This is the accessible text file for GAO report number GAO-11-851 entitled 'DOD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Effort' which was released on September 15, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: September 2011: DOD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Effort: GAO-11-851: GAO Highlights: Highlights of GAO-11-851, a report to congressional requesters. Why GAO Did This Study: The Department of Defense (DOD) has been required to prepare audited annual financial statements since 1997 but to date, has not been able to meet this requirement. The National Defense Authorization Act of Fiscal Year 2010 mandated that DOD be prepared to validate [certify] that its consolidated financial statements are audit-ready by September 30, 2017. In May 2010, DOD issued its Financial Improvement and Audit Readiness (FIAR) Guidance to provide a methodology for DOD components to follow to develop and implement their Financial Improvement Plans (FIPs) for achieving audit readiness. The DOD FIP is a framework for planning and tracking the steps and supporting documentation. GAO was asked to assess the FIP methodology provided in the FIAR Guidance, the development and implementation of selected components’ FIPs, and DOD’s monitoring and oversight of the FIP process. To do this, GAO analyzed the FIAR Guidance, reviewed two selected FIPs—Navy Civilian Pay and Air Force Military Equipment—and reviewed relevant documentation and interviewed DOD and component officials. What GAO Found: The FIAR Guidance provides a reasonable methodology for DOD components to use in developing and implementing their FIPs. The Guidance details the roles and responsibilities of the DOD components, and prescribes a standard, systematic process to follow to assess processes, controls, and systems. Overall, the procedures required by the FIAR Guidance are consistent with selected procedures for conducting a financial audit, such as testing internal controls and information system controls. The Guidance also requires components to take actions to correct any deficiencies identified during testing and document the results. DOD’s ability to achieve departmentwide audit readiness is highly dependent on its military components’ ability to effectively develop and implement FIPs in compliance with the FIAR Guidance. The Navy and Air Force did not adequately develop and implement their respective FIPs for Civilian Pay and Military Equipment in accordance with the FIAR Guidance. GAO found similar deficiencies in both FIPs. For example, internal controls and information systems controls were not sufficiently tested or documented, and conclusions reached were not supported by the testing results. In addition, neither component had fully developed and implemented corrective action plans to address deficiencies identified during implementation of the FIPs. As a result, the FIPs did not provide sufficient support for the Navy’s and Air Force’s conclusions that Civilian Pay and Military Equipment were ready to be audited. DOD and its military components have assigned to senior executive committees and designated individuals appropriate oversight roles and responsibilities for their financial improvement efforts. However, neither oversight committees nor Navy and Air Force officials effectively carried out their oversight responsibilities for the two FIPs, which did not support the components’ conclusions of audit readiness. However, once the components indicated audit readiness, both the DOD Office of Inspector General and the Undersecretary of Defense (Comptroller) performed reviews and concluded that the FIPs did not comply with the FIAR Guidance and did not demonstrate audit readiness. The lack of adequate oversight results in an ineffective FIP process and can impact the ability of components to meet established milestones. If the components are unable to achieve interim milestones, DOD will need to consider how these factors could affect its ability to achieve departmentwide auditability by the end of fiscal year 2017. What GAO Recommends: GAO recommends that the Secretary of Defense take various actions to improve the development, implementation, documentation, and oversight of DOD’s financial management improvement efforts. DOD generally concurred with the recommendations and commented on actions being taken to implement them. View [hyperlink, http://www.gao.gov/products/GAO-11-851]. For more information, contact Asif A. Khan at (202) 512-9095 or Khana@gao.gov. Contents: Letter: Background: FIAR Guidance Provides a Reasonable Methodology: Navy Civilian Pay and Air Force Military Equipment FIPs Were Not Adequately Developed and Implemented: FIP Monitoring and Oversight Needs Improvement: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope and Methodology: Appendix II: Key Oversight Entities and Their Roles and Responsibilities: Appendix III: Comments from the Department of Defense: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Description of Key FIAR Documents: Table 2: Reported Status of Military Component Assessable Units (by Waves and Components): Table 3: Air Force Military Equipment as of September 30, 2010: Table 4: Key Oversight Entities and Their Roles and Responsibilities. Figure: Figure 1: FIP Oversight Hierarchy: Abbreviations: AFB: Air Force Base: COSO: Committee of Sponsoring Organizations of the Treadway Commission: DCMO: Deputy Chief Management Officer: DCPS: Defense Civilian Pay System: DFAS: Defense Finance and Accounting Service: DIACAP: Defense Information Assurance Certification and Accreditation Process: DOD: Department of Defense: ERP: Enterprise Resource Planning: FAM: Financial Audit Manual: FIAR: Financial Improvement and Audit Readiness: FIP: Financial Improvement Plan: FISCAM: Federal Information System Controls Audit Manual: FM&C: Financial Management and Comptroller: FY: Fiscal Year: GAAP: Generally Accepted Accounting Principles: GAGAS: Generally Accepted Government Auditing Standards: GAO: Government Accountability Office: GFEBS: General Fund Enterprise Business System: ICBM: Intercontinental Ballistic Missiles: KCO: Key Control Objective: KSD: Key Supporting Documents: MILSTRIP: Military Standard Requisition and Issue Procedures: NDAA: National Defense Authorization Act: OIG: Office of Inspector General: OMB: Office of Management and Budge:t OUSD(C): Office of the Under Secretary of Defense (Comptroller): PCIE: President's Council on Integrity and Efficiency: Q1: 1st Quarter: Q2: 2nd Quarter: Q3: 3rd Quarter: Q4: 4th Quarter: RAMPOD: Reliability, Availability, and Maintainability for Pods: REMIS: Reliability and Maintainability Information System: RPA: Remotely Piloted Aircraft: SABRS: Standard Accounting, Budgeting and Reporting System: SAS 70: Statement on Auditing Standards No. 70: SBR: Statement of Budgetary Resources: SSAE: Statement on Standards for Attestation Engagements: STARS-FL: Standard Accounting and Reporting System-Field Level: STARS-HCM: Standard Accounting and Reporting System-Headquarter Claimant Module: TRANSCOM: Transportation Command: USD(C): Under Secretary of Defense (Comptroller): [End of section] United States Government Accountability Office: Washington, DC 20548: September 13, 2011: Congressional Requesters: Since 1997, the Department of Defense (DOD) has been required to prepare annual audited departmentwide financial statements.[Footnote 1] However, because of long-standing and pervasive financial management weaknesses, DOD has not been able to meet this requirement. The National Defense Authorization Act (NDAA) for Fiscal Year 2002 [Footnote 2] required DOD to minimize the resources spent to develop, compile, report, and audit financial statements until the department sufficiently addresses its financial management weaknesses such that it can assert to the Inspector General that its financial statements are reliable. Because of concerns about the limited progress made, the NDAA for Fiscal Year 2010[Footnote 3] mandated that DOD be prepared to validate [certify] that its consolidated financial statements are ready for audit by September 30, 2017. The NDAA for fiscal year 2010 also mandated that DOD (1) develop and maintain a Financial Improvement and Audit Readiness (FIAR) Plan that includes, among other things, the specific actions to be taken and costs associated with correcting the financial management deficiencies that impair the department's ability to prepare timely, reliable, and complete financial management information; (2) provide semiannual reports on the status of the department's implementation of the FIAR Plan (which DOD provides as FIAR Plan Status Reports); (3) develop standardized guidance for DOD components' Financial Improvement Plans (FIP);[Footnote 4] and (4) define oversight roles and assign accountability for carrying out the FIAR Plan to appropriate officials and organizations. In May 2010, the DOD Comptroller issued the FIAR Guidance which defines DOD's strategy, goals, roles, responsibilities, and procedures for the components to become audit ready. More specifically, the Guidance provides a standard methodology for DOD components to follow in developing and implementing their FIPs. In September 2010, we reported that the department needed to focus on implementing its FIAR Plan and that the key to successful implementation would be the efforts of the DOD military components and the quality of their individual FIPs.[Footnote 5] We also reported that DOD would need the sustained commitment of its top leadership, departmentwide and within its components, to address weaknesses and produce financial management information that is timely, reliable, and useful for managers throughout DOD. To assist Congress in its oversight of DOD's financial management improvement efforts, you requested that we assess the implementation of DOD's FIAR Plan Strategy by reviewing the military components' FIPs. In response, our objectives were to determine whether (1) the FIAR Guidance provided a reasonable methodology for DOD components to develop FIPs, (2) the DOD components had adequately developed and implemented selected FIPs in accordance with the FIAR Guidance, and (3) DOD is adequately monitoring and overseeing the FIP process. To address the first objective, we analyzed the current FIAR Guidance, issued in May 2010, using relevant criteria to determine if it provides a reasonable methodology for achieving financial statement auditability.[Footnote 6] To address the second objective, we selected FIPs for two assessable units[Footnote 7]--Navy Civilian Pay and Air Force Military Equipment--that were scheduled to assert audit readiness in calendar year 2010. We analyzed the FIP documentation supporting the audit readiness assertions,[Footnote 8] such as process flows, control assessments, and test plans and results using the FIAR Guidance. We did not perform separate audit procedures to assess the effectiveness of the controls or the completeness or accuracy of the Navy civilian pay amounts or the Air Force military equipment. To address the third objective, using relevant criteria,[Footnote 9] we analyzed documentation, such as the FIAR Guidance, FIAR Plan Status Reports,[Footnote 10] and committee charters, to determine if the department had assigned monitoring and oversight responsibilities to the appropriate entities and officials, and had properly defined their roles and responsibilities. In addition, for all three objectives, we met with officials involved in developing, implementing, or monitoring the components' FIP efforts to obtain explanations and clarification as needed. Further details on our scope and methodology are provided in appendix I. We conducted this performance audit from May 2010 to September 2011 in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: For over a decade, DOD has dominated GAO's list of federal programs and operations at high risk of being vulnerable to fraud, waste, abuse, and mismanagement.[Footnote 11] All of DOD's programs on GAO's High-Risk List relate to its business operations, including systems and processes related to the management of contracts, finances, the supply chain, and support infrastructure, as well as weapons system acquisition. Long-standing and pervasive weaknesses in DOD's financial management and related business processes and systems have (1) resulted in a lack of reliable information needed to make sound decisions and report on the financial status and cost of DOD activities to Congress and DOD decision makers, (2) adversely affected its operational efficiency in business areas such as major weapons system acquisition and support and logistics, and (3) left the department vulnerable to fraud, waste, and abuse. DOD is required by various statutes to improve its financial management processes, controls, and systems to ensure that complete, reliable, consistent, and timely information is prepared and responsive to the financial information needs of agency management and oversight bodies, and to produce annual audited financial statements. As noted above, DOD has been required since 1997 to prepare and issue annual departmentwide audited financial statements and, pursuant to various statutes, certain DOD components, including the military departments, are required to prepare and issue annual audited financial statements. DOD consolidates the component financial statements to prepare its departmentwide financial statements. As reflected in OMB requirements and DOD policy[Footnote 12] for preparation and audit of agency financial statements, DOD and its components must prepare their financial statements consistent with generally accepted accounting principles (GAAP)[Footnote 13] and establish and maintain effective internal control over financial reporting and compliance with laws and regulations. The DOD Office of Inspector General (OIG) is responsible for auditing the financial statements in accordance with GAGAS, which, among other things, requires the auditor to determine if the financial statements are fairly presented and properly supported by the agencies' accounting records. DOD has undertaken a number of initiatives over the years, such as its Financial Improvement Initiative in 2003, to improve the department's business operations, including financial management, and achieve unqualified (or "clean") financial statement audit opinions. In 2005, the DOD Comptroller established the DOD FIAR Directorate to manage DOD- wide financial management improvement efforts and to integrate those efforts with transformation