This is the accessible text file for GAO report number GAO-14-60 entitled 'DOD Financial Management: Improvements Needed in Army's Efforts to Ensure the Reliability of Its Statement of Budgetary Resources' which was released on May 30, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: DOD Financial Management: Improvements Needed in Army's Efforts to Ensure the Reliability of Its Statement of Budgetary Resources: Report to Congressional Committees: May 2014: GAO-14-60: GAO Highlights: Highlights of GAO-14-60, a report to congressional committees. Why GAO Did This Study: The National Defense Authorization Act for Fiscal Year 2013 requires the Department of Defense (DOD) to describe how its SBR will be validated as ready for audit by September 30, 2014. The DOD Comptroller issued the FIAR Guidance to provide a standard methodology for DOD components to use to develop and implement FIPs, improve financial management, and achieve audit readiness. The Army's FIP for budget execution provides a framework for planning, executing, and tracking essential steps with supporting documentation to achieve audit readiness of its General Fund SBR. GAO is mandated to audit the U.S. government's consolidated financial statements, including activities of executive branch agencies such as DOD. This report identifies the extent to which the Army developed and implemented its General Fund SBR FIP for budget execution in accordance with the FIAR Guidance with regard to (1) determining the scope of activities included in the FIP and (2) completing those activities included in the scope of the FIP. GAO reviewed the Army's FIP to determine whether it contained the elements required by the FIAR Guidance and reviewed test results, status reports, and other deliverables. What GAO Found: The Army has made important progress in developing its financial improvement plan (FIP) for budget execution to help guide its General Fund Statement of Budgetary Resources (SBR) audit readiness efforts. This FIP covers current year activity associated with the recently deployed General Fund Enterprise Business System (GFEBS) emphasizing the implementation of effective business processes. However, the Army did not fully complete certain tasks in accordance with the Financial Improvement and Audit Readiness (FIAR) Guidance to ensure that its FIP adequately considered the scope of efforts required for audit readiness. For example, the Army did not consider the risks associated with excluding current year activity associated with legacy systems and did not adequately identify significant SBR activity attributable to service provider business processes and systems. These activities may continue to represent material portions of future SBRs and, if not auditable, will likely affect the Army's ability to achieve audit readiness goals as planned. For GFEBS-related audit readiness activities within the scope of its FIP for budget execution, the Army documented controls in narratives and flowcharts and performed monthly tests to assess their effectiveness. Based on test results from June 2012 through May 2013, the Army identified extensive deficiencies, such as lack of appropriate reviews or approvals, and had an average failure rate of 56 percent. Figure: Army's Reported SBR Internal Control Test Failure Rates for Commands Tested: [Refer to PDF for image: vertical bar graph] Failure rate: June 2012 (8 commands tested): 64%. July 2012 (8 commands tested): 66%. August 2012 (1 command tested): 68%. September 2012 (0 commands tested): Testing not performed. October 2012 (8 commands tested): 48%. November 2012 (4 commands tested): 28%. December 2012 (1 command tested): 67%. January 2013 (19 commands tested): 46%. February 2013 (19 commands tested): 64%. March 2013 (23 commands tested): 55%. April 2013 (25 commands tested): 54%. May 2013 (26 commands tested): 42%. Average total: 56%. Source: GAO analysis of Army Leadership Briefs, June 2012 through May 2013. [End of figure] The Army did not fully follow the FIAR Guidance in performing the tasks required. For example, the Army's documentation and assessment of controls were not always complete or accurate. Further, extensive deficiencies identified by Army had not been remediated prior to an independent public accountant's (IPA) examination of its audit readiness efforts. Overall, the gaps and deficiencies identified above are largely due to the Army's focus on (1) the audit readiness of new GFEBS processes despite continued reliance on legacy systems and service providers and (2) asserting audit readiness before correcting extensive control deficiencies. Army officials cited adherence to assertion and IPA examination milestones as essential. However, this approach raises serious concerns regarding the likelihood that SBR audit readiness will occur as planned and the Army's ability to ensure the accuracy of financial information used to monitor budgetary resources to achieve its mission. What GAO Recommends: GAO recommends that among other things, the Army take steps to improve implementation of the FIAR Guidance for its General Fund SBR FIP for budget execution and ensure that all significant SBR processes, systems, and risks are adequately considered and identified deficiencies are resolved. The Army concurred with GAO's recommendations. View [hyperlink, http://www.gao.gov/products/GAO-14-60]. For more information, contact Asif A. Khan at (202) 512-9869 or khana@gao.gov. [End of section] Contents: Letter: Background: The Army Did Not Fully Follow FIAR Guidance in Determining the Scope of Its General Fund Budget Execution Audit Readiness Efforts: The Army Did Not Effectively Implement Key Tasks in Its Budget Execution FIP in Accordance with FIAR Guidance: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: FIAR Guidance for Reporting Entities: Appendix III: Comments from the Department of the Army: Appendix IV: GAO Contact and Staff Acknowledgments: Table: Table 1: Reporting Entity Methodology for Supporting Audit Readiness Included in DOD's FIAR Guidance: Figures: Figure 1: Interrelated Efforts for Achieving Army General Fund SBR Audit Readiness: Figure 2: Army General Fund Obligations Incurred in GFEBS, Fiscal Year 2013: Figure 3: The Army's Reported SBR Internal Control Test Failure Rates for Commands Tested: Figure 4: Reasons for Internal Controls Deficiencies: Results of Army Testing, January 2013 through March 2013: Abbreviations: CAP: corrective action plan: DFAS: Defense Finance and Accounting Service: DOD: Department of Defense: ERP: enterprise resource planning: FBWT: Fund Balance with Treasury: FIAR: Financial Improvement and Audit Readiness: FIP: financial improvement plan: FORSCOM: Forces Command: GFEBS: General Fund Enterprise Business System: ICOFR: Internal Control over Financial Reporting: IMCOM: Installation Management Command: IPA: independent public accountant: MOU: memorandum of understanding: NDAA: National Defense Authorization Act: OIG: Office of Inspector General: OUSD(C): Office of the Under Secretary of Defense (Comptroller): SBA: Schedule of Budgetary Activity: SBR: Statement of Budgetary Resources: SOA: Statement of Assurance: SSAE: Statement on Standards for Attestation Engagements: TRADOC: Training and Doctrine Command: [End of section] United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: May 30, 2014: The Honorable Thomas R. Carper: Chairman: The Honorable Tom Coburn, M.D. Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Darrell E. Issa: Chairman: The Honorable Elijah Cummings: Ranking Member: Committee on Oversight and Government Reform: House of Representatives: The U.S. Army is the largest component within the Department of Defense (DOD), accounting for about $189 billion or 30 percent of DOD's total reported expenditures for fiscal year 2013.[Footnote 1] DOD has been unable to prepare auditable information for department- wide financial statements as required by the Government Management Reform Act of 1994.[Footnote 2] Over the years, we have reported on the Army and other DOD efforts to overcome long-standing financial management weaknesses that have prevented the issuance of auditable financial statements. Pervasive financial and related business management systems and control weaknesses have adversely affected DOD's ability to control costs; ensure basic accountability; anticipate future costs and claims on the budget; measure performance; maintain funds control; prevent and detect fraud, waste, and abuse; address pressing management issues; and prepare auditable financial statements. These issues led GAO to designate DOD financial management as high risk since 1995.[Footnote 3] The National Defense Authorization Act (NDAA) for Fiscal Year 2010 [Footnote 4] requires that DOD develop and maintain the Financial Improvement and Audit Readiness (FIAR) Plan, which includes, among other things, the specific actions to be taken and costs associated with correcting the financial management deficiencies that impair its ability to prepare timely, reliable, and complete financial management information and ensuring that its financial statements are validated as ready for audit by September 30, 2017.[Footnote 5] Since DOD management relies heavily on budget information for day-to-day management decisions, the DOD Comptroller designated the Statement of Budgetary Resources (SBR) as an audit priority.[Footnote 6] The Secretary of Defense underscored the department's SBR priority with an October 2011 memorandum directing the Under Secretary of Defense (Comptroller) to provide a revised plan for achieving audit readiness of the SBR by September 30, 2014, with the aim to provide DOD managers with auditable General Fund information to track spending, identify waste, and improve DOD's business processes.[Footnote 7] Subsequently, the NDAA for Fiscal Year 2013 amended the legal requirement to add that the FIAR Plan's financial management improvement efforts should also support the goal of validating the audit readiness of DOD's SBR no later than September 30, 2014. To facilitate efforts to meet these requirements, the DOD Comptroller issued the FIAR Guidance, which defines DOD's strategy, goals, roles and responsibilities, and procedures for the components to become audit ready.[Footnote 8] Specifically, the guidance provides a standard, multiphased methodology that DOD components are required to follow in developing and implementing financial improvement plans (FIP). These plans, in turn, provide a framework for planning, executing, and tracking essential steps with supporting documentation to achieve auditability. However, the results of our prior work have raised concerns about the ability of DOD components to effectively implement the FIAR Guidance.[Footnote 9] Components may develop multiple FIPs to manage portions of their improvement efforts--such as those related to specific assessable units.[Footnote 10] The Army's approach for achieving General Fund SBR audit readiness is intended to integrate various interrelated efforts to improve business processes and systems and includes separate FIPs for budget execution, military pay, financial reporting, and Fund Balance with Treasury (FBWT).[Footnote 11] The Army's FIP for budget execution is particularly important as it addresses improvement efforts across multiple business processes, including funds distribution, contracts, temporary duty travel, miscellaneous payments, government purchase cards, supply, reimbursements, and civilian pay. Budgetary resources and financial activity (e.g., obligations and expenditures) associated with these processes represent significant portions of amounts reported on the Army's General Fund SBR. Consequently, efforts to develop and implement this FIP will significantly affect the Army's ability to achieve audit readiness. This report was initiated under our mandate to audit the U.S. government's consolidated financial statements,[Footnote 12] including activities of executive branch agencies such as DOD. Serious financial management problems at DOD represent one of the long-standing major impediments that continue to prevent GAO from expressing an audit opinion on the U.S. government's consolidated financial statements.[Footnote 13] We focused on the Army's General Fund SBR budget execution FIP because of its importance to the Army's effort to achieve SBR auditability and, ultimately, audit readiness for DOD's department-wide SBR. Our objectives were to determine the extent to which the Army developed and implemented its General Fund SBR FIP for budget execution in accordance with the FIAR Guidance with regard to (1) determining the scope of activities included in the FIP and (2) completing those activities included in the scope of the FIP. To address our objectives, we analyzed the Army's FIP to determine whether it contained the elements and tasks for the phases of audit readiness efforts under way at the time of our review, as required by the FIAR Guidance. We also identified and reviewed the FIP deliverables required by the FIAR Guidance, such as process narratives and flowcharts, internal control assessments, and test results. In addition, we reviewed the results of independent public accountant (IPA) examinations of audit readiness efforts related to the Army's FIP for budget execution. We interviewed Army, Defense Finance and Accounting Service (DFAS), and FIAR Directorate officials within DOD's Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) to obtain explanations and clarifications on documentation we reviewed. [Footnote 14] Further information on our scope and methodology is provided in appendix I. We conducted this performance audit from June 2012 to May 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: In May 2010, the DOD Comptroller issued the FIAR Guidance to provide a standard methodology for DOD components to follow in developing an audit strategy and implementing FIPs. The FIAR Guidance was most recently updated in November 2013 and describes the following five audit readiness phases and activities that DOD reporting entities (including the Army) are to include in their FIPs. * Discovery Phase: Entities document their processes and identify, test, and assess their controls and evaluate and confirm the existence of documentation supporting relevant financial statement assertions. * Corrective Action Phase: Entities develop and execute plans to address identified deficiencies and verify implementation of corrective actions. * Assertion/Evaluation Phase: The FIAR Directorate reviews assertions by entity management that assessable units are audit ready. An IPA or the DOD Office of Inspector General (OIG) examines readiness, and entity management addresses any reported deficiencies. * Validation Phase: The FIAR Directorate validates audit readiness based on its assessment of the IPA examination report and documentation supporting successful remediation of auditor-identified deficiencies. * Audit Phase: An IPA or the DOD OIG performs an audit of the financial statements or specified elements of them and issues an opinion on whether they are fairly presented in accordance with generally accepted accounting principles. Appendix II provides more specific information on the phases, tasks, and deliverables that the FIAR Guidance requires reporting entities to include in their FIPs. In response to component difficulties in preparing for a full SBR audit, the November 2012 FIAR Plan Status Report and the March 2013 FIAR Guidance included a revision to narrow the scope of initial audits to only current year budget activity and expenditures on a Schedule of Budgetary Activity (SBA).