This is the accessible text file for GAO report number GAO-11-830 entitled 'DOD Financial Management: Marine Corps Statement of Budgetary Resources Audit Results and Lessons Learned' which was released on September 15, 2011.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:

Report to Congressional Requesters:

September 2011:

DOD Financial Management:

Marine Corps Statement of Budgetary Resources Audit Results and Lessons Learned:

GAO-11-830:

GAO Highlights:

Highlights of GAO-11-830, a report to congressional requesters.

Why GAO Did This Study:

Long-standing weaknesses in Department of Defense (DOD) business processes, systems, and controls have hindered efforts to achieve financial audit readiness.
Because DOD relies heavily on budget information for day-to-day management decisions, in August 2009, the DOD Comptroller designated the Statement of Budgetary Resources (SBR) as an audit priority. The U.S. Marine Corps was identified as the pilot military service for an SBR audit. GAO was asked to determine (1) the primary reasons the Marine Corps was unable to obtain an opinion on its fiscal year 2010 SBR; (2) the effectiveness and status of the Marine Corps’ remediation plan, and (3) military service efforts to leverage Marine Corps SBR audit lessons. GAO reviewed auditor findings and recommendations, evaluated the Marine Corps corrective action plans, and reviewed documentation on military service audit readiness and lessons learned efforts. During its work, GAO met with DOD, Marine Corps, military service, and Defense Finance and Accounting Service (DFAS) officials and the auditors.

What GAO Found:

The Marine Corps received a disclaimer of opinion on its Fiscal Year 2010 SBR because it could not provide supporting documentation in a timely manner, and support for transactions was missing or incomplete. Auditors also reported that the Marine Corps did not have adequate processes, systems controls, and controls for accounting and reporting on the use of budgetary resources. Further, the Marine Corps could not provide evidence that reconciliations for key accounts and processes were being performed on a monthly basis. The auditor also identified ineffective controls in key information technology (IT) systems used by the Marine Corps to process financial data. The auditors provided 139 recommendations to correct identified weaknesses.

The Marine Corps developed action items and milestones in response to the auditor’s findings. But its remediation plan was focused on near-term outcomes and did not adequately specify key elements, including goals and objectives, actions for addressing those objectives, and associated performance measures.
GAO previously reported that it is standard practice to have a strategy that includes these features. GAO found that many of the Marine Corps’ actions did not address the specific auditor recommendations, and other actions were not adequate to correct underlying problems or root causes. Further, many of the remediation actions would require steps on the part of other DOD components, such as DFAS and the Defense Contract Management Agency. As of July 2011, the Marine Corps reported that actions on 88 of the 139 auditor recommendations were fully implemented. Auditors will assess the effectiveness of these actions as part of the fiscal year 2011 SBR audit effort. However, because many of the actions do not address the underlying internal control weaknesses, the Marine Corps risks continuing disclaimers of opinion.

The Marine Corps’ fiscal year 2010 SBR audit results provide valuable lessons on preparing for a first-time financial statement audit. GAO identified five fundamental lessons that are critical to success. Specifically, the Marine Corps’ experience demonstrated that prior to asserting financial statement audit readiness, DOD components must:

* confirm completeness of populations of transactions and address any abnormal transactions and balances,

* test beginning balances,

* perform key reconciliations,

* provide timely and complete response to audit documentation requests, and,

* verify that key IT systems are compliant and auditable.

These issues are addressed in Internal Control Standards and audit requirements as well as DOD’s Financial Improvement and Audit Readiness Guidance, which the military services are to follow in developing their respective Financial Improvement Plans (FIP). Navy, Army, and Air Force FIP officials stated that they were aware of the Marine Corps lessons. Navy officials stated that they are in the process of updating their audit readiness plan to address all five areas.
Army and Air Force officials indicated their plans addressed some but not all of the lessons.

What GAO Recommends:

GAO makes recommendations to (1) the Marine Corps to develop a risk-based remediation plan and confirm its actions fully respond to auditor recommendations and (2) DOD to direct other military services to consider key lessons learned in their audit readiness plans, as appropriate. DOD concurred with three of four recommendations but said the recommendation for a risk-based plan was too prescriptive. GAO believes this is needed for the long term.

View [hyperlink, http://www.gao.gov/products/GAO-11-830] or key components. For more information, contact Asif A. Khan at (202) 512-9869 or khana@gao.gov.

[End of section]

Contents:

Letter:

Background:

Inadequate Support for Accounting Transactions and Ineffective Controls Led to Disclaimer on the Marine Corps' SBR:

Marine Corps Remediation Plan Is Focused on Near-Term Outcomes:

Lessons Learned from the Marine Corps' SBR Audit Effort:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Reported Status of Marine Corps Actions on Recommendations from the Fiscal Year 2010 Statement of Budgetary Resources Audit Effort:

Appendix III: Comments from the Department of Defense:

Appendix IV: GAO Contact and Staff Acknowledgments:

Tables:

Table 1: DOD IG Recommendations, Reported Status of USMC Actions on Accounting and Financial Reporting Process Issues as of July 18, 2011, and DOD IG Confirmation of Status as of August 25, 2011:

Table 2: DOD IG Recommendations, Reported Status of USMC Actions on MCTFS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Marine Corps Statuses as of August 25, 2011:

Table 3: DOD IG Recommendations, Reported Status of USMC Actions SABRS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Marine Corps Status as of August 25, 2011:
Table 4: DOD IG Recommendations, Reported Status of USMC Actions on DDRS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Status as of August 25, 2011:

Figure:

Figure 1: Marine Corps Trend Analysis on Estimated Obligations and Liquidations Related to Fiscal Year 2010 Officer PCS Moves:

Abbreviations:

ACAT: Acquisition Category:
ACID: Accessor Identification:
ADA: Antideficiency Act:
AG: Software AG:
BIA: Business Impact Analysis:
BTA: Business Transformation Agency:
CA: Computer Associates:
C&A: Certification and Accreditation:
CAC: Common Access Card:
CCB: Configuration Control Board:
CFO: Chief Financial Officer:
CI: Configuration Items:
CICS: Customer Information Control System:
CL: Cleveland:
CMB: Configuration Management Board:
COE: Commit, Obligate, and Expend:
COOP: Continuity of Operations:
COTR: Contracting Officer Technical Representative:
DAA: Designated Accrediting Authority:
DBA: Database Administrator:
DCAA: Defense Contract Audit Agency:
DCAS: Defense Cash Accountability System:
DCMA: Defense Contract Management Agency:
DCPS: Defense Civilian Pay System:
DDRS: Defense Departmental Reporting System:
DDRS-AFS: Defense Departmental Reporting System-Agency Financial Reporting:
DDRS-B: Defense Departmental Reporting System-Budgetary:
DDRS-DCM: Defense Departmental Reporting System-Data Collection Module:
DEAMS: Defense Enterprise Accounting and Management System:
DECC: Defense Enterprise Computing Centers:
DIC: Document Identifier Code:
DLT: Design Logic Tool:
DFAS: Defense Finance and Accounting Service:
DFAS-CL: Defense Finance and Accounting Service-Cleveland:
DFAS-CO: Defense Finance and Accounting Service-Columbus:
DFAS-IN: Defense Finance and Accounting Service-Indianapolis:
DIACAP: DOD Information Assurance Certification and Accreditation Process:
DISA: Defense Information System Agency:
DOD: Department of Defense:
DON: Department of the Navy:
DSSN: Disbursing Station Symbol Number:
ELSIG: Electronic Signature:
eMASS: Enterprise Mission Assurance Support System:
ERP: Enterprise Resource Planning:
FASAB: Federal Accounting Standards Advisory Board:
FBWT: Fund Balance with Treasury:
FIAR: Financial Improvement and Audit Readiness:
FIP: Financial Improvement Plan:
FM: Functional Manager:
FMR: Financial Management Regulation:
FOS: Family of Systems:
FRD: Functional Requirements Document:
GAAP: Generally Accepted Accounting Principles:
GDA: Global Data Area:
GFEBS: General Fund Enterprise Business System:
GL: General Ledger:
HQMC: Headquarters Marine Corps:
IA: Information Assurance:
IAO: Information Assurance Officer:
ICOFR: Internal Control over Financial Reporting:
IG: Inspector General:
IT: Information Technology:
JADS: Joint Application Development Sessions:
JV: Journal Voucher:
LOA: Line of Accounting:
MCCAT: Marine Corps Administrative Analysis Team:
MCO: Marine Corps Order:
MCPDT: Marine Corps Permanent Duty Travel:
MCPRT: Marine Corps Program Review Team:
MCTFS: Marine Corps Total Force System:
MI: Manpower Information:
MILSTRIP: Military Standard Requisition and Issue Procedures:
MISSO: Manpower Information Systems Support Office:
MOA: Memorandum of Agreement:
MOCAS: Mechanization of Contract Administration Services:
MRCV: Monthly Reconciliation/Certification Voucher:
N/A: Not applicable:
NDAA: National Defense Authorization Act:
NFR: Notice of Findings and Recommendations:
OMB: Office of Management and Budget:
PanAPT: Panvalet Automated Production Turnover Software:
PCS: Permanent Change of Station:
PIN: Personal Identification Number:
PMO: Program Management Office:
POAM: Plan of Action and Milestones:
PPA: Prior Period Adjustment:
PTR: Production Trouble Report:
Pub. L. No.: Public Law Number:
RFA: HQMC, Programs and Resources Department, Fiscal Division, Accounting Branch:
RFF: HQMC, Programs and Resources Department, Fiscal Division, Finance Branch:
SAAR: System Access Authorization Request:
SABRS: Standard Accounting, Budgeting, and Reporting System:
SAT: System Acceptance Testing:
SBR: Statement of Budgetary Resources:
SCA: System Connection Agreement:
SCR: System Change Request:
SDN: Standard Document Number:
SDP: System Development Plan:
SF: Standard Form:
SFIS: Standard Financial Information Structure:
SI-DI: System Integration-Data Integrity:
SIT: System Integration Testing:
SLA: Service-Level Agreement:
SMD: System Management Directorate:
SMD-CL: System Management Directorate-Cleveland:
SOD: Segregation of Duties:
SPO: Standard Operating Procedure:
SR: Software Release:
STARS-FL: Standard Accounting and Reporting System-Field Level:
Stat.: Statute:
TAR: Tri-Annual Review:
TASO: Terminal Area Security Officer:
TRF: Transaction Research File:
TSO: Technology Services Organization:
TSO-CL: Technology Services Organization-Cleveland:
UD/MIPS: Unit Diary/Marine Integrated Personnel System:
U.S.C.: United States Code:
USMC: United States Marine Corps:
USSGL: United States Standard General Ledger:
WAWF: Wide Area Work Flow:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

September 15, 2011:

Congressional Requesters:

The Chief Financial Officers Act of 1990 (CFO Act), as amended, established requirements for 24 agencies, including the Department of Defense (DOD) to prepare annual financial statements and have them audited.[Footnote 1] As we have previously reported, DOD's many challenges in resolving its pervasive and long-standing weaknesses in financial management, business operations, and systems, have inhibited its ability to meet this requirement.[Footnote 2] These weaknesses have also adversely affected DOD's ability to control costs; ensure basic accountability; anticipate future
costs and claims on the budget; measure performance; maintain funds control; and prevent and detect fraud, waste, and abuse. DOD has undertaken several financial management improvement initiatives over the years, but it remains one of two CFO Act agencies that are unable to prepare auditable financial statements as of fiscal year 2010.[Footnote 3] The National Defense Authorization Act (NDAA) for Fiscal Year 2010 mandated that DOD be prepared to validate (certify) that its consolidated financial statements are ready for audit by September 30, 2017.[Footnote 4] In 2005, the Under Secretary of Defense (Comptroller/Chief Financial Officer) first prepared the Financial Improvement and Audit Readiness (FIAR) Plan to improve DOD business processes with the goal of producing timely, reliable, and accurate financial information that could generate audit-ready annual financial statements. The FIAR Plan is DOD's strategic plan and management tool for guiding, monitoring, and reporting on the department's financial management improvement efforts. As such, the plan communicates progress in addressing the department's financial management weaknesses and achieving financial statement auditability. The DOD Comptroller announced in August 2009 that in DOD's effort to improve its financial management information, priority would be given to improving those processes and controls that produce information on which DOD managers rely most heavily to run the agency. Because budgetary information is widely and regularly used for management, the DOD Comptroller designated as one of DOD's highest priorities the improvement of its budgetary information and processes underlying the Statement of Budgetary Resources (SBR). The SBR is the only financial statement predominantly derived from an entity's budgetary accounts in accordance with budgetary accounting rules, which are incorporated into generally accepted accounting principles (GAAP) for the federal government. 
The SBR is designed to provide information on authorized budgeted spending authority and links to the Budget of the United States Government (President's Budget), including budgetary resources, availability of budgetary resources, and how obligated resources have been used.[Footnote 5] The United States Marine Corps was identified as the pilot military service for an audit of the SBR. For fiscal year 2010, the Marine Corps reported more than $37.5 billion in total budgetary resources, including over $32.1 billion in net outlays (spending, net of offsetting collections[Footnote 6] and receipts). The Marine Corps is a military service within the Department of the Navy, and its success in achieving audit readiness is intended to pave the way for the Navy to be the second military service to undergo an SBR audit. The DOD Inspector General (IG) contracted with an independent public accounting firm to conduct the audit of the Marine Corps' Fiscal Year 2010 SBR. Based on the results of the auditors' work, the DOD IG issued a disclaimer of opinion[Footnote 7] on the fiscal year 2010 SBR. During a September 2010 hearing held by the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Senate Committee on Homeland Security and Governmental Affairs, DOD witnesses noted that the Marine Corps' SBR audit efforts had identified significant problems with the Marine Corps' documentation of business systems and processes, support for transactions, and proper and timely recording of transactions, which contributed to the disclaimer of opinion. The Subcommittee expressed concern about the current status of the Marine Corps' audit readiness, the effectiveness of its remediation efforts, and the effects on DOD's overall financial audit readiness timeline. 
This report responds to the request that we determine (1) the primary reasons the Marine Corps was unable to obtain an opinion on its Fiscal Year 2010 SBR, (2) the effectiveness and reported status of the Marine Corps' remediation plan, and (3) the military services' efforts to leverage Marine Corps SBR audit lessons learned. For the first objective, we reviewed pertinent documentation, including the auditors' report and DOD IG audit documentation. For the second objective, we analyzed the Marine Corps' remediation plans to determine whether corrective actions were appropriately designed using relevant criteria and reviewed the Marine Corps' milestone dates and reported status as of July 18, 2011. For the third objective, we met with Army, Navy, Air Force, and Defense Finance and Accounting Service (DFAS) officials responsible for financial improvement and audit readiness efforts to obtain information on corrective actions they have initiated as a result of the Marine Corps SBR audit effort. We also reviewed DOD's FIAR Plan and FIAR Guidance and met with DOD Comptroller officials to obtain information on DOD-wide audit readiness initiatives. We conducted this performance audit from February 2011 through September 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I provides further details on our scope and methodology. 
Background:

DOD's FIAR Plan focuses on three goals: (1) achieve and sustain audit readiness; (2) achieve and sustain unqualified assurance on the effectiveness of internal controls; and (3) attain Federal Financial Management Improvement Act of 1996 (FFMIA) compliance for financial management systems that support effective financial management.[Footnote 8] The NDAA for Fiscal Year 2010 requires DOD to report to relevant congressional committees on the status of the implementation of the FIAR Plan twice a year--no later than May 15 and November 15.

Consistent with prior GAO recommendations[Footnote 9] and the NDAA for Fiscal Year 2010, the DOD Comptroller issued FIAR Guidance in May 2010 to provide standardized guidance for DOD components to follow in developing their Financial Improvement Plans (FIP). DOD components are expected to prepare a FIP in accordance with the FIAR Guidance for each of their assessable units. The FIPs are intended to both guide and document financial improvement efforts. When a component determines that it has completed sufficient financial improvement efforts for an assessable unit so that it is ready for audit, the FIP documentation is used to support its conclusion of audit readiness.