activities, such as those outlined in the department's Enterprise Transition Plan, across the department. The FIAR Plan, which was first prepared in 2005, is DOD's strategic plan and management tool for guiding, monitoring, and reporting on the department's financial management improvement efforts. As such, the plan communicates incremental progress in addressing the department's financial management weaknesses and achieving financial statement auditability. The plan focuses on three goals: (1) achieve and sustain unqualified assurance on the effectiveness of internal controls through the implementation of sustained improvements in business processes and controls addressing the material internal control weaknesses, (2) develop and implement financial management systems that support effective financial management, and (3) achieve and sustain financial statement audit readiness. The NDAA for Fiscal Year 2010 requires DOD to update and report on the FIAR Plan twice a year-- no later than May 15 and November 15--and provide each update to OMB and Congress, among others. Consistent with prior GAO recommendations[Footnote 14] and the NDAA for Fiscal Year 2010, the DOD Comptroller issued the FIAR Guidance in May 2010 to provide standardized guidance for DOD components to follow in developing their FIPs. DOD components are expected to prepare a FIP in accordance with the FIAR Guidance for each of their assessable units. The FIPs are intended to both guide and document financial improvement efforts. While the name "FIP" indicates that it is a plan, as a component implements that plan, it must document the steps performed and the results of those steps, and retain that documentation within the FIP. Therefore, a FIP includes plans for testing controls and data, and documentation of the testing conducted, results of the testing, and any actions taken based on the results. When a component determines that it has completed sufficient financial improvement efforts for an assessable unit so that it is ready for audit, the FIP documentation is used to support the conclusion of audit readiness. A summary of the purpose of each DOD financial improvement document is provided below. Table 1: Description of Key FIAR Documents: FIAR document: FIAR Plan; Description: * Defines DOD's strategy and plan for (1) improving business and financial management, (2) prioritizing needs, and (3) identifying plans to remediate deficiencies and dependencies impeding auditability; * First issued in 2005 and is updated semiannually in the FIAR Plan Status Reports, which also summarize the current status of DOD and its components in executing the FIAR Plan Strategy. FIAR document: FIAR Guidance; Description: * Further defines DOD's goals, strategy, roles, responsibilities, and procedures as well as the FIAR Methodology for becoming audit ready; * Functions as a handbook and a standard reference guide detailing the steps that DOD reporting entities should use to achieve audit readiness; * First issued in May 2010 and is to be updated annually. FIAR document: FIP; Description: * A standard framework of steps and documentation requirements that aligns to the FIAR Methodology; * Is governed by the FIAR Methodology, FIAR Plan Strategy, and the standard FIP template contained in the FIAR Guidance; * Reporting entities develop and execute a FIP for each of their assessable units or combinations of assessable units; * Components apply the framework by performing the requisite steps including asserting that an assessable unit is audit-ready and compiling all applicable supporting documentation. Source: GAO analysis of DOD data. [End of table] The department intends to progress toward achieving financial statement auditability in five "waves" of concerted improvement activities within groups of end-to-end business processes, which are broken down into discrete units, called assessable units. Under the FIAR Plan Strategy, execution of the FIAR Guidance methodology for groups of assessable units across the five waves is intended to result in the preparation of various components' financial statements through fiscal year 2017. The first three waves of the FIAR Plan Strategy focus on achieving the DOD Comptroller's interim budgetary and asset accountability priorities, while the remaining two waves are intended to complete actions needed to achieve full financial statement auditability. However, the department has not yet fully defined its strategy for completing waves 4 and 5, which focus on the auditability of most of the department's financial statements such as the Balance Sheet and the Statement of Net Cost, and significant audit areas such as equipment valuation. The FIAR Guidance states that an analysis of significant reporting entities relevant to waves 4 and 5 will be included in a future version of the FIAR Guidance. For example, in relation to wave 4, the DOD Comptroller has identified weaknesses in DOD valuation of military equipment as an obstacle to achieving auditable balances in DOD financial statements, and the May 2011 FIAR Status Plan Report states that DOD plans to resolve the matter through the deployment of new business and financial management systems, a revised definition of military equipment, and through a change to GAAP related to accounting for the cost of military equipment. DOD plans to seek a change to GAAP and implement the change by September 30, 2017, but DOD has not yet prepared a detailed time line for implementing the changes within affected assessable units (assuming that any proposed changes to GAAP would be approved). The focus and scope of each wave include the following: Wave 1--Appropriations Received Audit focuses efforts on assessing and strengthening, as necessary, internal controls and business systems involved in the appropriations receipt and distribution process, including funding appropriated by Congress for the current fiscal year and related apportionment/reapportionment activity by OMB, as well as allotment and suballotment activity within the department.[Footnote 15] Wave 2--Statement of Budgetary Resources (SBR) Audit focuses efforts on assessing and strengthening, as necessary, the internal controls, processes, and business systems supporting the budgetary-related data (e.g., status of funds received, obligated, and expended) used for management decision making and reporting, including the SBR. In addition to fund balance with Treasury reporting and reconciliation, significant end-to-end business processes in this wave include procure- to-pay, hire-to-retire, order-to-cash, and budget-to-report. Wave 3--Mission-Critical Assets Existence and Completeness Audit focuses efforts on assessing and strengthening, as necessary, internal controls and business systems involved in ensuring that all assets (including military equipment, general equipment, real property, inventory, and operating materials and supplies) are recorded in the department's accountable property systems of record, all of the reporting entities' assets are recorded in those systems of record, reporting entities have the right (ownership) to report these assets, and the assets are consistently categorized, summarized, and reported. Wave 4--Full Audit Except for Legacy Asset Valuation focuses efforts on assessing and strengthening, as necessary, internal controls, processes, and business systems involved in the proprietary side of budgetary transactions covered by the Statement of Budgetary Resources effort of wave 2, including accounts receivable, revenue, accounts payable, expenses, environmental liabilities, and other liabilities. This wave also includes efforts to support valuation and reporting of new asset acquisitions. Wave 5--Full Financial Statement Audit focuses efforts on assessing and strengthening, as necessary, processes, internal controls, and business systems involved in supporting the valuations reported for legacy assets once efforts to ensure controls over the valuation of new assets acquired and the existence and completeness of all mission assets are deemed effective on a go-forward basis. Given the lack of documentation to support the values of the department's legacy assets, federal accounting standards allow for the use of alternative methods to provide reasonable estimates for the cost of these assets. To guide the components in executing the strategy, the FIAR Guidance provides a set of mandatory, standardized phases and steps that the components must follow to develop and implement their FIPs to achieve audit readiness. This step-by-step methodology delineates FIP responsibilities between the components' management and the auditors. For each assessable unit, management's responsibilities focus on identifying, implementing, and documenting necessary financial management improvements during the first four phases of the FIAR Methodology, and sustaining those improvements through the fifth phase. For phases six and seven, after the DOD Comptroller's initial review and approval of a FIP supporting audit readiness, the component engages an independent auditor to first perform an examination of the FIP and if validated, then an audit of the assessable unit and finally, the entity's financial statements. After a component concludes that an assessable unit is ready for audit, a component continues to maintain the FIP to document the validation of audit readiness by an independent auditor and the sustainability of audit readiness through ongoing efforts by the component. Throughout this report, however, we use the term "FIP" to mean the record of FIP implementation and related documentation that was used to support the conclusion of audit readiness because that is the point at which we reviewed the two selected FIPs. In instances where additional documentation was provided to us later, we indicate that such information was provided subsequent to the audit readiness conclusion. A description of each of the phases of the FIAR Methodology as set forth in the FIAR Guidance follows: Phase 1 - Evaluation and Discovery: Management documents its business and financial environment, defines and prioritizes its processes into assessable units, assesses risk and tests controls, evaluates supporting documentation, identifies weaknesses and deficiencies, and defines its audit readiness environment. Phase 2 - Corrective Action: Management develops and executes corrective action plans that identify the specific steps a reporting entity will take to resolve deficiencies, the resources required and committed, and targeted milestones and completion dates. Phase 3 - Evaluation: Management evaluates its corrective action effectiveness through testing and determines whether the entity is ready for audit. Phase 4 - Assertion: Management prepares all relevant supporting documentation and asserts audit readiness to the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) and the DOD OIG. Phase 5 - Sustainment: Management maintains audit readiness through risk-based periodic testing of internal controls utilizing the OMB Circular No. A-123, Appendix A processes and procedures, and resolves any identified weaknesses in a timely manner. Phase 6 - Validation: The DOD Comptroller and DOD OIG conduct an initial review of the FIP including management's assertion. If the DOD Comptroller determines that management's assertion is supported by the FIP, then an independent auditor performs an examination for the audit readiness assertion. Phase 7 - Audit: The component (reporting entity) engages an independent auditor and supports the audit of the assessable unit or the financial statements. Each wave of the FIAR Plan Strategy is comprised of numerous assessable units identified by the components, and each assessable unit must go through the seven phases of the FIAR Methodology. As shown in table 2, the DOD military components reported 73 assessable units for waves 1-3 in the May 2011 FIAR Plan Status Report. No assessable units had yet been reported for waves 4 and 5. While our focus was on the military components, the FIAR Plan Status Report also provided general information on the status of assessable units for other DOD components for waves 1-3. Table 2: Reported Status of Military Component Assessable Units (by Waves and Components): Wave 1: Wave/component: Army; Assessable unit: Appropriations Received; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Navy; Assessable unit: Appropriations Received; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2009. Wave/component: Air Force; Assessable unit: Appropriations Received; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave 2: Wave/component: Army; Assessable unit: General Fund Enterprise Business System (GFEBS) - All Waves, Examination 3; Audit readiness phase (as of May 2011): not started; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2013. Wave/component: Army; Assessable unit: GFEBS - All Waves, Examination 4; Audit readiness phase (as of May 2011): not started; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2014. Wave/component: Army; Assessable unit: Civilian Pay; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Military Pay; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Net Outlays (including Fund Balance With Treasury); Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Obligations - Contracts; Audit readiness phase (as of May 2011): Phase 1/Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Obligations - Permanent Change of Station; Audit readiness phase (as of May 2011): Phase 1/Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Obligations - Temporary Duty; Audit readiness phase (as of May 2011): Phase 1/Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Reimbursable; Audit readiness phase (as of May 2011): Phase 1/Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: GFEBS - Waves 1 & 2, Examination 2; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2012. Wave/component: Army; Assessable unit: Financial Statement Compilation and Reporting; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: GFEBS - Wave 1, Examination 1; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2011. Wave/component: Navy; Assessable unit: Civilian Pay; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2010[A]. Wave/component: Navy; Assessable unit: Transportation of People; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010[B]. Wave/component: Navy; Assessable unit: Examination of One Acquisition Program; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2011. Wave/component: Navy; Assessable