[Footnote 15] Under this approach, beginning in fiscal year 2015, reporting entities are to undergo an examination of their SBAs by an IPA or the DOD OIG reflecting the balances and associated activity related only to funding approved on or after October 1, 2014. As a result, SBAs will exclude unobligated and unexpended amounts carried over from prior years' funding as well as information on the status and use of such funding in subsequent years (e.g., obligations incurred and outlays). [Footnote 16] These amounts will remain unaudited. Over the ensuing years, as the unaudited portion of SBR balances and activity related to this funding decline, the audited portion is expected to increase. The NDAA for Fiscal Year 2010, as amended by the NDAA for Fiscal Year 2013, requires that the FIAR Plan describe specific actions to be taken and the costs associated with ensuring that DOD's SBR is validated as ready for audit by not later than September 30, 2014. Further, the FIAR Plan Status Report is required to include a determination by the Chief Management Officer of each military department concerning its ability to achieve an auditable SBR by September 30, 2014, and if the department is unable to meet this deadline, an explanation as to why it is unable to meet the deadline as well as an alternative deadline and a description of the plan for achieving an auditable SBR by the alternative deadline. In addition, all material amounts reported on the SBR will need to be auditable in order to achieve the mandated goal of full financial statement audit readiness by September 30, 2017. Army General Fund SBR Audit Readiness Strategy: The Army prepared its audit readiness strategy to provide a high-level overview for Army leaders and stakeholders to understand the Army's approach for achieving audit readiness in accordance with the FIAR Guidance.[Footnote 17] In connection with this strategy, the Army's approach for achieving General Fund SBR audit readiness includes four separate FIPs developed to guide improvement efforts in the following areas: (1) budget execution, (2) military pay, (3) financial reporting, and (4) FBWT. The Army also relies on service providers to ensure the audit readiness of service provider systems and business processes that support services provided to the Army and affect its General Fund SBR.[Footnote 18] In addition, as shown in figure 1, establishing the Army's audit-ready systems environment is integral to the Army's audit readiness strategy, including implementation of the General Fund Enterprise Business System (GFEBS) and other key enterprise resource planning (ERP) systems.[Footnote 19] Figure 1: Interrelated Efforts for Achieving Army General Fund SBR Audit Readiness: [Refer to PDF for image: illustration] Audit-ready Army General Fund SBR: Consists of the following: Army-specific audit readiness efforts: * Army-designated FIPs/assessable units: FBWT; Financial Reporting; Military pay; Budget execution (see below for description). * ERP systems environment: GFEBS; Other ERP systems. Service provider audit readiness efforts: Systems; FIPs. Budget execution consists of: funds distribution, contracts, temporary duty travel, miscellaneous payments, government purchase cards, supply, reimbursements, and civilian pay. Source: GAO analysis of Army data. [End of figure] GFEBS is absorbing more than 100 legacy accounting and other systems to standardize business processes and provide more accurate data on funds availability and execution. According to Army sources, GFEBS is one of the world's largest ERP systems, supporting approximately 1 million transactions each day and over 53,000 users at over 200 locations in 71 countries in fiscal year 2013. Also, according to Army sources, obligations incurred associated with contracts, civilian pay, and other business activities that were processed in GFEBS represented about 52 percent of total obligations incurred reported in the Army's General Fund SBR for fiscal year 2013. Based on efforts to record military pay expenditure and accounting data in GFEBS beginning in fiscal year 2014, Army officials stated that GFEBS is expected to be the primary system for processing Army obligations incurred for fiscal year 2014. The Army reported that it completed Discovery Phase audit readiness efforts for all four of its General Fund SBR FIPs, including the FIP for budget execution, in March 2013 and expects to complete the Corrective Action and Assertion/Evaluation Phases by June 2014 and September 2014, respectively. The Army's FIP for budget execution, the focus of this report, is particularly important as it addresses improvement efforts involving significant budgetary resources and financial activity reported in its General Fund SBR across multiple business processes. Further, this FIP focuses on the development of GFEBS-based audit-ready processes, including those that affect obligations incurred reported in the Army's General Fund SBR, and emphasizes incremental "waves" of audit readiness assertions and IPA examinations to assess progress of Army locations and business processes operating in the GFEBS environment. Originally, the Army planned four waves, but in fiscal year 2012 it compressed its assertions to three waves to meet the DOD time frame and NDAA mandate for achieving audit readiness. The activity and timing of these waves are as follows. * Wave 1. In June 2011, the Army asserted audit readiness at 3 of 227 locations with five business processes.[Footnote 20] An IPA completed an examination in November 2011 and reported that the Army did not effectively design test plans for evaluating the operating effectiveness of key controls for several processes. The IPA also reported that the Army did not (1) properly identify all key control objectives and activities and risks of misstatement related to its processes or consider the control environment as a whole and (2) properly identify the financial statement risks related to key control activities and objectives within its processes. * Wave 2. In June 2012, the Army asserted audit readiness at 10 of 227 locations (3 Wave 1 locations and 7 additional locations)[Footnote 21] with eight business processes. An IPA completed an examination in April 2013 and reported several inadequacies in the Army's Wave 2 readiness assertion, as discussed later in our report. * Wave 3. In June 2013, the Army asserted audit readiness for eight GFEBS processes and activities at remaining locations. An IPA is to complete an examination by May 2014. * Full General Fund SBA. The Army is to assert audit readiness for all current year activity and funding by June 2014. The Army Did Not Fully Follow FIAR Guidance in Determining the Scope of Its General Fund Budget Execution Audit Readiness Efforts: To help prioritize and guide its efforts, the Army developed its FIP for budget execution emphasizing the implementation of effective GFEBS processes for achieving SBR audit readiness. However, the Army did not fully complete key tasks to help ensure that its FIP adequately considered the scope of efforts required to achieve audit readiness and addressed significant qualitative risks or other factors affecting its efforts, as required by FIAR Guidance. For example, the Army's analysis identifying Army and service provider business processes and systems supporting its General Fund SBR FIP for budget execution was incomplete. In accordance with the March 2013 FIAR Guidance, the Army limited the scope of its efforts to focus on achieving SBA audit readiness by September 30, 2014. Therefore, the Army excluded measures to ensure the readiness of beginning balances associated with funding received in, and carried forward from, prior years and activity processed in certain legacy systems. While achieving SBA audit readiness can provide a meaningful indicator of progress, the amounts excluded are material to the Army's SBR and may continue to represent material portions of future SBRs. Further, the Army had not performed an assessment to adequately demonstrate the expected magnitude of these amounts in future years and address risks associated with them as required. As a result, the Army lacks important assurance that it will achieve audit readiness goals as planned. Also, the Army did not address whether it will meet the September 30, 2014, deadline for an auditable SBR in its determination of audit readiness included in DOD's November 2013 FIAR Plan Status Report and did not clearly indicate an alternative date for achieving full SBR audit readiness, as required by the NDAA for Fiscal Year 2013. The Army's Identification of Significant SBR Amounts and Processes Was Incomplete: Per the FIAR Guidance, Discovery Phase Task 1 (statement to process analysis) requires reporting entities to identify the assessable units, business processes, systems, and other characteristics associated with amounts reported in each financial statement line item. Also, because of the significant reliance placed on service providers, the FIAR Guidance also requires reporting entities to (1) coordinate with them to ensure that the statement to process analysis identifies significant assessable units associated with service provider processes and systems supporting each line item and (2) formalize and document their relationship with the service providers in a memorandum of understanding (MOU).[Footnote 22] Completing these tasks is essential for understanding the relative importance and multifaceted nature of audit readiness efforts and for developing an effective strategy. However, we found that the Army had not effectively completed these tasks as discussed below. * Statement to process analysis. For this task, the Army prepared a General Fund SBR statement to process analysis supporting its FIP for budget execution Wave 2 readiness assertion, which identified the portions of obligations-incurred activity processed in GFEBS that were attributable to key assessable units, such as civilian pay, contracts, and supplies. However, this analysis did not show the linkage of key SBR financial statement line items to all significant assessable units and therefore was incomplete. Specifically, the Army's analysis focused only on obligations-incurred activity processed in GFEBS, which, as of September 30, 2013, represented about 52 percent, or $119 billion, of total reported General Fund obligations, as shown in figure 2. Figure 2: Army General Fund Obligations Incurred in GFEBS, Fiscal Year 2013: [Refer to PDF for image: illustration] Army FY13 General Fund Statement of Budgetary Resources[A]: Total budgetary resources: $267 billion; Unobligated funds: $39 billion. Obligations incurred: $228 billion: Obligations incurred in other systems: $109 billion (48%); Obligations incurred in GFEBS: $119 billion[B] (52%). Source: GAO analysis of Army data. [A] This consists of budgetary resources, the status of those resources, the change in obligated balances, and gross to net budget authority and outlays. [B] The Army's FIP for budget execution focused audit readiness efforts on obligations incurred in GFEBS. [End of figure] Assessable units and related amounts associated with remaining obligations incurred activity processed in non-GFEBS systems, totaling $109 billion for fiscal year 2013, were not included in the Army's analysis. Further, other SBR activity attributable to service provider business processes and systems was also excluded. According to Army officials, they excluded these amounts because of the Army's expectation that (1) service providers will ensure the readiness of their systems and processes and (2) the Army's reliance on certain legacy systems will decline significantly in connection with its further implementation of GFEBS. In addition, unobligated and unpaid obligated amounts carried forward from prior years--or beginning balances--were excluded from its analysis, which, according to Army officials, was consistent with the March 2013 FIAR Guidance revision to narrow the focus of initial audits to SBAs. Further, Army officials indicated that devoting significant resources to ensure the readiness of these legacy systems and beginning balances was not cost effective, and accordingly, they excluded efforts to ensure their auditability from the scope of the Army's readiness strategy. The Army's consideration of the cost-effectiveness of its readiness efforts is important. However, its exclusion of these amounts and processes did not eliminate the FIAR Guidance requirements to identify all assessable units with processes that result in transactions and balances--including beginning balances--material to the SBR and to consider the risks associated with them in developing its audit readiness strategy. In addition, documentation provided by FIAR Directorate officials supporting the rationale for revising the FIAR Guidance concerning beginning balances specifies that the revision was not intended to affect Discovery Phase requirements. Further, the FIAR Guidance also requires reporting entities to identify processes and systems supporting existing "as-is" environments, in addition to planned "to-be" environments associated with implementing new financial systems. This requirement also recognizes the complexities and challenges associated with implementing large-scale financial systems, such as GFEBS, and the importance of identifying and addressing risks associated with legacy systems and related business processes. Addressing such risks is to be performed during Discovery Phase Task 2 and is essential for developing a cost-effective readiness strategy. * Service provider assessable units and MOU. The Army's analysis did not identify activity attributable to assessable units associated with service provider business processes and systems, as required by the FIAR Guidance, despite the significant impact they have on the Army's SBR and its reliance on them to help achieve readiness. Also, the Army had not established an MOU with its service providers to formally document a shared understanding of roles and responsibilities affecting audit readiness efforts as required by the FIAR Guidance. For example, an MOU would include roles and responsibilities for the authorization, initiation, processing, recording, and reporting of transactions affected by the service provider, including requirements for the retention of supporting documents. Army officials stated they had established a Mission Work Agreement with DFAS, a document that defines the terms of work, describing various types of services DFAS provides to the Army, including those associated with financial reporting, civilian and military pay, contract pay, and other processes. However, it does not contain the level of detail needed in an MOU to help ensure coordination, performance, and accountability of the parties, such as a clear linkage between the services described and specific control activities DFAS is required to perform that affect the Army's financial reporting objectives. According to Army officials, efforts to coordinate with service providers to obtain sufficient information on their business processes and systems and establish MOUs has been challenging as relationships and audit readiness interdependencies with the service providers are very complex. They also indicated that the FIAR Directorate has been taking a lead role in coordinating efforts of service providers to help facilitate the development of MOUs but that time frames for finalizing them had not been determined. Until the relationships between the Army and its service providers are identified and documented in sufficient detail, the Army remains at risk of important tasks necessary to ensure audit readiness not being identified or completed as intended. The Army's Assessment of Key Risks Is Not Documented: Per the FIAR Guidance, Task 2 of the Discovery Phase (prioritizing readiness efforts) requires reporting entities to rank all assessable units based on materiality and to identify and document qualitative risks and other factors associated with each of those identified. Also, this task requires reporting entities to identify and document entity-level controls, including assessments of internal and external risks that may affect their readiness efforts and serve as the basis for their FIPs.