The Marine Corps SBR Effort:

The United States Marine Corps was established on November 10, 1775, to provide security to naval vessels and boarding parties and to conduct limited land engagements in support of naval operations. While the Marine Corps is a separate military service, it also is a component of the Department of the Navy, accounting for approximately $33.6 billion out of a total $179.4 billion in reported Department of the Navy fiscal year 2010 obligations.[Footnote 10] At the end of fiscal year 2010, the Marine Corps comprised 202,441 active duty Marines and 39,222 reserves. In addition, the Marine Corps employed approximately 17,000 civilian employees.
The Marine Corps first asserted financial audit readiness for its General Fund SBR on September 15, 2008. The DOD IG reviewed the Marine Corps' assertion package and, on April 10, 2009, reported that the assertion of audit readiness was not accurate, and that its documentation supporting the assertion was not complete. The DOD IG also reported that the Marine Corps had identified remediation activities that must be accomplished before an audit of its SBR was undertaken. While the Marine Corps made progress toward audit readiness during fiscal year 2009, the DOD IG reported that a number of issues led auditors to conclude that an audit of the Marine Corps' Fiscal Year 2009 SBR would not have positive results. The DOD IG reported that unless the issues were resolved, the risk of a disclaimer of opinion would be high. The DOD IG suggested that the Marine Corps consider requesting an audit of its Fiscal Year 2010 SBR and subsequently awarded a contract for the Marine Corps' Fiscal Year 2010 SBR audit.

Purpose of the Statement of Budgetary Resources:

The SBR is designed to provide information on budgeted spending authority reported in the Budget of the United States Government (President's Budget), including budgetary resources, availability of budgetary resources, and how obligated resources have been used. The SBR is an agencywide report that aggregates account-level information reported in the SF 133, Report on Budget Execution and Budgetary Resources,[Footnote 11] and links to the Program and Financing schedules in the President's Budget.[Footnote 12] The SBR consists of four separate but related sections that provide information about budgetary resources, status of budgetary resources, changes in obligated balances, and outlays for major budgetary accounts.

Budgetary Resources. This section shows total budgetary resources made available to the agency for obligation during the reporting period.
It consists of new budget authority, unobligated amounts available from prior reporting periods, transfers available from prior-year balances, reimbursements and other income, and adjustments such as recoveries of prior-year obligations. This information ties to information reported in related Program and Financing schedules in the President's Budget.

Status of Budgetary Resources. This section displays the status of budgetary resources at the end of the period and consists of obligations incurred and the unobligated balances at the end of the period that are available for future use and those that are unavailable except to adjust or liquidate obligations chargeable to prior period appropriations. The total for this section and for the Budgetary Resources section must be reconciled to the total status reported for the aggregate of all budget accounts on the Marine Corps SF-133, Report on Budget Execution and Budgetary Resources.

Change in Obligated Balance. This section displays the change in obligated balances during the reporting period. It consists of unpaid obligations brought forward from the previous year and obligations incurred in the current year, less current year outlays and recoveries of prior year unpaid obligations. The total change in obligated balance reflects the amount of unpaid obligations at the end of the accounting period and brought forward in the next period's financial statements. This information is reported in the related Program and Financing schedules in the President's Budget.

Outlays. This section shows the relationship between obligations and outlays and discloses the payments made to liquidate obligations, net of offsetting collections. Obligations are usually liquidated by means of cash payments (outlays) such as currency, checks, or electronic fund transfers. This section reconciles outlays with obligations incurred and the change in obligated balances during the year.
Outlays also are reported in the related SF-133 Report and Program and Financing Schedules in the President's Budget.

Inadequate Support for Accounting Transactions and Ineffective Controls Led to Disclaimer on the Marine Corps' SBR:

The DOD IG reported a disclaimer of opinion on the Marine Corps' Fiscal Year 2010 SBR because the Marine Corps did not provide timely and relevant supporting documentation for accounting transactions and disbursements in key areas, which prevented the auditors from completing the audit by the November 15, 2010, reporting deadline. A lack of documentation limited the scope of work the auditors could accomplish such that they were unable to render an opinion on the information presented. In addition, the auditors reported that ineffective internal control and ineffective controls in key financial systems should be addressed to ensure the reliability of reported Marine Corps financial information.[Footnote 13] The auditors identified 70 findings and made 139 recommendations to address the issues. The 139 recommendations related to support for transactions and internal control over basic accounting and financial systems. (See appendix II for a complete list of the audit findings, related recommendations, and Marine Corps action plans and reported status.)

Inadequate Support for Transactions:

The auditors reported that they did not receive timely, relevant, and complete supporting documentation for the accounting transactions selected for testing. The Defense Finance and Accounting Service location in Cleveland, Ohio, (DFAS-CL)--which performs accounting, disbursing, and financial reporting services for the Marine Corps--did not have effective procedures in place to ensure that supporting documentation for transactions was complete and readily available to pass basic audit transaction testing.
For example, the auditors found that DFAS staff had only retained selected pages of the documents supporting payment vouchers, such as the voucher cover sheet, and did not have the purchase order, receiving report, and the invoice to support payments made. Payment voucher documentation should include evidence of a contract or purchase order, a receiving report for the goods delivered, and an invoice showing evidence of review and approval. Documentation should also include evidence that the completeness and accuracy of its support for the related transactions has been verified. To address this problem, DFAS-CL staff took immediate action and conducted an extensive effort to re-image supporting documentation for transactions.

GAO's Standards for Internal Control in the Federal Government states that transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination for actions such as approvals, authorizations, verifications, reconciliations, monitoring, and performance reviews.[Footnote 14] Without such supporting documentation, it is not possible to verify whether payments were made in the appropriate amount for authorized purposes, and to the appropriate parties.

Other problems with documentation included the following:

* Difficulty identifying and providing complete populations of transactions that the auditors could confirm and use for substantive testing.[Footnote 15] The auditors made repeated requests to the Marine Corps for transaction-level detail for major accounts in order to select samples for their substantive testing. These delays had a negative effect on the timeline of the audit effort, and as a result, the auditors were able to perform only limited testing. This limited testing, however, identified 14 accounting and financial reporting weaknesses, resulting in 52 recommendations.

* Not providing timely and complete supporting documentation in response to auditor requests to support testing of beginning balances. For example, our review of auditor documentation showed that during the testing of four material accounts related to obligations for delivered and undelivered orders totaling $44.1 billion, 86 of the 897 sample items selected, with a dollar value of $1.3 billion, were not supported.

Ineffective Internal Control over Basic Accounting and Financial Systems:

During the planning phase of an audit, auditors assess the effectiveness of the design and operation of internal controls to determine control risk, which is used in determining the nature, extent, and timing of substantive procedures needed to achieve the desired level of detection risk. Auditors generally rely on the effectiveness of internal controls to reduce the level and amount of substantive testing required. However, in planning the fiscal year 2010 SBR audit effort, the auditors determined that they could not rely on the internal controls in the Marine Corps' processes and systems for assurance of the reliability of financial reporting on the information presented in its SBR. Ineffective internal controls require the auditors to expand their substantive testing. Accordingly, the auditors had to increase their substantive tests for the first-year SBR audit effort. Even with the increased audit testing, many key items remained unauditable as a result of the internal control problems. For example, the auditors reported the following:

* The Marine Corps could not provide evidence to the auditors that reconciliations for key accounts and accounting processes were being performed on a monthly basis. Specifically, the auditors could not test Fund Balance with Treasury (FBWT)--a key internal control for SBR audits--because the Marine Corps was unable to tie its balances to Treasury balances and transaction-level detail, leaving the FBWT unauditable.

* The Marine Corps recorded payments prior to recording the expense for various transactions, creating abnormal balances in the "Delivered orders, unpaid" account. The Marine Corps lacked effective processes and controls to assure timely recognition of expenses.

* The Marine Corps also did not have effective controls in place to support estimated obligations, referred to as "bulk obligations," to record a payment liability and as a result, was not able to reconcile the related payment transactions to the estimates. The Marine Corps estimates obligations in a bulk amount to record payment liabilities where it does not have a mechanism to identify authorizing documentation as a basis for recording the obligations.

The auditors also tested the controls over three major information technology (IT) systems used by the Marine Corps and reported numerous problems that required resolution. The three systems are the Marine Corps Total Force System (MCTFS), which is an integrated military personnel and payroll system; the Standard Accounting, Budgeting, Reporting System (SABRS), which is the Marine Corps' general ledger accounting system; and the Defense Departmental Reporting System (DDRS), which is a DOD-wide financial reporting system. The auditors found ineffective IT controls over all three systems. Examples of issues reported by the auditors include the following.

* Segregation of duties weaknesses caused by staff with incompatible functional access to the systems. For example, the auditors reported that the lack of segregation of duties allowed a user to both authorize and approve payment of transactions within SABRS.
Segregation of duties is a key internal control described in federal government internal control standards as the division of duties and responsibilities among different people to reduce the risk of error or fraud, and it includes the separation of responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets.[Footnote 16] The control is designed to help ensure completeness, accuracy, authorization, and validity of all transactions.

* A lack of controls over interfaces between systems to ensure completeness of the data being transferred. System interface controls are critical for ensuring the completeness and accuracy of data transferred between systems. The standards also call for controls to be installed at a system's interfaces with other systems to ensure that all inputs are received and valid and outputs are correct and properly distributed.[Footnote 17] If system interface controls are ineffective, the reliability of the data used for financial management is questionable.

* The lack of procedures to provide evidence of periodic review and approval of systems changes to assure their proper and timely implementation.

Marine Corps Remediation Plan Is Focused on Near-Term Outcomes:

The Marine Corps did not develop an overall corrective action or remediation plan that includes key elements of a risk-based plan. Instead, its approach to addressing auditor findings and recommendations focuses on short-term corrective actions based on extensive manual effort and adjustments to produce reliable financial reporting at year-end. Such efforts may not result in sustained improvements over the long term that would help ensure that the Marine Corps could routinely produce sound data on a timely basis for decision making.
We previously reported that using principles of risk management helps policymakers make informed decisions about best ways to prioritize investments, so that the investments target the areas of greatest need.[Footnote 18] We also previously reported that it is standard practice to have a strategy that lays out goals and objectives, identifies actions for addressing those objectives, allocates resources, identifies roles and responsibilities, and measures performance against objectives.[Footnote 19] However, we found that the Marine Corps' SBR Remediation Plan focused on individual initiatives to address 70 auditor Notices of Findings and Recommendations (NFR) that included 139 recommendations, without assessing risks, prioritizing actions, or ensuring that actions adequately responded to recommendations.[Footnote 20] Further, the plan did not identify resources, roles and responsibilities, or include performance indicators to measure performance against action plan objectives.[Footnote 21] Given the current efforts, goals, and timeframes for achieving auditability of the Marine Corps' Fiscal Year 2011 SBR, the current approach is understandably focused on short-term actions. However, achieving financial accountability that is sustainable in the long term will require reliable financial systems and sound internal controls. An effective remediation plan would help ensure that audit recommendations are fully addressed to deal with the short-term and long-term goals. GAO's Standards for Internal Control in the Federal Government states that managers are to (1) promptly evaluate findings from audits and other reviews, (2) determine proper actions in response to findings and recommendations from audits and reviews, and (3) complete within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention. 
[Footnote 22]

The Marine Corps has implemented an extensive SBR remediation effort that is focused on individual initiatives, referred to by the Marine Corps as plans of action and milestones (POAM), to address the 70 audit findings and 139 related recommendations aimed at remediating documentation, internal control, accounting, and information systems weaknesses. The Marine Corps reported that actions on 88 of the 139 recommendations, including weaknesses related to accounting and financial reporting and IT systems, were fully implemented; however, the completeness and effectiveness of most Marine Corps' actions have not yet been tested. DOD IG auditors told us that tests performed during the Marine Corps' fiscal year 2011 SBR audit effort will determine whether and to what extent the problems identified during the fiscal year 2010 SBR audit effort have been resolved. They also confirmed that as of August 25, 2011, the Marine Corps had remediated the problems on 11 of the IT audit recommendations. (Appendix II includes a list of auditor recommendations and the Marine Corps' planned remediation actions, targeted completion dates, and reported status.)

Remediation Actions Related to Accounting and Financial Reporting Process Issues:

The design of many of the actions taken by the Marine Corps relied on monitoring, a detective control, and high-level initial fixes to account balances that did not address root causes as well as other actions that were not consistent with the related auditors' recommendations. For example:

* Numerous action plans relied on issuing guidance and monitoring without correcting root causes. Marine Corps' remediation actions on 22 of the 56 accounting and financial reporting recommendations rely on issuing guidance, monitoring, or both in an attempt to quickly address identified weaknesses. Correcting underlying causes requires process improvements and in some cases, system changes.
For example, the Marine Corps does not have a process for capturing actual costs and expenditures for travel and shipments of household goods related to permanent change of station (PCS) moves associated with reassignments and military separations. Instead, it currently relies on data calls to estimate the population of obligations that need to be recorded to reflect a payment liability. As noted previously, these estimates are referred to as "bulk obligations." The auditors reported that the Marine Corps did not ensure that the estimated amount recorded for bulk obligations was reviewed and adjusted to reflect actual costs and expenditures. To address these findings, the Marine Corps developed additional guidance to support its current process for estimating bulk obligations and implemented a process to monitor the liquidation (payment) of bulk obligations. This process includes performing monthly and quarterly trend analysis of the estimated bulk obligations and liquidations. However, the guidance does not address the need for monthly reconciliations to identify and record necessary adjustments to reflect actual costs and expenditures. Marine Corps officials stated that they are working on a process to capture the related travel and household goods shipment authorizations as a basis for establishing and liquidating obligations, but they said they will need to rely on trend analysis and monitoring until process improvements are in place. Recording and liquidating obligations associated with travel and moving expenses often occurs over 2 or more fiscal years because for PCS moves that occur in the summer months, final bills may not be received until after the current fiscal year ends on September 30, or sometimes even later, for example, when household goods are stored during lengthy deployments. As shown in figure 1, during fiscal year 2010, the Marine Corps had recorded $43 million (unaudited) estimated bulk obligations for these types of expenses. 
As of September 30, 2010, Marine Corps had recorded only $20.2 million (unaudited) payments against those obligations. Payments against the 2010 obligations continued into 2011, with the liquidated amount of 2010 obligations increasing to $28.5 million (unaudited) at June 30, 2011.

Figure 1: Marine Corps Trend Analysis on Estimated Obligations and Liquidations Related to Fiscal Year 2010 Officer PCS Moves:

[Refer to PDF for image: multiple line graph]

Fiscal quarter: Q1, 2010:
Cumulative estimated obligation: $11.757 million;
Cumulative reported liquidation: $0.204 million.

Fiscal quarter: Q2, 2010:
Cumulative estimated obligation: $39.272 million;
Cumulative reported liquidation: $2.023 million.

Fiscal quarter: Q3, 2010:
Cumulative estimated obligation: $35.491 million;
Cumulative reported liquidation: $5.307 million.

Fiscal quarter: Q4, 2010:
Cumulative estimated obligation: $43.044 million;
Cumulative reported liquidation: $20.248 million.

Fiscal quarter: Q1, 2011:
Cumulative estimated obligation: $43.318 million;
Cumulative reported liquidation: $25.724 million.

Fiscal quarter: Q2, 2011:
Cumulative estimated obligation: $43.266 million;
Cumulative reported liquidation: $27.524 million.

Fiscal quarter: Q3, 2011:
Cumulative estimated obligation: $43.197 million;
Cumulative reported liquidation: $28.48 million.

Source: Unaudited Marine Corps data.

[End of figure]

Ineffective monitoring of estimated bulk obligations is a funds control weakness that can lead to ineffective use of budgetary resources if the estimates are too high and poses a risk of Antideficiency Act (ADA) violations if the estimates are too low.[Footnote 23] For example, if during the second year, the Marine Corps determined that estimated bulk obligations are higher than needed to cover the related payments, these 1-year funds will have expired and cannot be used for other priorities.
However, if the estimated bulk obligations were lower than the amount needed to cover the related payments, the Marine Corps could incur an ADA violation if it did not have sufficient funds otherwise available to cover the shortfall. The Army and the Navy experienced ADA violations related to their fiscal year 2008 military personnel appropriations as a result of the failure to monitor bulk obligations and determine whether obligations and expenditures were within statutory allocations of funds and appropriated amounts.[Footnote 24], [Footnote 25]

In addition, to assist the Marine Corps in monitoring key accounts, SABRS produces a variety of exception reports on a scheduled basis (daily, weekly, or monthly), which are sent to designated recipients throughout the Marine Corps. The reports identify abnormal transactions and balances that meet certain criteria, such as the transaction resulted in an accounting error, the transaction is dormant or has not been active for an inappropriate time, and the account balance is a negative instead of a positive amount. The guidance for the report recipients contains general instructions on correcting the transactions, but does not include any instruction on how the problem could be avoided in the future. While monitoring key accounts is a helpful tool to ensure the accuracy of the Marine Corps' accounting, it does not resolve the underlying accounting problems that caused the abnormal accounting conditions to occur.