unit: Examination of One Navy Enterprise Resource Planning Entity; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Navy; Assessable unit: Financial Statement Compilation and Reporting; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Navy; Assessable unit: Military Pay; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Navy; Assessable unit: Net Outlays (including Fund Balance With Treasury); Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Navy; Assessable unit: Complete Statement of Budgetary Resources; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2013. Wave/component: Navy; Assessable unit: MILSTRIP Orders; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Navy; Assessable unit: Reimbursable Authority; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Navy; Assessable unit: Reimbursable Work Orders - Grantor; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Air Force; Assessable unit: Examination of Defense Enterprise Accounting and Management System at TRANSCOM/Scott AFB; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Air Force; Assessable unit: Examination of One Acquisition Program; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2012. Wave/component: Air Force; Assessable unit: Reimbursable Authority; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2013. Wave/component: Air Force; Assessable unit: Civilian Pay; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Contracts; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Financial Statement Compilation and Reporting; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Net Outlays (including Fund Balance With Treasury); Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Plan to Stock Transactions (Operating Materials and Supplies); Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Procure to Pay Transactions (non-acquire-to-retire); Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Reimbursements; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Military Pay; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2017. Wave/component: Air Force; Assessable unit: Complete Statement of Budgetary Resources; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2017. Wave/component: Air Force; Assessable unit: Funds Distribution to Base; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2012. Wave/component: Air Force; Assessable unit: Fund Balance With Treasury Reconciliation; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2011. Wave/component: Air Force; Assessable unit: Non-expenditure Transfers; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Air Force; Assessable unit: Rescissions; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave 3: Wave/component: Army; Assessable unit: General Equipment - Remainder; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2014. Wave/component: Army; Assessable unit: Inventory; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2015. Wave/component: Army; Assessable unit: Military Equipment - Remainder; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2015. Wave/component: Army; Assessable unit: Operating Materials and Supplies; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2015. Wave/component: Army; Assessable unit: Real Property; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY2013. Wave/component: Army; Assessable unit: General Equipment - Fire & Rescue; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2011. Wave/component: Army; Assessable unit: Military Equipment - 8 asset types; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2011. Wave/component: Navy; Assessable unit: Military Equipment - Remainder; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2013. Wave/component: Navy; Assessable unit: Military Equipment - U.S. Marine Corps; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2013. Wave/component: Navy; Assessable unit: General Equipment; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2014. Wave/component: Navy; Assessable unit: General Equipment - U.S. Marine Corps; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2014. Wave/component: Navy; Assessable unit: Inventory - Navy; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2014. Wave/component: Navy; Assessable unit: Inventory -U.S. Marine Corps; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2014. Wave/component: Navy; Assessable unit: Real Property - Navy; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2014. Wave/component: Navy; Assessable unit: Real Property -U.S. Marine Corps; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2014. Wave/component: Navy; Assessable unit: Operating Materials and Supplies - Remainder; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2015. Wave/component: Navy; Assessable unit: Operating Materials and Supplies -U.S. Marine Corps; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q2 FY 2015. Wave/component: Navy; Assessable unit: Military Equipment - Aircraft; Audit readiness phase (as of May 2011): Phase 5 or 7; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Navy; Assessable unit: Military Equipment - Intercontinental Ballistic Missiles; Audit readiness phase (as of May 2011): Phase 5 or 7; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Navy; Assessable unit: Military Equipment - Satellites; Audit readiness phase (as of May 2011): Phase 5 or 7; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Navy; Assessable unit: Military Equipment - Ships; Audit readiness phase (as of May 2011): Phase 5 or 7; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Navy; Assessable unit: Operating Materials and Supplies - Ordnance; Audit readiness phase (as of May 2011): Phase 5 or 7; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2010. Wave/component: Air Force; Assessable unit: General Equipment; Audit readiness phase (as of May 2011): Phase 1; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2016. Wave/component: Air Force; Assessable unit: Real Property; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2013. Wave/component: Air Force; Assessable unit: Inventory; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2015. Wave/component: Air Force; Assessable unit: Operating Materials and Supplies - Remainder; Audit readiness phase (as of May 2011): Phase 2; Quarter asserted, or scheduled to assert, audit readiness: Q4 FY 2016. Wave/component: Air Force; Assessable unit: Operating Materials and Supplies - Cruise Missiles & Drones; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Air Force; Assessable unit: Operating Materials and Supplies - Missile Motors; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Air Force; Assessable unit: Operating Materials and Supplies - Spare Engines; Audit readiness phase (as of May 2011): Phase 4; Quarter asserted, or scheduled to assert, audit readiness: Q3 FY 2011. Wave/component: Air Force; Assessable unit: Military Equipment; Audit readiness phase (as of May 2011): Phase 6; Quarter asserted, or scheduled to assert, audit readiness: Q1 FY 2011. Source: FIAR Plan Status Report, May 2011: [A] Assessable unit is scheduled to re-assert audit readiness in Q2 FY 2012. [B] Assessable unit is scheduled to re-assert audit readiness in Q1 FY 2013. [End of table] FIAR Guidance Provides a Reasonable Methodology: The May 2010 FIAR Guidance provides a reasonable methodology for the DOD components to use to develop and implement their FIPs. It details the roles and responsibilities of the DOD components, and prescribes a standard, systematic process components should follow to assess processes, controls, and systems, and identify and correct weaknesses in order to achieve auditability. The FIAR Guidance requires components to fully document the procedures carried out as they implement the FIPs, and the results, which will allow for an independent assessment of audit readiness. Overall, the procedures required by the FIAR Guidance are consistent with selected procedures for conducting financial statement audits, such as reconciling the population of transactions to be tested, conducting tests of information systems controls, and conducting internal control and substantive testing.[Footnote 16] The FIAR Guidance also requires the components to correct the deficiencies identified during testing and document the results, which is consistent with federal internal control standards and OMB guidance.[Footnote 17] While the audit strategy for waves 4 and 5 has not been completely defined yet, the same overall FIAR Methodology will likely apply to these waves as well. DOD's ability to achieve audit readiness is highly dependent on the components' ability to effectively develop and implement FIPs in compliance with the FIAR Guidance. The DOD Comptroller has identified critical elements of financial reporting which DOD components are expected to carry out during phases 1 through 3 of the FIAR Methodology and which closely align with procedures that are performed during an audit. Following are more details about some of the critical elements required by the FIAR Guidance. Internal control and substantive testing. DOD components are required to perform both internal control and substantive testing as part of the process to assess audit readiness. Internal control tests are performed to obtain evidence about the achievement of specific control objectives, while substantive tests are performed to obtain evidence on whether amounts reported on the financial statements are reliable. Both types of testing generally involve determining whether appropriate supporting documentation exists and is readily available. Internal control testing focuses on assessing the effectiveness of controls that would prevent or detect potential misstatements in the financial statements. For example, to test controls over operating expenses, a component would review a sample of invoices to determine if they had been properly approved for payment, typically indicated by a signature of an authorized official. Substantive testing, on the other hand, is conducted to obtain evidence on whether the amounts reported on the financial statements are reliable. For example, to test an operating expense balance, a component's procedures would include examining invoices to determine if the amounts of the invoices matched the transaction amounts recorded in the general ledger and determining if the purchased item or service was actually received. As discussed below, a key step in testing involves reconciling the population of transactions to be tested. Reconciliation of population of transactions. To conduct both internal control and substantive testing, a sample of the data transactions is typically selected for testing. An organization must ensure that a sample is taken from, or represents, the complete population of transactions that needs to be tested. According to the FIAR Guidance, to ensure the completeness of the population, the DOD components are required to identify the population of transactions for an assessable unit, compare the total amount of those transactions to the amounts recorded in the general ledger[Footnote 18] and the financial statements, and then research and resolve any differences between the amounts prior to selecting a sample. Tests of information systems controls. Because most financial information is maintained in computer systems, the controls over how those systems operate are integral to the reliability of financial data. The components are required to identify, document, and test both general and application controls for key systems that process transactions. General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. The objectives of general controls include safeguarding data, protecting application programs, and ensuring continued computer operations in case of unexpected interruptions. For example, general controls include logical access controls that prevent or detect unauthorized access to sensitive data and programs that are stored, processed, and transmitted electronically. Application controls, sometimes referred to as business controls, are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of data during application processing and reporting. For example, a system edit used to prevent or detect a duplicate entry is an application control. Corrective action plans. The components are required to develop and execute corrective action plans to remediate any deficiencies that indicate that controls are not working and/or transaction amounts are not supported. The corrective action plans should include the solutions to be implemented to resolve the deficiencies, the identification of resources required and committed to carry out the solutions, and the targeted milestones and completion dates. Further, the FIAR Guidance states that after corrective actions have been taken, the components should perform additional testing to determine whether the deficiencies were in fact remediated. Navy Civilian Pay and Air Force Military Equipment FIPs Were Not Adequately Developed and Implemented: The Navy and Air Force did not adequately develop and implement their respective FIPs for Civilian Pay and Military Equipment in accordance with the FIAR Guidance. Our review of these FIPs found similar deficiencies in both of them. Specifically, our review of the FIPs found that the Navy and Air Force did not conduct sufficient control and substantive testing, and reached conclusions that were not supported by the testing results, did not complete reconciliations of the population of transactions, and did not fully test information systems controls. Also, neither component had fully developed and implemented corrective action plans to address deficiencies identified during implementation of the FIPs. In addition, the Navy did not accurately report the status of certain metrics in the November 2010 FIAR Plan Status Report. As a result of these deficiencies, neither FIP provided sufficient support for the components' conclusions that the assessable units were ready to be audited. Navy officials stated that they were taking action to address the issues identified and planned to submit a revised FIP by March 2012. Air Force officials also indicated that they were taking action to address the issues identified. In July 2011, Air Force officials provided updates on the status of several actions that were underway or completed but, for the most part, did not provide supporting documentation for our review. Further, the actions they identified did not address all of the deficiencies that we noted. Navy's Civilian Pay FIP Was Not