[Footnote 23] The Army developed its FIP for budget execution to help guide its General Fund SBR audit readiness activities and focus efforts on implementing GFEBS-based audit-ready processes. However, for this task, we found that the Army did not identify and document its consideration of several significant qualitative risks and other factors in developing its General Fund FIP for budget execution. Documentation demonstrating the Army's identification and evaluation of these risks is essential to help ensure that incremental SBA and full SBR audit readiness goals will be achieved. Additional details concerning these risks are highlighted below. Reliance on service providers. The Army relies heavily on service providers, such as DFAS, to process accounting and payment transactions as well as ensure the effectiveness of the controls and information systems they use in providing support to the Army. Accordingly, the FIAR Guidance requires service providers to ensure the readiness of their systems and business processes that have a material impact on reporting entity SBRs. However, as previously discussed, the Army's efforts to better understand and document complex relationships and audit readiness interdependencies with service providers have not been completed, hampering its ability to obtain sufficient information concerning risks associated with their activities. Further, the Army's ability to rely on service providers remains unclear since, as discussed later in this report, IPA or DOD OIG assessments of the audit readiness of service provider systems and processes have not been completed. As a result, the Army is at increased risk that it may not meet its audit readiness goals. Limitations in scope of audit readiness efforts. As previously discussed, the Army's strategy did not include efforts to ensure the audit readiness of (1) SBR beginning balances and (2) certain legacy systems and business processes the Army relies on to support significant portions of its SBR. Risks associated with these scope limitations, if not properly addressed, could adversely affect the Army's ability to achieve audit readiness goals as highlighted below. * Beginning balances. The Army reported beginning balances (as of October 1, 2012) of $44.3 billion and $138.7 billion for unobligated and unpaid obligated balances, respectively, on its General Fund SBR for fiscal year 2013, representing amounts associated with prior year funding brought forward from fiscal year 2012.[Footnote 24] While the FIAR Guidance provides for limiting the focus of initial audits to current year budget activity and expenditures contained in SBAs, it does not eliminate the requirement to identify and assess risks associated with these beginning balances for achieving full SBR auditability. Accordingly, assessing the extent to which amounts associated with prior year funding may affect efforts to achieve this goal is essential. Also, apart from the FIAR requirements, the Army continues to be responsible for the accuracy of reported balances relating to current and prior year budget activity in order to comply with appropriations law, and to accurately report them by appropriation for inclusion in the President's annual budget request. [Footnote 25] Recognizing the need to ensure the accuracy of information contained in agency budget requests, agencies are also required to include information in their audited financial statements showing material differences between key amounts contained in their SBRs and related amounts contained in the President's Budget.[Footnote 26] However, the Army's most recent financial statements for fiscal years 2013 and 2012 remain unaudited and, importantly, do not provide information regarding material differences, if any, between comparable amounts reported in its SBR and the President's Budget. As a result, the extent to which the Army can provide needed assurance regarding the accuracy of reported balances and activity related to prior budget years contained in the President's Budget is limited. Despite these requirements, Army officials told us that the Army had not identified risks associated with beginning balances reported on its SBR or assessed how and when efforts to prepare auditable SBAs would result in full SBR audit readiness. Specifically, at the time of our review, the Army had not determined how achieving audit readiness would be affected by expenditures or other activity associated with beginning balances that are expected to occur in future years. The Army has various appropriated funds that are available for obligation for 1, 2, 3, and 5 fiscal years. After these periods of availability expire, the accounts remain open for 5 additional fiscal years to adjust or liquidate obligations before the accounts are closed and any remaining balances are canceled. For example, the fiscal year 2012 ending balances included five 3-year procurement appropriation accounts containing $12.3 billion that had not been obligated for payment, and $39.2 billion that the Army had obligated to pay but had not yet disbursed. The Army will potentially be required to account for these procurement appropriations into fiscal year 2019, beyond the current audit readiness plan as well as the September 30, 2017, deadline for achieving auditability of its full SBR and other financial statements for fiscal year 2018. Additional analysis documenting and supporting the Army's expectations concerning the extent to which future SBRs may include significant activity and balances associated with these multiyear appropriation funds would assist in assessing risks that could impede audit readiness. * Legacy systems. According to the FIAR Guidance, reporting entities involved in system transformation initiatives are required to assess the target dates of their to-be environments against their audit-ready assertion dates to determine whether existing systems, to-be systems, or both should be included in their current readiness efforts. In this regard, based on transformation efforts associated with implementing GFEBS and other key ERP systems intended to replace certain existing legacy systems, the Army excluded tasks to ensure the readiness of these legacy systems and related business processes from the scope of its readiness efforts. The Army expects the appropriation accounts that would continue to generate transaction data from such systems to be expended or expired and thus amounts would become immaterial over time. However, officials told us that they were uncertain as to how continued reliance on these systems may affect initial audits. For example, officials told us that a timeline for transitioning funding for classified and other associated activity from legacy systems to a GFEBS-based environment has not been determined. Until this transition occurs, ongoing activity accounted for in legacy systems could have a major impact on the Army's SBAs and SBR. Also, processing billions of dollars in unobligated balances and unpaid obligations in the Army's five procurement appropriation accounts that are accounted for in legacy systems as previously discussed could take several years. Therefore, this ongoing activity will likely affect initial examinations of incremental SBAs currently expected to begin with fiscal year 2015 as well as full SBRs to be examined in subsequent years. Army officials acknowledged these risks and that the Army had not documented its assessment of them. Despite the uncertainty associated with how these risks may affect the auditability of the Army's incremental SBAs and full SBRs, according to Army officials, the scope of their efforts and plans for adhering to established audit readiness assertion and examination milestones have remained unchanged. However, without sufficient documentation identifying these risks and assessing their potential impact on producing auditable SBAs and full SBRs within established time frames, the Army is unable to provide needed assurance that its strategy will achieve audit readiness or when it will be achieved. Further, as discussed earlier, the NDAA for Fiscal Year 2013 requires that DOD's FIAR Plan Status Reports include the Army's determination on whether it will achieve an auditable SBR by September 30, 2014. Recognizing the potential impact of audit readiness challenges, the NDAA also requires that the FIAR Plan Status Report include an alternative date for achieving SBR audit readiness if the Army determines that it is unable to meet this deadline. However, the Army's determination, as presented in the November 2013 FIAR Plan Status Report, did not meet these requirements. Specifically, while the Army's determination stated that it would achieve SBA audit readiness by September 30, 2014, it did not address whether full SBR auditability would be achieved by that date or, if not, clearly indicate an alternative deadline for doing so. The Army Did Not Effectively Implement Key Tasks in Its Budget Execution FIP in Accordance with FIAR Guidance: For those budget execution audit readiness activities the Army determined to be within the scope of its FIP for budget execution, the Army has made progress toward implementing the first three phases of Discovery, Corrective Action, and Assertion/Evaluation. For example, the Army identified selected control activities and conducted monthly tests to assess their effectiveness, developed tools to assist commands in assessing controls and remediating deficiencies, and outlined efforts to address IPA-reported deficiencies related to its Wave 2 audit readiness assertion. However, we found that it did not always follow the FIAR Guidance in performing tasks required for these phases. For example, we found that the Army's documentation and assessment of internal controls were not always complete or accurate and that extensive deficiencies had not been remediated prior to an IPA firm's examination of its audit readiness efforts. The Army plans to address remaining tasks required for the Validation and Audit Phases after June 2014. Discovery Phase Tasks Were Not Effectively Implemented: As a result of the Army's decision to limit the scope of its FIP for budget execution, remaining Discovery Phase efforts largely focused on establishing an audit-ready GFEBS environment. In connection with these efforts, the Army prepared narratives, flowcharts, and risk assessments documenting manual and GFEBS automated control activities and financial reporting objectives as well as an inventory of key supporting documents associated with various SBR-related business processes. The Army also prepared a reconciliation of GFEBS activity to help identify the population of transactions to be used for assessing controls and summarized its evaluation of controls in its annual statement of assurance on internal controls over financial reporting and financial systems.[Footnote 27] However, as discussed below, based on our review of efforts as the Army was completing its Discovery Phase activities in June 2013, it had not completed or effectively implemented Discovery Phase Task 3 (document processes and assess/test controls) and Task 4 (evaluate supporting documentation) as required by the FIAR Guidance. Without effective implementation of the Discovery Phase of the FIAR Guidance for its budget execution FIP, the Army is at increased risk that problems that could hinder audit readiness efforts will not be identified and controls for ensuring reliable financial reporting will not be effectively tested, assessed, or documented. Further, without adequate, reliable information on the effectiveness of controls, including those at the command level and those associated with its information technology systems, the Army is at increased risk of not fully addressing deficiencies that may significantly affect its ability to achieve its audit readiness goals. Documentation of Business Processes and Control Assessments Was Incomplete: With regard to Task 3 of the Discovery Phase on documenting processes and related control assessments and testing, we found the following. * Documentation of the linkage of certain financial reporting objectives to related control activities was incomplete.[Footnote 28] The FIAR Guidance requires reporting entities to evaluate control activities to determine if they have been designed to meet financial reporting objectives. However, the Army's listing of controls used to demonstrate this linkage did not identify controls to address 13 of 84 financial reporting objectives, which could lead to weaknesses in financial reporting. For example, the listing did not identify specific control activities to ensure that obligations relate to valid appropriations and do not include any expired, canceled, or rescinded amounts.