* Many planned actions were not consistent with the related recommendations. Our analysis of the Marine Corps' remediation action plans found that actions on 20 of the 139 recommendations were not consistent with recommendations. For example, auditor tests of fiscal year 2010 beginning balances for "Delivered orders-obligations, unpaid" identified unliquidated obligations on old contracts for which performance was substantially complete.
The Marine Corps had not reviewed the obligations to determine whether they should be adjusted, as required by DOD policy.[Footnote 26] The DOD Financial Management Regulation (FMR) requires DOD components to perform Tri-annual Reviews (TAR) to monitor and confirm commitments, obligations, liquidations, accounts payable, and accounts receivable. The auditors found that the Marine Corps did not have an effective process for reviewing undelivered orders and unliquidated obligations, and recommended that they strengthen the TAR controls, whose weaknesses were the root cause of the finding. The lack of review of these "stale obligations" can be a significant problem in managing budgetary resources because unneeded funds are not identified in a timely manner, and once the related appropriation accounts expire, unneeded funds that were obligated cannot be used for other priorities. In response to these findings, Marine Corps officials stated that they have implemented a robust Tri-annual Review and Confirmation process for validating obligations. The auditors reported that the Marine Corps developed effective written procedures, but they found problems with the implementation of those procedures. Marine Corps officials told us that its TAR procedures will be included in its August 2011 review of internal controls over financial reporting.

* The Marine Corps has not fully addressed service-provider recommendations. At least 12 of the 139 recommendations and Marine Corps action plans directly address service-provider agreements and coordination. For example, the auditors recommended that the Marine Corps strengthen controls surrounding the monitoring of the coding of expenditures by DFAS to help ensure that contract payments will be recorded properly. The auditors also recommended that the Marine Corps establish policies and procedures for service-provider monitoring of system log-on controls and handling lost or compromised passwords.
In addition, the auditors recommended that the Marine Corps strengthen controls over the review of open obligations to identify any related to contracts that were no longer valid or open, or for which deliveries of goods or services were completed and needed to be billed. The effectiveness of contract monitoring efforts by Marine Corps program managers and buying commands and the Defense Contract Management Agency (DCMA) and the Defense Contract Audit Agency (DCAA) is an important element of Marine Corps review and management of commitments, obligations, liquidations, accounts payable, and accounts receivable.

Service-provider agreements are important for assuring the effectiveness of contract monitoring, audit, and closeout. As discussed in DOD's FIAR Guidance, service providers working with reporting entities are responsible for audit readiness efforts surrounding service-provider systems and data, processes and controls, and supporting documentation that have a direct effect on reporting entities' auditability. The FIAR Guidance also specifies that service-provider and reporting entity communications and understandings must be documented in a Service-Level Agreement or Memorandum of Understanding. The Marine Corps has been attempting to develop a new service-provider agreement with DFAS for nearly a year. However, the agreement remains in draft. Further, while the Marine Corps has no service-provider agreements with DCMA and DCAA, Marine Corps officials told us they discussed this matter with the FIAR Directorate as a DOD-wide issue.

Remediation Actions Related to IT System Weaknesses:

The Marine Corps' remediation action plans dealing with IT weaknesses do not adequately address recommendations on a number of issues, including system access controls, feeder systems, and the audit trail on the change-management process.
Specific issues include the following:

* The Marine Corps disagreed with six auditor recommendations to strengthen SABRS IT system controls over information processing. For three recommendations related to password and log-on controls, the Marine Corps action states that the Defense Information Systems Agency (DISA) and not DFAS is responsible for the actions. However, Marine Corps officials told us they had not contacted DISA officials to ensure that they would address the recommendations. For two recommendations related to data transfers between feeder systems and SABRS, the Marine Corps action states that legacy systems cannot accept acknowledgment of received transactions from SABRS. However, the Marine Corps did not take alternative action to assure the completeness and accuracy of data transfers. The sixth recommendation related to implementing edit checks to assure that transactions processed from a feeder system could only be entered into SABRS once. The Marine Corps action stated that DFAS and the Marine Corps already have sufficient checks in place to prevent the processing of the same transaction more than once. However, the Marine Corps did not explain these edit checks, or indicate that they had been tested and deemed to be effective.

* The auditors recommended that the Marine Corps work with DFAS to implement a solution to allow them to track all SABRS system changes being migrated to production and to retain evidence of management approval for all changes to SABRS. The Marine Corps reported that actions on this recommendation have been fully implemented. However, the Marine Corps reported its action on this recommendation as "The signature approval block has been removed as signature is no longer required." This reported action does not explain how the recommendation was addressed and raises questions about whether the recommendation has in fact been addressed.
Lessons Learned from the Marine Corps' SBR Audit Effort:

The Marine Corps' fiscal year 2010 SBR audit results provide valuable lessons on preparing for a first-time financial statement audit. As we recently testified, lessons learned from the Marine Corps' SBR audit effort can provide a roadmap to help other DOD components achieve audit readiness through strengthening their financial management processes to increase data reliability as they develop their own action plans in preparation for their first-time audits.[Footnote 27] While the Marine Corps SBR effort and resulting auditor findings and recommendations identified numerous issues for the other military services to consider in their audit readiness efforts, we identified five overall lessons that are critical to success. Specifically, the Marine Corps' experience demonstrated that prior to asserting financial statement audit readiness, DOD components must:

* confirm completeness of populations of transactions and address any abnormal transactions and balances,

* test beginning balances,

* perform key reconciliations,

* provide timely and complete response to audit documentation requests, and

* verify that key IT systems are compliant and auditable.

Officials responsible for Navy, Army, and Air Force FIPs as well as other financial management officials told us that they are aware of the Marine Corps lessons. Navy officials told us they are updating their audit readiness plan to address all five areas. Navy officials discussed several examples of actions they plan to include in their revised audit readiness plan. However, the plan, which is still in draft, is incomplete, and Navy officials did not provide us a copy of the draft document.
Navy officials explained that the initial POAM, which is targeted for completion by December 16, 2011, is a living document that would be modified as the evaluation of Navy business and financial processes unfolds, deficiencies are identified, and corrective actions are implemented. Army and Air Force officials indicated that they are addressing some but not all of these lessons in their audit readiness efforts.

Overall, the procedures required by DOD's FIAR Guidance are consistent with Internal Control Standards and selected procedures for conducting financial statement audits, such as reconciling the population of transactions to be tested and conducting tests of information system controls. We found that the five issues identified as critical lessons from the Marine Corps SBR audit effort are addressed in the FIAR Guidance. As the Navy, Army, and Air Force move forward in developing and implementing their FIPs, it will be critical for them to take into account the lessons learned during the course of pilot audit efforts, such as the Marine Corps SBR. Adherence to the FIAR Guidance in these areas can help ensure that the military service FIPs provide the needed audit readiness procedures. The following sections discuss each of the five lessons resulting from the Marine Corps SBR effort and the status of the military services' efforts to ensure that their respective FIPs address these lessons in accordance with FIAR Guidance.

* Confirm completeness of transaction populations. DOD's FIAR Guidance includes steps to address the completeness of transaction populations during the audit readiness work. During the fiscal year 2010 SBR audit effort, the auditors made multiple requests for Marine Corps transaction-level detail for key SBR accounts, such as "Undelivered orders-obligations, unpaid." The multiple attempts caused significant delays and the auditors were not able to complete their audit effort.
Navy FIP and other financial management officials told us that they identified problems with the way transactions map to general ledger accounts that make it difficult to identify transaction populations. For example, the officials explained that general ledger account numbers changed over the years, requiring multiple maps from accounting systems to the Defense Departmental Reporting System, and field staff had occasionally created their own general ledger accounts without coordinating with DFAS officials who maintain the U.S. Standard General Ledger (USSGL) chart of accounts. Navy officials noted that these problems prevent the reconciliation of Unadjusted to Adjusted Trial Balances and FBWT reconciliations, and impede overall funds control. The officials explained that the Navy is updating its audit readiness plan to address these problems. Army and Air Force FIP officials we met with said they were aware of the Marine Corps audit findings. However, they did not discuss efforts to identify complete populations of transactions or ensure that transactions properly map to USSGL accounts.

* Test beginning balances. DOD's FIAR Guidance discusses the importance of confirming beginning balances. A first-year SBR audit requires substantial testing to confirm beginning balances. Because this testing involves transactions that originated in prior years, the auditors examine documents from current and prior periods, including contracts, receiving reports, invoices, and disbursement records to verify beginning balances. During its fiscal year 2010 SBR audit effort, the Marine Corps did not provide complete supporting documentation, resulting in this key lesson learned. Navy audit readiness efforts and DOD's FIAR Guidance include steps to address the testing of beginning balances during the audit readiness work.
The Navy FIP and other financial management officials we interviewed noted that earlier audit readiness discovery efforts were not sufficient to confirm beginning balances, and problems subsequently identified with assignment of USSGL account numbers and mapping of transactions to the proper accounts will need to be resolved to ensure the auditability of beginning balances. DFAS is actively working with the Navy in this effort. Army and Air Force FIP officials recognized the importance of confirming beginning balances, but they did not provide information on their efforts in this area.

* Perform key reconciliations. DOD's FIAR Guidance includes steps to perform key reconciliations during the audit readiness efforts. The completion of key reconciliations is essential to financial statement auditability. During the fiscal year 2010 Marine Corps' SBR audit effort, the Marine Corps did not have processes in place to reconcile key accounts. For example, without transaction-level detail, the Marine Corps was unable to reconcile its FBWT. In addition, the Marine Corps had to make repeated attempts to reconcile the Unadjusted Trial Balance to the Adjusted Trial Balance. Navy FIP and financial management officials told us that the Navy has identified Unadjusted to Adjusted Trial Balance and FBWT reconciliations as key requirements to be completed before asserting audit readiness. The Navy's target for FBWT audit readiness is the fourth quarter of fiscal year 2012. In December 2010, the Air Force asserted that its FBWT was auditable. The Air Force FBWT audit readiness assertion is currently under review by an independent public accounting firm. The Army's target for FBWT audit readiness is the first quarter of 2015.

* Provide timely and complete responses to audit documentation requests. DOD's FIAR Guidance includes steps for achieving a timely and complete response to audit documentation requests during the audit readiness work.
The auditors reported that the Marine Corps did not consistently provide timely and accurate audit documentation. DFAS stated that this NFR was its responsibility. Such documentation is needed to determine whether a transaction being tested was authorized, the goods and services were received, the invoice was approved for payment, and the funds disbursed were correct. Navy FIP and other financial management officials told us they are working closely with DFAS-CL and DFAS-Columbus (DFAS-CO) to ensure that audit documentation will be available to support auditor requests. The DFAS-Indianapolis (DFAS-IN) FIAR team officials are aware of this requirement. Army and Air Force FIP officials we met with did not discuss audit readiness efforts in this area. The Marine Corps established a Web site to facilitate the exchange of audit information, including auditor requests for information, samples, and supporting documentation, and financial manager submission of documents in response to auditor requests. Web sites for timely exchange of a high volume of documentation are useful for facilitating audits of large organizations. However, Army and Air Force FIP officials told us they do not have plans to establish such a Web site for exchanging information.

* Verify that key IT systems are compliant and auditable. DOD's FIAR Guidance includes steps for verifying that key IT systems are auditable. During the Marine Corps SBR audit effort, the auditors issued numerous Notices of Findings and Recommendations reporting that key application systems used by the Marine Corps did not have effective controls, which impacted their auditability. The auditability of key application systems, including military payroll systems, accounting systems, and financial reporting systems, is essential to achieving and sustaining an audit opinion.
The Navy FIP Leader and other Navy officials told us that they have determined that the Navy's Standard Accounting and Reporting System-Field Level (STARS-FL) general ledger accounting system does not append account identifiers to transactions. Without this identifier, the Navy will be unable to reconcile its FBWT at the appropriation level. The lack of an account identifier also impairs the resolution of problem disbursements. The Navy also is implementing the Navy Enterprise Resource Planning System (Navy ERP), which is intended to standardize the acquisition, financial, program management, maintenance, plant and wholesale supply, and workforce management capabilities at Navy commands. Once it is fully deployed, the Navy estimates that the system will control and account for approximately $71 billion, or 50 percent, of the Navy's estimated appropriated funds, after excluding the appropriated funds for the Marine Corps and military personnel pay and allowances. In October 2010, we reported that the Navy ERP schedule for full deployment had slipped 2 years from 2010 to 2012.[Footnote 28] DOD officials have said the successful implementation of enterprise resource planning (ERP) is key to resolving the long-standing weaknesses in the department's business operations in areas such as business transformation and financial management.

The Army has acknowledged problems with its General Fund Enterprise Business System (GFEBS). These problems include incomplete data, which affects the reliability of financial reporting and the lack of visibility of available funds and poses a risk of ADA violations. The Army estimates that when fully implemented, GFEBS will be used to control and account for about $140 billion in spending. Army officials told us that GFEBS deployment consists of eight waves with full implementation in July 2012 to support the ultimate goal of audit readiness by 2017.
The Air Force is developing a new ERP general ledger system--called the Defense Enterprise Accounting and Management System (DEAMS). DEAMS is intended to provide the Air Force the entire spectrum of General Fund financial management capabilities, including collections, commitments and obligations, cost accounting, general ledger, funds control, receipts and acceptance, accounts payable, and disbursement, billing, and financial reporting. According to Air Force FIP officials, when DEAMS is fully operational, it is expected to maintain control and accountability for about $160 billion. In October 2010, we reported that the Air Force's schedule for full deployment of DEAMS had slipped 3 years from 2014 to 2017.[Footnote 29]

The Marine Corps SBR audit effort also identified problems with DOD-wide systems, including the Defense Departmental Reporting System, the Defense Cash Accountability System, and the Mechanization of Contract Administration Services (MOCAS). MOCAS is a 50-year-old legacy system. Navy officials noted that MOCAS processes about one third of the Navy's transactions. Navy officials also told us that DOD has serious data reliability concerns with MOCAS, including proper recording and reporting of contract payment accruals. Navy and Air Force FIP officials told us they are coordinating with DFAS-CO on MOCAS audit readiness support and Army FIP officials said they plan to do so in the fall of 2011 or winter of 2012.

Conclusions:

The Marine Corps learned some valuable lessons in the attempted fiscal year 2010 audit of its SBR; however, it still faces significant challenges in achieving auditability of its basic budgetary and spending information. In addition, lessons learned from the Marine Corps' SBR audit effort can provide a valuable roadmap to help other DOD components strengthen their financial management processes and achieve audit readiness.
The Marine Corps has undertaken numerous actions to correct the many deficiencies identified during its SBR audit effort, but many actions are incomplete, rely on detective controls rather than preventive controls, and do not address the underlying weaknesses. Many of the actions are also dependent on the effectiveness of DOD-wide system and process improvements, which are still in process. In order to help ensure that actions dependent on other components are implemented in an effective manner, it is critical that the Marine Corps develop effective service-provider agreements with DFAS and other DOD service providers. Finally, in meeting DOD's overall goals of financial management improvement and audit readiness, it is essential that the other military services and DOD components, such as DFAS, take timely, diligent action to fully leverage the fundamental lessons resulting from the Marine Corps SBR audit effort. Unless the military services embrace basic accounting and internal control steps, such as confirming beginning balances and performing needed reconciliations, the prospects for achieving audit readiness in any area will remain uncertain. DOD's FIAR Guidance, if effectively implemented, would help the military services ensure that their FIPs include these basic steps. A successful SBR audit is an important tool in providing accountability and discipline over the budgetary resources provided by Congress and ultimately by the American taxpayers. Such accountability and transparency is a basic responsibility made even more critical given the current fiscal constraints faced by our nation.