Adequately Developed and Implemented: The Navy did not adequately develop and implement its FIP for civilian pay in accordance with the FIAR Guidance. Specifically, our review of this FIP found that the Navy did not (1) conduct sufficient control and substantive testing, and reached conclusions that were not supported by the testing results; (2) reconcile the population of transactions recorded in the payroll system to those in the general ledger prior to testing; (3) fully test information systems controls; (4) adequately develop and implement corrective action plans; and (5) accurately assess and report the status of its FIP work in terms of specific FIAR Plan metrics. As such, the FIP documentation did not support audit readiness for civilian pay as asserted by the Navy on March 31, 2010. Both the DOD Comptroller and the DOD OIG found many of the same issues that we did during their reviews of the FIP. Navy officials said that they are performing additional analysis and testing to address identified deficiencies and plan to submit a revised FIP by March 2012. The following paragraphs provide more details about the deficiencies we found in the Navy's Civilian Pay FIP. Testing Was Insufficient and Did Not Support Conclusions. The Navy did not conduct sufficient internal control and substantive testing for civilian pay, as required by the FIAR Guidance. We found instances in which documentation of the Navy's testing results was not included in the FIP and other instances in which the documentation was included but did not support the conclusion reached. For example, while the Navy concluded that internal controls were designed and operating effectively, the results of the control testing indicated that 9 of 17 controls tested were ineffective. The Navy reported that its civilian pay was ready for audit because its control environment[Footnote 19] mitigated the deficiencies of its ineffective controls; however, it did not explain how this was accomplished. Based on our analysis and discussions with Navy officials, we determined the control environment did not mitigate these deficiencies. Both the DOD Comptroller and OIG had similar comments about the control environment. In addition, the Navy concluded that system exception and change reports, which are computerized input and edit controls in the form of reports,[Footnote 20] were in general operating effectively. However, the detailed test results showed that 5 of 14 reports would not always run properly, and that one report was in fact not running properly as it was producing false positives and negatives (i.e., information that was not always accurate). The FIP indicated that no exceptions were identified as a result of the substantive testing performed. However, during our review of the testing results, we identified substantive exceptions. For example, the Navy was unable to verify the reasonableness of payroll amounts for a sample of employees because of incomplete and missing documentation, such as time and attendance reports and schedules with approved pay rates. Navy officials said that they did not pursue the missing documents because the related control test for this process had failed; therefore, they did not believe the substantive test needed to be completed nor did they consider the incomplete or missing documents to be substantive exceptions. Navy officials said that they later tested payroll transactions for another sample of employees, but did not retain the documentation because it contained personally identifiable information (e.g., social security numbers). The officials also said that they are performing additional substantive testing and will include that documentation in the revised FIP. In addition, there was no evidence in the FIP that control and substantive tests were performed for personnel benefits (e.g., payments for retirement plans and health insurance). Navy officials said that they had performed testing of personnel benefits, but that they did not retain the documentation as it contained personally identifiable information. However, as stated earlier, the FIAR Guidance requires that all FIP procedures and the results be fully documented. The officials also said that the additional payroll testing that they are performing includes personnel benefits, and that this will be documented in the revised FIP. Population of Transactions Was Not Reconciled. The Navy did not reconcile the population of transactions for civilian pay prior to conducting testing as required by the FIAR Guidance. Specifically, the Navy did not ensure that it selected samples from the complete population of payroll transactions recorded in the Defense Civilian Pay System (DCPS)[Footnote 21] because it did not reconcile all DCPS data to the Navy's general ledger systems.[Footnote 22] Instead, it used a subset of the payroll transactions to conduct a reconciliation. The Navy stated that the transactions excluded from the reconciliation were immaterial but the rationale and support for this conclusion was not documented in the FIP at the time the Navy concluded that civilian pay was audit-ready. In addition, the Navy identified discrepancies during its efforts but did not clearly document what these discrepancies were or their resolution. For example, the Navy documented in the FIP that there were instances of missing data and high variances, but did not indicate the nature of these issues or how pervasive they were, the actions taken to resolve them, and/or whether the issues were resolved. In response to these concerns we raised, Navy officials said that they subsequently performed a reconciliation using more recent payroll transactions that resulted in insignificant unreconciled discrepancies. The officials stated that they believed these results were sufficient to ensure that a complete population was identified and that they used this population to select a sample of transactions and are performing detailed testing. Navy officials said that the results of this work will be included in the revised FIP. In addition, the Navy documented in the FIP that it was unable to reconcile the payroll accounts in its general ledgers to the DOD-wide general ledger that is used to generate the components' and department's financial statements. In their attempt to perform this reconciliation, Navy officials noted that they were unable to extract reliable payroll data from the DOD-wide general ledger and that the payroll account balance in the DOD-wide general ledger was greater than the total of the account balances in the Navy's general ledgers. As a result, the Navy was unable to reconcile the population of payroll transactions to the system that ultimately produces its financial statements; in other words, it could not identify the information needed to test the civilian pay amounts included in the financial statements. The Navy officials stated they plan to address these issues as part of the SBR Financial Statement Compilation and Reporting assessable unit, which they plan to have audit-ready by the end of fiscal year 2012. Information Systems Controls Were Not Fully Tested. The FIAR Guidance requires DOD components to test system controls to ensure that they are operating as intended. However, the methodology--the Defense Information Assurance Certification and Accreditation Process (DIACAP)--that the Navy used to assess information systems controls did not address all the elements of a general controls assessment. For example, the DIACAP did not address the periodic review of (1) users' access authorizations or privileges to ensure that they are appropriate based on assigned roles and responsibilities, and (2) automated logs of changes to security access authorizations to ensure that management is aware of any unusual activity. In addition, the Navy did not review the results of general controls assessments to ensure that the assessments covered the overall operating environment in which the systems operated. For example, any general control weaknesses in a mainframe or network that were not included in the scope of the assessment could possibly negate the effectiveness of the controls for the individual system reviewed. Because the Navy did not include all elements of a general controls assessment in its testing, it was unable to demonstrate the effectiveness of the Navy's overall general control environment. The Navy reported in the FIP that it relied on a SAS 70 report [Footnote 23] to obtain assurance over key payroll processing controls (i.e., application controls) for the DCPS. However, that report identified significant weaknesses. Specifically, it indicated that several control activities were found to be ineffective and as a result, certain control objectives were not met for DCPS.[Footnote 24] In the FIP, the Navy stated that the particular control activities identified as ineffective in the SAS 70 report did not significantly affect Navy Civilian Pay, but it did not adequately document the rationale for this assessment. Nevertheless, we determined that several of these control activities, and related control objectives, were significant to Navy Civilian Pay and, as such, the Navy did not have reasonable assurance that its personnel and payroll data were complete, accurate, and timely processed. Corrective Actions Were Not Adequately Developed and Implemented. The Navy's FIP did not include the information needed for corrective action plans as required by the FIAR Guidance. For the most part, the FIP did not include (1) the deficiencies to be corrected (the root cause of the exceptions), (2) the solutions to be implemented to resolve the identified deficiencies, (3) the resources needed to carry out those solutions, and (4) a schedule for timely completion of corrective actions. Navy officials stated that they are currently developing corrective action plans; however, their first priority is to develop and implement the revised FIP which will include evidence of audit readiness based on substantive procedures rather than reliance on internal controls. In effect, the Navy plans to assert audit readiness based on its testing of account balances without addressing the identified internal control deficiencies. However, the development and implementation of a corrective action plan to address such deficiencies is a requisite for improving financial management, which is one of the goals of the FIAR effort. FIP Status Was Not Accurately Reported. The FIAR Guidance requires the components to report the status of Key Control Objectives (KCO) and Key Supporting Documents (KSD) for their assessable units. However, the status for these metrics that the Navy reported in the November 2010 FIAR Plan Status Report to demonstrate audit readiness was not supported by the results of the Navy FIP work. For example, * The Status Report indicated that 95 percent of KCOs pertaining to Navy Civilian Pay were found to be effective; however, the Navy's control testing results reflected mostly ineffective internal controls. * The Status Report indicated that 100 percent of KSDs related to Navy Civilian Pay (e.g., documentation evidencing the operation of an internal control such as properly approved time and attendance records) were found to exist. However, as discussed earlier, Navy Civilian Pay testing results indicated that incomplete and missing documentation was one of the more prevalent findings. Navy officials said that the differences we noted were due to the fact that the KCOs and KSDs required for the FIAR Plan did not exactly match or align with the Navy's actual work. Therefore, the Navy tried to estimate the appropriate level of progress to report for the KCOs and KSDs listed in the FIAR Plan based on testing that it conducted. In the May 2011 FIAR Plan, the Navy revised its reported progress for these metrics. For example, instead of reporting that 95 percent of KCOs were effective, the May 2011 FIAR Plan indicates that 60 percent of KCOs were effective for Navy's civilian pay. We did not assess the accuracy of these revised metrics. Air Force's Military Equipment FIP Was Not Adequately Developed and Implemented: The Air Force did not adequately develop and implement its FIP for military equipment in accordance with the FIAR Guidance. See table 3 for the types of Air Force military equipment, and their reported quantities and values. In our review of this FIP, we found that the Air Force did not (1) conduct sufficient control and substantive testing, and reached conclusions that were not supported by the testing results; (2) reconcile the population of transactions recorded in its accountable property system to the general ledger; (3) fully test information systems controls; and (4) adequately develop and implement corrective action plans. As a result of these deficiencies, the FIP documentation did not support the Air Force's December 2010 assertion that the military equipment assessable unit was ready to be audited. The DOD Comptroller provided initial comments based on its review of the FIP which indicated that it had found issues similar to those we identified and concluded that the Air Force had not demonstrated audit readiness for its military equipment. In addition, the DOD OIG identified similar issues and concluded that the Air Force had not complied with the FIAR Guidance in developing and implementing this FIP. Air Force officials acknowledged that they had more work to do to address the identified deficiencies and indicated that they planned to complete these corrective actions by the end of June 2011. In July, the Air Force provided updates on the status of several actions underway or completed but did not provide any supporting documentation for our review. Further, these actions did not address all of the deficiencies that we identified. Table 3: Air Force Military Equipment as of September 30, 2010: Asset type: Aerospace Vehicles: Aircraft; Quantity: 6,959; Net book value ($ millions): $83,053,000,000. Asset type: Aerospace Vehicles: Intercontinental Ballistic Missiles (ICBM)[A]; Quantity: 450; Net book value ($ millions): $4,433,000,000. Asset type: Aerospace Vehicles: Remotely Piloted Aircraft (RPA); Quantity: 402; Net book value ($ millions): $1,200,000,000. Asset type: Aerospace Vehicles: Satellites; Quantity: 75; Net book value ($ millions): $848, 000,000. Asset type: Subtotal - Aerospace Vehicles; Quantity: 7,886; Net book value ($ millions): $89,534, 000,000. Asset type: Pods[B]; Quantity: 5,015; Net book value ($ millions): $729, 000,000. Asset type: Total Air Force Military