[Footnote 29] Based on our review of the missing linkages we identified and discussions with officials, the Army did not sufficiently monitor the preparation of the listing to ensure its completeness. Effective monitoring controls to detect or prevent such omissions are essential as the lack of complete, accurate information on the control activities the Army relies on to achieve its financial reporting objectives could impede future efforts to audit its financial statements. * Documentation of the criteria and processes used for identifying key information technology systems was incomplete. Specifically, the FIAR Guidance required the Army to identify key systems and feeder systems affecting audit readiness assertions and to consider various types of systems, such as general ledger systems, source/feeder systems, disbursing systems, reporting systems, and property management systems, as well as system interfaces. According to documentation provided by Army officials, the Army identified 16 of 66 systems as key systems affecting SBR audit readiness. This included GFEBS and other systems used to process detailed transactions and provide accounting data to be recorded in GFEBS, such as the Army's key military pay system. Army officials told us that its determination that a system was key was based on the number and value of transactions initiated or processed by the system and by other factors, such as whether the system would be replaced. While its assessments were discussed in various meetings with FIAR Directorate and DFAS officials, the Army did not document the specific criteria and assessment process used to support its determination. Without adequate documentation to support the identification of key systems, the Army could not provide assurance that all key systems had been identified and that they were included in its audit readiness efforts. * According to the FIAR Guidance, the Army is required to assess the effectiveness of its internal controls. Further, the Army has determined that individual commands are responsible for the implementation of controls within their command. Therefore, the effectiveness of controls Army-wide depends largely on efforts to ensure that they are operating effectively at each command.[Footnote 30] However, Army officials told us that assessments of the effectiveness of controls at specific commands were not always reliable. The results of assessments performed by commands in 2012 using a checklist indicated that 64 percent of controls assessed were operating effectively.[Footnote 31] However, Army officials stated that the checklist was to help commands understand their roles and responsibilities, and acknowledged that the Army could not rely on self-reporting by commands as a useful measure of audit readiness. While a checklist can provide guidance and assist in identifying weaknesses, officials at the commands we visited told us that users may not be sufficiently knowledgeable to accurately complete it. Also, officials at all three commands we visited told us that their ability to review and assess the effectiveness of controls has been hampered by a lack of funding and staffing. For example, an official in the organization responsible for reviewing control assessments at one command told us that its ability to perform this function was limited because of a 34 percent vacancy rate in staffing. In addition, this official told us that internal control assessments prepared at the specific garrison level within a command were not always reliable. [Footnote 32] Officials attributed this, in part, to those preparing them not having appropriate skills or not performing sufficient testing to adequately assess whether controls were operating effectively. Command officials also explained that much of the information they have on control assessments relates to results associated with the Army's centralized testing of the operating effectiveness of manual controls. In connection with this testing, the Army established a failure rate of 5 percent or less as its goal for assessing the effectiveness of controls. Results of this testing on the number of commands tested through May 2013, when the Army was completing its Discovery Phase efforts, indicated failure rates that averaged 56 percent, as shown in figure 3.[Footnote 33] Figure 3: The Army's Reported SBR Internal Control Test Failure Rates for Commands Tested: [Refer to PDF for image: vertical bar graph] Failure rate: June 2012 (8 commands tested): 64%. July 2012 (8 commands tested): 66%. August 2012 (1 command tested): 68%. September 2012 (0 commands tested): Testing not performed. October 2012 (8 commands tested): 48%. November 2012 (4 commands tested): 28%. December 2012 (1 command tested): 67%. January 2013 (19 commands tested): 46%. February 2013 (19 commands tested): 64%. March 2013 (23 commands tested): 55%. April 2013 (25 commands tested): 54%. May 2013 (26 commands tested): 42%. Average total: 56%. Source: GAO analysis of Army Leadership Briefs, June 2012 through May 2013. Notes: Monthly failure rates shown above are reported in Leadership Briefs along with data used to calculate them, including the total number of sample items tested (i.e., specific control activities associated with selected transactions) and number of sample item failures (i.e., control activities not operating effectively). The average total failure rate, calculated by GAO, represents the total number of sample item failures divided by sample items tested across all months, based on monthly data reported in the Leadership Briefs. While Army operates through 23 commands, the number of commands tested also includes headquarters, and other direct reporting units. [End of figure] Army officials attributed the November 2012 drop in failure rates to 28 percent, in part, to the experience gained by the use of GFEBS by the four commands that were tested that month. As indicated in figure 3, beginning in January 2013, Army greatly expanded its testing to include all remaining installations migrating to GFEBS. With the substantial increase in new users, test results indicated failure rates for January and February 2013 of 46 percent and 64 percent, respectively. Also, the Army found that all the controls tested for February and March 2013 (14 and 15 controls, respectively) were operating ineffectively. As installations become more experienced with GFEBS, the Army expects the failure rate to decrease. However, the methodology for the Army's centralized testing was designed to produce reliable results Army-wide, and as command officials pointed out, it was not designed to produce reliable assessments of controls at the specific command level. Further, these officials highlighted how Army-wide assessments can vary significantly from more detailed assessments performed at the command level. For example, controls tested for 6 of 15 Army Reserve Command sample items associated with two business processes (i.e., temporary duty travel and supply) were found to be ineffective during the Army's February 2013 centralized testing process, equating to a 40 percent failure rate. Army Reserve Command conducted its own tests using a larger sample of 412 items across eight business processes that resulted in a much higher (77 percent) failure rate.[Footnote 34] Command officials described plans for performing additional assessments to better understand the effectiveness of their controls; however, they acknowledged that insufficient information on the effectiveness of controls has hampered their ability to develop and execute appropriate corrective actions to address control deficiencies. * The FIAR Guidance requires reporting entities to document their understanding of business processes, systems, and related control activities with narratives, flowcharts, risk assessments, and internal control worksheets. However, documentation describing Army SBR-related processes and systems was incomplete. The documentation did not address complete end-to-end processes, including those related to legacy systems and service provider activities and feeder systems, thus limiting the Army's ability to perform complete control assessments.[Footnote 35] Service providers are responsible for the systems they operate and processes they perform on behalf of reporting entities, and tasks for preparing process and system narratives and assessing controls associated with four service providers are included in the Army's FIP for budget execution.[Footnote 36] However, we found that the Army had not completed these tasks and, as a result, did not have sufficient information to effectively assess how service provider- related activities may affect its ability to achieve SBR audit readiness. Army officials told us that except for DFAS, service providers had not provided sufficient documentation of their control activities as required by the FIAR Guidance. Such documentation is needed for a clear understanding of how the Army's financial reporting objectives may be affected by service provider controls and documentation. According to the FIAR Guidance, to assess and provide assurance on the effectiveness of their controls, service providers are to undergo annual examinations in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.[Footnote 37] Army officials told us that they are participating in a FIAR Directorate working group established to direct and coordinate service provider-related audit readiness efforts. According to Army officials, this group is working to help map out complete end-to-end business processes involving responsibilities shared by service providers and reporting entities. In addition, Army officials told us that the group is working to facilitate and monitor service provider efforts to prepare for SSAE No. 16 examinations to be conducted by IPA firms to provide an independent assessment on the effectiveness of service provider control activities. Because of the Army's reliance on service provider controls to achieve its General Fund SBR financial reporting objectives, Army officials told us that their readiness efforts greatly depend on the results of service provider SSAE No. 16 examinations. According to the November 2013 FIAR Plan Status Report, initial SSAE No. 16 examinations for 7 of 13 service provider assessable units and systems are scheduled for completion from April 2014 through September 2015. The adequacy of controls associated with units and systems to be assessed through these examinations--such as those focused on contract pay at DFAS and the Defense Contract Management Agency--will affect the Army's SBR audit readiness goal. Accordingly, the Army's efforts to obtain the results of service provider SSAE No.16 examinations and assess them to determine the adequacy of controls supporting complete end-to-end business processes will be essential. Audit Readiness Progress Reports Were Not Accurate: With regard to Task 4 of the Discovery Phase on the evaluation of supporting documentation, the status of audit readiness efforts was not accurately reflected in the Army's budget execution FIP status reports.[Footnote 38] For example, some activities that have been ongoing since 2010 were, as of May 31, 2013, reported in the Army's FIP status report at zero percent complete although they were expected to be 100 percent complete in April 2013. An Army official acknowledged that there were several tasks on the FIP status report that were erroneously reported as zero percent completed that in fact had been completed. Further, according to DOD's May 2013 FIAR Plan Status Report, the Army's SBR Discovery Phase efforts were completed as of March 2013. However, this report was in conflict with the most recent FIP status report at the time. The March 2013 status report indicated that 62 percent of Discovery Phase tasks were completed, with many tasks not expected to be completed until after March 2013. Also, Army officials told us that they had limited time to update FIP status reports because of efforts focused on preparing for the Wave 3 assertion in June 2013 and because OUSD(C) did not require updated reports during the 90-day period leading up to readiness assertions. According to Standards for Internal Control in the Federal Government, entities must have relevant, reliable, and timely communications to run and control their operations and determine whether performance plans and accountability goals are being met.[Footnote 39] The lack of accurate and consistent information on progress and plans for completing remaining audit readiness tasks limits the ability to effectively manage risks and assess performance. Corrective Action Phase Tasks Were Not Effectively Implemented: While some progress had been made on the Army's SBR FIP for budget execution tasks we reviewed through May 2013 when it was preparing its readiness assertion for Wave 3 GFEBS processes and locations, it was still in the process of completing its corrective action efforts. However, for actions taken through this date, we found that the Army's efforts did not effectively address the FIAR Guidance requirements for the Corrective Action Phase tasks for the budget execution FIP of identifying appropriate corrective actions, validating their effectiveness, and adequately tracking progress. As a result, the Army is at increased risk that problems identified during the Discovery Phase may not be addressed and may therefore hinder its ability to ensure that audit readiness goals are effectively achieved. As defined in the FIAR Guidance, the Corrective Action Phase comprises five tasks: (1) design of the audit-ready environment, to include requirements for remediating deficiencies in internal controls and supporting documentation; (2) development of corrective actions, to include concrete corrective action plans (CAP) to resolve each deficiency identified during the Discovery Phase; (3) development of resource requirements, to include budget estimates of funding and staffing to execute the CAPs; (4) execution of the CAPs, to include performing procedures to verify that the CAPs have successfully remediated the deficiencies; and (5) notification to the FIAR Directorate that the reporting entity is ready for an examination of its assessable unit.