Recommendations for Executive Action:

We are making four recommendations to improve Marine Corps and Department of Defense (DOD) audit readiness efforts.
First, we make three recommendations to the Secretary of the Navy to direct the Commandant of the Marine Corps to take the following actions: * Using the results of the fiscal year 2010 and 2011 SBR audit efforts, develop a comprehensive, risk-based plan for designing and implementing corrective actions that provide sustainable solutions for SBR auditor recommendations. Such a plan should identify goals and objectives, identify and prioritize actions for addressing those objectives, allocate resources, assign roles and responsibilities, and measure performance against objectives. * Review Marine Corps SBR remediation actions under way and confirm that actions are fully responsive to the auditor recommendations. * For remediation actions that require coordination and action on the part of other DOD components, such as DFAS, DCMA, and DCAA, require the Marine Corps to develop and implement timely and effective service-provider agreements with the appropriate DOD components in accordance with the FIAR Guidance. These agreements should identify roles and responsibilities, the individuals responsible for those activities, and performance measures that establish accountability. In addition, to help fully leverage lessons learned from the first-year Marine Corps SBR audit effort, we recommend that the Secretary of Defense direct the Secretaries of the Army, the Navy, and the Air Force to consider the fundamental lessons resulting from the Marine Corps effort and incorporate the lessons, as appropriate, in their respective FIPs. Agency Comments and Our Evaluation: We received written comments from the Department of Defense (DOD) on September 13, 2011, stating that the department agreed with three of our four recommendations. 
DOD also stated that as we pointed out, most issues identified are not unique to the Marine Corps and noted that all DOD reporting components are working with the Defense Finance and Accounting Service and other service-providers to address these issues. However, DOD's letter states that the Marine Corps and its service providers have made far more progress in remediation than our report indicates. DOD's letter also states that it disagrees with several of the statements in our report related to the Marine Corps' remediation plan and that the report does not present a fair assessment of the Marine Corps' remediation efforts as a whole. However, most Marine Corps' corrective actions have not yet been confirmed by the DOD Inspector General (IG), and accordingly, the success of the Marine Corps' efforts to date in remediating weaknesses is unknown at this time. DOD's written comments are reprinted in appendix III. We summarize and evaluate DOD's comments and responses to our recommendations below. We made technical corrections and clarifications suggested by DOD in the body of our report, where appropriate. DOD did not agree with our recommendation that the Marine Corps develop a comprehensive, risk-based plan for designing and implementing corrective actions to its Statement of Budgetary Resources, commenting that the recommendation was overly prescriptive. As stated in our report, we are concerned that the Marine Corps' approach to addressing auditor findings and extensive manual effort and adjustments to produce reliable financial reporting at year-end. Such efforts may not result in sustained improvements over the long term that would help ensure that the Marine Corps routinely produces sound data on a timely basis for decision making. In response to DOD's comment, we clarified our recommendation to indicate that fiscal year 2010 and 2011 audit results should be considered in developing a comprehensive plan to address auditor recommendations. 
DOD also stated that the Marine Corps contends that the referenced Standards for Internal Control in the Federal Government[Footnote 30] does not have a requirement that management must identify resources, roles and responsibilities, or include performance indicators to measure performance against action plan objectives. DOD stated that the Marine Corps fully complied with the three requirements noted in the standard to (1) promptly evaluate findings from audits and other reviews, (2) determine proper actions in response to findings and recommendations from audits and reviews, and (3) complete within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention. Our reference to the internal control standards relates to our finding that the Marine Corps had not fully addressed all audit recommendations. As stated in our report, the Marine Corps' remediation action plans dealing with information technology (IT) system weaknesses do not adequately address recommendations on a number of issues, including system access controls, federal systems, and the audit trail on the change-management process. In addition, as noted in appendix II of our report, the Marine Corps disagreed with several IT system recommendations and did not plan corrective actions to address them. However, our overall concern with the Marine Corps' remediation plan is that given the large number of recommendations and the need for long-term actions that will result in sustainable improvement, the Marine Corps could benefit from a risk-management approach to its remediation plan. Such an approach helps policymakers make informed decisions about the best ways to prioritize investments, so that the investments target the areas of greatest need. This is particularly important in an environment where resources are limited. 
Further, as additional findings and recommendations are identified during the Marine Corps' Fiscal Year 2011 SBR audit, it will be important to assess risk and prioritize actions to address them. We therefore continue to believe that this recommendation, as revised, has merit. We are sending copies of this report to the Secretary of Defense, the Under Secretary of Defense (Comptroller/Chief Financial Officer), the Secretary of the Navy, the Assistant Secretary of the Navy for Financial Management and Comptroller, the Commandant of the Marine Corps; the Fiscal Director of the Marine Corps; the Directors of DFAS, DFAS-Cleveland, and DFAS-Columbus; the Director of the Office of Management and Budget; and appropriate congressional committees. In addition, the report is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions about this report, please contact me at (202) 512-9869 or khana@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Asif A. Khan: Director, Financial Management and Assurance: List of Requesters: The Honorable Thomas R. Carper: Chair: The Honorable Scott P. 
Brown: Ranking Member: Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Claire McCaskill: Chair: Subcommittee on Contracting Oversight: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn: Ranking Member: Permanent Subcommittee on Investigations: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable John McCain: United States Senate: [End of section] Appendix I: Objectives, Scope, and Methodology: We were requested to determine (1) the primary reasons why the Marine Corps was unable to obtain an opinion on its Fiscal Year 2010 SBR, (2) the effectiveness and reported status of the Marine Corps' remediation plan design and implementation, and (3) military service and Defense Finance and Accounting Service (DFAS) efforts to leverage Marine Corps SBR audit lessons learned. To determine the primary reasons for the disclaimer of opinion, we reviewed DOD IG audit documentation, the auditor notices of findings and recommendations (NFR), the Marine Corps' response to the auditors' findings and conclusions, the Marine Corps' management assertion letter, the auditors' report and more detailed management letter, and the Marine Corps' response to the report. To determine the effectiveness and reported status of the Marine Corps' remediation plan design and implementation, we reviewed the Marine Corps' action plans for addressing auditor NFRs, which are described in Program Objectives and Milestone (POAM) documents. 
We considered corrective action guidance included in DOD's Financial Improvement and Audit Readiness (FIAR) Guidance as well as GAO's Standards for Internal Control in the Federal Government.[Footnote 31] We analyzed the Marine Corps' remediation plans to determine whether Marine Corps corrective actions were appropriately designed to resolve the problems identified during the audit effort, including actions to address identified weaknesses in accounting and financial reporting and key information technology (IT) systems. We also reviewed the Marine Corps' milestone dates for completing remediation actions, the reported status of Marine Corps actions as of July 18, 2011, and DOD IG confirmation of Marine Corps implementation. To determine the military service efforts to leverage Marine Corps SBR audit lessons learned, we met with Army, Navy, Air Force, and Defense Finance and Accounting Service (DFAS) financial managers to discuss actions they had initiated as a result of the Marine Corps audit effort. We also reviewed DOD's FIAR Plan and FIAR Guidance and met with DOD Comptroller and FIAR officials to determine the status of their efforts to ensure the lessons are addressed in the military service's audit readiness plans. We reviewed lessons learned documentation provided by the military services. We also reviewed the FIAR Guidance to determine whether it included information that would help address the key lessons learned from the Marine Corps SBR audit effort. We conducted this performance audit from February 2011 through September 2011 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate audit evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 
[End of section] Appendix II: Reported Status of Marine Corps Actions on Recommendations from the Fiscal Year 2010 Statement of Budgetary Resources Audit Effort: This appendix presents the recommendations related to accounting and financial reporting findings and information technology (IT) system findings from the United States Marine Corps (USMC) Fiscal Year 2010 Statement of Budgetary Resources (SBR) audit effort. The auditors communicated 14 notices of findings and recommendations (NFR) related to accounting and financial reporting processes and 56 findings related to IT system weaknesses. These NFRs resulted in 139 recommendations, which are shown in tables 1 through 4. The USMC has indicated that several actions had been completed as of July 18, 2011, but the effectiveness of all but 11 Marine Corps' actions had not yet been confirmed by the auditor. Department of Defense (DOD) Inspector General (IG) auditors stated that ongoing testing for the audit of the Marine Corps Fiscal Year 2011 Statement of Budgetary Resources likely would confirm the effectiveness of Marine Corps remediation actions. The DOD IG's report on the Marine Corps' fiscal year 2011 SBR audit will be issued in November 2011. Table 1 presents the recommendations related to the Marine Corps' accounting and financial reporting processes; the Marine Corps' action plans to remediate these recommendations, reported implementation status, and targeted completion dates; and notes whether the DOD IG has confirmed the effectiveness of the Marine Corps' implementation. Table 1: DOD IG Recommendations, Reported Status of USMC Actions on Accounting and Financial Reporting Process Issues as of July 18, 2011, and DOD IG Confirmation of Status as of August 25, 2011: NFR 1: Improper Accrual of Delivered Orders, Unpaid: Recommendations: 1. 
Analyze or reconcile all delivered orders recorded as commit, obligate, and expend (COE) for the noted types of bulk obligations and any other obligation types that are known to management as of 9/30/09; USMC action plan: NFR 1: Improper Accrual of Delivered Orders, Unpaid: All USMC Commands and HQMC participated in a data call to identify the universe and value of all bulk obligations and expense transactions using a standard document template. Improper accrual transactions are closely related to the bulk obligations that are referenced in "NFR 2: Lack of Review of Estimated Bulk Obligations"; Targeted completion date: 7/21/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: The USMC Marine Corps Programs, Resources, Accounting and Financial Systems Branch (commonly referred to as the Accounting Branch, or RFA) independently queried the core accounting system to identify the universe of manually entered COE transactions into SABRS; Targeted completion date: 8/18/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Analyzed validity of Delivered and Undelivered Orders; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Audit Support team selected a sample of documents related to COE transactions under review to evaluate implementation of management guidance and the adjusted values reported on the financial statements. This review included a validation of a system change that eliminates the manual entry of a COE in SABRS; Targeted completion date: 10/14/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. 
For any unsupported amounts and/or any amounts that may no longer be necessary to remain in delivered or open status, adjustments should be recorded to reverse or decrease the accrued delivered orders; USMC action plan: Developed a Prior Period Adjustment (PPA) package which contained JV adjustments and approvals for unsupported COE transactions and which will be corroborated by a detail schedule of unsupported transactions; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Stop recording COEs unless there are strong reconciliation controls implemented to ensure that amounts that remain open beyond fiscal year-end are related to amounts that will actually be delivered against the related obligation; USMC action plan: USMC initiated Systems Change Requests (SCR) to eliminate the Document Identifier Code (DIC) COE for the movement of household goods via the Marine Corps Permanent Duty Travel (MCPDT) application as well as for manual COEs in SABRS; Targeted completion date: 9/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. Strengthen internal controls surrounding the substantiation of obligated amounts recorded for bulk obligations by preparing and maintaining detailed schedules that agree to the amounts recorded within the general ledger; USMC action plan: The USMC has developed and distributed bulk obligation and expense management guidance to define monitoring efforts to ensure obligation accuracy, accrual estimation, and sustainment via reconciliation procedures; Targeted completion date: 8/13/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 5. 
Make sure that all recorded amounts are supported by sufficient, competent audit evidence, such as the calculation bases or historical analysis for any recorded estimates; USMC action plan: Based on remediation actions and previous efforts to monitor abnormal condition, the USMC effectively eliminated the recognition of manual accruals that are unsupported or lack appropriate audit evidence given the system changes which have eliminated manual expense entries. Therefore, historical analysis is only applicable to timing differences at period end (e.g., MOCAS JV process) where additional analysis is ongoing. The USMC is proceeding with improved accrual estimation via the implementation of an automated accrued liability module that will allow for accurate recognition of period-end expenses. SABRS functional requirements have been designed and implemented; Targeted completion date: 6/30/2010; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 6. Implement review controls at least annually, if not quarterly, to reconcile amounts of accrued delivered orders and identify potential amounts that should be deobligated; USMC action plan: The USMC has developed and distributed bulk obligation and expense management guidance to define monitoring efforts that ensure obligation accuracy, accrual estimation, and sustainment via reconciliation procedures; Targeted completion date: 8/13/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR 2: Lack of Review of Estimated Bulk Obligations: Recommendations: 1. Correct all noted errors identified during Beginning Balance Testing; USMC action plan: The USMC analyzed the validity of delivered and undelivered orders recorded in the Statement of Budgetary Resources; Targeted completion date: 7/21/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: For unsupported amounts, the USMC prepared adjusting journal entries to correct the overstatement of unpaid obligations impacting the presentation of the Fiscal Year 2010 Statement of Budgetary Resources; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Ensure that expenses are recorded when a liability exists and not at the time of obligations; USMC action plan: USMC initiated Systems Change Requests (SCR) to eliminate the Document Identifier Code (DIC) COE for the movement of Household Goods via the Marine Corps Permanent Duty Travel (MCPDT) application as well as for manual COEs in SABRS. This essentially eliminates the manual recording of the expense at the time when the obligation is entered into the core accounting system (SABRS). Additional monitoring via abnormal and periodic reporting requirements has consistently been a component to the USMC "Deadly Sins" reporting package and Tri-Annual Review (TAR) process. These are monitoring mechanisms that are codified within Marine Corps Order (MCO) 7300.21A, Marine Corps Financial Management Standard Operating Procedure Manual. Action beyond these steps would reside within the Marine Corps' accrual estimation process that is currently under implementation (referenced above); Targeted completion date: 9/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. The use of bulk/estimated obligations should be limited to extreme instances when actual amounts are not known; USMC action plan: The USMC developed and distributed bulk obligation and expense management guidance to define monitoring efforts that ensure obligation accuracy, accrual estimation, and sustainment via reconciliation procedures; Targeted completion date: 8/13/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. 
When bulk/estimated obligations are necessary, strengthen the controls regarding the use of estimates and support the estimation methodology; USMC action plan: The USMC developed and distributed bulk obligation management guidance to define monitoring efforts that ensure obligation accuracy, accrual estimation, and sustainment via reconciliation procedures; Targeted completion date: 8/13/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 5. Ensure existing bulk obligation documents must be reviewed for activity and the beginning balance for obligation be adjusted accordingly; USMC action plan: The USMC analyzed the validity of delivered and undelivered orders recorded in the Statement of Budgetary Resources; Targeted completion date: 7/21/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: For unsupported amounts, the USMC prepared adjusting journal entries to correct the overstatement of unpaid obligations; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 6. All current year and future transactions that used the bulk/estimated obligation and expense must be reviewed and fully supported as proper; USMC action plan: The USMC developed and distributed bulk obligation management guidance to define monitoring efforts that ensure obligation accuracy, accrual estimation, and sustainment via reconciliation procedures; Targeted completion date: 8/13/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: The Marine Corps audit support team selected a sample of bulk documents in order to evaluate both the implementation of the guidance and the adjusted values reported on the financial statements; Targeted completion date: 10/21/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-3: Liquidation Precede the Recording of Expenses: Recommendations: 1. Strengthen controls surrounding the recordation of expenses prior to, or at the point, of funds disbursal; USMC action plan: Developed management guidance and produce monthly reports from which USMC Commands and HQMC can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Created and implemented a rigorous TAR and Confirmation process to ensure accurate and judicious financial information that provides USMC financial managers and senior leadership with a clear financial picture in order to be good stewards of public funds, accurately account for funds spent, and to comprehend the impact when expending limited financial resources; Targeted completion date: 2/1/2011; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: NFR 1: As a normal course of business, intragovernmental transactions often result in disbursement processing where the USMC is not in receipt of substantiating documentation to ensure delivery, receipt and acceptance of goods or service. While the USMC has published guidance to address proper due diligence in obtaining substantiating evidence to support the proper recording of the expense, the performing activities are remiss in supporting our requests. 