Equipment; Quantity: 12,901; Net book value ($ millions): $90,262,000,000[C]. Source: Air Force Military Equipment FIP. (Data are unaudited.) [A] The 450 ICBMs is an approximation of the actual number of ICBMs, which has been adjusted for reporting purposes because the amount of these missiles reported in the accountable property system (the Reliability and Maintainability Information System) is known to be inaccurate. This issue is further explained later in the report. [B] Pods are module electronic systems that are externally attached to aircraft to provide specific capabilities to augment the aircraft's internal systems, such as electronic warfare, targeting, reconnaissance, and data collection. [C] Due to rounding, the total amount for Air Force military equipment does not equal the sum of aerospace vehicles and pods. [End of table] The following paragraphs provide more details about the deficiencies we found in the Air Force's FIP. Testing Was Insufficient and Did Not Support Conclusions. As described earlier, DOD components are required to conduct both internal control and substantive testing for each assessable unit. The Air Force did not perform sufficient testing to support audit readiness for the existence and completeness of various types of its military equipment. For aircraft, the Air Force judgmentally selected five sites at which to perform the testing but did not provide evidence that the conditions at these five sites were representative of all Air Force locations. Selecting sites judgmentally could be an acceptable method if the Air Force could demonstrate that the processes and controls at the selected sites were representative of all other locations not tested. For the other four categories of military equipment--ICBMs, RPAs, satellites, and pods--the FIP did not include any documentation of internal control or inventory testing for the existence and completeness of these assets. Instead, the FIP described the routine monitoring activities over these assets that are conducted for operational purposes. With regard to ICBMs, Air Force officials said that the Air Force Audit Agency will be performing inventory testing of ICBMs in fiscal year 2011. Population of Transactions Was Not Reconciled. The Air Force did not reconcile the population of transactions for military equipment prior to conducting testing as required by the FIAR Guidance. Specifically, the Air Force did not ensure that it selected testing samples from the complete population of transactions because it did not complete a reconciliation of the military equipment data recorded in its accountable property systems of record to its general ledger. When it compared the data in these systems, it found discrepancies that it did not resolve. For example, there was an unresolved difference of about $2 billion that was largely attributed to differences in both the recorded costs and accumulated depreciation of satellites. We also found that the FIP included documentation that reported different balances for aerospace vehicles. As shown in table 3, the Air Force reported a net book value[Footnote 25] of $89.5 billion for its aerospace vehicles, which was about $11 billion more than the balance used to perform the reconciliation to the general ledger. Air Force officials said that the balance for aerospace vehicles shown in table 3 is inaccurate and that the balance used to perform the reconciliation is likely more reasonable; however, there was no documentation in the FIP to support this statement. Because of the unresolved reconciling items and the discrepancies in the balances reported for aerospace vehicles, the Air Force does not have assurance that the testing done to determine audit readiness covered the complete population of its military equipment. Information Systems Controls Were Not Fully Tested. The FIAR Guidance requires DOD components to test system controls to ensure that they are operating as intended. However, the FIP did not provide support to indicate that general and application systems controls were operating effectively for the two systems[Footnote 26] that maintain accountability for the Air Force's military equipment. For REMIS, the FIP included information about the Air Force's conclusions regarding the effectiveness of specific controls. However, the FIP did not include any evidence of the testing performed that would allow for an independent evaluation of its work. For RAMPOD, the FIP included a list of controls to be tested, but did not provide any conclusions or any other evidence that any testing had been done. The DOD Comptroller expressed concerns similar to ours and as a result, Air Force officials stated that they would be performing additional testing of general and application controls. In July 2011, Air Force officials reported that this testing was completed but they did not provide supporting documentation for our review. Corrective Actions Were Not Adequately Developed and Implemented. The Air Force had not developed corrective action plans to address all of the exceptions identified during testing, and had not implemented any corrective actions to address these exceptions as of December 31, 2010, when it submitted its FIP, as required by the FIAR Guidance. For example, in reviewing the status of the corrective actions, we found the following: * Capital Modifications[Footnote 27]--The Air Force's testing determined that it did not have the necessary controls in place to ensure that equipment modifications were capitalized when appropriate. The Air Force's corrective action plan had identified the nature of this deficiency, the solution, the required resources, and targeted milestone. However, the targeted milestone noted in the FIP was January 2011--1 month after the Air Force had indicated that the assessable until was audit ready. Air Force officials indicated that they did not expect to complete this corrective action until December 2011. * Accumulated Depreciation--The Air Force's initial testing identified discrepancies with the accumulated depreciation balance reported in REMIS. The errors included both over-and underdepreciation of assets, which, in some instances, resulted in accumulated depreciation amounts in excess of the acquisition cost of the assets. However, as of the date it indicated audit readiness, the Air Force had not identified the cause of this problem, the solution, or a time frame for implementation. Subsequent to indicating audit readiness, the Air Force said that it analyzed the issue further and that it had resolved the issue by July 2011. However, based on our review of documentation provided, the Air Force's actions did not fully address this weakness. * REMIS ICBM Records--The FIP stated that 555 complete ICBMs were recorded in REMIS, but that only approximately 450 complete ICBMs exist at any time. The approximately 100 remaining ICBMs pertain to unassembled missile components which, according to the Air Force, should be classified as operating materials and supplies rather than military equipment. The FIP identified the solution needed to address this deficiency and stated that it must be corrected before military equipment can be ready for audit. However, Air Force officials indicated that they did not expect to complete this corrective action until the fourth quarter of fiscal year 2011, and that testing the effectiveness of the corrective action would be incorporated into the fiscal year 2012 testing efforts. FIP Monitoring and Oversight Needs Improvement: DOD and its military components have established senior executive committees as well as designated officials at the appropriate levels to monitor and oversee their financial improvement efforts. These committees and individuals have also generally been assigned appropriate roles and responsibilities. (Figure 1 depicts the key organizations and positions involved in the overall FIP process and table 4 in appendix II outlines their roles and responsibilities.) According to relevant criteria,[Footnote 28] monitoring should be performed continually and includes regular management and supervisory activities such as assigning qualified people with the appropriate roles and responsibilities, carrying out assigned oversight duties, and documenting the results of oversight activities. We found that Navy and Air Force officials as well as oversight committees did not effectively carry out their monitoring responsibilities for the FIPs that we reviewed. However, once the components indicated audit readiness, we found that the DOD OIG and the DOD Comptroller appropriately carried out their responsibilities for reviewing the FIPs. Figure 1: FIP Oversight Hierarchy: [Refer to PDF for image: illustration] Top level: DOD Comptroller (FIAR Directorate): * FIAR Governance Board; * DOD OIG. Second level, reporting to DOD Comptroller (FIAR Directorate) and FIAR Governance Board: Component Assistant Secretary (Financial Management and Comptroller): * Component Senior Executive Committee(s). Third level, reporting to Component Assistant Secretary (Financial Management and Comptroller): Component FIP Director. Source: GAO analysis of DOD data. [End of figure] Based on our reviews of the Navy Civilian Pay and Air Force Military Equipment FIPs discussed earlier, the Navy and Air Force officials responsible for monitoring and oversight did not effectively ensure that the FIP work was performed in accordance with the FIAR Guidance. The FIP Directors did not ensure that their respective FIPs provided sufficient evidence to support the conclusions of audit readiness before providing the FIPs to the Assistant Secretaries--Financial Management and Comptroller (FM&C) for their signature. Neither Assistant Secretary ensured that the FIPs were sufficient before signing them to indicate audit readiness. For example, the Air Force's FIP was signed even though the FIP stated that the deficiency in ICBM reporting, as discussed earlier, "must be addressed before the military equipment line item can be ready for audit." In addition, committees at both the component and DOD levels did not effectively carry out their responsibilities for FIP oversight. Minutes of the components' senior executive committee meetings did not indicate that these committees thoroughly reviewed the progress of the FIPs in addressing financial management weaknesses. With respect to the FIPs that we reviewed, the FIAR Governance Board's[Footnote 29] activities consisted primarily of receiving status update briefings. Because neither the individual FIP managers nor the oversight committees adequately reviewed and monitored the FIPs, each of the assessable units we reviewed was deemed audit-ready even though the results did not support these conclusions. Once the components indicated audit readiness, both the DOD OIG and the DOD Comptroller carried out their responsibilities for reviewing the FIPs. The DOD OIG, which reviews FIPs concurrently with the DOD Comptroller after a component indicates audit readiness, provided comments to the DOD Comptroller on each of the FIPs. It identified many of the same, or similar, issues that we did, as discussed earlier, and concluded that the FIPs did not comply with the FIAR Guidance nor demonstrate audit readiness for the assessable units. The DOD Comptroller, which makes the final determination as to whether an assessable unit is ready for audit, also identified issues for the Navy Civilian Pay FIP similar to those discussed earlier and concluded that the Navy had not demonstrated audit readiness for its civilian pay. For the Air Force Military Equipment FIP, the DOD Comptroller provided initial comments indicating that it had found issues similar to those we identified and concluded that the Air Force had not demonstrated audit readiness for its military equipment, but it had not yet issued final comments. Recognizing that additional actions were needed to assist the components in developing and implementing their FIPS, the DOD Comptroller established a quality assurance team in January 2011 to review the components' FIPs as they are being developed and implemented. The intent is for the quality assurance team to provide detailed feedback on the FIPs before they are formally submitted for review and validation. In addition, the DOD Comptroller developed a series of training courses to help component personnel understand and execute the FIAR Methodology. Officials from the DOD Comptroller's Office said that the components need additional training and assistance with their FIPs because they do not necessarily have staff with the appropriate skills and qualifications to adequately carry out the procedures required by the FIAR Guidance. We believe that the DOD Comptroller's efforts to review the FIPs as they are being developed and implemented, and to provide additional training and ongoing feedback, will improve the FIPs and thus, the components' ability to demonstrate that assessable units are audit-ready. When the components report the progress of their FIPs inaccurately and submit FIPs to DOD that do not adequately support audit readiness, DOD--both the Comptroller and the OIG--must use resources to review unreliable or incomplete information, and components must then perform rework to reach audit readiness. Thus, the lack of adequate oversight results in an inefficient FIP process and can impact the ability of components to meet established milestones. Conclusions: DOD's FIAR Guidance provides a reasonable and systematic process that DOD components can follow in their efforts to achieve audit readiness. It establishes clear priorities for the components and a road map for reaching auditability for each assessable unit. However, we found that the components did not adequately carry out the procedures required by the FIAR Guidance for the two FIPs we reviewed. Top managers involved in FIP oversight also did not properly monitor and assess the status of FIP efforts in order to make accurate decisions regarding audit readiness. As a result, both the Navy's and Air Force's conclusions of audit readiness for civilian pay and military equipment, respectively, were unsupported. Both the Navy and the Air Force indicated that they have initiated additional actions to address the identified deficiencies, but they did not provide supporting documentation for us to verify their actions. To achieve departmentwide audit readiness, DOD leaders will need to ensure that the components develop, implement, and document their FIPs in compliance with the FIAR Guidance. Considering