[Footnote 40] The Army has taken steps toward completing these tasks, such as developing The SBR Audit Support Handbook--a reference tool to assist commands in implementing GFEBS- based processes and remediating deficiencies--and estimates of resources required to execute CAPs and conduct other audit readiness activities. However, as discussed below, we found that the Army's efforts to develop and execute corrective actions (Corrective Action Phase Tasks 2 and 4) did not provide adequate assurance that deficiencies identified during the Discovery Phase will be resolved as required by the FIAR Guidance. Effectiveness of Efforts to Develop and Execute Corrective Actions Unclear: According to its FIP status report, the Army began efforts to develop and execute corrective actions in March 2011 and June 2011, respectively, to address deficiencies identified during the Discovery Phase. Army officials explained that the primary components of the Army's corrective action strategy are to provide targeted feedback to commands on control failures identified through monthly testing; perform targeted follow-up visits at commands to address specific challenges; and provide training, guides, and other tools to support corrective action within commands. However, for the Corrective Action Phase, the Army was unable to clearly demonstrate the extent to which (1) CAPs had been developed containing specific actions to resolve each identified deficiency (Task 2) and (2) required actions had been completed and deficiencies had been resolved (Task 4). These limitations resulted from a corrective action strategy and related oversight activities that were not designed to provide sufficient detail on corrective action efforts and to ensure their effectiveness. Additional information on these limitations is discussed below. * Extent to which CAPs were developed to resolve identified deficiencies unclear. The effectiveness of the Army's corrective actions depends on its efforts to ensure the completeness and effectiveness of CAPs containing specific actions planned to resolve identified deficiencies and their underlying causes. Recognizing the need to ensure the completeness of corrective actions and provide a means for tracking their status, the FIAR Guidance requires reporting entities to include corrective actions to resolve each deficiency identified in the corrective action sections of their FIP status reports. However, actions listed in the Army's report were not linked to specific CAPs developed to address identified deficiencies, and as a result, the Army's ability to demonstrate the completeness of its corrective actions was limited. Rather than listing specific tasks or references to specific CAPs, actions listed on the Army's report largely consisted of references to specific control activities that were not effectively implemented based on the results of monthly control testing. Further, in many instances these references were outdated, as they cited controls in existence prior to the Army's realignment of controls in February 2013.[Footnote 41] Additionally, we found that the Army's FIP status report did not include corrective actions for addressing other known deficiencies and assessing the severity of each as a deficiency, a significant deficiency, or a material weakness, as required by the FIAR Guidance.[Footnote 42] For example, we found that the Army's FIP status reports did not indicate the severity or include actions to correct deficiencies associated with (1) service provider controls and systems, (2) GFEBS system issues, and (3) the lack of supporting documentation identified through substantive testing.[Footnote 43] In addition, the effectiveness of the Army's corrective actions for resolving deficiencies largely depends on the effectiveness of its discovery efforts. However, as previously discussed, the Army had not effectively implemented Discovery Phase tasks, including efforts to document processes and assess controls. Consequently, its ability to ensure the effectiveness of corrective actions was limited. Further, we found that CAPs at the command level were not always effective. For example, at one of the commands we visited, corrective actions contained in the commander's checklist were not specific enough to address the extensive weaknesses reported. Command officials explained that this occurred, in part, because sufficient efforts to assess controls had not been completed to effectively determine the causes of identified deficiencies, thus limiting their ability to develop effective corrective actions to remediate the deficiencies. In addition, command officials told us that other issues hampering their discovery efforts also adversely affected their ability to effectively develop and execute corrective actions. These issues included the lack of sufficient resources and personnel with appropriate skills. Also, identifying the underlying causes of identified deficiencies is essential for developing specific tasks to remediate them. As part of its centralized monthly testing, the Army identified the reasons for each sample-item failure and communicated them to affected commands. In Leadership Briefs summarizing test results, the primary reason provided for these failures was documents not being signed and dated as evidence of review. However, other reasons contributed to sample- item failures but the Army had not analyzed them to better understand their relative significance and assist in identifying underlying causes. Accordingly, we analyzed the reasons for the failures for January 2013 through March 2013 by grouping them into four categories based upon data provided at the time of our review in May 2013.[Footnote 44] (See figure 4.) Figure 4: Reasons for Internal Controls Deficiencies: Results of Army Testing, January 2013 through March 2013: [Refer to PDF for image: horizontal bar graph] Why did internal controls fail? Insufficient documentation: 60%; Lack of appropriate review or approval: 20%; Documentation does not agree with GFEBS data: 11%; Other (e.g., reconciliations not performed, control not completed timely, documentation not legible): 9%. Source: GAO analysis of Army testing results. [End of figure] Our analysis showed that over half of the failures identified were due to supporting evidence not being provided. This category also included samples for which a command had not provided a response to requests for documentation within required time frames.[Footnote 45] Officials at the three selected commands we visited told us that providing the supporting documentation within 15 days as required by the Army's monthly testing schedule was often difficult because they needed to coordinate with other entities to obtain the documentation. Also, Army officials stated that they have been analyzing the nonresponses to better understand why they occurred and attributed them, in part, to the need to more timely obtain documentation from third-party stakeholders, such as DFAS. They also acknowledged that some deficiencies extended across commands and, in some instances, were outside the control of individual commands. For example, command officials told us that their test failures sometimes resulted from following the Army's guidance for executing business process activities that had not been updated to reflect changes in procedures resulting from previously implemented systems changes. However, the ability to assess the extent to which the Army's corrective actions are targeted at addressing the underlying causes contributing to sample-item failures is limited as corrective actions to address identified deficiencies were not linked to specific tasks or references to specific CAPs. * Extent to which required actions were completed and effective unclear. Recognizing the need for information to measure efforts to execute corrective actions, the FIAR Guidance requires reporting entities to (1) verify that CAPs have been effectively implemented and have remediated identified deficiencies and (2) update FIP status reports to reflect corrective action progress each month. These updates are to include any scope and timeline changes resulting from their efforts. However, we found that the Army was unable to effectively demonstrate its verification that CAPs had been effectively implemented. This occurred because corrective actions listed in its FIP status report were not linked to CAPs containing specific tasks and time frames for their completion to remediate deficiencies. Army officials explained that the Army was relying on the results of its centralized monthly control testing as its primary means to monitor the effectiveness of corrective actions. These results indicated failure rates of 56 percent on average, raising questions concerning the effectiveness of the Army's corrective actions. Further, while such results may be a useful indicator of progress, they do not identify the root causes for testing failures or provide needed assurance that deficiencies have been resolved. Verification that tasks have been completed and have effectively remediated deficiencies would enable the Army to better demonstrate that it has sufficient assurance concerning the effectiveness of its efforts. In addition, the Army's progress toward completing corrective actions as reported in its FIP status reports was not accurate and the reliability of its estimates for completing them was unclear. Specifically, Army status reports indicated the status of many corrective action tasks as zero percent complete. According to Army officials, this status was based largely on results associated with its monthly control testing. They also explained that although the Army has been working on corrective actions since 2011, it had difficulties in estimating interim percentages to accurately reflect the extent of progress achieved. In addition, Army FIP status reports indicated that corrective actions would be completed by March 2014. This estimate, according to Army officials, was based largely on dates previously established to meet audit readiness assertions. However, since the Army's reported progress and estimates for completing corrective actions are not linked to CAPs containing specific actions already taken and time frames for completing those still remaining to remediate deficiencies, their accuracy and reliability remain unclear. According to its corrective action strategy, the Army placed responsibility on commands to resolve identified deficiencies. However, the limitations we identified resulted from insufficient oversight steps to clearly demonstrate the completeness and effectiveness of the Army's efforts to resolve deficiencies within planned time frames. Such steps would include linking corrective actions on its FIP status report to CAPs containing specific tasks required to resolve identified deficiencies and their underlying causes and time frames for their completion. Without such oversight of its corrective actions, the Army lacks needed assurance concerning whether efforts to achieve auditability of its SBAs and full SBRs will occur as planned. The Army Did Not Follow FIAR Guidance in Implementing Assertion/ Evaluation Phase Tasks: Some progress had been made in completing Assertion/Evaluation Phase tasks, including IPA examinations of the Army's Wave 1 and 2 audit readiness assertions, and examination of its Wave 3 assertion is expected to be completed by May 2014. However, for actions taken through June 2013, when it was completing its Wave 3 readiness assertion, we found that the Army's efforts did not effectively address the FIAR Guidance requirements for the Assertion/Evaluation Phase tasks for the budget execution FIP in assessing whether the reporting entity was ready for an independent audit of its readiness assertion. As defined by the FIAR Guidance, the Assertion/Evaluation Phase comprises five tasks: (1) the FIAR Directorate evaluates the documentation to determine the state of audit readiness; (2) the FIAR Directorate provides feedback to the reporting entity on its status of audit readiness; (3) reporting entity management asserts audit readiness and an auditor is engaged to examine and identify any deficiencies in its assertion; (4) the reporting entity evaluates the nature and extent of deficiencies noted by the auditor on its assertion and implementation of corrective actions to remediate them; and (5) the reporting entity verifies that corrective actions successfully remediated auditor-identified deficiencies. The FIAR Guidance was revised in March 2013 to accelerate the involvement of IPAs in performing independent assessments to better identify control deficiencies. However, the guidance continues to require reporting entities to perform procedures to verify that corrective action plans were implemented and that they successfully remediated deficiencies prior to engaging an IPA. Upon the FIAR Directorate's review of readiness documentation and approval to proceed with an IPA examination, reporting entities are required to prepare a written assertion declaring that the subject matter to be examined is audit ready in conformity with the internal control and supporting documentation criteria contained in the guidance. For the Assertion/Evaluation Phase tasks, the FIAR Directorate evaluated documentation supporting the Army's Wave 2 audit readiness assertion, and the Army outlined efforts to address deficiencies reported by an IPA based on its examination of the Army's assertion. However, we found that the Army did not follow the FIAR Guidance for Assertion/Evaluation Phase Tasks 2 (FIAR Directorate feedback on audit readiness) and 3 (reporting entity evaluation of audit readiness assertion) as discussed below. Feedback on Audit Readiness Status Highlighted Significant Concerns: With regard to task 2 on providing feedback on the Army's status of audit readiness, the FIAR Directorate concluded, based on its review of the FIP for budget execution efforts contained in the Army's Wave 2 assertion package that Army commands within the scope of the assertion were not ready for the type of examination envisioned under the FIAR Guidance. Specifically, OUSD(C) noted in a July 2012 memorandum to the Assistant Secretary of the Army (Financial Management and Comptroller) that the Army's testing indicated that (1) 33 percent of identified manual controls were not implemented, 31 percent were not tested, and 1 percent was operating effectively and (2) 30 percent of general and application information technology controls tested were operating effectively.[Footnote 46] Further, OUSD(C) highlighted other concerns in its memorandum--such as key process and control gaps in end-to-end processes, an inadequate reconciliation of complete populations of transactions to the general ledger, and insufficient substantive testing to support general ledger transaction and account balances. According to the memorandum, OUSD(C) also noted that Army representatives stated that corrective actions had been implemented and controls were operating effectively. However, the Army had not fully retested remediation actions because of time constraints and, as a consequence, had not provided evidence to demonstrate effective implementation of corrective actions. Nonetheless, OUSD(C) documentation indicated that it supported the Army's efforts to proceed to an IPA examination, in part, to enable it to accelerate efforts with clear and independent feedback on its approaches, assumptions, and judgments. However, based on the extensive nature of the deficiencies noted above, accelerating these efforts prior to remediating them may not be cost effective, given the likelihood that an IPA would identify similar deficiencies during its examination. Effectiveness of the Army's Audit Readiness Assessment Was Unclear: With regard to Task 3 on assessing audit readiness, the Army's June 2012 assertion memorandum for Wave 2 stated that all applicable control activities had been effectively implemented. However, specific information on the effectiveness of controls contained in its assertion package indicated the existence of extensive deficiencies and control gaps. Nevertheless, the Army proceeded to have its Wave 2 audit readiness assertion examined by an IPA firm despite extensive uncorrected internal control deficiencies. In April 2013, the IPA reported several inadequacies in the Army's Wave 2 readiness assertion. The IPA reported one material deviation (the Army did not identify all financial reporting objectives and controls in GFEBS and its processes or complete end-to-end process reviews in accordance with the FIAR Guidance); three material weaknesses (in GFEBS information technology controls, journal voucher processing, and documentation supporting the design and operating effectiveness of controls); and one significant deficiency (in evidence of internal control implementation). Army officials stated that the IPA exams were beneficial in giving commands experience in undergoing an audit. However, an IPA exam to validate audit readiness assertions can be costly, not only in terms of IPA fees, but also in terms of focusing the Army's efforts on a validation process likely to identify deficiencies already known to exist and potentially delaying efforts to remediate them. Accordingly, conducting IPA exams prior to the Army taking steps to verify that significant known deficiencies have been addressed is not a cost-effective approach for achieving audit readiness. To help minimize the inefficient use of resources when previously identified deficiencies have not been addressed, the NDAA for Fiscal Year 2002 offered DOD some relief from the cost and time associated with preparing and auditing unreliable financial statements.[Footnote 47] Similarly, redirecting resources toward addressing known deficiencies rather than validating their existence could enhance the Army's ability to ensure the completeness and accuracy of its audit readiness assertion and achieve SBR auditability in a more cost-effective and timely manner. Conclusions: The Army has made a commitment to audit readiness and taken steps to follow the FIAR Guidance. This commitment has resulted in some progress and helped to develop an essential foundation on which further progress can be achieved. However, in implementing its General Fund SBR FIP for budget execution, the Army has not completed tasks required by the FIAR Guidance to ensure that risks and other key aspects of its efforts, including business processes, key systems, and controls that it and its service providers rely on to achieve audit readiness, are adequately documented and evaluated. Also, extensive deficiencies identified have not been resolved, increasing the likelihood that audit readiness of the Army's SBR will not be achieved as planned. DOD's FIAR Plan and Guidance describe steps for achieving audit readiness of its full SBR and other financial statements by September 30, 2017, as mandated by the NDAA of Fiscal Year 2010, as well as incremental SBA readiness by September 2014. However, the Army had not documented its assessment for how and when its approach is expected to achieve the goal of producing an audit-ready SBR, including risks related to excluding steps to ensure the audit readiness of billions of dollars of beginning balances and legacy system activity from the scope of its efforts. Overall, the gaps and deficiencies we identified throughout the various phases of the Army's efforts to develop and implement its FIP for budget execution were largely due to its focus on (1) an approach that emphasizes establishing audit-ready GFEBS-based processes and (2) meeting scheduled dates and asserting audit readiness before correcting extensive control deficiencies. However, this approach raises serious concerns regarding the reliability of the Army's readiness assertions, the likelihood that SBA and full SBR audit readiness will occur as planned, and the Army's ability to ensure the accuracy of financial information used to monitor budgetary resources to achieve its mission. Recommendations for Executive Action: To improve the Army's implementation of the FIAR Guidance for its General Fund SBR FIP for budget execution and facilitate remaining efforts to achieve SBR auditability, we recommend that the Assistant Secretary of the Army, Financial Management and Comptroller, take the following 10 actions: * identify activity attributable to assessable units associated with service provider systems and business processes having a significant impact on the Army's SBR; * coordinate efforts with service providers to obtain and document within MOUs a shared understanding of roles and responsibilities for processing Army data; * identify and document qualitative risks and other factors, including those associated with the Army's reliance on service provider readiness efforts as well as other processes and systems supporting significant portions of its SBR that the Army excluded from the scope of its readiness efforts and assess their potential impact on SBA and full SBR auditability and established timelines required to effectively achieve audit readiness; * update the Army's determination for achieving SBR audit readiness included in DOD's FIAR Plan Status Report to address NDAA requirements; * completely and accurately document the linkage of financial reporting objectives to control activities; * document criteria and processes for identifying key information technology systems that have a significant impact on the Army's SBR audit readiness; * obtain and assess the results of service provider SSAE No. 16 examinations upon completion to determine the adequacy of internal controls and document complete end-to-end business processes; * update the Army's FIP status reports to include actions to address identified deficiencies related to service providers, systems, and other known issues, along with an assessment of their severity, including references to current control activities with accurate estimates of the completion status; * link corrective actions and estimates for their completion in FIP status reports to (1) specific CAP tasks to resolve deficiencies and their underlying causes and (2) dates for their expected completion; and: * correct significant deficiencies or material weaknesses identified before asserting audit readiness and engaging an IPA to validate the assertion. Agency Comments and Our Evaluation: We provided a draft of this report to the Army for review and comment. In its written comments, reprinted in appendix III, the Army concurred with our recommendations. The Army also described planned and ongoing actions that are being taken in response to our recommendations. These actions include identifying and defining service providers' responsibilities, systems, and controls; assessing risks and additional feeder systems; and updating its FIP status reports to accurately reflect the status of its current and planned efforts. Generally, these actions, if effectively implemented, will help improve the Army's implementation of its General Fund SBR FIP for budget execution and facilitate remaining efforts to achieve SBR audit readiness. The Army's comments did not fully address our recommendation that the Army update its determination for achieving SBR audit readiness included in DOD's FIAR Plan Status Report. Specifically, as indicated in its comments, the Army's Chief Management Officer's determination included in the May 2014 FIAR Plan Status Report stated that most of the Army is well postured to achieve audit readiness of the Schedule of Budgetary Activity by September 30, 2014. The Schedule of Budgetary Activity is expected to reflect the amount of budgetary resources and associated activity related only to funding approved on or after October 1, 2014, and therefore represents an incremental step building toward an audit-ready SBR. As discussed in our report, the NDAA for Fiscal Year 2013 included requirements for the FIAR Plan Status Report to include a determination by the Chief Management Officer of each military department concerning its ability to achieve an auditable SBR by September 30, 2014, and, if unable to meet this deadline, provide an explanation as to why it is unable to meet the deadline as well as an alternative deadline and a description of the plan for achieving an auditable SBR by the alternative deadline. The Army's response did not address the deadline for full SBR auditability, and the May 2014 FIAR Plan Status Report does not presently comply with the NDAA requirements. Updating the FIAR Plan Status Report as required would provide Congress and DOD decision makers with important information on DOD's progress toward meeting auditability and financial management improvement goals. We are sending copies of this report to the Secretary of Defense, the Under Secretary of Defense (Comptroller), the Secretary of the Army, and the Chief Management Officer of the Army. In addition, the report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-9869 or khana@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Asif A. Khan: Director: Financial Management and Assurance: [End of section] Appendix I: Objectives, Scope, and Methodology: The objectives of our review were to determine the extent to which the Army developed and implemented its General Fund Statement of Budget Resources (SBR) financial improvement plan (FIP) for budget execution in accordance with the Financial Improvement and Audit Readiness (FIAR) Guidance with regard to (1) determining the scope of activities included in the FIP and (2) completing those activities included in the scope of the FIP. To address our objectives, we reviewed the Department of Defense (DOD) FIAR Guidance and selected provisions of the National Defense Authorization Acts (NDAA) for fiscal years 2013 and 2010 to understand the methodology the Army is required to use, and related responsibilities, for achieving audit readiness.[Footnote 48] We analyzed the Army's FIP to determine whether it contained elements, such as audit readiness tasks, required by the FIAR Guidance for the portions of the Discovery, Corrective Action, and Assertion/Evaluation Phases completed at the time of our review. The Army plans to address tasks required by the FIAR Guidance for the Validation and Audit Phases after June 2014. Appendix II provides specific information on the phases, tasks, and deliverables required by the FIAR Guidance for reporting entities to include in their FIPs. We also analyzed the SBR FIP deliverables required by the FIAR Guidance, such as process narratives and flowcharts, internal control assessments, and test results as well as results of independent public accountant examinations of the Army's audit readiness efforts. We analyzed other documentation, such as DOD FIAR Plan Status Reports, the Army's Audit Readiness Strategy, and periodic leadership briefs and presentations, to understand the Army's approach for achieving General Fund SBR budget execution audit readiness and high-level efforts to monitor and manage progress and risks, and to determine whether the Army's FIP accurately reflected the status of tasks required to achieve audit readiness. We interviewed the Army's General Fund Audit Readiness Director responsible for the Army's General Fund SBR FIP for budget execution and Army representatives supporting these efforts, as well as officials in the Office of the Under Secretary of Defense (Comptroller), FIAR Directorate, and Defense Finance and Accounting Service, to obtain explanations and clarifications associated with our evaluation of the documentation. We reviewed SBR FIP and audit readiness issues at the Army command level by conducting on-site audit work and interviewing installation officials at Installation Management Command, Fort Sam Houston, Texas, and Forces and Reserve Commands, Fort Bragg, North Carolina. We conducted this performance audit from June 2012 to May 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: FIAR Guidance for Reporting Entities: Table 1 presents the reporting entity methodology in the Financial Improvement and Audit Readiness (FIAR) Guidance, which the Army is required to follow in implementing its financial improvement plan (FIP) for General Fund Statement of Budget Resources budget execution. Table 1: Reporting Entity Methodology for Supporting Audit Readiness Included in DOD's FIAR Guidance: Discovery Phase tasks: FIAR Guidance phases and tasks: 1. The reporting entity performs statement to process analysis (i.e., the identification of assessable units, business processes, systems, and other characteristics associated with amounts reported in financial statement line items), to include activities such as developing and documenting: * a process and system drilldown depicting asset/transaction classes, underlying processes, assessable units and subunits, and associated systems, including "as-is" and any planned "to-be" environments, and; * quantitative and qualitative drilldowns depicting the dollar activity (or balances) resulting from assessable units and subunits; Required deliverables: * Statement to process analysis and drilldowns. FIAR Guidance phases and tasks: 2. The reporting entity prioritizes audit readiness efforts, to include activities such as: * ranking each assessable unit in order of quantitative materiality and developing a list of qualitative risks or factors affecting audit readiness; * documenting audit readiness strategy, and; * developing a systems inventory list to include all current and future systems; Required deliverables: * Assessable unit and audit readiness strategy document systems inventory. FIAR Guidance phases and tasks: 3. The reporting entity documents processes and assesses/tests controls, to include activities such as the following: * Preparing process and system documentation to include narratives, flowcharts, risk assessments, and internal control worksheets documenting financial statement assertion risks, financial reporting objectives, control activities (manual and automated), and information technology general computer controls for significant systems, applications or microapplications, system certifications/ accreditations, system and end user locations, and descriptions of hardware, software, and interfaces; * Planning and executing internal control testing to obtain evidence about the achievement of control objectives and assess the effectiveness of controls that would prevent or; * detect potential misstatements in financial statements, and summarizing and evaluating results and classifying identified deficiencies; * Submitting an annual Internal Control over Financial Reporting (ICOFR) Statement of Assurance (SOA) memorandum and material weakness Corrective Action Plan (CAP) summary based on test results; Required deliverables: * Process and system documentation narratives and flowcharts describing the end-to-end process for an assessable unit; internal control assessments; * Test plans and results, updated control assessments, and classification of identified deficiencies; * Annual ICOFR SOA memorandum and material weakness CAP summary. FIAR Guidance phases and tasks: 4. The reporting entity evaluates supporting documentation, including activities to prepare the population, data mine, identify and document supporting documentation, test existence of documentation supporting transactions and balances, and summarize and report test results; Required deliverables: * Populations and reconciliations, data mining results, criteria matrices, aging analysis, test plans and test results, and evaluation and reporting of test results. Corrective Action Phase tasks: FIAR Guidance phases and tasks: 1. The reporting entity designs audit-ready environment, including requirements for remediating deficiencies in control activities and supporting documentation; Required deliverables: * "To-be" process flows and narratives with description of how documentation deficiencies will be resolved. FIAR Guidance phases and tasks: 2. The reporting entity develops CAPs to resolve deficiencies identified during the Discovery Phase, including efforts to update the corrective action section of the FIP to include the classification of the deficiencies (material weakness, significant deficiency, or control deficiency); Required deliverables: * CAP, updated FIP. FIAR Guidance phases and tasks: 3. The reporting entity develops resource requirements, including estimates of funding and staffing required to execute CAPs; Required deliverables: * Budget estimates and justifications. FIAR Guidance phases and tasks: 4. The reporting entity executes CAPs to reflect progress and accomplishments, including any scope and timeline changes, and verifies that deficiencies have been successfully remediated; Required deliverables: * Updated FIP. FIAR Guidance phases and tasks: 5. The reporting entity notifies the FIAR Directorate of implementation and readiness for examination; Required deliverables: * Notification to the FIAR Directorate of CAP implementation. Assertion/Evaluation Phase tasks: FIAR Guidance phases and tasks: 1. The FIAR Directorate evaluates the reporting entity's FIP documentation to assess whether the reporting entity is ready for an audit; Required deliverables: * Reporting entity FIP documentation. FIAR Guidance phases and tasks: 2. The FIAR Directorate provides feedback to the reporting entity on its status of audit readiness; Required deliverables: * Results of the FIAR Directorate review. FIAR Guidance phases and tasks: 3. If ready for audit, the reporting entity asserts readiness in a management assertion letter and the FIAR Directorate engages an independent public accountant (IPA) or the Department of Defense (DOD) Office of Inspector General (OIG) to perform an examination of the reporting entity's readiness assertion, and the auditor identifies any deficiencies; Required deliverables: * Reporting entity's management assertion letter; IPA or DOD OIG examination report. FIAR Guidance phases and tasks: 4. The reporting entity evaluates deficiencies identified by the IPA or DOD OIG and implements corrective actions to remediate them; Required deliverables: * Updated FIP. FIAR Guidance phases and tasks: 5. The reporting entity verifies that corrective actions successfully remediated auditor-identified deficiencies; Required deliverables: * Updated FIP. Validation Phase tasks: FIAR Guidance phases and tasks: 1. The reporting entity submits additional documentation to the FIAR Directorate demonstrating that deficiencies identified by the auditors have been successfully remediated and audit readiness has been achieved; Required deliverables: * Documentation demonstrating remediation of deficiencies. FIAR Guidance phases and tasks: 2. The FIAR Directorate reviews the examination report and additional documentation demonstrating remediation of deficiencies and makes a final determination of the reporting entity's audit readiness state; Required deliverables: * FIAR Directorate's final determination of audit readiness. Audit Phase tasks: FIAR Guidance phases and tasks: 1. The FIAR Directorate engages an IPA or DOD OIG to perform annual audits; Required deliverables: * Procurement contract. FIAR Guidance phases and tasks: 2. The reporting entity supports the audit process; Required deliverables: * Engagement letter. FIAR Guidance phases and tasks: 3. The auditor issues an audit opinion; Required deliverables: * Audit opinion. Source: DOD FIAR Guidance, March 2013. [End of table] [End of section] Appendix III: Comments from the Department of the Army: Department of The Army: Office of The Assistant Secretary of The Army: Financial Management and Comptroller: 109 Army Pentagon: Washington, DC 20310-0109: SAFM-ZA: Memorandum For: Government Accountability Office, 441 G Street, NW, Washington, DC 20548: Subject: Army Response to the Government Accountability Office Draft Report (GAO-14-60) issued 18 April 2014. 1. Enclosed please find the Army response to recommendations in the Government Accountability Office (GAO) Draft Report on Department of Defense (DoD) Financial Management. 2. The point of contact for this action is Mr. Thomas C. Steffens. He can be reached by e-mail at thomas.c.steffens2.civ@mail.mil or by telephone at 703-601-0512. Signed by: Robert M. Speer: Acting Assistant Secretary of the Army: Enclosure: GAO Draft Report Dated April 18, 2014: GAO-14-60 (GAO Code 197122): "DOD Financial Management: Improvements Needed in Army's Efforts for Ensuring the Reliability of Its Statement of Budgetary Resources" Department Of Defense Comments To The GAO Recommendation: Recommendation 1: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller identify activity attributable to assessable units associated with service provider systems and business processes having a significant impact on the Army's SBR. Army Response: Concur. Army continues to work with service providers, such as the Defense Finance and Accounting Service (DFAS) and Defense Logistics Agency (DLA) to implement policies and procedures for financial reporting; an example includes coordinating an automated solution with DF AS to reconcile the Army's Fund Balance with Treasury which significantly impacts the SBR. In preparation for Examination 3, the Anny identified each Service Provider and their systems by business process that had a significant impact on the Anny's SBR. Recommendation 2: The GAO recommends that the Assistant Secretary of the Anny, Financial Management and Comptroller coordinate efforts with service providers to obtain and document within Memorandums of Understanding a shared understanding of roles and responsibilities for processing Anny data. Army Response: Concur. To date, Anny updates and creates service provider agreements that define roles, responsibilities and support for ongoing audit readiness efforts. These agreements are updated periodically and used as templates for future coordination requirements. Recommendation 3: The GAO recommends that the Assistant Secretary of the Anny, Financial Management and Comptroller identify and document qualitative risks and other factors, including those associated with the Anny's reliance on service provider readiness efforts as well as other processes and systems supporting significant portions of its SBR that the Army excluded from the scope of its readiness efforts and assess their potential impact on SBA and full SBR auditability and established timeliness required to effectively achieve audit readiness. Army Response: Concur. Anny completed Examination 3 of its SBR by an external auditor which provided a list of findings and recommendations. The Anny is implementing a comprehensive corrective action plan to remediate external auditor findings prior to the FY 2015 audit of the SBA. This plan includes an assessment of risk and important factors associated with service provider coordination and systems supporting portions of the SBR in order to take into account full scope audit readiness of Army business processes. Recommendation 4: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller update the Army's determination for achieving SBR audit readiness included in DOD'S FIAR Plan Status Report to address NDAA requirements. Army Response: Concur. The Anny May 2014 FIAR Plan Status Report submission was coordinated with the Office of the Under Secretary of Defense (Comptroller) to ensure compliance with reporting requirements. The Chief Management Officer (CMO) message in the May 2014 FIAR Plan Status Report states most of the Anny is well postured to achieve audit readiness of the Schedule of Budgetary activity(SBA) by September 30,2014. Recommendation 5: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller completely and accurately document the linkage of financial reporting objectives to control activities. Army Response: Concur. As part of ongoing audit readiness efforts, the Army maintains a catalog of internal controls associated with SBR business processes. The Army will revise the internal controls catalog to ensure the proper linkage of financial reporting objectives and control activities. Upon completion of Examination 3, the IPA assessed the linkage of financial reporting objectives to control activities to be a low/minimal risk factor in terms of receiving a clean audit opinion. Recommendation 6: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller document criteria and processes for identifying key information technology systems that have a significant impact on the Army's SBR audit readiness. Army Response: Concur. In preparation for Examination 3, the Army documented each material feeder system and the business process that impacts the SBR. The IPA performed walk-throughs and documented the exact feeder systems the Army had identified during its discovery efforts. As a result of this discovery the Army modified the scope of the Examination 3 to include system assessments of 13 Army owned feeder systems that materially impacted the SBR. Recommendation 7: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller obtain and assess the results of service provider SSAE No. 16 examinations upon completion to determine the adequacy of internal controls and document complete end-to-end business processes. Army Response: Concur. As part of Examination 3, an IPA reviewed all applicable service provider SSAE 16 documentation and identified findings and recommendations for consideration. As a result, the Army will be assessing the complimentary end user controls listed in the SSAE16 reports prior to September 30, 2014. The Army, in coordination with OUSD(C) FIAR Directorate, will continue to coordinate with service providers to obtain and assess internal control documentation for audit readiness. Recommendation 8: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller update the Anny's FIP status reports to include actions to address identified deficiencies related to service providers, systems, and other known issues, along with an assessment of their severity, including references to current control activities with accurate estimates of the completion status. Army Response: Concur. The Army will update the FIP to account for challenges identified in this report and other feedback received from the completion of Examination 3. In addition, the Army will continue to track corrective actions from previous examinations leading up to the FY 2015 SBA audit. Recommendation 9: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller link corrective actions and estimates for their completion in FIP status reports to specific CAP tasks to resolve deficiencies and their underlying causes and dates for their expected completion. Army Response: Concur. The Army will update the FIP to include CAP tasks and associated completion dates. Recommendation 10: The GAO recommends that the Assistant Secretary of the Army, Financial Management and Comptroller correct significant deficiencies or material weaknesses identified before asserting audit readiness and engaging an independent public account to validate the assertion. Army Response: Concur. The Army is implementing a comprehensive corrective action plan to remediate external auditor findings prior to the FY 2015 audit of the SBA. The OUSD(C) FIAR Directorate will assess the Army's assertion of audit readiness and grant the authority to engage an IPA to validate. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Asif A. Khan, (202) 512-9869 or khana@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made key contributions to this report: Roger Stoltz (Assistant Director), James Kernen, Richard Kusman, Marc Oestreicher, Laura Pacheco, Francine DelVecchio, Maxine Hattery, and Jason Kelly. [End of section] Footnotes: [1] In fiscal year 2013, the Army represented 5 percent of the U.S. government's total reported expenditures of $3.5 trillion. The Army operates through 23 commands and direct reporting units, including foreign military operations in Iraq and Afghanistan, with a component strength of over 1.1 million uniformed servicemembers, about 270,000 civilian employees, and thousands of contract employees. [2] Pub. L. No. 103-356, § 405 (Oct. 13, 1994), codified as amended at 31 U.S.C. § 3515. [3] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February 2013). [4] Pub. L. No. 111-84, div. A, § 1003(a), (b) (Oct. 28, 2009). [5] To be ready for an audit, entities must be able to provide sufficient evidence and other information such that the auditor is able to (1) obtain reasonable assurance about whether the financial statements are presented fairly, in all material respects, in conformity with United States generally accepted accounting principles; (2) obtain a sufficient understanding of internal control over financial reporting and compliance to plan the audit; and (3) perform tests regarding compliance with certain laws and regulations and other procedures. Further, the NDAA for Fiscal Year 2014, Pub. L. No. 113-66, div. A, § 1003 (Dec. 26, 2013) also mandates a full audit of DOD's fiscal year 2018 financial statements, and that those results be submitted to Congress by March 31, 2019. [6] The SBR and related disclosures provide information about budgetary resources made available to an agency as well as the status of those resources at the end of the fiscal year. [7] The Army's General Fund includes appropriated funding for military and civilian payroll, facility operations and maintenance, various overseas operations, procurement, research and development, and military construction. It does not include the Army's Working Capital Fund, which is funded primarily from fees charged for goods and services provided to customers. Business processes consist of a sequence of activities that are performed in order to accomplish work and achieve the business's objectives. [8] Under the FIAR Guidance, DOD components include reporting entities (i.e., DOD entities or funds that prepare stand-alone financial statements included in the DOD-wide financial statements) and service providers that provide a variety of accounting, personnel, logistics, systems, or other support services. Further, audit readiness assertions specify that (1) control activities are suitably designed and implemented, operating effectively, and sufficiently documented to provide reasonable assurance that applicable financial reporting objectives are achieved; (2) key supporting documents are readily available for review; and (3) account balances and transactions are accurately recorded. [9] GAO, DOD Financial Management: Improvement Needed in DOD Components' Implementation of Audit Readiness Effort, [hyperlink, http://www.gao.gov/products/GAO-11-851] (Washington, D.C.: Sept. 13, 2011), and DOD Financial Management: Ongoing Challenges with Reconciling Navy and Marine Corps Fund Balance with Treasury, [hyperlink, http://www.gao.gov/products/GAO-12-132] (Washington, D.C.: Dec. 20, 2011). [10] According to the FIAR Guidance, components are required to establish assessable units for all processes, systems, or classes of assets that result in material transactions and balances in their financial statements to help focus their improvement efforts. For example, assessable units may represent business processes associated with specific functions (e.g., civilian pay) or financial activity associated with specific systems (e.g., the Army's General Fund Enterprise Business System). [11] Fund Balance with Treasury is an asset account representing the future economic benefit of monies that an agency can spend for authorized transactions. It primarily consists of all funds on deposit with the Department of the Treasury. Federal agencies use this account to record appropriations, receipts, transfers, and disbursement activity. According to the Army's strategy and the FIAR Guidance, the Army has focused audit readiness efforts on its General Fund, and has not yet finalized its strategy for achieving audit readiness for its Working Capital Fund, which reported $13.7 billion or 4.9 percent of the Army's total budgetary resources for fiscal year 2013. [12] 31 U.S.C. § 331(e). [13] GAO, Financial Audit: U.S. Government's Fiscal Years 2013 and 2012 Consolidated Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-14-319R] (Washington, D.C.: Feb. 27, 2014). [14] The FIAR Directorate provides management of the FIAR Plan to ensure integration of DOD-wide financial improvement efforts through various activities, including (1) the development and issuance of the FIAR Guidance, (2) performing monthly detailed reviews of component FIPs and evaluating related deliverables, and (3) the development of metrics for monitoring and progress reporting. [15] DOD's FIAR Plan Status Reports describe the status of FIAR Plan implementation and, as required by the NDAA for Fiscal Year 2010, Pub. L. No. 111-84, § 1003(b), are submitted to Congress semiannually by May 15 and November 15. As amended by the NDAA for Fiscal Year 2013, Pub. L. No. 112-239, div. A, § 1005(a) (Jan. 2, 2013), the FIAR Plan is statutorily required to "describe specific actions to be taken and the costs associated with ... ensuring ... the statement of budgetary resources of the Department of Defense is validated as ready for audit by not later than September 30, 2014." [16] Unobligated amounts are the cumulative portion of an entity's obligation authority that has not yet been obligated. Obligations incurred include the amounts of orders placed, contracts awarded, services received, and similar transactions during a given period. Obligations are usually liquidated by payments (outlays). Unexpended amounts represent unobligated funds or obligated amounts that have not yet been liquidated. [17] The Army's audit readiness strategy was prepared by the Office of the Assistant Secretary of the Army, Financial Management and Comptroller, which is responsible for managing the Army's audit readiness activities with appropriate direction, guidance, and oversight. [18] Reporting entities are required to monitor the effectiveness of the internal control over the systems and services provided by service organizations that affect classes of transactions significant to their financial statements. [19] An ERP system is an automated system using commercial off-the- shelf software consisting of multiple, integrated functional modules that perform a variety of business-related tasks, such as general ledger accounting, payroll, and supply chain management. According to the Army's fiscal year 2013 audit readiness strategy, auditability depends on an audit-ready systems environment and the successful deployment of ERP systems. This includes the Logistics Management Program, which was fully deployed in October 2010; GFEBS, which was fully deployed in July 2012; and the Global Combat Support System- Army, which is in the process of deployment with completion expected in 2017. GFEBS is a web-enabled accounting, asset management, and financial reporting system and represents the Army's system of record for general fund financial reporting. Although fully deployed, GFEBS is not fully integrated with feeder systems such as military pay, whereby detail transactions are summarized into GFEBS. [20] The Army's Wave 1 locations included the Installation Management Command (IMCOM) and Training and Doctrine Command (TRADOC) at Fort Benning and Fort Jackson and the IMCOM and Forces Command (FORSCOM) at Fort Stewart. [21] In addition to the Army's Wave 1 locations, Wave 2 locations included IMCOM and FORSCOM at Fort Bragg, Fort Campbell, Fort Drum, and Fort Polk; IMCOM and TRADOC at Fort Gordon and Fort Rucker; and IMCOM at Fort Knox. [22] According to the FIAR Guidance, in addition to coordinating with service providers to perform statement to process analyses and prioritize audit readiness efforts, reporting entities' consideration of service providers' activities and how they affect the entities' financial processes should be embedded within the various phases of audit readiness efforts. Also, service providers are to prepare documentation illustrating the financial reporting aspects of their operations through end-to-end business processes and identify and evaluate control activities and supporting documentation over those processes that affect the reporting entities' financial reporting objectives (i.e., the outcomes needed to achieve proper financial reporting and serve as a point against which the effectiveness of financial controls can be evaluated). [23] According to the FIAR Guidance, entity-level controls refer to control environment, risk assessment, control activities, information and communication, and monitoring as described in GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [24] As of September 30, 2013, the Army reported unobligated and unpaid balances of $38.6 billion and $120.7 billion, respectively, on its General Fund SBR for fiscal year 2013. Accordingly, these amounts will be reported as beginning balances on its General Fund SBR for fiscal year 2014. [25] If the Army does not have assurance that its available balances are accurate, it is at risk of overobligating or overspending its budgetary authority in violation of the Antideficiency Act, 31 U.S.C. §§ 1341-42, 1349-52, 1511-19. [26] Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, requires agencies to provide a schedule in the notes to their financial statements displaying material differences between the SBR and President's Budget. At a minimum, material differences for comparable line items related to budgetary resources, obligations, distributed offsetting receipts, and outlays should be displayed accompanied by explanations of the differences. [27] DOD components are required to annually submit a statement attesting to the level of assurance on the effectiveness of internal controls over financial reporting and financial systems and compliance with applicable laws and regulations. [28] According to the FIAR Guidance, financial reporting objectives are defined as the outcomes needed to achieve proper financial reporting and serve as a point against which the effectiveness of financial controls can be evaluated. Control activities are defined as policies, procedures, and mechanisms in place to help ensure that objectives are met. [29] Appropriations available for a specified period of time expire at the end of that period and the unexpended portion of the appropriation can be carried forward for a maximum of 5 years. At the end of the fifth fiscal year after availability ends, the appropriation account is closed and any remaining balance is canceled. Further, appropriation accounts may be closed if rescinded by law. [30] An Army command is defined as an Army force, designated by the Secretary of the Army, performing multiple required functions across multiple disciplines. [31] In 2012, the Army Accountability and Audit Readiness Directorate created the Commander's Checklist to assist commands in identifying specific controls and required commands to verify whether they were in place and operating effectively. [32] Garrisons assist in managing certain Army installations by supporting readiness and mission execution and providing services and facilities for efficient delivery of base support services. [33] In connection with its centralized internal control testing, the Army evaluated whether the applicable manual control activities or attribute(s) associated with each transaction selected for testing were operating effectively and determined an overall failure rate based on monthly test results. These results do not include assessments of information technology controls. [34] The Army Reserve Command's February 2013 testing included sample items from the following business processes: Army-wide, contracts, temporary duty travel, permanent change of station travel, other travel, government purchase card, supply, and miscellaneous payments. While the same SBR-related control activities are applicable across all commands, the specific controls tested may vary depending on their applicability to the transactions selected for testing at specific commands. [35] According to the FIAR Guidance, DOD end-to-end processes involve actions necessary to plan, formulate, execute, report, or perform other activities associated with various business functions, including (1) budget-to-report, (2) hire-to-retire, (3), order-to-cash, (4) procure-to-pay, (5) acquire-to-retire, and (6) plan-to-stock. Portions of these business functions (e.g., civilian pay and military pay) may focus on specific aspects of an end-to-end process (e.g., hire-to- retire). [36] The Army's FIP for budget execution contained tasks associated with the following service providers: DFAS, Defense Logistics Agency, Defense Contract Management Agency, and Defense Information Systems Agency. [37] SSAE No.16 provides standards for auditors to follow for reporting on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. [38] According to the FIAR Guidance, reporting entities and service providers are required to use a standard template for reporting information to improve their ability to manage their FIPs and DOD's ability to monitor progress indicators, such as task start and finish dates, percentage complete, and persons responsible for their completion. [39] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [40] According to the Army, its audit-ready environment focuses on the implementation of effective GFEBS-based processes. [41] According to Army officials, the Army realigned controls in February 2013 by consolidating similar, but more specific, control activities used in various business processes into fewer, broader control activities applicable to multiple processes. [42] A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance. [43] According to the May and November 2013 FIAR Plan Status Reports, service providers identified various deficiencies associated with their controls and systems and mentioned corrective actions to address them. [44] In connection with its monthly testing, the Army identified the reason for each sample-item control failure and, in selected instances, attributed the failure to more than one reason. GAO's analysis is based on all reasons identified by the Army for the sample- item failures supporting its monthly failure rates for January 2013 through March 2013 (as shown in fig. 3). [45] Prior to June 2013, commands were required to provide supporting documentation associated with sample test items within 15 days of their being requested. In May 2013, the time frame for providing documentation was revised to 5 days beginning in June 2013. [46] The memorandum did not specify whether percentages indicated were mutually exclusive of each other. General information technology controls apply to all information systems, including entity-wide security program planning, system software acquisition and maintenance, and access security. Application controls focus on the processing of data within application software and help ensure the completeness, accuracy, authorization, and validity of transactions processed. [47] The NDAA for Fiscal Year 2002, Pub. L. No. 107-107, div. A, § 1008 (Dec. 28, 2001), requires that DOD assess the reliability of its financial statements each year and report the results to the DOD OIG and others. If DOD asserts that a financial statement is not reliable, DOD and the DOD OIG are required to limit the work performed to develop, compile, report, and audit the unreliable financial statements. [48] The NDAA for Fiscal Year 2010, Pub. L. No. 111-84, div. A, § 1003(a) (Oct. 28, 2009), requires that the DOD FIAR Plan describe the actions and costs associated with ensuring that DOD validate (certify) that its consolidated financial statements are ready for audit by September 30, 2017. Further, the NDAA for Fiscal Year 2013, Pub. L. No. 112-239, div. A, § 1005(a) (Jan. 2, 2013), amended this provision to require that the FIAR Plan's descriptions also cover ensuring that DOD's consolidated SBR is validated as ready for audit no later than September 30, 2014. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]