Therefore, this matter has been elevated for support and substantiation by the Defense Finance and Accounting Service (DFAS) and other service support agencies and departments; Targeted completion date: 10/1/2011; Status according to Marine Corps: Action initiated; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Correct the errors noted during testing of the beginning balances; USMC action plan: Initiated an adjusting journal entry to address auditor identified concerns relating to the noted NFR and other similarly identified issues in order to effect the correct representation on the financial statement; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Record the liability prior to the disbursement/liquidation so that account 4801 - Undelivered Orders is reduced and amounts are posted to 4901-Delivered Orders, Unpaid; USMC action plan: Implementing automated accrued liability module that will allow for accurate recognition of period-end expenses. SABRS functional requirements have been designed and implemented. Monthly accruals are anticipated to begin 30 June 2011; Targeted completion date: 6/30/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-4: Lack of Sufficient Audit Evidence to Substantiate Obligations, Expenses, and Disbursements Recorded: Recommendations: 1. Analyze the identified transactions from Beginning Balance Testing that were unsupported and obtain the related supporting documentation. If not available, record adjustments to remove any unsubstantiated amounts from the general ledger; USMC action plan: USMC initiated a JV adjusting entry in the DDRS-AFS for bulk transactions where no support can be obtained or derived; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: For COE transactions where no support or adjustment is evident, RFA initiated a comprehensive adjustment initiative that will effectively eliminate all remaining balances for all manually entered COE transactions; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: NFR 1: Initiated Internal Control over Financial Reporting (ICOFR) review of TAR functions and management support for TAR certifications in order to strengthen responsiveness and reliability of fund holder review of obligation, expenses, and liquidations; Targeted completion date: 6/17/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Identify if there are any consistent themes noted during the analysis of the noted errors, such as common transaction types or any specific commands that seem to have a higher error rate than others, we recommend that further efforts be undertaken to perform additional review of these types of transactions or transactions running through any identified commands. If any common themes and/or problem commands are identified, we recommend that management develop and implement the appropriate internal controls guidance, and provide training to the necessary personnel; USMC action plan: Performed analysis of core remediation areas and implemented updates and corrections to systems and management guidance on proper recording and review of financial events. Guidance updates include improved FBWT Standard Operating Procedure (SOP), Military Payroll reconciliation SOPs, and updates to MCO 7300.21A with forthcoming Document Type Code and Reimbursable Type Code documentation and analysis. 
Audit remediation efforts also yielded improved systems functionality and representation of transaction-level details; Targeted completion date: 7/11/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Implement internal controls to ensure that sufficient, competent, and independent evidence is maintained and readily available upon request pursuant to USMC, DOD, GAO, and OMB guidance. Additionally, we recommend that the USMC ensure this documentation traces to and supports the amounts recorded within SABRS; USMC action plan: Published management guidance that empowers Commands and HQMC with information resource tools that enable the timely retrieval of source documentation to support audit requirements and assist in providing complete audit sample documentation; Targeted completion date: 9/3/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-5: Advances Recorded That Are Actually Contract Financing Payments: Recommendations: 1. Correct errors noted during the performance of Beginning Balance Testing; USMC action plan: The Marine Corps and DFAS teams have identified all 6W transactions impacting all general ledger balances. The universe was confirmed as accurate via a comparative assessment of independent data extracts that were independently performed by DFAS and USMC RFA (resources and accounting and personnel); Targeted completion date: 8/31/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Based on the universe identified with the above corrective action, the DFAS audit support team engaged in an exhaustive reconciliation of the 6W transaction type code processing in order to ensure that progress payments are properly classified and/or updated for noted variances; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: RFA initiated a comprehensive adjustment initiative that will effectively reclassify progress payments from general ledger accounts 4802 to 4902; Targeted completion date: 9/30/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Strengthen controls surrounding the monitoring of the coding of expenditures by the accounting service provider (DFAS) so that the contract financing payments will be recorded properly; USMC action plan: An SCR has been processed that effectively eliminates the automatic change of the transaction type code reflected in Defense Cash Accountability System. Subsequent to SCR processing, DFAS review of associated Marine Corps transactions indicates that the system change was successful. In addition, DCAS users at DFAS-Columbus were provided instruction on the proper processing of transaction type codes; Targeted completion date: 4/10/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Evaluate contract payments at the transaction level to determine if the payment should be classified as an advance or as a contract financing payment and correct the beginning balances accordingly; USMC action plan: The USMC and DFAS teams are engaged in processing appropriate redistribution of payments to correct the erroneous transaction type code postings; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: The USMC has initiated a process to correct the SABRS table posting logic to correctly classify contract financing payments; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: RFA has initiated a comprehensive adjustment initiative that will effectively reclassify progress payments from general ledger accounts 4802 to 4902; Targeted completion date: 9/30/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. Correct current year transactions that used the same process to contract payments and ensure future payments are recorded properly; USMC action plan: RFA has initiated a comprehensive adjustment initiative that will effectively reclassify progress payments from general ledger accounts 4802 to 4902; Targeted completion date: 9/30/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-6: Lack of Review of Stale Obligations Recorded: Recommendations: 1. Analyze the noted errors in appropriate U.S. Standard General Ledger (USSGL) accounts 4801, 4802, and 4901, and determine whether these amounts are still valid. Analyze all other open undelivered orders and delivered orders to make sure that these amounts remain valid. If not, then adjustments need to be recorded accordingly; USMC action plan: For each bulk transaction identified in the data call, HQMC have initiated an analysis of the validity of delivered and undelivered orders recorded in the SBR; Targeted completion date: 7/15/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: For each COE transaction identified, RFA has initiated an analysis of the validity of delivered and undelivered orders recorded in the SBR; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: The USMC developed management guidance and produce monthly reports from which Marine Corps Commands can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Initiated Internal Control over Financial Reporting (ICOFR) review of Tri-annual Review (TAR) functions and management support for TAR certifications in order to strengthen responsiveness and reliability of fund holder review of obligation, expenses and liquidations; Targeted completion date: 6/17/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Identify if there are any consistent themes within these problem items, such as common transaction types or any specific commands that seem to have a higher error rate than others, we recommend that further efforts be undertaken to perform additional review of these types of transactions or transactions running through any identified commands, and adjustments be made accordingly to correct any noted error. If so, we also recommend the development and implementation of guidance and training to prevent these deficiencies from occurring in the future; USMC action plan: Performed analysis of core remediation areas and implemented updates and corrections to systems and management guidance on proper recording and review of financial events. Guidance updates include improved FBWT SOP, Military Payroll reconciliation SOPs, and updates to MCO 7300.21A with forthcoming Document Type Code and Reimbursable Type Code documentation and analysis. Audit remediation efforts also yielded improved systems functionality and representation of transaction-level details; Targeted completion date: 7/11/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. 
Strengthen controls for those contracts that are managed internally by USMC contracting officers surrounding the review of open obligations and more specifically related to the use of procurement appropriations to ensure a more timely and active review of the contracts and identification of needs that are no longer valid. Funds Managers, Contracting Officer Technical Representatives (COTR), and Contracting Activities should be corresponding on or about, if not prior to the expiration of the period of performance to ensure timely contract closeout; USMC action plan: Created and implemented a rigorous TAR and confirmation process to ensure accurate and judicious financial information provides Marine Corps financial managers and senior leadership with a clear financial picture in order to be good stewards of public funds, accurately account for funds spent, and comprehend the impact when expending limited financial resources; Targeted completion date: 2/1/2011; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. For those contracts that are managed externally by trading partners, strengthen the controls surrounding the review of open obligations and have the COTRs, Funds Managers, and/or using units more actively communicate with the trading partners to close any contracts that are no longer valid/open, or for which deliveries of goods/services are completed and need to be billed/invoiced. These communications should take place on or about, if not prior to, the expiration of the period of performance to ensure timely contract closeout; USMC action plan: The USMC updated the verbiage within Military Interdepartmental Purchase Request (MIPR) with an explicit clause highlighting the need by the performing activity to provide supporting documentation on a monthly basis; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: Provided consistent guidance and update in maintaining all level of due diligence to ensure that supporting documentation is obtained from the performing activity. This is explicitly highlighted in MCO 7300.21A; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: The USMC coordinated improved retention and transmission practices by DFAS in order to strengthen Intra-Governmental Payment and Collection processing. This requires DFAS to provide substantiating details that support the processing of intra-departmental disbursements; Targeted completion date: 9/30/2011; Status according to Marine Corps: Action initiated; Confirmed by DOD IG (yes/no): No. Recommendations: 5. Ensure compliance with USMC policy on daily Funds Manager reviews; USMC action plan: Developed management guidance and produce monthly reports from which Marine Corps Commands and HQMC can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 6. Strengthen the Tri-annual Review Controls to ensure reviews of all open obligations, travel advances, and accrued expenses are occurring as required by the DOD FMR and that any necessary adjustments are being made in a timely manner; USMC action plan: Created and implemented a rigorous TAR and Confirmation process to ensure accurate and judicious financial information provides USMC financial managers and senior leadership with a clear financial picture in order to be good stewards of public funds, accurately account for funds spent, and comprehend the impact when expending limited financial resources. 
Inaccurate accounting of limited financial resources ultimately leads to lost opportunities to provide critical support to the war-fighter; Targeted completion date: 2/1/2011; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-7: Lack of Completeness of Delivered Orders: Recommendations: 1. Analyze the subsequent disbursements identified in the Beginning Balance Testing and record the necessary adjustments to the financial statements; USMC action plan: Initiated an adjusting journal entry to address auditor identified concerns relating to the noted NFR and other similarly identified issues in order to effect the correct representation on the financial statement; Targeted completion date: 10/20/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Strengthen internal controls surrounding the recording of delivered orders by ensuring that receivers understand how to assign the dates of receipt and acceptance to correspond to the actual dates of delivery of goods and/or services; USMC action plan: Performed analysis of core remediation areas and implemented updates and corrections to systems and management guidance on proper recording and review of financial events. Guidance updates include improved FBWT SOP, Military Payroll reconciliation SOPs, and updates to MCO 7300.21A with forthcoming Document Type Code and Reimbursable Type Code documentation and analysis. Audit remediation efforts also yielded improved systems functionality and representation of transaction-level details; Targeted completion date: 7/11/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. 
Develop a search for unrecorded liabilities at fiscal year-end to be accrued during preparation of the annual financial statements; USMC action plan: Implementing automated accrued liability module that will allow for accurate recognition of period-end expenses. SABRS functional requirements have been designed and implemented. Monthly accruals are anticipated to begin by 30 June 2011; Targeted completion date: 6/30/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. Implement a review control for Wide Area Work Flow (WAWF) invoices entered at fiscal year-end that do not have accounting station codes assigned to identify items to be accrued; USMC action plan: Action is congruent with policy and guidance updates associated with Marine Corps Order (MCO) 7300.21A. The USMC is coordinating with its service providers in order to ensure proper data entry in WAWF; Targeted completion date: 7/11/2011; Status according to Marine Corps: Action initiated; Confirmed by DOD IG (yes/no): No. Recommendations: 5. Develop and deploy policy guidance to ensure personnel in the field record accruals for delivered orders as required by the Federal Accounting Standards Advisory Board (FASAB), Treasury, DOD, and USMC requirements; USMC action plan: Action is congruent with policy and guidance updates associated with MCO 7300.21A. The USMC is coordinating with its service providers in order to ensure proper data entry in WAWF; Targeted completion date: 7/11/2011; Status according to Marine Corps: Action initiated; Confirmed by DOD IG (yes/no): No. NFR-8: Lack of Timely Funds Manager Reviews: Recommendations: 1. 
Correct errors noted during the performance of Beginning Balance Testing; USMC action plan: Initiated USMC command review of abnormal accounting conditions with emphasis on resolving all errors identified in RFA provided reports; Targeted completion date: 8/18/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Strengthen controls surrounding daily Funds Manager reviews; USMC action plan: Developed management guidance and produce monthly reports from which Marine Corps Commands and HQMC can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Implement reviews of Military Standard Requisition and Issue Procedures (MILSTRIP) transactions/orders in an effort to limit post closeout adjustments that cause abnormal balances; USMC action plan: Developed management guidance and produce monthly reports from which Marine Corps Commands and HQMC can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. Implement/improve financial reporting controls over abnormal balances to ensure timely reviews, investigations, and corrections of abnormal balances; USMC action plan: Developed management guidance and produce monthly reports from which Marine Corps Commands and HQMC can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-9: Recording of 6W Transactions in the MOCAS System: Recommendations: 1. Correct errors noted during the Beginning Balance Testing for the identified sample items; USMC action plan: The Marine Corps and DFAS teams have identified all 6W transactions impacting all general ledger balances. 
The universe was confirmed as accurate via a comparative assessment of independent data extracts that were independently performed by DFAS and RFA personnel; Targeted completion date: 8/31/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: The DFAS audit support team engaged in an exhaustive reconciliation of the 6W transaction type code processing in order to ensure that progress payments are properly classified and/or updated for noted variances; Targeted completion date: 9/30/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Strengthen controls surrounding the use of the 6W and 6W--Credit Mechanization of Contract Administration Services (MOCAS) transactions; USMC action plan: An SCR has been processed that effectively eliminates the automatic change of the transaction type code reflected in DCAS. Subsequent to SCR processing, DFAS review of associated Marine Corps transactions indicates that the system change was successful. In addition, DCAS users at DFAS-Columbus were provided instruction on the proper processing of transaction type codes; Targeted completion date: 4/10/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Marine Corps has initiated a process to correct the SABRS table posting logic to correctly classify contract financing payments to the correct budgetary account; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. 
Use the 6W transactions only when the USMC truly has an advance and not in the instance of a contract financing payment; USMC action plan: Marine Corps has initiated a process to correct the SABRS table posting logic to correctly classify contract financing payments to the correct budgetary account; Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 4. Review the 6W MOCAS transactions so that those that are actually contract financing payments are reclassified into USSGL 4902 - Delivered Orders, Paid and out of USSGL 4802 - Undelivered Orders, Paid; USMC action plan: RFA will initiate a comprehensive adjustment initiative that will effectively reclassify progress payments. This will involve initiating a JV adjusting entry in DDRS-AFS that will be corroborated by a detailed schedule of unsupported transactions and their amounts; Targeted completion date: 9/30/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-10: Reconciliation of MCTFS to MRCV to DCAS Disbursement Data to SABRS Balances: Recommendations: 1. Strengthen controls surrounding the monthly reconciliation of MCTFS to Monthly Reconciliation/Certification Voucher (MRCV) to DCAS Disclosure Data to SABRS. Specifically, USMC needs to perform these four-way reconciliations starting October 2009; USMC action plan: Implemented military (active duty) entitlements pay reconciliation that compares the interfaced amounts from MCTFS, SABRS, and DCAS by document number, voucher, appropriation, and Disbursing Station Symbol Number (DSSN); Targeted completion date: 10/1/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-11: Temporary and Permanent MILPAY Standard Document Numbers (SDN) Balances: Recommendations: 1. 
Strengthen controls surrounding the timely recording of net payroll reversals to temporary SDNs so that such reversals are completed in the same month as the payroll to which they correspond; USMC action plan: The Marine Corps Program Review Team (MCPRT) refined its reconciliation practices to better account for current-year temporary SDN balances. SOPs and other operating documents have been developed to ensure process transparency, consistency, and repeatability; Targeted completion date: 10/14/2010; Status according to Marine Corps: Fully Implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Reconcile the temporary SDNs for prior years and adjust the beginning balance of 4902-Delivered Orders, Paid, accordingly; USMC action plan: MCPRT refined its reconciliation practices to better account for current-year temporary SDN balances. SOPs and other operating documents have been developed to ensure process transparency, consistency, and repeatability; Targeted completion date: 10/14/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Perform reconciliations of temporary and permanent SDNs for the current year and all future periods; USMC action plan: MCPRT communicated that approximately 52,000 transactions have been reviewed for correctness and appropriate posting to a permanent SDN. The remaining 4,000 transactions are currently under review; Targeted completion date: 9/1/2010; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-12: Improper Use of Recoveries (Upward/Downward Adjustments): Recommendations: 1. 