the deficiencies identified in this report can help inform DOD leaders and the components as they develop and implement other FIPs to better utilize resources by minimizing rework. If the DOD components are unable to achieve interim FIAR milestones, DOD will need to consider the effect on its ability to achieve departmentwide audit readiness by September 30, 2017. Recommendations for Executive Action: We are making 13 recommendations to the Secretary of Defense to improve the development, implementation, documentation, and oversight of the department's financial management improvement efforts. To ensure that the Navy develops and implements its Financial Improvement Plan in accordance with the FIAR Guidance, we recommend that the Secretary of Defense direct the Secretary of the Navy to put procedures in place to help ensure that the Navy's Financial Improvement Plans include documentation that the Navy performed the following: * Sufficient control and substantive testing. * A reconciliation of the complete population of transactions for an assessable unit to the relevant general ledger(s) and to the amount(s) reported in the financial statements, including researching and resolving reconciling items. * An assessment of information systems controls that (1) addresses all relevant critical elements, and (2) for any deficiencies identified in a SAS 70 report that is relied upon, show that either mitigating controls exist or actions have been taken to address the deficiencies. * Preparation and execution of corrective action plans to address significant control weaknesses. * Assessments of the metrics (e.g., key control objectives and key supporting documents) to ensure that they are consistent with, and supported by, testing results. To ensure that the Air Force develops and implements its Financial Improvement Plan in accordance with the FIAR Guidance, we recommend that the Secretary of Defense direct the Secretary of the Air Force to ensure that the Air Force's Financial Improvement Plans include documentation that the Air Force performed the following: * Sufficient control and substantive testing. * A reconciliation of the complete population of transactions for an assessable unit to the relevant general ledger(s) and to the amount(s) reported in the financial statements, including researching and resolving reconciling items. * An assessment of information systems controls that includes documentation of both the testing and the results. * Preparation and execution of corrective action plans to address significant control weaknesses. To ensure that other FIPs from DOD components comply with the requirements in the FIAR Guidance, we recommend that the Secretary of Defense direct the Secretary of the Army and the heads of other DOD components to consider the weaknesses identified in this report when preparing their FIPs. To improve DOD's monitoring and oversight of FIP activities, we recommend that the Secretary of Defense direct: * The Co-Chairs of the FIAR Governance Board to ensure that the board carries out its responsibilities for identifying risks that could prevent the department from achieving its goals and ensuring sufficient documentation of FIP assessment results. * The Secretary of the Navy to ensure that all responsible parties within the Navy, including the Assistant Secretary of the Navy (Financial Management and Comptroller), carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed. * The Secretary of the Air Force to ensure that all responsible parties within the Air Force, including the Assistant Secretary of the Air Force (Financial Management and Comptroller) carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed. Agency Comments and Our Evaluation: We provided a draft of this report to the Secretary of Defense and received written comments from the Under Secretary of Defense (Comptroller), which are reprinted as appendix III. Overall, DOD concurred with 10 recommendations and partially concurred with three, and identified some specific actions that are completed, underway, or planned. DOD commented that its approach of prioritizing its efforts on improving information related to budgetary resources and the existence and completeness of its assets and achieving auditability in those areas has garnered more participation and attention in the FIAR effort than in the past, and DOD described some initiatives underway to speed progress on this effort. DOD recognized that there is room for improvement in implementation of the FIP process by the military components as well as in governance and management of the process. In that regard, DOD concurred with 10 of our recommendations, and said that it is critical to continue to review how DOD applies lessons learned across the department and changes business processes to reflect those lessons. We agree that identifying and incorporating lessons learned into the FIAR process will be an important part of effective implementation, and we look forward to seeing how DOD develops a mechanism to capture and disseminate the lessons. DOD partially concurred with three other recommendations specifically related to the Navy and Air Force FIPs. DOD explained that the Navy and Air Force FIPs that we reviewed were prepared before issuance of the May 2010 FIAR Guidance and may have proceeded with a strategy that was not sufficiently supported, but that corrective actions are underway. As we discussed with DOD, although the FIPs we selected were initiated prior to issuance of the final FIAR Guidance, the issues we identified are consistent with draft FIAR Guidance as well as standard procedures for conducting a financial statement audit that we found to be incorporated into the final FIAR Guidance. On our recommendation related to improving the Navy's process for reconciling transactions with its general ledgers, DOD partially concurred, but noted that the Navy will be unable to reconcile transaction populations until it completes its Financial Statement Compilation Process. As we report, performing reconciliations is key to properly testing financial statement amounts and therefore should be done prior to asserting audit readiness. On our recommendation related to improving the sufficiency of the Air Force's control and substantive testing, DOD partially concurred, but noted that the Air Force based the extent of its testing procedures on its assessment of the inherent risk of the asset category, stating that ICBMs were not tested due to their limited number and extensive controls for these assets. Although the Air Force's FIP noted that ICBMs are subject to extensive controls, the FIP did not document those controls or any tests conducted to validate the controls. Also, for RPAs, satellites, and pods, no evidence of controls was provided and no testing was done. While the FIAR Guidance allows components to use a substantive approach (versus a controls approach) when there are a limited number of items, it does not allow no testing if an area is significant or material. Also as we report, the Air Force's basis for its judgmental selection of the locations to test aircraft was inadequate since it did not demonstrate that the processes and controls at the five selected sites were representative of all other locations not tested. In addition to partial concurrence with this recommendation, DOD commented it will further review this issue and take action as appropriate. On our recommendation related to improving the Air Force's corrective action plans, DOD partially concurred, but noted that when the Air Force asserted auditability it did not believe that the issues being addressed by corrective actions were significant control weaknesses and, therefore, the Air Force was allowed under the FIAR Guidance to assert auditability. We believe that the Air Force reported significant control weaknesses that would have precluded an assertion of auditability; the FIAR Guidance does not allow for auditability assertions when there are unresolved material deficiencies. For example, as we report, the Air Force documented that it was unable to reconcile its population of transactions to its financial statements, and as a result, did not have assurance that the testing done covered the population of military equipment. Also, the Air Force reported errors in its depreciation amounts and that accurate depreciation amounts were "essential" and Air Force military equipment "will not be ready for audit" if not corrected. The Air Force also reported that the cause of errors was "unknown." Although the Air Force subsequently withdrew part of its FIP related to some of these issues, we evaluated the content of the FIP that the Air Force asserted was audit-ready. In addition to partial concurrence with this recommendation, DOD commented it will further review this issue and take action as appropriate. As agreed with your offices, we plan no further distribution of this report until two days from its date, unless you publicly announce its contents earlier. At that time, we will send copies of this report to the appropriate congressional committees. We are also sending copies to the Secretary of Defense; the Under Secretary of Defense (Comptroller); the Secretary of the Navy; the Secretary of the Air Force; the Deputy Chief Management Officer; the Chief Management Officer of the Navy; and the Chief Management Officer of the Air Force. This report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please contact Asif A. Khan at (202) 512-9095 or khana@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IV. As discussed with your staff, we will restrict the release of this report until September 15, 2011. Signed by: Asif A. Khan: Director: Financial Management and Assurance: List of Congressional Requesters: The Honorable Thomas R. Carper Chair Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security Committee on Homeland Security and Governmental Affairs United States Senate: The Honorable Claire McCaskill: Chair: Subcommittee on Contracting Oversight: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Todd Platts: Chair: Subcommittee on Government Organization, Efficiency, and Financial Management: Committee on Oversight and Government Reform: United States House of Representatives: The Honorable Scott P. Brown: Ranking Member: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn: Ranking Member: Permanent Subcommittee on Investigations: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Edolphus Towns: Ranking Member: Subcommittee on Government Organization, Efficiency, and Financial Management: Committee on Oversight and Government Reform: United States House of Representatives: The Honorable John McCain: Member: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: [End of section] Appendix I: Objectives, Scope and Methodology: Our objectives were to determine whether (1) the Financial Improvement and Audit Readiness (FIAR) Guidance provided a reasonable methodology for the Department of Defense (DOD) components to develop Financial Improvement Plans (FIP), (2) the DOD components had adequately developed and implemented selected FIPs in accordance with the FIAR Guidance, and (3) DOD is adequately monitoring and overseeing the FIP process. To address the first objective, we analyzed the FIAR Guidance using relevant criteria such as the GAO and President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual (FAM); the Federal Information System Controls Audit Manual (FISCAM); and Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting. The FAM provides a methodology to perform financial statement audits of federal entities in accordance with professional auditing and attestation standards and OMB guidance. The FISCAM provides a methodology for performing information system control audits in accordance with generally accepted government auditing standards. The OMB Circular No. A-123 provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control. Appendix A of OMB Circular No. A-123 provides a methodology to assess and report on agencies' internal controls over financial reporting. We also interviewed agency officials at the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) FIAR Directorate's office, which developed the FIAR Guidance, and at the Navy and Air Force to obtain explanations and clarifications as a result of our analysis of selected FIPs. To address the second objective, we selected FIPs for two assessable units (Navy Civilian Pay and Air Force Military Equipment) that were scheduled to assert audit readiness in 2010 and were within wave 2 (i.e., Statement of Budgetary Resources) and wave 3 (i.e., Existence and Completeness of Mission Critical Assets) since these waves reflect DOD's priority focus areas. Using the FIAR Guidance, we analyzed the documentation included in the FIPs, such as process flows, control assessments, test plans, test results, and corrective action plans. We did not perform separate audit procedures to assess the effectiveness of the controls or the completeness or accuracy of the Navy civilian pay amounts or the Air Force military equipment. We interviewed the Navy and Air Force FIP directors to obtain explanations and clarifications as a result of our evaluation of the documentation. To address the third objective, we analyzed relevant documentation, such as the FIAR Guidance, FIAR Plan Status Reports, and committee charters and meeting minutes, to identify the entities and officials responsible for monitoring and oversight as well as their roles and responsibilities. We also interviewed officials that play a key role in the monitoring and oversight process, such as Army, Navy, and Air Force officials from the offices of Financial Management and Comptroller and the Deputy Chief Management Officers and DOD officials from the Office of the Under Secretary of Defense (Comptroller), to clarify our understanding of these entities and officials' roles and responsibilities. We then analyzed this information using elements of monitoring discussed in the FAM; the Implementation Guide for OMB Circular No. A-123, Appendix A;[Footnote 30] Standards for Internal Control in the Federal Government;[Footnote 31] the Internal Control Management and Evaluation Tool;[Footnote 32] the COSO Guidance on Monitoring Internal Control Systems; and the FIAR Guidance. We conducted this performance audit from May 2010 to September 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Key Oversight Entities and Their Roles and Responsibilities: The following table summarizes the roles and