandum of understanding.[Footnote 26] However, DFAS has not established a time frame for when the CONOPS will be completed. In addition, our review of the draft CONOPS and existing mission work agreements showed that they do not address all the requirements reflected in the FIAR Guidance. For example, these documents do not:

* identify the roles and responsibilities for authorizing, initiating, processing, recording, and reporting of transactions;

* identify the roles and responsibilities for the creation, completion, and retention of supporting documentation; and

* identify the supporting documentation that should be retained for each business process and transaction type.
DFAS officials stated that they did not assess materiality and risk level for determining what processes, systems, and controls needed to be included in DFAS's contract pay FIP because their approach consisted of including in the FIP the processes and systems that were common to at least three or more components. By applying this approach, they determined that the three processes that were excluded were used by two or fewer components. For example, each client has a different general ledger system; therefore, DFAS did not consider the general ledger reconciliation process to be a common service. However, this approach did not comply with the requirements in the FIAR Guidance, which requires service providers to determine the processes to be covered in the FIP based on whether the process is critical to the audit readiness efforts as defined by both materiality and risk. As a result, and as shown in figure 4, DFAS excluded from the FIP three of its key contract pay processes: (1) reporting of disbursements to Treasury, (2) accounting and reconciliation of contract pay disbursements to the components' general ledgers, and (3) contract closeout.

Figure 4: Processes, Systems, and Controls Addressed and Not Addressed in DFAS's Contract Pay FIP:

[Refer to PDF for image: process illustration]

All processes included in DFAS Contract Pay FIP except where noted.

Components:
Contract awarded:
Contract Writing System;
General Ledger (GL).

Contractor:
Submits invoice for payment.
DFAS systems:
MOCAS: Processes contract pay disbursements:
Receives Contract input from Contract Writing System;
Receives Invoice entitlement from: Contractor;
Receives and delivers invoice entitlement from/to:
* EAS: Used to manually process invoices;
* BAM: Checks invoice data for errors;
Pre-validation to and from EUD-PPVM: Downloads MOCAS data;
EUD-PPVM pre-validates with GLEUD-APVM which Interfaces with GL;
Disbursements:
* Checks are mailed to contractors;
* Federal Reserve Bank processes electronic payment;
Reports to Treasury through DCAS: System utilized to report to Treasury: [This Process not included in DFAS Contract Pay FIP]
Accounting and reconciliation with General Ledger (GL); [This Process not included in DFAS Contract Pay FIP]
Contract closeout and reconciliation:
* SCRT: Compares data from MOCAS and GLSCRT;
* General Ledger (GL).
[This Process not included in DFAS Contract Pay FIP]

Source: GAO analysis of DFAS contract pay process information.

[End of figure]

These processes excluded by DFAS from its FIP are intended to help ensure that the contract disbursements processed by DFAS are accurately recorded and maintained in the components' general ledgers and that the status of DOD's contract obligations is accurate and up-to-date. At the time of the implementation of its contract pay FIP, DFAS had not established a general ledger reconciliation process. DOD's Financial Management Regulation (FMR) requires DFAS to reconcile disbursement transactions to the components' general ledger,[Footnote 27] and the FIAR Guidance notes that the DOD components will not be able to successfully pass an audit without transaction-level reconciliation to the general ledger.
Standards for Internal Control in the Federal Government states that control activities such as reconciliations are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.[Footnote 28]

DFAS officials explained that DFAS is evaluating the three processes excluded from its contract pay FIP for each of the components to support their audit readiness efforts and that they will provide the results of these efforts to the affected components before the components assert audit readiness for contract pay. Specifically, these officials indicated that they have established a general ledger reconciliation process and plan to evaluate it and the other two processes (i.e., the reporting of disbursements to Treasury and contract closeout processes) in support of the Departments of the Navy, Air Force, and Army with a completion date of June 2014. However, DFAS did not provide sufficient documentation for us to assess the scope and methodology of these efforts or to confirm the completion status.

Without an adequately scoped and planned FIP, DFAS will not be able to ensure that it is covering all key processes that will materially affect the timeliness, accuracy, and reliability of its contract pay transaction data. As a result, even though DFAS has already asserted audit readiness, DFAS does not have assurance that its FIP will satisfy the needs of the components or provide the expected benefits to the department-wide efforts to assert audit readiness for contract pay as a key element of the SBR.

DFAS Internal Control and Substantive Testing:

DFAS performed both internal control and substantive testing; however, DFAS did not validate the populations of transactions used to perform the testing. Therefore, DFAS's test results cannot be generalized to support the assertion that its controls, and its transaction activities and balances, are audit ready.
The FIAR Guidance requires service providers to validate the population of transactions to be tested prior to performing internal control and substantive testing by reconciling the population to the general ledger and assessing it for invalid transactions, abnormal balances, and missing data fields. As noted earlier, at the time of the implementation of its contract pay FIP, DFAS had not established a general ledger reconciliation process.

In response to our inquiries, DFAS officials stated that they had validated the populations and provided to us a copy of a data reliability assessment. According to the FIAR Guidance, a data reliability assessment is intended to document a comparison of the transaction data to the components' general ledgers and data mining performed to identify any outliers.[Footnote 29] However, the data reliability assessment provided by DFAS did not contain such a comparison or address data mining activities. Instead, the data reliability assessment provided background information on the Shared Data Warehouse (SDW), which is the database used by DFAS to generate the samples of transactions tested. SDW was developed by DFAS as a tool to generate reports for the disbursements recorded in MOCAS because MOCAS has limited query capabilities. As a result, SDW is used by DFAS to store contract administration and payment data collected from MOCAS, conduct queries, and produce reports.

Because SDW is a database that stores data from MOCAS, this comparison is not an adequate reconciliation and, in essence, represents a comparison of the transactions recorded in MOCAS to MOCAS itself. An effective reconciliation process would involve comparing transactions to supporting documentation, systems of record, or both to ensure the completeness, validity, and accuracy of financial information.
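The population validation described above, and the reason a warehouse-to-source comparison proves nothing, can be shown in a short Python example added here for illustration (it is not GAO's or DFAS's code). All records, field names, and amounts are constructed and do not reflect the actual MOCAS, SDW, or general ledger formats.

```python
from collections import Counter
from decimal import Decimal

# Hypothetical field names; every record below is constructed sample data.
REQUIRED_FIELDS = ("txn_id", "contract", "amount", "paid_on")


def _row(txn_id, contract, amount, paid_on):
    return {"txn_id": txn_id, "contract": contract,
            "amount": Decimal(amount), "paid_on": paid_on}


# Disbursements as recorded in the paying system (constructed).
SOURCE_SYSTEM = [
    _row("D-1001", "C-A", "1250.00", "2013-03-04"),
    _row("D-1002", "C-A", "980.50", "2013-03-04"),
    _row("D-1003", "C-B", "40000.00", "2013-03-05"),
    _row("D-1004", "", "310.00", "2013-03-05"),      # missing contract number
    _row("D-1005", "C-C", "-75.00", "2013-03-06"),   # abnormal (negative) amount
]

# A reporting warehouse loaded from the paying system: a copy, not new evidence.
WAREHOUSE = [dict(r) for r in SOURCE_SYSTEM]

# An independently maintained general ledger (constructed).
LEDGER = [
    {"txn_id": "D-1001", "amount": Decimal("1250.00")},
    {"txn_id": "D-1002", "amount": Decimal("908.50")},   # transposed digits
    {"txn_id": "D-1003", "amount": Decimal("40000.00")},
    {"txn_id": "D-1005", "amount": Decimal("-75.00")},
    {"txn_id": "D-1006", "amount": Decimal("5000.00")},  # never reached the population
]


def field_checks(population):
    """Flag missing data fields, duplicate IDs and abnormal amounts."""
    findings = set()
    id_counts = Counter(r.get("txn_id") for r in population)
    for r in population:
        txn = r.get("txn_id") or "<no id>"
        missing = [f for f in REQUIRED_FIELDS if r.get(f) in (None, "")]
        if missing:
            findings.add((txn, "missing:" + ",".join(missing)))
        if id_counts[r.get("txn_id")] > 1:
            findings.add((txn, "duplicate_id"))
        amount = r.get("amount")
        if amount is not None and amount <= 0:
            findings.add((txn, "abnormal_amount"))
    return sorted(findings)


def _amounts(records):
    return {r["txn_id"]: r["amount"] for r in records
            if r.get("txn_id") and r.get("amount") is not None}


def reconcile(population, reference):
    """Transaction-level tie-out of a population to a reference set of records."""
    pop, ref = _amounts(population), _amounts(reference)
    return {
        "not_in_ledger": sorted(pop.keys() - ref.keys()),
        "not_in_population": sorted(ref.keys() - pop.keys()),
        "amount_mismatch": sorted(k for k in pop.keys() & ref.keys()
                                  if pop[k] != ref[k]),
        "total_difference": sum(pop.values(), Decimal(0))
                            - sum(ref.values(), Decimal(0)),
    }


if __name__ == "__main__":
    # Warehouse vs. the system it was loaded from: ties out by construction.
    print("warehouse vs source:", reconcile(WAREHOUSE, SOURCE_SYSTEM))
    # Warehouse vs. an independent ledger: the differences become visible.
    print("warehouse vs ledger:", reconcile(WAREHOUSE, LEDGER))
    print("field checks:", field_checks(WAREHOUSE))
```

The first comparison reports no differences regardless of what is wrong with the data, because both sides share one origin; only the tie-out to the independent ledger surfaces the unrecorded, unmatched, and mismatched items.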
Even if DFAS had performed an adequate reconciliation process, according to the data reliability assessment that DFAS provided, the population of transactions validated by DFAS only covered the disbursements for 1 day, not the population of data for the entire fiscal year that was used by DFAS to select the samples that were tested.

DFAS did not identify any deficiencies related to its substantive testing of the contract disbursements recorded in MOCAS and identified 20 deficiencies related to its internal control testing. However, because DFAS did not validate the population used to perform internal control and substantive testing, additional deficiencies may exist in DFAS's contract pay controls and errors may exist in the recorded transactions activity and balances.

DFAS Testing of Information Technology Controls:

We found that DFAS did not perform sufficient general and application controls testing.[Footnote 30] Further, DFAS did not develop an audit plan or strategy for its application-level testing. As a result, DFAS did not have support for the scope of its application-level testing, such as its rationale for excluding a significant number of the controls from the testing of several of the systems DFAS classified as key for contract pay, even though the FIAR Guidance requires consideration of such controls. For the controls it did test, DFAS found numerous deficiencies that needed to be addressed. Specifically, DFAS found issues with 20 entity-level general controls and 359 application-level controls.

General controls:

DFAS tested 122 of the 261 entity-level general controls identified in the FIAR Guidance; however, it did not determine whether the remaining 139 controls were relevant and should have been tested. DFAS officials told us that they decided to focus the entity-level testing on the 122 controls identified by the FIAR Guidance as having the highest relevance for a financial statement audit because of resource constraints.
Based on the entity-level controls that were tested, DFAS identified 20 general control deficiencies at the entity level that were related to either the design or operation of controls, such as inappropriate segregation of duties and inadequate monitoring of system access privileges. However, because of the limited testing performed, additional deficiencies may exist that were not identified. DFAS officials acknowledged that they needed to assess the other 139 entity-level controls and planned to perform such an assessment during fiscal year 2014. However, as stated previously, DFAS asserted in October 2013 that its contract pay process was audit ready and did so without having assessed these 139 entity-level controls.

Without effective entity-level general controls, application-level controls may be rendered ineffective by circumvention or modification. As a result, these deficiencies can materially affect the effectiveness of DFAS application-level controls. For example, edits designed to preclude users from entering unreasonably large dollar amounts in a payment processing system can be an effective application control. However, this control cannot be relied on if the general controls permit unauthorized program modifications that might allow some payments to be exempt from the edit.

Application-level controls:

DFAS performed application-level testing for the six system applications it determined to be key to its contract pay systems. However, DFAS did not develop audit plans or strategies to guide its application-level control testing for all six systems and did not perform sufficient testing for three of its systems--BAM, SCRT, and EUD-Accounting Pre-validation Module (APVM).
The FIAR Guidance requires service providers to follow the Federal Information System Controls Audit Manual (FISCAM) to test the IT controls of the systems and applications that are necessary to achieve audit readiness.[Footnote 31] FISCAM requires a written audit program or strategy that describes the objective, scope, and methodology for the testing of IT controls. Entities are required to use the information documented in the audit plan or strategy to determine the nature, timing, and extent of the IT test procedures.

DFAS officials explained that they did not document a plan or strategy for application-level controls because they were performing self-assessments and not audits. They also stated that some of their staff members did not know how to perform a FISCAM audit and that this was a learning experience. However, the FIAR Guidance requires DOD components to follow a process similar to an audit to obtain sufficient evidence that the organization is audit ready. DFAS officials stated that they recognized that the assessments could be improved, but noted that the FIAR Directorate had validated the results of its application-level testing.

In addition, DFAS did not perform sufficient application-level testing for BAM, SCRT, and EUD-APVM. Out of the 163 controls required by the FIAR Guidance to be considered for each system, DFAS tested 40 controls for EUD-APVM, 32 for BAM, and 9 for SCRT. DFAS provided us a document to support how it selected the key controls that were tested for these systems and its reasoning for excluding from the testing most of the controls that are required by the FIAR Guidance. However, this document did not adequately support DFAS's scope and methodology for testing these systems.
For example, the document stated that either limited or no testing was performed of certain control areas, such as the application-level general controls for Security Management and Contingency Planning, because those controls were tested at the entity or system level; however, DFAS's review of entity-level controls did not cover any application-related controls. Further, as stated earlier, DFAS did not perform sufficient testing of its entity-level controls. Although the Defense Information Systems Agency (DISA)--which is responsible for the mainframe platforms where DFAS's contract pay systems are executed and maintained--received an unqualified opinion on its SSAE No. 16 examination, this examination did not cover DFAS's application-level controls.[Footnote 32] DISA's SSAE No. 16 report also recognized the need for its user entities to implement complementary controls in different areas, including backup and recovery management. As a result, the application-level testing performed by DFAS for BAM, SCRT, and EUD-APVM was not sufficient and did not comply with the FIAR Guidance.

Based on its limited testing of application-level controls, DFAS identified a total of 359 deficiencies. For example, DFAS found deficiencies in its access controls, such as a lack of processes to ensure that users' system access is authorized and limited to job responsibilities. DFAS also found a lack of adequate policies and procedures to ensure proper segregation of duties and related monitoring processes.

Because DFAS did not use a documented plan or strategy, and did not have adequate evidence on whether its application-level control testing was adequately designed, it did not obtain the necessary assurance that its contract pay data are valid, complete, and accurate.
This increases the risk that additional deficiencies exist that were not identified during the application-level testing, which in turn hinders DFAS's ability to remediate existing deficiencies thus adversely affecting audit readiness.

DFAS Classification of Identified Deficiencies and Coordination with the Components:

DFAS did not coordinate and work with the components to assess the impact of the identified deficiencies on the components' audit readiness efforts and classify the deficiencies as control deficiencies, significant deficiencies, or material weaknesses as required by the FIAR Guidance. DFAS officials explained that they classified the identified deficiencies into high-, medium-, or low-risk categories based on their assessment of the risk to DFAS not being able to achieve its control objectives.[Footnote 33] These officials indicated that they did not follow the FIAR Guidance for risk classification because SSAE No. 16 states that the service provider will not be able to determine the impact of the identified deficiencies on the components' financial statements. DFAS officials also stated that in order for them to classify the deficiencies as control deficiencies, significant deficiencies, or material weaknesses as required by the FIAR Guidance, they would need to obtain information from the components regarding their processes and controls affected by the identified deficiencies.

The FIAR Guidance recognizes that this coordination is needed to determine the effect of the identified deficiencies on the components' financial statements, which is the intent of DOD's overall FIAR effort. Further, the FIAR Guidance states that because of the complexities inherent in DOD component and service provider relationships and associated audit readiness interdependencies, it is essential that such coordination is documented in a memorandum of understanding. While an SSAE No. 16 examination is intended to provide assurance regarding the control environment of the service providers, the FIAR effort is intended, among other things, to provide assurance that the components are ready for a financial statement audit. To do this, the components must be aware of the impact of the deficiencies in the service provider's control environment so that they can assess their risks and identify and implement compensating controls if needed.

Because DFAS did not adequately classify the identified deficiencies and assess their related impact to the components, DOD components will not be able to obtain a complete understanding of the impact of the deficiencies identified by DFAS on their own control environments and design and implement compensating controls to mitigate the effect of DFAS's control deficiencies on their financial operations.

Corrective Action Phase: DFAS Did Not Adequately Complete Required Key Tasks:

DFAS notified the FIAR Directorate that it had implemented the necessary corrective action plans and developed an audit readiness strategy; however, we found that DFAS did not (1) take the necessary corrective actions or maintain sufficient documentation for 18 of 25 deficiencies DFAS reported as remediated that we reviewed and (2) properly update the Corrective Action Phase section of its FIP status report. DFAS's audit strategy consisted of its contract pay FIP undergoing an SSAE No. 16 examination and, as stated earlier, DFAS evaluating the three processes excluded from its contract pay FIP for each of the components to support their audit readiness efforts. However, DFAS did not provide documentation (an updated CONOPS or memorandum of understanding) to show that it had coordinated with the components to determine how it would support their audit readiness efforts for those processes excluded from the FIP as required by the FIAR Guidance.
Further, additional deficiencies may exist in DFAS's contract pay processes and systems that were not considered during the Corrective Action Phase because, as discussed previously, DFAS did not (1) validate the population used to perform internal control and substantive testing and (2) perform sufficient general control and application-level testing. As a result of these deficiencies, DFAS's contract pay FIP did not provide sufficient assurance that all the deficiencies that may materially affect the accuracy and reliability of its contract pay transaction data had been fully remediated. The FIAR Directorate reviewed DFAS's supporting documentation for its contract pay FIP and authorized DFAS to undergo an SSAE No. 16 examination.

DFAS Corrective Action Plans:

DFAS reported that it had developed and implemented corrective actions to remediate 393 of the 399 deficiencies it identified as part of the Discovery Phase. DFAS officials stated that for the 6 deficiencies that were not remediated as part of the contract pay FIP, DFAS will either address the deficiencies subsequent to its audit readiness assertion or rely on other components to address these deficiencies. The FIAR Guidance requires service providers to remediate each identified deficiency before asserting that they are audit ready. In addition, 2 of these 6 deficiencies were determined by the FIAR Directorate to be material. However, DFAS did not provide evidence that these deficiencies were remediated before asserting audit readiness for contract pay.

We selected a nongeneralizable sample of 25 control deficiencies DFAS reported as remediated to determine whether DFAS had adequately implemented corrective actions to remediate the identified deficiencies.[Footnote 34] Of these 25 deficiencies, we found that DFAS had adequately developed and implemented the necessary corrective action plans for 7.
We found the following for the remaining 18 deficiencies:

* For 3 deficiencies, DFAS did not develop corrective action plans. For example, DFAS reported 1 of these deficiencies as closed because it planned to rely on the Defense Contract Management Agency (DCMA) to remediate the identified weaknesses. Although DFAS provided documentation of DCMA's agreement to address this deficiency, DFAS did not provide documentation to support that this deficiency had been remediated by DCMA. In addition, DFAS reported as closed 2 deficiencies related to the reconciliation of its contract pay activity with the components' general ledger because, as stated earlier, it decided not to address this reconciliation as part of its contract pay FIP. DOD's FMR and the FIAR Guidance require DFAS to reconcile disbursement transactions to the components' general ledgers, and the FIAR Guidance notes the DOD components will not be able to successfully pass an audit without transaction-level reconciliation to their general ledgers. Standards for Internal Control in the Federal Government states that control activities such as reconciliations are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

* For eight deficiencies, the corrective action plans developed by DFAS were not adequate. Corrective action plans should include, among other things, the responsible point of contact, the root causes of the deficiency, and resource needs.[Footnote 35] However, these corrective action plans did not adequately describe the root causes of the identified deficiencies that needed to be corrected. For example, half of these corrective action plans only described the control requirements from FISCAM but did not describe the underlying root cause of the deficiencies identified by DFAS.
As a result, these corrective action plans do not provide sufficient information to perform an independent review to determine whether an implemented corrective action remediated the identified deficiency.

* For the remaining 7 deficiencies, DFAS did not provide adequate documentation to support that the corrective action plans were adequately implemented. For example, DFAS provided us a copy of a documented procedure as support for the implementation of one of its corrective action plans; however, the documented procedure provided by DFAS was not relevant to the identified deficiency. In addition, DFAS did not provide support that a corrective action had been tested and had successfully remediated the deficiency, and for another deficiency the test results showed that it had not been successfully remediated by the implemented corrective action. Further, the corrective action plan for another deficiency noted that it would not be fully remediated until February 2014, which was 4 months after DFAS asserted audit readiness.

DFAS stated that the actions taken to address these 18 deficiencies were appropriate. However, we found that in 3 of the 18 instances, corrective actions had not been taken as required by the FIAR Guidance and that the documentation provided by DFAS for the other 15 deficiencies was insufficient. Without implementing adequate corrective action plans, DFAS lacks sufficient assurance that these identified control deficiencies were remediated, which will negatively affect the accuracy and reliability of its contract pay transaction data.

DFAS's FIP Status Report:

DFAS submitted its monthly FIP status report for the department to monitor its progress in meeting interim and long-term goals. However, we found that DFAS's status reports were not accurate and complete.
For example, although DFAS has reported since November 2012 on its FIP status report that its Corrective Action Phase was completed in August 2012, DFAS did not assert its Corrective Action Phase as complete until October 2013. Further, DFAS did not include in the status report the information required by the FIAR Guidance for the Corrective Action Phase, such as the identified weaknesses by classification (e.g., material weaknesses), and respective corrective actions with targeted completion dates. DFAS officials explained that they did not update the contract pay FIP status report to include the information required by the FIAR Guidance for the Corrective Action Phase because of limitations in the software used to maintain the FIP. They explained that the software does not allow them to make significant updates to the FIP and they would have to develop a work-around to update the FIP, such as creating a new project in the software with the required updates. However, this information is key for DOD's oversight of the components' audit readiness efforts, as it is used by DOD's key stakeholders and governing bodies for financial improvement and audit readiness to oversee the FIAR effort and is reported publicly on a biannual basis. Further, because the status information reported by DFAS is inaccurate and incomplete, it could misinform stakeholders as to the status of DFAS's audit readiness efforts and negatively affect the adequacy and effectiveness of the components' audit readiness plans for contract pay.

DFAS Strategy for Supporting Components' Audit Readiness Efforts:

DFAS notified the FIAR Directorate that it had implemented the necessary corrective action plans and developed an audit readiness strategy. The FIAR Directorate reviewed the DFAS's supporting documentation for its contract pay FIP and authorized DFAS to undergo an SSAE No. 16 examination. DFAS's audit strategy consisted of undergoing an SSAE No.
16 examination for its contract pay FIP and, as stated earlier, evaluating the three processes excluded from its contract pay FIP for each of the components to support their audit readiness efforts. However, DFAS did not provide documentation (an updated CONOPS or memorandum of understanding) to show that it had coordinated with the components to determine how it would support their audit readiness efforts for those processes excluded from the FIP as required by the FIAR Guidance. For example, because DFAS has not implemented a memorandum of understanding with the components, it is unclear whether the Army implemented the necessary compensating controls in the absence of assurance from DFAS that its contract pay processes, systems, and controls were designed and operating as intended. As stated earlier, DFAS has not completed its evaluation of the three processes that were excluded from its contract pay FIP for the components, including the Department of the Army; however, the Army asserted in June 2013 that its processes, systems, and controls for contract pay were audit ready. In addition, DFAS did not assert audit readiness of the processes, systems, and controls included in its contract pay FIP until October 2013. Thus, the usefulness of DFAS's efforts in support of the Army's and other components' audit readiness efforts remains questionable.

Conclusions:

DFAS recognized the importance of implementing a FIP to improve its contract pay processes, systems, and controls and performed steps required by the FIAR Guidance, such as performing internal control, IT, and substantive testing. However, DFAS did not fully comply with the requirements in the FIAR Guidance for the Discovery and Corrective Action Phases; therefore, the FIP did not support DFAS's October 2013 assertion that its contract pay controls were suitably designed and operating effectively.
As a result, DFAS did not have assurance that its processes, systems, and controls can produce and maintain accurate, complete, and timely financial management information for the approximately $200 billion of contract pay disbursements it annually processes on behalf of DOD components. For example, DFAS did not perform adequate planning and testing activities for the Discovery Phase of its FIP. In addition, DFAS did not provide adequate documentation demonstrating that it had remediated certain identified deficiencies. Although DFAS asserted audit readiness, correcting the weaknesses identified in this report can help ensure that it effectively carries out its contract pay mission and implements, maintains, and sustains the necessary financial improvements to its contract pay processes, systems, and controls. Until DFAS does so, its ability to properly process, record, and maintain accurate and reliable contract pay transaction data is questionable.

Recommendations for Executive Action:

To ensure that DFAS is able to obtain the necessary assurance that its contract pay end-to-end process can produce, maintain, and sustain accurate, complete, and timely information in support of the components' and DOD-wide financial improvement and audit readiness efforts, we recommend that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to take the following nine actions:

Address deficiencies in its Discovery Phase planning activities for contract pay by performing the following:

* Document its contract pay end-to-end process by developing the necessary flowcharts and narratives for those processes excluded from the FIP.

* Assess the materiality (i.e., dollar activity and risk factors) of its processes, systems, and controls.

* Complete a memorandum of understanding with each of the components.
Address deficiencies in its Discovery Phase testing activities by performing the following:

* Validate the completeness and accuracy of the populations of transactions used to perform testing.

* Consider and assess the design and operational effectiveness of the entity-level general controls that were not tested by DFAS, as appropriate.

* Document and execute an audit strategy or plan for application-level testing of system controls.

* Coordinate with the components to classify all identified deficiencies as control deficiencies, significant deficiencies, and material weaknesses.

Address deficiencies in its Corrective Action Phase activities by performing the following:

* Assess the population of implemented corrective action plans to determine whether the deficiencies we found in our nongeneralizable sample of DFAS's corrective action plans are more widespread in the population.

* Revise its FIAR status reports to accurately reflect the current status of its audit readiness efforts.

Agency Comments and Our Evaluation:

We provided a draft of this report to DOD for comment. In its written comments, reprinted in appendix II, DOD concurred with our recommendations. DOD also described planned and ongoing actions that DFAS and the FIAR Directorate are taking to address the recommendations, including developing procedures for the processes excluded from DFAS's contract pay FIP; performing a materiality assessment of processes, systems, and controls; completing a memorandum of understanding to document roles and responsibilities for each component; validating the completeness and accuracy of populations of transactions used to perform testing; and reviewing and certifying corrective actions. DOD also stated that significant progress had been made but much work remained to be accomplished to include applying lessons learned in implementing the FIAR Guidance during audit preparations, as our recommendations indicated.
Further, DOD commented that there had been positive results and it was expecting a favorable opinion from the ongoing independent public accountant examination being conducted under SSAE No. 16. However, as discussed in our report, the scope of DFAS's SSAE No. 16 examination was limited and did not cover all key processes that will materially affect the timeliness, accuracy, and reliability of its contract pay transaction data. Therefore, until DFAS completes its other efforts, such as establishing a general ledger reconciliation process, it does not have reasonable assurance that its SSAE No. 16 examination will satisfy the needs of the components or provide the expected benefits to the department-wide effort to assert audit readiness for contract pay as a key element of the SBR.

We are sending copies of this report to the Secretary of Defense, the Under Secretary of Defense (Comptroller)/Chief Financial Officer, the Director of the Defense Finance and Accounting Service, the Director of DFAS-Columbus, the Director of the Office of Management and Budget, and appropriate congressional committees. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov].

If you or your staff have any questions about this report, please contact me at (202) 512-9869 or khana@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff members who made major contributions to this report are listed in appendix III.

Signed by:

Asif A.
Khan:
Director, Financial Management and Assurance:

[End of section]

Appendix I: Objective, Scope, and Methodology:

To determine the extent to which the Defense Finance and Accounting Service (DFAS) implemented its contract pay Financial Improvement Plan (FIP) in accordance with the Financial Improvement and Audit Readiness (FIAR) Guidance, we compared DFAS's contract pay FIP with the FIAR Guidance to determine if the FIP contained all steps and supporting documentation that the FIAR Guidance requires the components to complete. Using the FIAR Guidance, we analyzed DFAS's FIP supporting documentation, such as process narratives and flowcharts, and test plans and test results.

We also analyzed DFAS's efforts to address deficiencies identified during testing. Specifically, we selected a nongeneralizable sample[Footnote 36] of 25 deficiencies that were reported on the FIAR Directorate's Tracking Sheet as of September 23, 2013.[Footnote 37] To ensure the reliability of the data reported on the Tracking Sheet, we (1) interviewed FIAR Directorate officials to obtain an understanding of the process they followed to monitor and validate DFAS's efforts to remediate identified deficiencies and (2) reviewed the actions taken to ensure that all deficiencies identified during the testing were included in the Tracking Sheet. We also reviewed the data on the Tracking Sheet for outliers, such as the deficiencies reported on the Tracking Sheet as not being fully remediated or controls tested for which DFAS did not identify any deficiencies. As a result, we excluded 174 items from the total of 542[Footnote 38] items on the Tracking Sheet for a population of 368 deficiencies.[Footnote 39] From this population, we selected a random sample of 20 deficiencies with noted corrective action plans[Footnote 40] that were designated as remediated by DFAS as of September 23, 2013.
We also selected from the population of 368 deficiencies an additional 5 deficiencies: (1) 2 to include deficiencies associated with DFAS's testing of general controls[Footnote 41] that were not included in the initial random sample and (2) 3 deficiencies identified by DFAS as remediated with a corrective action plan where the FIAR Directorate noted that the controls tested did not apply to DFAS's contract pay FIP.

We also interviewed officials from DFAS's Office of Audit Readiness, DFAS's Internal Review, and the FIAR Directorate to obtain explanations and clarifications on the results of our evaluation of the FIP.

We conducted this performance audit from May 2012 to April 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Appendix II: Comments from the Department of Defense:

Office of The Under Secretary Of Defense:
Comptroller:
1100 Defense Pentagon:
Washington, DC 20301-1100:

June 5, 2014:

Mr. Asif A. Khan:
Director, Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Khan:

This is the Department of Defense (DoD) response to the Government Accountability Office (GAO) draft report GAO-14-10, "DoD Financial Management: The Defense Finance and Accounting Service Needs to Fully Implement Financial Improvements for Contract Pay," dated May 1, 2014 (GAO Code 197118). The Department acknowledges receipt of the draft report and we concur with the nine recommendations. Our detailed responses are enclosed.

This report was based on work that was conducted over an extended period of time.
During this period, the Defense Finance and Accounting Service (DFAS) has worked to verify that processes, systems, and controls over contract pay are suitably designed and operating effectively. Significant progress has been made but much work remains to be accomplished, to include applying lessons learned in implementing the Financial Improvement and Audit Readiness Guidance during audit preparations as your recommendations indicate. With that said, there have been positive results and we are expecting a favorable opinion from the ongoing independent public accountant exam being conducted under the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) standard. This product, along with other required reconciliations outside the scope of SSAE 16, must be part of DFAS customers' assertion packages relating to their budgetary statements. We agree that the processes performed by DFAS are critical to ensure that the contract disbursements are accurately recorded and maintained in the components' general ledgers. We will review these processes as part of component assertions between now and September 30, 2014.

Thank you for the opportunity to comment. We look forward to your continued engagement and support on this very important agency-wide initiative. My point of contact for this effort is Ms. Sharon DePrato, at 571-256-2707 or sharon.d.deprato.civ@mail.mil.

Sincerely,

Signed by:

Robert F. Hale:

Enclosure: As stated.
Enclosure:

GAO Draft Report Dated May 1, 2014:
GAO-14-10 (GAO Code 197118):

“DOD Financial Management: The Defense Finance And Accounting Service Needs To Fully Implement Financial Improvements For Contract Pay”

Department Of Defense (DoD) Responses To GAO Recommendations:

Recommendation 1: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase planning activities for contract pay by documenting its contract pay end to end process by developing the necessary flowcharts and narratives for those processes excluded from the FIP.

DoD Response: Concur. Defense Finance and Accounting Service (DFAS) sites have either developed and shared with the components, or are in the process of developing the Treasury Reconciliation, Accounting & Reporting, and Contract Close out process maps and narratives for the Contract Pay functions outside the Statement on Standards for Attestation Engagements No. 16 scope. As part of final component assertion package reviews, the Office of the Under Secretary of Defense (Comptroller)'s Financial Improvement and Audit Readiness (FIAR) directorate will validate appropriate documentation. Estimated completion date (ECD): September 30, 2014.

Recommendation 2: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase planning activities for contract pay by assessing the materiality of its processes, systems, and controls.

DoD Response: Concur. DFAS sites have assessed or will finalize the materiality assessment (i.e., dollar activity and risk factors) of its processes, systems and controls. As part of final component assertion package reviews, the FIAR directorate will validate required documentation. ECD: July 31, 2014.
Recommendation 3: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase planning activities for contract pay by completing a Memorandum of Understanding with each of the components.

DoD Response: Concur. DFAS sites submitted draft memorandums of understanding and concepts of operations to the components throughout various stages of their assertion work during 2013 & 2014. As part of final component assertion package reviews, the FIAR directorate will validate that this information has been finalized. ECD: September 30, 2014.

Recommendation 4: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase testing activities by validating the completeness and accuracy of the populations of transactions used to perform testing.

DoD Response: Concur. DFAS has either developed or is in the process of developing a method for validating the population to be tested by reconciling the population to the General Ledger. As part of final component assertion package reviews, the FIAR directorate will examine this capability. ECD: September 30, 2014.

Recommendation 5: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase testing activities by considering and assessing the design and operational effectiveness of the entity level general controls that were not tested by DFAS.

DoD Response: Concur. DFAS Internal Review will conduct an audit of the remaining 139 entity-level Information Technology General Controls (ITGCs) that were not reviewed during an April 2013 audit of entity-level ITGCs.
As part of final component assertion package reviews, the FIAR directorate will validate supporting documentation. ECD: August 31, 2014.

Recommendation 6: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase testing activities by documenting and executing an audit strategy or plan for application level testing of system controls.

DoD Response: Concur. DFAS has developed a strategy of focusing on the most critical Federal Information System Controls Audit Manual control objectives, which includes System Security, Access Control, Configuration Management, Segregation of Duties, Interface Strategy, and Design and Interface Processing. As part of final component assertion package reviews, the FIAR directorate will validate supporting documentation. ECD: June 30, 2014.

Recommendation 7: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its discovery phase testing activities by coordinating with the components to classify all identified deficiencies as control deficiencies, significant deficiencies and material weaknesses.

DoD Response: Concur. DFAS has shared Contract Pay test failures with the components and will ensure all of the failures are classified as control deficiencies, significant deficiencies, or material weaknesses in relation to their impact on the General Fund Financial Statements. As part of final component assertion package reviews, the FIAR directorate will validate required documentation. ECD: September 30, 2014.
Recommendation 8: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its corrective action phase activities by assessing the population of implemented corrective action plans to determine whether the deficiencies that GAO found in their nongeneralizable sample of DFAS' corrective action plans are more widespread in the population.

DoD Response: Concur. Corrective actions for the information technology general level controls will be reviewed and certified by a qualified independent public accountant. Corrective actions for the business process controls will be reviewed and certified by the DFAS Audit Readiness teams. As part of final component assertion package reviews, the FIAR directorate will review supporting documentation. ECD: July 31, 2014.

Recommendation 9: The GAO recommends that the Under Secretary of Defense (Comptroller)/Chief Financial Officer direct the Director of the Defense Finance and Accounting Service to address deficiencies in its corrective action phase activities by revising its FIAR status reports to accurately reflect the current status of its audit readiness efforts.

DoD Response: Concur. FIAR status reports have accurately reflected past status of efforts, based on available information. DFAS sites will review and revalidate financial improvement plans (DFAS Contract Pay Self Review plans) for the components to ensure that they accurately reflect the current status of DFAS efforts. ECD: September 30, 2014.

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments:

GAO Contact:

Asif A. Khan, (202) 512-9869 or khana@gao.gov:

Staff Acknowledgments:

In addition to the contact named above, Arkelga Braxton (Assistant Director), Greg Marchand (Assistant General Counsel), Jason Kirwan, Omar V.
Torres (Auditor-in-Charge), Jason Kelly, Sabrina Rivera, and Heather Rasmussen made key contributions to this report.

[End of section]

Footnotes:

[1] Discretionary spending refers to outlays from budget authority that are provided in and controlled by appropriation acts, unlike mandatory spending, such as Medicare and other entitlement programs.

[2] Pub. L. No. 111-84, § 1003(a),(b) (Oct. 28, 2009).

[3] DOD defines "DOD components" to include its military departments as well as smaller entities within DOD, such as the defense agencies and field activities.

[4] The FIP is a framework for planning, executing, and tracking the steps and supporting documentation necessary to achieve audit readiness.

[5] The FIAR Guidance details the roles and responsibilities of the DOD components and prescribes a standard, systematic process to follow to assess processes, controls, and systems.

[6] The SBR is the only financial statement predominantly derived from an entity's budgetary accounts in accordance with budgetary accounting rules, which are incorporated into generally accepted accounting principles (GAAP) for the federal government. The SBR is designed to provide information on authorized budgeted spending authority and links to the Budget of the United States Government (President's Budget), including budgetary resources, availability of budgetary resources, and how obligated resources have been used. Budgetary resources include the amount available to enter into new obligations and to liquidate them. Budgetary resources are made up of new budget authority (including direct spending authority provided in existing statute and obligation limitations) and unobligated balances of budget authority provided in previous years.

[7] According to DOD, validation of audit readiness occurs when the DOD Comptroller examines a DOD component's documentation supporting its assertion of audit readiness and concurs with the assertion.
This takes place after the DOD Comptroller or independent auditor first reviews the documentation and agrees that it supports audit readiness. A component asserts audit readiness when it believes that its documentation and internal controls are sufficient to support a financial statement audit that will result in an audit opinion.

[8] NDAA for Fiscal Year 2013, Pub. L. No. 112-239, § 1005(a) (Jan. 2, 2013).

[9] DOD defines contract pay as the payments for goods and services provided by contractors to the DOD components as authorized by formal, long-term contract instruments that require contract administration primarily utilizing the Mechanization of Contract Administration Services system.

[10] DOD identified the following areas as key elements of the SBR: appropriations received, fund balance with Treasury, civilian pay, military pay, contract pay, reimbursable work orders, military standard requisitioning and issuing procedures, and financial reporting.

[11] Service providers are entities that provide services that affect a DOD component's manual and automated processes used for reporting amounts in the financial statements.

[12] GAO, DOD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Efforts, [hyperlink, http://www.gao.gov/products/GAO-11-851] (Washington, D.C.: Sept. 13, 2011).

[13] GAO, DOD Financial Management: Ongoing Challenges with Reconciling Navy and Marine Corps Fund Balance with Treasury, [hyperlink, http://www.gao.gov/products/GAO-12-132] (Washington, D.C.: Dec. 20, 2011).

[14] GAO, DOD Financial Management: The Army Faces Significant Challenges in Achieving Audit Readiness for Its Military Pay, [hyperlink, http://www.gao.gov/products/GAO-12-406] (Washington, D.C.: Mar. 22, 2012).

[15] 31 U.S.C. §§ 331(e).

[16] The results from a nongeneralizable sample cannot be used to make inferences about a population.
[17] The FIAR Directorate developed the Tracking Sheet to document its review and validation of the efforts taken by DFAS to remediate the control deficiencies identified during testing.

[18] Assessable units can be any part of the financial statements, such as line items or classes of assets (e.g., civilian pay or military equipment), a class of transactions, or a process or a system that helps produce the financial statements.

[19] The DOD Comptroller established the DOD FIAR Directorate to manage DOD-wide financial management improvement efforts.

[20] SSAE No. 16, Reporting on Controls at a Service Organization, provides standards for auditors to follow for reporting on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. The FIAR Guidance requires the SSAE No. 16 examination to cover at least 6 months of the component's audit period.

[21] DFAS uses MOCAS to process and make contract payments for the Army, Navy, Air Force, and other DOD organizations.

[22] EAS is an application designed to allow users to view the contingent liability of the specific contract and invoice information, make payments, and edit existing payments, as well as view and print online reports.

[23] The EUD contains two modules: (1) Pay Pre-validation Module (PPVM) and (2) Accounting Pre-validation Module (APVM). PPVM is a module of the EUD system that is used by DFAS to download the entitlement data from MOCAS and communicate the data to APVM. APVM is a module of the EUD system that transfers data from PPVM to the components' general ledger to determine whether the contract invoices have valid obligations.

[24] Federal agencies are required to submit monthly reports to Treasury with information relating to the agency's collections and disbursements.

[25] DFAS entered into an $867,257 contract with the independent public accounting firm for the SSAE No.
16 examination covering the period from November 2013 to September 2014. This contract also includes 4 option years that could be exercised for a total of $3.3 million.

[26] A CONOPS is a document used to describe an organization, its mission, and the organizational objectives. DFAS stated that the purpose of its draft CONOPS is to define roles and responsibilities for the contract pay examination under SSAE No. 16.

[27] DOD Financial Management Regulation 7000.14-R (FMR), vol. 6A, ch. 2, Financial Reports Roles and Responsibilities, Section 020204 (August 2011).

[28] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999).

[29] For purposes of data mining, outliers are those transactions that are unusual and invalid and have abnormal balances (e.g., negative obligations) or instances where data fields are missing.

[30] General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. Application controls, sometimes referred to as business controls, are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of data during application processing and reporting. The effectiveness of general controls is a significant factor in determining the effectiveness of application controls. For example, automated edits designed to preclude users from entering unreasonably large dollar amounts in a payment processing system can be an effective application control. However, this control is not effective (cannot be relied on) if the general controls permit unauthorized program modifications that might allow some payments to be exempted from the edits or unauthorized changes to be made to data files after the edit is performed.
[31] FISCAM is a methodology for performing information system control audits of federal and other governmental entities in accordance with professional standards. GAO, Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009).

[32] DISA is a DOD service provider responsible for managing major portions of DOD's common global IT resources, providing services and operating and maintaining systems that support the computing, networking, and information needs of the national command authority, military services, joint military commands, and defense agencies.

[33] DFAS classified as high risk the deficiencies that if not remediated could negatively affect its ability to assert audit readiness. In addition, DFAS classified as medium and low risk the deficiencies that needed to be considered in aggregate to determine the potential impact to its audit readiness assertion.

[34] The results from a nongeneralizable sample cannot be used to make inferences about a population.

[35] United States Chief Financial Officers Council, Implementation Guide for OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting (Washington, D.C.: July 2005), and GAO, DOD Financial Management: Ineffective Risk Management Could Impair Progress toward Audit-Ready Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-13-123] (Washington, D.C.: Aug. 2, 2013).

[36] The results from a nongeneralizable sample cannot be used to make inferences about a population.

[37] The FIAR Directorate developed the Tracking Sheet to document its review and validation of the efforts taken by DFAS to remediate the deficiencies identified during testing.

[38] Out of the 542 items in the tracking sheet, 395 items were related to deficiencies identified by DFAS.
The Tracking Sheet did not include 3 of the 6 deficiencies for which DFAS did not design and implement the necessary corrective action plans and 1 reported deficiency that did not require a corrective action plan.

[39] Out of the 399 deficiencies identified by DFAS, DFAS did not remediate 6 deficiencies, the implementation of 24 corrective action plans was in progress on the FIAR Directorate's Tracking Sheet, and 1 reported deficiency did not require a corrective action plan. Thus, the FIAR Directorate's Tracking Sheet contained a population of 368 corrective action plans implemented by DFAS as of September 23, 2013.

[40] Corrective action plans describe the specific steps that will be taken to resolve an identified deficiency.

[41] General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. For example, general controls include logical access controls that prevent or detect unauthorized access to sensitive data and programs that are stored, processed, and transmitted electronically.

[End of section]

GAO's Mission:

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov].
[End of document]