Correct the exceptions noted, and examine amounts recorded in accounts to identify other items that also require adjustment, and record corrections for those items; USMC action plan: DFAS to reclassify current year amounts from General Ledger Accounts 4871/4881 to 4801/4901, respectively, to ensure the accurate reporting of Recoveries; Targeted completion date: 6/30/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Develop, document, and implement policies and procedures to ensure that the subsequent adjustments are recorded in the USSGL accounts; USMC action plan: System adjustment in SABRS will be implemented ahead of DFAS reclassification in order to ensure the proper posting of Recoveries for all future transactions; Targeted completion date: 6/30/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-13: Lack of Timely and Accurate Recording of Transactions: Recommendations: 1. Correct noted errors identified during the performance of Beginning Balance Testing; USMC action plan: Initiated USMC command review of bulk transactions in order to support the accuracy or adjustment to the transaction balance; Targeted completion date: 8/18/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Strengthen internal controls over the recording of obligations and any related changes by requiring periodic reconciliations of obligations, as well as the recording of corresponding delivered orders; USMC action plan: Initiated USMC command review of abnormal accounting conditions with emphasis on resolving all errors identified in RFA provided reports; Targeted completion date: 8/18/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: Initiated Internal Control over Financial Reporting (ICOFR) review of TAR functions and management support for TAR certifications in order to strengthen responsiveness and reliability of fund holder review of obligation, expenses, and liquidations; Targeted completion date: 6/17/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 3. Improve the management review process over recorded transactions ensuring that the recorded amounts are entered properly and supported with appropriate documentation; USMC action plan: Developed management guidance and produce monthly reports from which Headquarters Marine Corps (HQMC) can monitor and address abnormal accounting conditions; Targeted completion date: 8/23/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. USMC action plan: Published management guidance that empowers Commands and HQMC with information resource tools that enable the timely retrieval of source documentation to support audit requirements and assist in providing complete audit sample documentation; Targeted completion date: 9/3/2010; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-14: Improper Recording of Shared Appropriations with Navy: Recommendations: 1. Correct the misclassifications noted; USMC action plan: Analyzed allocation of Shared Appropriations and provided amplifying guidance on financial statement disclosures related to Shared Appropriations; Targeted completion date: 4/29/2011; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. 
USMC action plan: Analyzed Shared Appropriations reconciliations to Fund Balance with Treasury (FBWT) and demonstrated relationship to component level Report on Budget Execution and Budgetary Resources (SF-133); Targeted completion date: 5/4/2011; Status according to Marine Corps: Fully implemented; Confirmed by DOD IG (yes/no): No. Recommendations: 2. Establish policy to record shared appropriations as non-expenditure transfers and implement internal controls to ensure the policy is followed; USMC action plan: Prepared response to support USMC actions in recording the Shared Appropriations with the Department of the Navy (DON). With no specific line for reporting on Allocations Received, the USMC contends that the current representation on the financial statement is accurate and supportable; Targeted completion date: 5/2/2011; Status according to Marine Corps: Partially implemented; Confirmed by DOD IG (yes/no): No. Source: Marine Corps SBR remediation action plan information and DOD IG confirmation of status. [End of table] Table 2 shows the recommendations related to the Marine Corps Total Force System (military payroll system); the Marine Corps' action plans to remediate these recommendations, reported implementation status, and targeted completion dates; and notes whether the DOD IG confirmed the effectiveness of the Marine Corps' implementation. Table 2: DOD IG Recommendations, Reported Status of USMC Actions on MCTFS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Marine Corps Statuses as of August 25, 2011: NFR-1: MCTFS Certification and Accreditation Process/DOD Information Assurance Certification and Accreditation Process (DIACAP) Was Still in Process and not Complete: Recommendations: 1. USMC management should complete the DIACAP process and continue to remediate any identified weaknesses to attempt to achieve a full Authority To Operate (ATO). 2. 
USMC management should ensure that an up-to-date ATO is available for all feeder applications that interface with MCTFS; USMC action plan: The Technology Services Organization (TSO) has completed the DOD Information Assurance Certification and Accreditation Process (DIACAP) process for MCTFS and has received ATO from the USMC Designated Accrediting Authority (DAA); Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-2: Logging and monitoring is not performed at the local application level. Formal policy and procedures for the monitoring performed by third party providers have not been documented: Recommendations: 1. USMC management establish a formal process for monitoring activity, including the interaction with third party service providers and execute that process on a periodic basis. 2. USMC management ensure that responsibilities for logging and monitoring of logs are addressed and defined in service level agreements (SLA) with third party providers. 3. USMC management incorporate Privacy Act compliance into the SLA; USMC action plan: The TSO Management will update and incorporate the following in our guidance documents: - Formal policy and procedures for monitoring third-party providers - Formal requirements to review audit logs on a periodic basis; Targeted completion date: 10/01/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-3 Marine Corps Total Force System (MCTFS) Password Management: Recommendations: 1. USMC management formally document a policy and procedures for MCTFS password management. 2. 
USMC management implement an electronic signature (ELSIG) personal identification number (PIN) expiration setting that will force PIN changes on a periodic basis; USMC action plan: The TSO Management has updated its Desk-Top-Procedures to incorporate policy and procedures for password management; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): Yes. NFR-4 Supporting Documentation for 7 out of 45 Change Management Sample Items Could not Be Provided: Recommendations: 1. USMC management should establish a policy to review the system change request (SCR) approval package to ensure all Configuration Items (CI) are included. 2. Management should also ensure an audit trail exists that includes a mapping of System Change Requests (SCR) to their associated CIs and classification of change; USMC action plan: These seven items referenced were either non-MCTFS related modules that are not associated with any MCTFS SCR or symbolic maps which are generated out of a Customer Information Control System (CICS) map compile. These are system generated and not a CI maintained by MCTFS; Targeted completion date: N/A; Status according to USMC: Non-concur; Confirmed by DOD IG (yes/no): No. NFR-5 Emergency Changes Are not Able To Be Separately Identified from the Overall Change Management Population: Recommendations: 1. USMC management should implement a process or identifier to enable the identification of changes that relate to emergency changes so they may be tracked and analyzed; USMC action plan: The TSO understands and accepts the risks identified; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. 
NFR-6 Marine Corps Total Force System (MCTFS) Configuration Management Compliance Audit: Recommendations: 1. USMC management establish a periodic review of changes that are migrated to production that includes a complete, accurate population of CIs (both PanAPT and non-PanAPT changes). The frequency of review should be commensurate with the level of risk. 2. USMC management follow-up and research potentially unauthorized changes be performed by individuals not involved with the CI migration process and the follow-up should be formally documented; USMC action plan: The TSO Management has established criteria and has started performing periodic reviews of changes that are migrated into production. In addition, the TSO Management has established guidance, performed, and documented follow-up for any authorized changes that are found; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-7 Marine Corps Total Force System (MCTFS) Contingency Plan Has not Been Approved or Tested: Recommendations: 1. USMC management finalize the MCTFS contingency plan so that it can be approved by the appropriate individual of the organization. 2. USMC management develop a Business Impact Analysis (BIA) for MCTFS. 3. USMC management test the MCTFS contingency plan to evaluate its effectiveness on an annual basis; USMC action plan: A test of the MCTFS Contingency Plan is planned for 2011. A MCTFS BIA is being developed; Targeted completion date: 10/01/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-8 Marine Corps Total Force System (MCTFS) Data Strategy and Design Is not Formally Documented: Recommendations: 1. 
USMC management develop a data management strategy and design that includes requirements specific to MCTFS, including regulatory requirements and database standards; USMC action plan: TSO will coordinate with the Functional Managers (FM) to formalize the Data Management Strategy, which is an FM responsibility; Targeted completion date: 10/01/2011; Status according to USMC: Actions underway; Confirmed by DOD IG (yes/no): Yes. NFR-9 Marine Corps Total Force System (MCTFS) Tolerance and Parameter Review: Recommendations: 1. USMC management implement a periodic review of the input processing edit checks, warnings/alerts, parameters, and tolerance values for the MCTFS application. If an improper configuration status is identified in the review, changes should follow an established change management process; USMC action plan: The same processes that are currently in place for new legislative changes are also in place for Marine Corps identified issues above and beyond legislation mandated changes to the system. Marine Corps Administrative Analysis Team (MCAAT) performs monitoring activities and provides feedback reports. The Manpower Information Systems Support Office (MISSO) also holds training and feedback sessions with the administrative units to solicit changes. MI and RFF hold annual MCTFS conferences and workshops to solicit changes. Also, the Configuration Management Board (CMB) holds a periodic review where system changes are reviewed. The semi-annual Configuration Control Board (CCB) performs another periodic review. In fact, the TSO submits technical projects (developed as a result of internal periodic reviews as well as joint application development sessions (JADS)) to the functional managers for approval and subsequent inclusion into the CCB approval process; Targeted completion date: N/A; Status according to USMC: Non-concur; Confirmed by DOD IG (yes/no): Yes. 
NFR-10 There Is No Data Design and Strategy Documentation or Operating Procedures Available for Data Processing Between the Unit Diary/Marine Integrated Personnel System (UD/MIPS) and the Marine Corps Total Force System (MCTFS): Recommendations: 1. USMC management develops interface design and strategy documentation for the data processing between Unit Diary Marine Integrated Personnel System (UD/MIPS) and MCTFS in order to reasonably assure that the data processed is accurate and complete; USMC action plan: Both UD/MIPS and MCTFS Certification and Accreditation (C&A) package contain system interface information wherein both interfaces are annotated and described. Both these systems are in the same family of systems (FOS), meaning that they are internal interfaces not external. No system interface agreement (SIA) is needed. Additionally, all interfaces are documented in data manager and a file layout is included in the Design Logic Tool (DLT). We have documentation for all MCTFS interfaces in Data Manager, but not "interface design documentation". We keep purely meta data about the interface: Dataset names, input or output, sponsors etc.; Targeted completion date: N/A; Status according to USMC: Non-concur; Confirmed by DOD IG (yes/no): No. NFR-11 Developer Access to Production Environment of the MCTFS Collection Server: Recommendations: 1. USMC management enforce a user account policy for the collection server that establishes accountability at the individual user level. 2. USMC management should grant administrative level access only if the individual's job functions require such access. 3. 
USMC management limit any developer access to production as read-only access; USMC action plan: This issue will be mitigated once the TSO completes its migration to the Kansas City IT Center and are connected to Active Directory allowing Common Access Card (CAC) authentication and logging for each user; Targeted completion date: 11/01/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-12 Not all transactions are properly recorded between the entitlements and feeder applications into MCTFS: Recommendations: 1. USMC management implement a mechanism that ensures that all transactions entered and processed through MCTFS are backed up and are able to be restored and recreated if required. 2. Additionally, it is recommended that USMC management implement a mechanism that ensures that transactions processed through MCTFS cannot be back-dated; USMC action plan: This issue is the risk that transactions will fall off the Transaction Research File (TRF) after 180 days. If a diary that was 190 days old was certified, it's true that it would immediately fall off the TRF, however, the input transaction datasets could be restored from the archives. There is no possibility of data not being able to be restored; Targeted completion date: N/A; Status according to USMC: Non-concur; Confirmed by DOD IG (yes/no): N/A. NFR-13 Marine Corps Total Force System (MCTFS) System Authorization Access Request (SAAR) Forms: Recommendations: 1. USMC management should implement a procedure to properly retain the System Access Authorization Request (SAAR) forms for authorizing access to MCTFS; USMC action plan: TSO Management will work with the FM to implement procedures to retain SAAR forms for establishing and authorizing user access to MCTFS and will update the Security Management Plan to include the SAAR Retention process; Targeted completion date: 9/01/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. 
NFR-45 Marine Corps Total Force System (MCTFS) User Account Review: Recommendations: 1. USMC management develop a formal procedure to properly document the daily user access audits. 2. USMC management develop a procedure to ensure that a member cannot have multiple MCTFS end-user Accessor Identification (ACID); USMC action plan: The TSO management has established procedures to formally document that daily audits are performed when the TSO mainframe security personnel perform reviews to ensure that MCTFS application users are limited to one end-user ACID; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-46 The Software Development Plan for MCTFS Release SR 2-10 Has not Been Formally Approved and Signed by Management: Recommendations: 1. USMC management formally document their review and approval for System Development Plans (SDP) for every scheduled configuration management release; USMC action plan: The SDP for SR 2-10 is signed indicating approval. Future SDPs will be signed for scheduled configuration management releases as is the documented practice; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): Yes. NFR-56 MCTFS A-123 Assessment: Recommendations: 1. USMC management should perform a review of internal controls in accordance with OMB Circular A-123 for MCTFS; USMC action plan: TSO will support higher headquarters A-123 Compliance Assessment initiatives as directed; Targeted completion date: 9/30/2011; Status according to USMC: Actions underway; Confirmed by DOD IG (yes/no): No. Source: Marine Corps SBR remediation action plan information and DOD IG confirmation of status. 
[End of table] Table 3 shows the recommendations related to the Marine Corps' Standard Accounting, Budgeting, and Reporting System (general ledger accounting system); the Marine Corps' action plans to remediate these recommendations, reported implementation status, and targeted completion dates; and notes whether the DOD IG has confirmed the effectiveness of the Marine Corps' implementation. Table 3: DOD IG Recommendations, Reported Status of USMC Actions on SABRS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Marine Corps Status as of August 25, 2011: NFR-14 Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Package Inherited Services: Recommendations: 1. USMC management coordinate with DFAS management to assign ownership and responsibility for those information assurance (IA) controls identified under USMC control and ensure all other IA controls are handled by third-party providers; USMC action plan: System Management Directorate (SMD)-CL will coordinate with DFAS-CL and TSO-KC & correctly assign ownership and responsibility for all IA controls not inherited by DISA. SABRS DIACAP packages will be updated to reflect changes; Targeted completion date: 8/05/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-15 Standard Accounting, Budgeting and Reporting System (SABRS) Feeder Systems Authority to Operate (ATO) and Security Control Validation: Recommendations: 1. USMC management coordinate with DFAS management to request an up-to-date ATO (or equivalent authorization) and verification of the last time security controls were tested for each of its feeder application systems that interface with SABRS; USMC action plan: Authority to operate documentation has been requested from System Managers and will be provided once received; Targeted completion date: 10/01/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. 
NFR-16 Standard Accounting, Budgeting and Reporting System (SABRS) Application Level Logging and Monitoring: Recommendations: 1. USMC management coordinate with DFAS management to establish a formal process for monitoring activity, including the interaction with third-party service providers and execute that process on a periodic basis. 2. USMC management coordinate with DFAS management to establish policies and procedures for handling of lost or compromised passwords, including interaction with third-party service providers. 3. USMC management coordinate with DFAS management to ensure that responsibilities for logging and monitoring of logs are addressed and defined in Service Level Agreements (SLA) with third-party providers; USMC action plan: All application level logging and monitoring is controlled by the DISA's Defense Enterprise Computing Centers (DECC); Targeted completion date: Date not provided; Status according to USMC: Non-concur; however, partially implemented; Confirmed by DOD IG (yes/no): No. NFR-17 Standard Accounting, Budgeting and Reporting System (SABRS) Emergency Changes: Recommendations: 1. USMC management coordinate with DFAS management to implement a process or identifier to enable the identification of changes that relate to emergency changes so they may be tracked and analyzed; USMC action plan: Configuration management policy and procedures have been updated; Targeted completion date: 1/15/2010; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-18 SABRS User Provisioning Process: Recommendations: 1. 
USMC management coordinate with DFAS management to ensure that all access to SABRS, including changes to previous access rights and privileges, follow a consistent process that includes timely documented supervisory review and approval as well as identification and documentation of the specific privileges requested and granted; USMC action plan: Marine Corps order (MCO) P7300 will be updated; Targeted completion date: 8/31/2011; Status according to USMC: Actions underway; Confirmed by DOD IG (yes/no): No. NFR-19 Inappropriate Access to SABRS Tables 204 and 205: Recommendations: 1. USMC management coordinate with DFAS management to remove access to any user who has the ability to execute transactions in both spending and authorization tables to resolve the segregation of duties conflict. 2. USMC review current user privileges for SABRS to identify any additional SOD conflicts; USMC action plan: MCO P7300 will be updated; Targeted completion date: 8/31/2011; Status according to USMC: Non-concur; however, actions underway; Confirmed by DOD IG (yes/no): No. NFR-20 Management Does not Perform Formal Periodic Reviews to Recertify SABRS Account Access: Recommendations: 1. USMC management coordinate with DFAS management to establish policies and procedures for access recertification of SABRS users and communicate the requirements to USMC commands and activities that utilize the system. USMC management should coordinate with DFAS to perform periodic reviews of SABRS users in the DFAS organization to detect inappropriate or excessive access and modify user accounts as necessary; USMC action plan: USMC has coordinated with DFAS and established policies/procedures for periodic recertification for SABRS access; Targeted completion date: 8/31/2011; Status according to USMC: Fully implemented (completed ahead of schedule); Confirmed by DOD IG (yes/no): No. 
NFR-22 The SABRS Change Management Process Does not Include Formal Procedures Documented for Addressing Mass Global Changes: Recommendations: 1. USMC management coordinate with DFAS management to ensure that mass global changes are authorized, approved, and can be audited back to the originating account or transaction prior to the global change. The policies and procedures for mass global changes should provide for the traceability to the associated Configuration Items (CI); USMC action plan: Reference to the Software AG Manual has been added to SABRS Configuration Management Plan to further clarify how Global Data Area (GDA) changes are handled; Targeted completion date: 5/31/11; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-23 Standard Accounting, Budgeting and Reporting System (SABRS) Change Management Process: Recommendations: 1. It is recommended that USMC management coordinate with DFAS management to implement a solution to allow them to track all changes that are moved to production for the SABRS system. This will allow for a complete audit trail to exist and management will have an accurate population of changes being migrated to production. 2. When CIs are deleted from production, evidence of management approval should be retained. Finally, all changes moved to production should have documented authorization and approval from management.; USMC action plan: Part 1: The signature approval block has been removed as signature is no longer required. Part 2: Addressed in NFR 22; Targeted completion date: 2/28/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-24 The Standard Accounting, Budgeting and Reporting System (SABRS) Continuity of Operations Plan (COOP): Recommendations: 1. 
USMC management coordinate with DFAS management to obtain the approval for the Continuity of Operations (COOP) from the appropriate individuals of the organization. 2. USMC management coordinate with DFAS management to develop a Business Impact Analysis and a Crisis Communication Plan. 3. USMC management coordinate with DFAS management to test for unauthorized access during a SABRS COOP test exercise; USMC action plan: SABRS Program Management Office has updated the COOP to include test scenarios to restrict access of unauthorized personnel during the test and coordinate for approval. A Business Impact Analysis and Crisis Communication Plan has been developed and included in the appendix of the COOP; Targeted completion date: 4/30/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-25 SABRS Transaction Logging and Monitoring: Recommendations: 1. USMC management coordinate with DFAS management to formalize policies and procedures for conducting periodic reviews of SABRS transactions. The policies and procedures should be established and communicated to DFAS and USMC commands that utilize the SABRS system; USMC action plan: MCO P7300.21 will be updated to task all commands with certification of corrective action on prescribed basis. Updates will include a stronger emphasis on the requirement for continuous review and validation of all financial events recorded in SABRS; Targeted completion date: 8/31/2011; Status according to USMC: Actions underway; Confirmed by DOD IG (yes/no): No. NFR-26 SABRS Business Process Input Edit Checks: Recommendations: 1. USMC management coordinate with DFAS-CL to review the SABRS system to ensure the existing edit check configurations are established in accordance with current and approved Functional Requirements Documents (FRD). 2. 
USMC management coordinate with DFAS-CL management to establish a method to ensure GL accounts are auto-balanced, and duplicate transactions are blocked/prevented from further processing; USMC action plan: The SABRS Program Management Office and the USMC TSO has included test scenarios for all business rules, validations, and edit checks contained in the design document as part of System Integration Testing (SIT) and System Acceptance Testing (SAT); Targeted completion date: 4/30/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-27 Interface Reconciliation Reports Are not Available for Six SABRS Feeder Systems: Recommendations: 1. USMC management coordinate with DFAS management to develop a reconciliation report for interface data transfer for all feeder systems and develop a policy and procedure for review and investigation of error transactions. 2. DFAS-CL assign responsibility to feeder system owners for adequately confirming that the interface data transfer totals are complete and accurate between the feeder system and SABRS.; USMC action plan: USMC management is coordinating with DFAS management to review internal controls and identify ways to improve the process by defining additional procedures and policies. The parties are also reviewing the internal reject report and file to provide positive assurance; Targeted completion date: 5/31/2011; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-28 Retired Document Identifier Codes (DIC) Still Exist in the Active Production SABRS Environment: Recommendations: 1. It is recommended that USMC management coordinate with DFAS management to develop guidance governing the management of SABRS table 200 and perform periodic reviews of all DICs in table 200 to ensure that only DICs that provide valid and current business process functionality are included. 
Retired DICs should be removed from SABRS table 200, the active production repository for all SABRS DICs, so that users cannot process transactions within SABRS using retired DICs; USMC action plan: SABRS software release (SR) 1-11 was implemented on February 19, 2011, to include comments on retired DICs. USMC management is developing guidance to identify retired DICS and to prevent inappropriate use of the DICS; Targeted completion date: 2/19/2011; Status according to USMC: Non-concur, however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-29 Functional Requirements Document and Memorandum of Agreement Documentation for SABRS Interfaces Are not Current, Finalized, and Approved by Management: Recommendations: 1. USMC management coordinate with DFAS management to perform a comprehensive review of Functional Requirements Documents (FRD) and Memoranda of Agreement (MOA) for all key feeder systems that interface with SABRS. Documents should include error handling procedures and have formal review and approval from management; USMC action plan: SABRS Program Management Office will coordinate with TSO-KC to perform a comprehensive review of FRDs and System Connection Agreements (SCA) for all feeder systems that interface with SABRS. As necessary, FRDs and SCAs will be updated to include error handling procedures and have formal review and approval from management; Targeted completion date: 8/30/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-30 General Ledger Table Data and User Maintenance Policies, Procedures, and Audit Trail: Recommendations: 1. USMC management coordinate with DFAS management to develop an audit trail to systematically track changes to the GL tables and establish a periodic review policy and procedure for these changes. 2. 
USMC management coordinate with DFAS management to review the individual user IDs that have the ability to modify the GL tables and remove any individuals whose job description and role do not warrant further access (based upon the concept of least privilege).; USMC action plan: SABRS Program Management Office (PMO) is reviewing additional controls to add an audit trail to maintain the central tables. SABRS PMO is also reviewing profiles for who should have access to the GL tables. General Ledger Team is making changes to the related tables and updating the policies and procedures accordingly.; Targeted completion date: 6/30/2011; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-31 SABRS Interface Error Reports: Recommendations: 1. USMC management coordinate with DFAS-CL to develop an interface error report for MCTFS and the Defense Civilian Pay System (DCPS). 2. USMC management coordinate with DFAS-CL to establish a policy so that Management can identify and correct any errors that occur during the data transfer between feeder applications and SABRS.; USMC action plan: SABRS Program Management Office has modified the interface with DCPS. DCPS interface errors are now captured in a report that previously did not exist; Targeted completion date: 5/31/2011; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-32 SABRS Interface Edit Checks to Prevent Duplicate Transactions: Recommendations: 1. USMC management coordinate with DFAS management to implement edit checks that provide reasonable assurance that all transactions processed through a feeder application into SABRS are accepted and processed only once; USMC action plan: DFAS and the USMC have sufficient checks in place to prevent the processing of the same transactions more than once; Targeted completion date: N/A; Status according to USMC: Non-concur; Confirmed by DOD IG (yes/no): N/A. 
NFR-33 Accountability acknowledgment of received transactions between a feeder system and SABRS: Recommendations: 1. USMC management coordinate with DFAS management to develop a method that would ensure data transfers between a feeder application and SABRS are properly accepted and acknowledged. 2. DFAS-CL develop a method to properly communicate any error notifications to feeder applications in the event of a rejected transaction; USMC action plan: Legacy systems cannot accept acknowledgment of received transactions from SABRS; Targeted completion date: Date not provided; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-47 Inappropriate Access Rights for SABRS Accounts: Recommendations: 1. USMC management coordinate with DFAS management to ensure that all SABRS accounts are reviewed and validated for instances of administrators with access to end user transactions and individuals with multiple Accessor IDs (ACID) assigned to them.; USMC action plan: USMC management coordinated with DFAS management to establish and publish new procedures in April. Complete implementation was completed by June 1, 2010 that required RFA/System Integration-Data Integrity (SI-DI) to validate both (ACID) and name in CA Top Secret (security tool) to prevent the duplicate assignment. USMC management also implemented procedures that when a name is "changed" on an ACID, the Terminal Area Security Officer (TASO) must submit a "delete" request for the old name prior to updating profile with new name; Targeted completion date: 3/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-48 Standard Accounting, Budgeting and Reporting System (SABRS) Configuration Management Baseline Audit: Recommendations: 1. USMC management coordinate with DFAS management to establish procedures that formally document, retain follow-up and research potentially unauthorized changes. 2. 
Additionally, it is recommended that investigations of CI discrepancies be performed by individuals not involved with the CI migration process; USMC action plan: SABRS Program Management revised configuration management baseline procedures; Targeted completion date: No date provided; Status according to USMC: Non-concur, however fully implemented; Confirmed by DOD IG (yes/no): No. NFR-49 Standard Accounting, Budgeting and Reporting System (SABRS) Interface Edit Check: Recommendations: 1. USMC management coordinate with DFAS management to review and ensure that the existing edit check configurations for interface data processing are established in accordance with current and approved Functional Requirement Documents (FRD); USMC action plan: An SCR was submitted and completed to ensure that the program code and design were in alignment; Targeted completion date: 5/31/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): Yes. NFR-50 SABRS Data Strategy and Design: Recommendations: 1. USMC management coordinate with DFAS management to develop a data management strategy and design that includes specific requirements for SABRS, including regulatory requirements and database standards; USMC action plan: USMC will coordinate with DFAS to see if the Data Management Strategy can be strengthened; Targeted completion date: 10/30/2011; Status according to USMC: Non-concur; however actions underway; Confirmed by DOD IG (yes/no): Yes. Source: Marine Corps SBR remediation action plan information and DOD IG confirmation of status. [End of table] Table 4 shows the recommendations related to the Defense Departmental Reporting System (financial reporting system); the Marine Corps' action plans to remediate these recommendations, reported implementation status, and targeted completion dates; and notes whether the DOD IG has confirmed the effectiveness of the Marine Corps' implementation. 
Table 4: DOD IG Recommendations, Reported Status of USMC Actions on DDRS Information Technology System Issues as of July 18, 2011, and DOD IG Confirmation of Status as of August 25, 2011: NFR-34 DDRS User Provisioning Process: Recommendations: 1. USMC management coordinate with Business Transformation Agency (BTA) management to ensure that all access to DDRS including changes to previous access rights and privileges follow a uniform process that includes timely documented supervisory review and approval as well as identification and documentation of the specific privileges requested and granted; USMC action plan: DFAS Cleveland Accounting Operations will coordinate with various interested parties from USMC, BTA, and within the various DFAS operational areas to thoroughly review and document the existing process, identify internal control weaknesses and process deficiencies, including the finding under this NFR, and take appropriate action to strengthen policies and procedures; Targeted completion date: 4/30/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): Yes. NFR-35 Configuration Management and Table Maintenance Policies and Procedures: Recommendations: 1. USMC management coordinate with BTA management to formally document their review and approval of the Configuration Management Policy. Additionally, it is recommended that BTA management develops and approve policies and procedures for DDRS table maintenance; USMC action plan: BTA has obtained the required management approval and signatures for the existing Configuration Management Plan and Policies. BTA has included a table maintenance policy within the Configuration Management Plan; Targeted completion date: 4/30/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): Yes. NFR-36 DDRS Third-Party Monitoring: Recommendations: 1. 
USMC management coordinate with BTA management to establish a formal process for monitoring activity, including the interaction with third-party service providers and execute that process on a periodic basis. 2. USMC management coordinate with BTA management to ensure that responsibilities for logging and monitoring of logs are addressed and defined in agreements with third-party service providers.; USMC action plan: The Information Assurance Officer (IAO) has requested evidence of monitoring from the service providers, and post the artifacts in eMASS and will continue to do so on a regular basis. The IAO has verified that each Service Level Agreement (SLA) covers responsibilities for logging and monitoring; Targeted completion date: 3/2/2011; Status according to USMC: Non-concur; however fully implemented; Confirmed by DOD IG (yes/no): No. NFR-37 DDRS Complete Listing of Configuration Items (CI): Recommendations: 1. USMC management coordinate with BTA and DFAS management to establish a methodology to systematically track all DDRS configuration items that are migrated to production. This will provide an audit trail that will allow closer monitoring and management of the CM process; USMC action plan: TSO Cleveland has modified their policies and procedures to ensure that changes are properly documented before a modification, both normal releases and release exceptions, is applied to DDRS Production. TSO Cleveland, the DDRS developers, has updated Policy 12-Functional Configuration Audit and the DDRS Configuration Management Plan to specify that a listing of CIs will be maintained to support each system modification for normal releases. 
For Emergency Releases, Policy 18--Release Exceptions has been updated to specify that a monthly audit of all release exceptions will be performed and that a PTR must be created prior to a modification being applied to Production in CMIS for all production problems; Targeted completion date: 3/1/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-38 DDRS Inappropriate Access: Recommendations: 1. USMC management coordinate with BTA and DFAS management to appropriately restrict access to shared drives and user groups that allow access to source code repositories; USMC action plan: TSO Cleveland has implemented new procedures to limit the number of developers authorized to send code to Release Management. All other developers now have "read access" only to the shared drive. TSO Cleveland has updated Policy 13 - Release Management and the DDRS/Corporate Services MOA to specify this new procedure, and have created a new shared drive folder with limited access rights. TSO Corporate Services has removed the five identified users with inappropriate access to the DDRS Production source code from the "dba" user group. All other users in the "dba" user group with appropriate access will continue to have access to the Production source code; Targeted completion date: 3/15/2011; Status according to USMC: Partially concur; however, fully implemented; Confirmed by DOD IG (yes/no): No. NFR-39 DDRS Interface Design and Strategy Documentation: Recommendations: 1. 
USMC management coordinate with BTA management and DFAS management to develop interface design documentation for the data processing between SABRS and DDRS in order to reasonably assure that the data processed are accurate and complete; USMC action plan: The DDRS Program Management Office (PMO) will modify the SABRS/DDRS Memorandum of Agreement (MOA) to include edits validations, ownership of interface processing, and error correction; Targeted completion date: 9/30/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): Yes. NFR-40 DDRS Interface Data Reconciliation: Recommendations: 1. USMC management coordinate with BTA management and DFAS management to develop a process that would ensure data transfers between SABRS and DDRS are properly accepted and acknowledged. 2. USMC management coordinate with BTA management to establish a process for data reconciliation between SABRS and DDRS in the interface MOA; USMC action plan: The DDRS PMO has modified the SABRS/DDRS MOA to describe the reconciliation process and include information that addresses how to ensure the data are complete and accurate. (Also see response for NFR #39); Targeted completion date: 4/4/2011; Status according to USMC: Non-concur, however fully implemented; Confirmed by DOD IG (yes/no): No. NFR-41 DDRS Interface Preprocessing Error Report: Recommendations: 1. USMC management coordinate with BTA management and DFAS management to implement a mechanism that would allow for an audit trail to exist for the data received from SABRS that is manually directed to the corresponding line of accounting (LOA) through the preprocessing phase. 2. 
Once the audit trail exists for data processed through the preprocessing phase, BTA should develop a report so that it can be reviewed by management in order to ensure that data is being corrected and resubmitted to the corresponding LOA; USMC action plan: An SCR has been submitted and implemented to now provide a preprocessing audit report; Targeted completion date: 6/29/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-42 DDRS Interface Input Program Documentation- Edit Checks. Recommendations: 1. USMC management coordinate with BTA and DFAS management to perform a comprehensive review of the input process program in order to list, identify, and explain all the edit conditions contained in the program; USMC action plan: TSO Cleveland will document all the edit checks and validations contained in the DDRS input process applicable to the SABRS interface. Two documents will be produced, one detailing general interface edits and one detailing SABRS specific edits; Targeted completion date: 10/1/2011; Status according to USMC: Partially implemented; Confirmed by DOD IG (yes/no): No. NFR-43 DDRS Data Strategy and Design: Recommendations: 1. USMC management coordinate with BTA and DFAS management to incorporate the concepts of cryptography and middleware to the DDRS data management plan; USMC action plan: Documentation has been provided that evidences that a Data Management Plan is not required by DOD for Acquisition Category (ACAT) III Systems; Targeted completion date: 2/11/2011; Status according to USMC: Non-concur; however, fully implemented; Confirmed by DOD IG (yes/no): Yes. NFR-44 DDRS Application Security Logging and Monitoring: Recommendations: 1. 
USMC management coordinate with BTA management to establish a formal process for logging and monitoring activity, including the interaction with third-party service providers and execute that process on a periodic basis.; USMC action plan: The Information Assurance Officer (IAO) has requested evidence of monitoring from the service providers, and post the artifacts in eMASS and will continue to do so on a regular basis. The IAO has verified that each Service Level Agreement (SLA) covers responsibilities for logging and monitoring; Targeted completion date: 3/2/2011; Status according to USMC: Non-concur; however fully implemented; Confirmed by DOD IG (yes/no): No. NFR-51 No evidence of Periodic Review for Changes Migrated to Production: Recommendations: 1. USMC management coordinate with BTA and DFAS management to establish a periodic review of changes that are migrated to production that includes a complete, accurate audit trail of Configuration Items (CI). 2. USMC follow-up and research of potentially unauthorized changes be performed by individuals not involved with the CI migration process and the follow-up should be formally documented; USMC action plan: TSO Corporate Services has created a new procedure to be executed as part of each release that captures the state of the application prior to release and after release. The resulting changes are reconciled with the Release documentation to verify all changes are accounted for. The results of this procedure are maintained by the DDRS PMO; Targeted completion date: 5/6/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-52 DDRS Segregation of Duties Conflict Monitoring: Recommendations: 1. USMC management coordinate with BTA management to review all users with dual access to DDRS and submit appropriate waivers to reflect management's acceptance and acknowledgment of risk. These waivers should be updated in a timely manner prior to granting dual access to a user. 2. 
USMC management implement the mitigating control of periodically reviewing dual access user activity; USMC action plan: BTA and DFAS have streamlined and modified the role assignment process to ensure that a waiver is obtained prior to granting dual access to a user; BTA has requested that DFAS Standards and Compliance accept the risk of not having tools that permit reviewing activity of specific dual access users. The following risk mitigation controls are in place: (a) A user cannot approve a Journal Voucher or Data Adjustment that it created. (b) Dual user role profiles are reviewed monthly by Security Administrators and Reporting Managers. (c) Users have all agreed to behave responsibly in accepting the BTA Rules of Behavior. (d) Financial statements and reports are all reviewed and/or certified; Targeted completion date: 6/29/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. NFR-57 DDRS Access Recertification: Recommendations: 1. USMC management coordinate with BTA management to establish policies and procedures to ensure the actions requested as a result of periodic access recertification of DDRS users (i.e., remove privileges for a Responsible Work Area, disable an account, etc.) are carried out to completion; USMC action plan: DFAS Cleveland Accounting Operations has coordinated with various interested parties from USMC, BTA, and within the various DFAS operational areas to thoroughly review and document the existing process, including the finding under this NFR, and take appropriate action to strengthen the policies and procedures; Targeted completion date: 4/27/2011; Status according to USMC: Fully implemented; Confirmed by DOD IG (yes/no): No. Source: Marine Corps SBR remediation action plan information and DOD IG confirmation of status. 
[End of table]

[End of section]

Appendix III: Comments from the Department of Defense:

Under Secretary Of Defense:
Comptroller:
Defense Pentagon:
Washington, DC 20301-1100:

September 13, 2011:

Mr. Asif A. Khan:
Director, Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Khan,

This is the Department of Defense (DoD) response to the Government Accountability Office (GAO) draft report GAO-11-830, "DoD Financial Management: Marine Corps Statement of Budgetary Resources Audit Results and Lessons Learned," dated August 29, 2011, (GAO Code 197096). Our responses to the recommendations made in the draft report and additional technical comments are enclosed with this letter.

Improving DoD financial management information is one of the Department's most important management goals. Over the last two years, your audit reports and testimony have recognized that the Department now has a sound strategy and approach to achieve audit readiness. In July you stated, "GAO supports DoD's current approach of focusing and prioritizing efforts." We appreciate this validation and support, and have taken steps to focus leadership and management on executing this strategy.

A key component of the Department's approach is to, where reasonable, engage auditors to validate the progress being made; the United States Marine Corps (USMC) audit does just that. When successful, the USMC financial statement audit will be a significant achievement, as the first such accomplishment for a military service. The audit will have a wider impact beyond the Marine Corps by providing clear, concrete actions to be taken to achieve auditability. As you have pointed out, most issues identified are not unique to the USMC and, therefore, inform the efforts of other DoD Components.

The fiscal year 2010 USMC audit has highlighted specific process and systems changes needed to achieve audit.
All of our reporting Components are working with the Defense Finance and Accounting Service and other service providers to address these issues and succeed in their audit efforts. Your audit report focuses on the planning of these remediation efforts, rather than on their outcomes. Given our available resources, the USMC and their service providers have made far more progress in remediation than your audit report indicates. It is because of this progress revealed in the fiscal year 2011 USMC audit, in areas such as complete transaction populations and Funds Balance with Treasury reconciliations, that we disagree with several of the statements in your audit report related to the USMC remediation plan. We have included the justification for several technical comments in an attachment to this letter.

We have actions underway in the Department to address auditor findings across all service providers and Components consistent with three of your recommendations. We feel that your remaining recommendation on the content of our remediation plans is overly prescriptive. I believe our remediation plans are reasonable and will continue to hold leaders accountable to execute their plans and judge their efforts based on near-term outcomes rather than attempt to manage their plans.

I appreciate your recent testimony that "the Department is heading in the right direction and making progress." Additional corrective actions are underway, and there are certainly more needed which have yet to be identified; however, we feel that the USMC audit is on the road to success. While in this case we do not agree with all of the findings in your report, and feel it does not present a fair assessment of the USMC remediation efforts as a whole, we look forward to your continued involvement in and recommendations for improvement of our effort.

My point of contact for this effort is Mr. Joseph Quinn. He can be reached at 571-256-2678 or joseph.quinn@osd.mil.

Sincerely,

Signed by:

Robert F. Hale:

Enclosures: As stated:

[End of letter]

GAO Draft Report Dated August 29, 2011:
GAO-11-830 (GAO Code 197096):

"DOD Financial Management: Marine Corps Statement Of Budgetary Resources Audit Results And Lessons Learned"

Department Of Defense Comments To The GAO Recommendations:

Recommendation NO. 1: The GAO recommends that the Secretary of the Navy direct the Commandant of the Marine Corps: "develop a comprehensive, risk-based plan for designing and implementing corrective actions to SBR auditor recommendations. Such a plan should identify goals and objectives, identify and prioritize actions for addressing those objectives, allocate resources, assign roles and responsibilities, and measure performance against objectives." (See page 26/GAO Draft Report.)

Response: Non-Concur. The Secretary of the Navy does not need to direct the Commandant of the U.S. Marine Corps (USMC) to develop a plan that conforms to GAO's requirements. The USMC contends that the referenced standard (Standards for Internal Control in the Federal Government) does not state that management must "identify resources, roles and responsibilities, or include performance indicators to measure performance against action plan objectives." The USMC fully complied with the three requirements noted in the standard, which are: 1) promptly evaluate findings from audits and other reviews; 2) determine proper actions in response to findings and recommendations from audits and reviews; and 3) complete within established time frames, all actions that correct or otherwise resolve the matters brought to management's attention. In this regard, the USMC will continue to employ all manner of due diligence and professional scrutiny in developing courses of actions and remediation activities, as necessary, in order to correct audit findings given known and anticipated audit workstreams.
Furthermore, the remediation efforts taken heretofore may demonstrate appropriate correction of the underlying audit deficiencies as a consequence and outcome to the Fiscal Year (FY) 2011 Statement of Budgetary Resources (SBR) audit.

Recommendation NO. 2: The GAO recommends that the Secretary of the Navy direct the Commandant of the Marine Corps to: "review Marine Corps SBR remediation actions under way and confirm that actions are fully responsive to the auditor recommendations." (See page 26/GAO Draft Report.)

Response: Concur. Additional actions beyond those currently in support of the FY 2011 SBR audit will be undertaken to assess remediation responsiveness to auditor recommendation. This will involve an assessment of financial statement supportability through concurrent review of account balances, system processing and internal control design and effectiveness. Furthermore, the auditors are currently examining corrective actions related to FY 2010 SBR audit findings and have confirmed that several of the FY 2010 SBR audit Notices of Findings and Recommendations have been corrected. Thus, sufficient insight of corrective action adequacy or insufficiency shall be obtained via these ongoing and overlapping remediation review efforts.

Recommendation NO. 3: The GAO recommends that the Secretary of the Navy direct the Commandant of the Marine Corps to: "for remediation actions that require coordination and action on the part of other DOD components, such as DFAS, DCMA, and DCAA, require the Marine Corps to develop and implement timely and effective service-provider agreements with the appropriate DOD components in accordance with the FIAR Guidance. These agreements should identify roles and responsibilities, the individuals responsible for those activities, and performance measures that establish accountability." (See pages 26 through 27/GAO Draft Report.)

Response: Concur.
The USMC will undertake a comprehensive review of its service provider agreements and implement updates that account for improved business processing and audit supportability. The USMC has long recognized the need for coordinated and codified service support from the Defense Finance and Accounting Service (DFAS). To this end, the Marine Corps established a signed Service Level Agreement (SLA) with DFAS-Kansas City before accounting support and financial reporting services were transferred to the consolidated service center in Cleveland, OH. This change was due to a Base Realignment and Closure (BRAC) requirement and the USMC maintained a close relationship with DFAS-Cleveland in order to aid in their BRAC transition and acclimatization. After a short period, efforts were undertaken to begin developing an updated SLA. These continue today and are expected to conclude in FY 2012. With respect to additional agreements with the Defense Contract Management Agency and Defense Contract Audit Agency, these organizations provide Defense-wide services that are not segmented across the Military Services, as in the case with the DFAS centers. Therefore, while the USMC concurs with the recommendation, it requests that such agreements be established and applicable to all of DoD, with the Office of the Under Secretary of Defense (Comptroller) Financial Improvement and Audit Readiness Directorate responsible for coordinating these SLA actions.

Recommendation NO. 4: "In addition, to help fully leverage lessons learned from the first-year Marine Corps SBR audit effort, we recommend that the Secretary of Defense direct the Secretaries of the Army, the Navy, and the Air Force to consider the fundamental lessons resulting from the Marine Corps effort and incorporate the lessons, as appropriate, in their respective FIPs." (See page 27/GAO Draft Report.)

Response: Concur.
On behalf of the Secretary of Defense, the Under Secretary of Defense (Comptroller)/Chief Financial Officer (USD(C)/CFO) has directed the Military Services and other DoD components to consider the key lessons learned from the USMC audit effort, as outlined in this audit report, in their audit readiness plans. The USD(C)/CFO recognizes the importance of sharing audit readiness lessons across the Department, and this direction will serve to underscore an initiative already underway. The Military Services are, in fact, currently in the process of addressing the recommendations from the GAO audit of the Navy Civilian Pay and Air Force Military Equipment financial improvement plans, as well as those from the audit of the USMC SBR, in their audit readiness plans. It has always been the Department's approach to incorporate lessons learned from audit readiness efforts into all future preparations.

[End of section]

Appendix IV: GAO Contact and Staff Acknowledgments:

GAO Contact:

Asif A. Khan, (202) 512-9869 or khana@gao.gov:

Staff Acknowledgments:

In addition to the contact named above, Gayle L. Fischer, Assistant Director; Jacquelyn N. Hamilton, Acting Assistant General Counsel; William F. Wadsworth, Assistant Director, Information Security; Francine DelVecchio; Jason Kirwan; Richard D. Mayfield, Auditor-in-Charge; Carol T. Nguyen; Kerry A. Porter; Eric H. Stalcup; and Carroll M. (CJ) Warfield, Jr., Auditor-in-Charge, made key contributions to this report.

[End of section]

Footnotes:

[1] Pub. L. No. 101-576, § 303, 104 Stat. 2838, 2849 (Nov. 15, 1990), codified, as amended, at 31 U.S.C. § 3515.
[2] GAO, DOD Financial Management: Numerous Challenges Must Be Addressed to Improve Auditability, [hyperlink, http://www.gao.gov/products/GAO-11-864T] (Washington, D.C.: July 28, 2011); DOD Financial Management: Numerous Challenges Must Be Addressed to Improve Reliability of Financial Information, [hyperlink, http://www.gao.gov/products/GAO-11-835T] (Washington, D.C.: July 27, 2011); and High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011).

[3] The other agency with a disclaimer was the Department of Homeland Security.

[4] Pub. L. No. 111-84, § 1003(a), (b), 123 Stat. 2190, 2439-40 (Oct. 28, 2009).

[5] Budgetary resources include the amount available to enter into new obligations and to liquidate them. Budgetary resources are made up of new budget authority (including direct spending authority provided in existing statute and obligation limitations) and unobligated balances of budget authority provided in previous years.

[6] Offsetting collections are collections from government accounts or from transactions with the public. These collections are credited to appropriation or fund accounts.

[7] In a disclaimer of opinion, the auditor does not express an opinion on the financial statements. A disclaimer of opinion is appropriate when the audit scope is not sufficient to enable the auditor to express an opinion, or when there are material uncertainties involving a scope limitation--a situation where the auditor is unable to obtain sufficient appropriate audit evidence.

[8] CFO Act agencies' financial management systems are required by the Federal Financial Management Improvement Act of 1996 (FFMIA) to comply with federal financial management systems requirements, applicable federal accounting standards, and the United States Government Standard General Ledger at the transaction level. Pub. L. No. 104-208, div. A, title VIII, § 803, 110 Stat. 3009, 3009-390 (Sept. 30, 1996).

[9] GAO, Financial Management: Achieving Financial Statement Auditability in the Department of Defense, [hyperlink, http://www.gao.gov/products/GAO-09-373] (Washington, D.C.: May 6, 2009).

[10] An obligation is a definite commitment that creates a legal liability of the government for the payment of goods and services ordered or received.

[11] According to OMB Circular No. A-11, the SF-133, Report on Budget Execution and Budgetary Resources, is intended to provide a consistent presentation of data across programs within each agency, and across agencies, which helps program, budget, and accounting staffs to communicate. SF-133s provide historical reference that can be used to help prepare the President's Budget, program operating plans, and spending estimates. The reports also provide a basis to determine obligation patterns when programs are required to operate under a Continuing Resolution. An agencywide SF-133 should generally agree with an agency's Statement of Budgetary Resources.

[12] GAO, Financial Audit Guide: Auditing the Statement of Budgetary Resources, [hyperlink, http://www.gao.gov/products/GAO-02-126G] (Washington, D.C.: December 2001).

[13] Internal control comprises the plans, methods, and procedures to provide reasonable assurance that objectives are being achieved in the following areas: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations.

[14] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1] (Washington, D.C.: November 1999).

[15] Testing of the reasonableness of account balances or amounts in financial statements is commonly referred to as substantive testing. This is in contrast to testing of the internal controls related to a particular account or balance.

[16] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1].

[17] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1].

[18] GAO, Defense Business Transformation: DOD Needs To Take Additional Actions to Further Define Key Management Roles, Develop Measurable Goals, and Align Planning Efforts, [hyperlink, http://www.gao.gov/products/GAO-11-181R] (Washington, D.C.: Jan. 26, 2011); and Risk Management: Strengthening the Use of Risk Management Principles at Homeland Security, [hyperlink, http://www.gao.gov/products/GAO-08-904T] (Washington, D.C.: June 25, 2008).

[19] GAO, Intelligence, Surveillance, and Reconnaissance: DOD Needs a Strategic, Risk-Based Approach to Enhance Its Maritime Domain Awareness, [hyperlink, http://www.gao.gov/products/GAO-11-621] (Washington, D.C.: June 20, 2011); High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C.: February 2011).

[20] The Marine Corps SBR Remediation Plan consists of a written plan covering the initial 11 financial statement process notices of findings and recommendations (NFR) to comply with DOD IG audit requirements and 59 additional NFRs that were addressed in separate plans of action and milestones.

[21] Some of these elements are consistent with the FIAR Guidance requirements for a corrective action plan, such as identifying required resources and ensuring that actions address the identified deficiencies.

[22] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[23] The Antideficiency Act requires agencies to establish a system for administrative control of funds to, among other things, prevent obligations and expenditures in excess of appropriations and apportionments. 31 U.S.C. §§ 1341, 1514(a), 1517(a).

[24] GAO, Department of the Army--The Fiscal Year 2008 Military Personnel, Army Appropriation and the Antideficiency Act, B-318724 (Washington, D.C.: June 22, 2010).
[25] Under Secretary of Defense (Comptroller/CFO), March 16, 2011, letter reporting a Department of the Navy violation of the Antideficiency Act, case number 10-03.

[26] DOD Financial Management Regulation, Volume 3, Chapter 8, Standards for Recording and Reviewing Commitments and Obligations, Section 0804.

[27] GAO, DOD Financial Management: Numerous Challenges Must Be Addressed to Achieve Auditability, [hyperlink, http://www.gao.gov/products/GAO-11-864T] (Washington, D.C.: July 28, 2011).

[28] GAO, DOD Business Transformation: Improved Management Oversight of Business System Modernization Efforts Needed, [hyperlink, http://www.gao.gov/products/GAO-11-53] (Washington, D.C.: Oct. 7, 2010).

[29] [hyperlink, http://www.gao.gov/products/GAO-11-53].

[30] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[31] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1] (Washington, D.C.: November 1999).

[End of section]