responsibilities of key individuals and committees involved in monitoring and overseeing the FIP process. Table 4: Key Oversight Entities and Their Roles and Responsibilities. Department of Defense: Group or official: Office of the Under Secretary of Defense (Comptroller) (OUSD(C)); Description of roles and responsibilities: * Reviews FIP status and the progress in meeting both overall FIAR objectives and interim milestones. * Develops and issues detailed financial improvement and audit preparation methodologies and guidance to standardize component FIPs, and provides training on the FIAR Guidance and proper execution of FIP activities. * Develops metrics for monitoring and reporting FIP progress. * Reviews the component FIPs as they are being developed and implemented, provides assistance to components in developing and implementing FIPs (e.g., helping prepare test plans), and provides feedback on the plans. * Reviews component FIPs to ensure management testing results reasonably indicate audit readiness. * Reviews the examination results of the independent public accountant (IPA) or other qualified, independent reviewer; makes a final determination of the assessable unit's audit readiness; and communicates to the reporting entity whether to proceed with the Sustainment/Audit Phase or return to the Corrective Action Phase. Group or official: FIAR Governance Board[A]; Description of roles and responsibilities: * Co-Chaired by the Under Secretary of Defense (Comptroller) [USD(C)] and the DOD Deputy Chief Management Officer (DCMO). * Members include Military Department DCMOs, Military Department Assistant Secretaries-Financial Management and Comptroller (FM&C), DOD functional community senior leaders (e.g., Assistant Secretary- Logistics and Material Readiness), and DOD Office of Inspector General (Advisory Member). * Meets quarterly to provide leadership and oversight of the Department's FIAR plans (including reviewing the progress on each Component's FIP) and identify risks that could prevent the department from achieving its goals. * Ensures sufficient documentation of the FIP assessment results. Group or official: Inspector General; Description of roles and responsibilities: * Reviews the FIP to assess whether it demonstrates audit readiness and notifies the OUSD(C) and component of its assessment. * Performs examination of the component's management audit readiness assertion and issues an examination report opining on management's assertion of audit readiness. * Performs (or engages an IPA to perform) audits of the assessable units and the component's financial statements. Military Components (Air Force, Army, Navy)[B]: Group or official: Component Senior Executive Committees[C]; Description of roles and responsibilities: * Chaired by the Assistant Secretary (FM&C) or Deputy Assistant Secretary for Financial Operations (FM&C). * Members include the Deputy Assistant Secretary for Financial Operations (FM&C), Chief Information Officer, and senior leaders from the functional communities (e.g., Assistant Secretary-Research, Development, and Acquisition). * Meets quarterly to review progress of the FIPs in addressing financial management weaknesses, including the identification and remediation of internal control deficiencies. Group or official: Assistant Secretary-Financial Management and Comptroller (FM&C); Description of roles and responsibilities: * Has overall responsibility for the financial improvement and audit readiness efforts within their respective component. * Reviews FIP status and the progress in meeting interim and long-term milestones. * Reviews FIP and determines whether the assessable unit is audit- ready. Group or official: Financial Improvement Plan/Audit Readiness Director; Description of roles and responsibilities: * Manages the development and implementation of FIPs including the identification and assessment of controls; development and execution of test plans; and assessment of test results. * Meets regularly with senior financial management and oversight committees to provide updates on the FIP. * Determines when the results of the FIP work are sufficient to support an assertion of audit readiness for an assessable unit. Source: GAO analysis of DOD documents and interviews with agency officials. [A] FIAR Governance Board is supported by the FIAR Committee, which in turn is supported by the FIAR Subcommittee. [B] The titles of the groups and officials listed are general descriptive titles and do not necessarily reflect actual titles. The roles and responsibilities listed are general characterizations and not a comprehensive listing. [C] For the Navy, this includes the Navy Audit Committee. For the Air Force, this includes its Financial Improvement Executive Steering Committee, Senior Assessment Team and the Accountability and Financial Management Integrated Process Team. For the Army, this includes the Army Audit Committee and the Senior Level Steering Group, Senior Assessment Team. [End of table] [End of section] Appendix III: Comments from the Department of Defense: Under Secretary of Defense: Comptroller: 1100 Defense Pentagon: Washington, DC 20301-1100: August 23, 2011: Mr. Asif A. Khan: Director, Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Khan: This is the Department of Defense (DOD) response to the Government Accountability Office (GAO) draft report GAO-11-851, "DoD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Effort" dated August 12, 2011 (GAO Code 198602). Detailed comments are enclosed with this letter. The Department has developed and implemented a streamlined approach to achieve auditable financial statements. This approach focuses on the information that is most used to manage in the Department - budgetary information, and the financial information that most impacts our mission readiness - the existence and completeness of assets. Because of this strategic prioritization, we have more participation in and attention to this effort than in the past. I appreciate the support for this approach and the related methodology for achieving audit readiness that you reflect in your report. I am not surprised your report also indicates your review found instances where the Department needs to improve implementation of this strategy and methodology. While we do not agree with all of your detailed findings, as we have discussed with your audit team, we do agree there is room for improvement in the planning and execution of our audit readiness efforts. The origins of both assertion packages that your team reviews predate the current guidance and may have proceeded with a strategy that was not sufficiently supported. Corrective actions for these assertions are underway and more recent efforts continue to demonstrate improvement in both understanding and application of the audit readiness guidance. That said, it is critical that we continue to look at how effectively we are applying lessons learned across the enterprise and are changing business processes to reflect those lessons. Your recommendations also focus on our governance and management. We agree that achieving audit readiness not only involves improvements to systems, processes, and controls but is dependent on our ability to effectively govern and manage the enormous change management effort. My counterparts in senior leadership and I are working to instill new priorities, skills, and qualifications in personnel throughout the Department to better manage the audit readiness effort. As you report indicates, we have several initiatives already underway to speed our progress along including: * The Service Under Secretaries (Component Chief Management Officers) have committed to achieve specific measurable milestones to full audit readiness in Fiscal Years 2001 and 2012. * Audit readiness goals will be included in the Fiscal Year 2012 performance plans of all relevant Senior Executive Service members. * Each Service has designated a team of experienced auditors to assess, test, and help improve financial processes and controls in Service operational organizations. Thank you for the opportunity to comment. We look forward to your continued involvement in our effort and assistance by recommending improvements. My point of contact for this effort is Mr. Joseph Quinn. lie can be readied at 571-254-2678 or joseph.quinn@osd.mil. Sincerely, Signed by: Robert F. Hale: Enclosure: As stated. [End of letter] GAO DRAFT ReporT DATED August 12, 2001: GAO-11-851 (GAO Code 198602): DOD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Effort: Department of Defense Comments TO The GAO Recommendations: Recommendation 1: The GAO recommends that to ensure that the Navy develops and implements its Financial Improvement Plan (FIP) in accordance with the Financial Improvement and Audit Readiness (FIAR) Guidance, the Secretary of Defense directs the Secretary of the Navy to put procedures in place to help ensure that the Navy's FIPs include documentation that the Navy performed sufficient control and substantive testing. DoD Response: Concur. Department of Navy (DON) comments acknowledged the importance of compliance with the FIAR Guidance but also noted that the FIAR Guidance was published after the DON Civilian Pay management assertions and had followed a testing strategy that had been judged to be sufficient. On behalf of the Secretary of Defense, the Under Secretary of Defense (Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvement and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 2: The GAO recommends that to ensure that the Navy develops and implements its FIP in accordance with the Financial Improvement and Audit Readiness (FIAR) Guidance, the Secretary of Defense direct the Secretary of the Navy to put procedures in place to help ensure that the Navy's FIPs include documentation that the Navy performed a reconciliation of the complete population of transactions for an assessable unit to the relevant general ledger(s) and to the amount(s) reported in the financial statements, including researching and resolving reconciling items. DoD Response: Partially concur. DON comments noted that its management assertion was limited to the civilian pay transaction population recorded in the general ledgers; DON will be unable to reconcile assessable unit transaction populations to the Statement of Budgetary Resources until it completes continuing work on its Financial Statement Compilation business process. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DOD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 3: The GAO recommends that to ensure that the Navy develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Navy to put procedures in place to help ensure that the Navy's FIPs include documentation that the Navy performed an assessment of information systems controls that (1) addresses all relevant critical elements, and (2) for any deficiencies identified in a SAS 70 report that is relied upon, show that either mitigating controls exist or actions have been taken to address deficiencies. DoD Response: Concur. DON comments acknowledged the importance of assessment of information system controls. DON will assess the system general and application controls for DON-owned systems and work with its service providers and OUSD(C) for controls assessments (and subsequent corrective action) on systems managed and maintained outside of DON. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 4: The GAO recommends that to ensure that the Navy develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Navy to put procedures in place to help ensure that the Navy's FIPs include documentation that the Navy performed preparation and execution of corrective actions plans to address significant control weaknesses. DoD Response: Concur. DON comments noted that its corrective action plans are part of its detailed plan of action and milestones for its Statement of Budgetary Resources. Additionally, DON is dependent on external service providers to complete a number of corrective actions and will work with its service providers and OUSD(C) to facilitate resolution of these actions. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 5: The GAO recommends that to ensure that the Navy develops and implements its FIP in accordance with FIAR Guidance, the Secretary of Defense direct the Secretary of the Navy to put procedures in place to help ensure that the Navy's FIPs include documentation that the Navy performed assessments of the metrics (e.g., key control objectives and key supporting documents) to ensure that they are consistent with, and supported by, testing results. DoD Response: Concur. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 6: The GAO recommends that to ensure that the Air Force develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Air Force to ensure that the At Force's FIPs include documentation that the Air Force performed sufficient control and substantive testing. DoD Response: Partially concur. The Air Force adheres to the OSD FIAR Guidance and any referenced instructions including the GAO Financial Audit Manual (FAM). The Air Force based the extent of its testing procedures on the inherent risk of the asset category. For example, the Air Force did not attempt to test the existence and completeness for ICBMs due to the limited number of assets and the external controls for these assets. The Air Force's initial assessment is supported by recently completed work by the AFAA which tested 60 ICBMs and did not find any exceptions for Existence and Completeness. To support its assertion the Air Force tested 198 aircraft and did not find any exceptions. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 7: The GAO recommends that to ensure that the Air Force develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Air Force to ensure that the Air Force's FIPs include documentation that the Air Force performed a reconciliation of the complete population of transactions for an assessable unit to the relevant general ledger(s) and to the amount(s) reported in the financial statements, including researching and resolving reconciling items. DoD Response: Concur. Air Force comments noted that it modified the assertion for Military Equipment, limiting it to the OUSD(C) priorities of Existence and Completeness. Individual asset records reside in the Accountable Property System of Record (APSR) and not in the General Ledger. Therefore it was not necessary or possible to reconcile by asset the records in the APSR to the General Ledger. Other Air Force assertions including the Budget Authority (BA) and Fund Balance with Treasury Reconciliation (FBwT) include reconciliations. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 8: The GAO recommends that to ensure that the Air Force develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Air Force to ensure that the Air Force's FIPs include documentation that the Air Force performed an assessment of information systems controls that includes documentation of both testing and results. DoD Response: Concur. Air Force comments acknowledged the importance of compliance with the FIAR Guidance, including assessment of information systems controls but also noted that the FIAR Directorate provided guidance on general and application systems control approximately 45 days after the military equipment assertion. The Air Force took action to have Federal Information Systems Controls Audit Manual (FISCAM) documentation developed subsequent to assertion. The Air Force has enhanced the functionality of the Enterprise Information Technology Data Repository (EITDR) to include additional documentation requirements to meet FISCAM requirement. In addition, the Air Force has worked with Air Force Audit Agency to identify and prioritize financial and financial feeder systems for FISCAM audits. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 9: The GAO recommends that to ensure that the Air Force develops and implements its FIP in accordance with the FIAR Guidance, the Secretary of Defense direct the Secretary of the Air Force to ensure that the Air Force's FIPs include documentation that the Air Force performed preparation and execution of corrective action plans to address significant control weaknesses. DoD Response: Partially concur. The Air Force comments indicate it evaluates outstanding corrective actions for materiality, impact, and risk when determining when an area is ready for assertion. Air Force management does not believe that the issues that the corrective actions in our Military Equipment assertions are intended to address are significant control weaknesses. The FIAR guidance does not prevent the service from going forward with an assertion that has corrective actions. As an example, Air Force Budget Authority received an unqualified opinion for an IPA even though there were outstanding corrective actions. The Air Force considers its oversight process extensive and has delayed important assertions for missile motors and spare engines when the corrective actions were material and not supportable. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 10: The GAO recommends that to ensure that other FIPs from DOD components comply with the requirements in the FIAR Guidance, the Secretary of Defense directs the Secretary of the Army and the heads of other DOD components to consider the weaknesses identified in this report when preparing their FIPs. DoD Response: Concur. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. In addition, The Assistant Secretary of the Army (Financial Management and Comptroller) has begun a comprehensive review to validate the Army's FIP fully meets OUSD(C) FIAR Guidance. Specifically, the Army has placed increased priority on the recommendations where appropriate. Recommendation 11: The GAO recommends that the Secretary of Defense direct the Co-Chairs of the FIAR Governance Board to ensure that the Board carries out its responsibilities for identifying risks that could prevent the Department from achieving its goals and ensuring sufficient documentation of FIP assessment results. Dod Response: Concur. The Department has instituted several actions to help ensure that Component's perform sufficient analysis, testing, and documentation in their financial improvement efforts. These actions include the establishment of a quality assurance team composed of experienced financial statement auditors within the Office of the Under Secretary of Defense (Comptroller)/Chief Financial Officer (OUSD(C)/CFO) Financial Improvement and Audit Readiness (FIAR) Directorate. The FIAR quality assurance team reviews Components plans and documentation as they are completed to provide valuable feedback and avoid assertions of audit readiness not supported by sufficient testing and analysis. The Co-Chairs of the FIAR Governance Board will require the FIAR Directorate to report to the Board at each meeting on the results of these reviews in order to identify and address risks to achieving audit readiness goals. Recommendation 12: The GAO recommends that the Secretary of Defense direct the Secretary of the Navy to ensure that all responsible parties within the Navy, including the Assistant Secretary of the Navy (Financial Management and Comptroller), carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed. Dod Response: DON will continue to engage all relevant business process owners, at all levels, as they gage audit readiness in assessable units. For example, Assistant Secretary of the Navy (Manpower and Reserve Affairs) co-signed the Civilian Pay management assertion, and it was reviewed by the DON Audit Committee. On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. Recommendation 13: The GAO recommends that the Secretary of Defense direct the Secretary of the Air Force to ensure that all responsible parties within the Air Force, including the Assistant Secretary of the Air Force (Financial Management and Comptroller) carry out their responsibilities for ensuring that FIP development and implementation complies with the FIAR Guidance and that the FIP contains sufficient information to indicate audit readiness before it is signed. DoD Response: Concur. Air Force comments indicate Air Force leadership carries out its responsibilities for all aspects of audit readiness including the development and execution of Financial Improvement Plans through the assertion review and submission process until final validation by an IPA or DoDIG. The Air Force will rely on its success operating under the May 15, 2919 FIAR guidance to demonstrate its oversight of audit readiness efforts. The Air Force received an unqualified opinion on its Budget Authority assertion, its Fund Balance with Treasury Reconciliation assertion was validated by OSD and is undergoing examination by an Independent Public Accounting firm. The Air Force FIAR governance process has delayed assertions that Air Force leadership determined were not supportable (missile motors and spare engines). On behalf of the Secretary of Defense, the Under Secretary of Defense Comptroller)/Chief Financial Officer (OSD(C)/CFO) is reviewing DoD/Component Financial Improvements and Audit Readiness (FIAR) plans with appropriate DoD leaders to determine what improvements can be made to address these kind of deficiencies and as a result, speed progress. Upon completion of this review, the Secretary will issue formal direction to the Service Secretaries and other leaders on additional actions they must take to ensure sufficient and qualified resources are devoted to achieving this priority in alignment with the Department's strategy and methodology including the aspects of that methodology noted in this finding. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Asif Khan, (202) 512-9095 or khana@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made key contributions to this report: Abe Dymond, Assistant Director; Paul Foderaro, Assistant Director; J. Mark Yoder; Kristi Karls; Michael Bingham; Carmen Harris; Adrienne Walker; David Yoder; Jason Kelly; and Jason Kirwan. [End of section] Footnotes: [1] The Chief Financial Officers Act of 1990, Pub. L. No. 101-576, title III, § 303, 104 Stat. 2838, 2849 (Nov. 15, 1990), initially required annual audited financial statements of certain DOD components and activities, but the Government Management Reform Act of 1994, Pub. L. No. 103-356, § 405, 108 Stat. 3410, 3415 (Oct. 13, 1994) expanded the annual requirement to departmentwide financial statements beginning with fiscal year 1996, which at the time had to be prepared no later than March 1, 1997. See 31 U.S.C. § 3515. [2] Pub. L. No. 107-107, § 1008, 115 Stat. 1012, 1205 (Dec. 28, 2001). [3] Pub. L. No. 111-84, § 1003(a),(b), 123 Stat. 2190, 2439-40 (Oct. 28, 2009). [4] The DOD FIP is a framework for planning and tracking the steps and supporting documentation necessary to achieve auditability within the FIAR Methodology. [5] GAO, Department of Defense: Financial Management Improvement and Audit Readiness Efforts Continue to Evolve, [hyperlink, http://www.gao.gov/products/GAO-10-1059T] (Washington, D.C.: September 2010). [6] GAO and the President's Council on Integrity and Efficiency (PCIE), Financial Audit Manual (FAM), [hyperlink, http://www.gao.gov/products/GAO-08-585G] (Washington, D.C.: July 2008); Federal Information System Controls Audit Manual (FISCAM), [hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: February 2009); Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999); Office of Management and Budget (OMB) Circular No. A- 123, Management's Responsibility for Internal Control (revised December 2004). [7] An assessable unit can be any part of the financial statements, such as a line item or a class of assets (e.g., civilian pay or military equipment), a class of transactions, or it can be a process or a system that helps produce the financial statements. [8] FIP documentation includes evidence of the components' implementation of financial improvement plans as well as results of those efforts. Throughout this report, we use the term "FIP" to mean the documentation that was used to support a component's assertion of audit readiness, which is a key step in the FIAR Methodology. [9] OMB Circular No. A-123, Appendix A, Internal Control Over Financial Reporting. [10] DOD, Fiscal Year 2010 Financial Improvement and Audit Readiness (FIAR) Guidance (May 15, 2010); DOD, Financial Improvement and Audit Readiness (FIAR) Plan Status Report (November 2010); DOD, Financial Improvement and Audit Readiness (FIAR) Plan Status Report (May 2011). [11] GAO, High Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011). [12] OMB Circular No. A-136; OMB Bulletin No. 07-04, as amended; and DOD Financial Management Regulation, Volume 6B, Chapters 1 and 2. [13] GAAP for federal agencies are issued by the Federal Accounting Standards Advisory Board, a federal advisory committee sponsored by OMB, the Treasury, and GAO. [14] [hyperlink, http://www.gao.gov/products/GAO-09-373]. [15] The Antideficiency Act generally requires that all appropriations to DOD be apportioned by the President, who has delegated this authority to OMB, and that all appropriations, apportionments, and re- apportionments be controlled by DOD through an OMB-approved system of funds control under which DOD makes allotments or further subdivisions of apportionments, such as suballotments. See 31 U.S.C. §§ 1513, 1514. [16] Substantive tests are performed to obtain evidence on whether amounts reported on the financial statements are reliable. [17] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999); and OMB Circular No. A-123, Appendix A, Internal Control Over Financial Reporting. [18] A general ledger is a book or financial information system of final entry summarizing all financial transactions from books of original entry (e.g., a payroll system). It contains a collection of all asset, liability, equity, revenue, and expense accounts, and is the final record from which financial statements are prepared. [19] The control environment refers to the discipline, structure, and climate throughout an organization that sets an attitude toward internal control and conscientious management. [20] Exception and change reports are designed to provide reasonable assurance that data received for computer processing have been properly authorized and converted into machine sensible form, and that the data have not been lost, suppressed, added, duplicated, or improperly changed. [21] DCPS is a DOD-wide payroll system that is managed by the Defense Finance and Accounting Service (DFAS). [22] Navy's general ledger systems include the Standard Accounting and Reporting System - Field Level (STARS-FL), the Standard Accounting and Reporting System - Headquarters Claimant Module (STARS-HCM), the Navy Enterprise Resource Planning (ERP), and the Standard Accounting, Budgeting, and Reporting System (SABRS). [23] A SAS 70 report is issued by an independent auditor and discusses the effectiveness of internal controls over the processing of transactions by a service organization. (Statement on Standards for Attestation Engagements (SSAE) 16 reports will replace the SAS 70 reports for periods ending on or after June 15, 2011.) [24] Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives and accomplish an agency's control objectives. Control objectives are stated objectives that, if achieved, provide reasonable assurance that individual and aggregate misstatements (whether caused by error or fraud), losses, or noncompliance material to the financial statements would be prevented or detected. [25] Net book value equals the recorded acquisition cost of an asset minus its accumulated depreciation. [26] The Air Force accountable property systems consist of the Reliability and Maintainability Information System (REMIS) and the Reliability, Availability, and Maintainability of pods (RAMPOD). [27] The cost of a modification is added to the recorded value of the modified piece of military equipment (i.e., the cost is "capitalized") if the cost of the modification is over $100,000 and the modification adds capability to the weapon system or extends its useful life beyond the original useful life. [28] GAO and the President's Council on Integrity and Efficiency (PCIE), Financial Audit Manual (FAM); Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999); OMB Circular No. A-123, Management's Responsibility for Internal Control (revised December 2004); Committee of Sponsoring Organizations of the Treadway Commission, Internal Control -Integrated Framework, Guidance on Monitoring Internal Control Systems (January 2009). [29] The FIAR Governance Board is co-chaired by the DOD Comptroller and the DOD Deputy Chief Management Officer. [30] OMB Circular No. A-123, Appendix A, Implementation Guide for Internal Control Over Financial Reporting (Dec. 21, 2004). [31] Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington D.C.: November 1999). [32] Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington D.C.: August 2001). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: