Independent Auditors' Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

December 12, 2017

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE CHIEF FINANCIAL OFFICER, DEFENSE AGENCY

SUBJECT: Transmittal of the Disclaimer of Opinion on the Defense Logistics Agency General Fund Financial Statements and Related Footnotes for FY 2017 [Project No. Report No. 1]

We contracted with the independent public accounting firm of Ernst & Young to audit the Defense Logistics Agency FY 2017 General Fund Financial Statements and related footnotes as of September 30, 2017, and for the year then ended, and to provide a report on internal control over financial reporting and compliance with laws and regulations. The contract required Ernst & Young to conduct the audit in accordance with generally accepted government auditing standards; Office of Management and Budget audit guidance; and the Government Accountability Office/President's Council on Integrity and Efficiency, "Financial Audit Manual," July. Ernst & Young's Independent Auditor's Reports are attached.

Ernst & Young's audit resulted in a disclaimer of opinion. Ernst & Young could not obtain sufficient, competent evidential matter to support the reported amount within the DLA financial statements. As a result, Ernst & Young could not conclude whether the financial statements and related footnotes were fairly presented in accordance with accounting principles generally accepted in the United States of America. Accordingly, Ernst & Young did not express an opinion on the DLA FY 2017 General Fund Financial Statements and related footnotes.

Ernst & Young's separate report on "Internal Control over Financial Reporting" discusses six material weaknesses related to internal controls over financial reporting. Ernst & Young's report also includes a significant deficiency related to financial reporting.
Ernst & Young's additional report on "Compliance and Other Matters Based on an Audit of the Financial Statements Performed" discusses four instances of noncompliance with applicable laws and regulations.

Defense Logistics Agency General Fund Annual Financial Report 51

In relation to the contract, we reviewed Ernst & Young's report and related documentation and discussed the audit results with Ernst & Young representatives. Our review, as differentiated from an audit conducted in accordance with GAGAS, was not intended to enable us to express, and we did not express, an opinion on the FY 2017 General Fund Financial Statements and related footnotes, conclusions about the effectiveness of internal control, conclusions on whether the DLA's financial systems substantially complied with the "Federal Financial Management Improvement Act of 1996," or conclusions on whether the DLA complied with laws and regulations. Ernst & Young is responsible for the attached reports, dated December 12, 2017, and the conclusions expressed in these reports. However, our review disclosed no instances in which Ernst & Young did not comply, in all material respects, with

We appreciate the courtesies extended to the staff. Please direct questions to me at [ms] 60 1-5945.

Lorin T. Venable, CPA
Assistant Inspector General
Financial Management and Reporting

Attachments:
As stated

Ernst & Young
Building a better working world

Report of Independent Auditors

The Director of the Defense Logistics Agency and The Inspector General of the Department of Defense

Report on the Financial Statements

We were engaged to audit the accompanying financial statements of the General Fund of the Defense Logistics Agency, which comprise the balance sheet as of September 30, 2017, and the related statements of net costs, changes in net position, and statement of budgetary resources for the year ended September 30, 2017, and the related notes to the financial statements.

Management's Responsibility for the Financial Statements

Management is responsible for the preparation and fair presentation of the financial statements in conformity with U.S. generally accepted accounting principles; this includes the design, implementation and maintenance of internal control relevant to the preparation and fair presentation of the financial statements that is free of material misstatement, whether due to fraud or error.

Auditor's Responsibility

Our responsibility is to express an opinion on these financial statements based on conducting the audit in accordance with auditing standards generally accepted in the United States, and the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States and Office of Management and Budget Bulletin No. 17-03, Audit Requirements for Federal Financial Statements. Because of the matter described in the Basis for Disclaimer of Opinion paragraph, however, we were not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.

Basis for Disclaimer of Opinion

The Department of Defense, including DLA, continues to have unresolved accounting issues and material weaknesses in internal controls that cause DLA to be unable to provide sufficient evidential support for complete and accurate financial statements on a timely basis.
As a result, we cannot determine the effect of the lack of sufficient appropriate audit evidence on financial statements as a whole for the year ended September 30, 2017.

Disclaimer of Opinion

Because of the significance of the matter described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on the financial statements.

Other Matters

Required Supplementary Information

Accounting principles generally accepted in the United States require that the Management's Discussion and Analysis, as listed in the Table of Contents, be presented to supplement the financial statements. Such information, although not a part of the financial statements, is required by the Federal Accounting Standards Advisory Board who considers it to be an essential part of financial reporting for placing the financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management's responses to our inquiries, the financial statements, and other knowledge we obtained during our audit of the financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Other Financial Information and Other Information

Our audit was conducted for the purpose of forming an opinion on the financial statements that collectively comprise basic financial statements.
The Other Financial Information, as identified on DLA's Agency Financial Report Table of Contents, is presented for purposes of additional analysis and is not a required part of the basic financial statements. The Other Financial Information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the basic financial statements. Such information has been subjected to the auditing procedures applied in an engagement to perform an audit of the basic financial statements and certain additional procedures, including comparing and reconciling such information to the underlying accounting and other records used to prepare the basic financial statements or to the basic financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States. Because of the significance of the matter described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on the Other Financial Information.

The Other Information, as listed in the Table of Contents, has not been subjected to the auditing procedures applied in the engagement to perform an audit of the financial statements, and, accordingly, we do not express an opinion or provide any assurance.

Other Reporting Required by Government Auditing Standards

In accordance with Government Auditing Standards, we also have issued our reports dated December 12, 2017 on our consideration of internal control over financial reporting and on our tests of its compliance with certain provisions of laws, regulations, contracts and other matters.
The purpose of those reports is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on internal control over financial reporting or on compliance. Those reports are an integral part of an engagement to perform an audit in accordance with Government Auditing Standards in considering internal control over financial reporting and compliance.

December 12, 2017

Report of Independent Auditors on Internal Control Over Financial Reporting Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards

The Director of the Defense Logistics Agency and the Inspector General of the Department of Defense

We were engaged to audit, in accordance with auditing standards generally accepted in the United States, the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States and the Office of Management and Budget Bulletin No. 17-03, Audit Requirements for Federal Financial Statements, the financial statements of the General Fund of the Defense Logistics Agency (DLA), which comprise the balance sheet as of September 30, 2017, and the related statement of net cost, changes in net position, and statement of budgetary resources for the fiscal year then ended, and the related notes to the financial statements, and have issued our report thereon dated December 12, 2017. The report states that because of matters described in the Basis for Disclaimer of Opinion paragraph, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on the financial statements as of and for the fiscal year ended September 30, 2017 and the related notes to the financial statements.
Internal Control Over Financial Reporting

In connection with our engagement to audit the financial statements, we considered DLA's internal control over financial reporting ("internal control") to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statement, but not for the purpose of expressing an opinion on the effectiveness of DLA's internal control. Accordingly, we do not express an opinion on the effectiveness of DLA's internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 17-03. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982, such as those controls relevant to ensuring efficient operations.

A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. GAAP such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified. As described below, we identified certain deficiencies in internal control that we consider to be material weaknesses and significant deficiencies.

Material weaknesses

During our audit, we noted the following matters involving internal control over financial reporting and its operation that we consider to be material weaknesses as defined above.

I. Property, Plant, and Equipment (PP&E) includes internal use software and construction-in-progress. We found that DLA has not completed an analysis of existence and completeness of records for which they are the FRO, had not completed their process to value PP&E beginning balances, and have weaknesses in the processes of maintaining and reconciling records. The combination of these findings led us to conclude that there is a material weakness related to PP&E. The matters identified related to PP&E are further described in Appendix A.

II. Fund Balance with Treasury - DLA is unable to reconcile the ending balances from general ledger directly to the U.S. Treasury. DLA, in conjunction with DFAS, has implemented the Cash Management Reconciliation (CMR) and Defense Reconciliation Reporting Tool (DRRT) processes as mechanisms to reconcile DLA's general ledger to Treasury. However, these tools have known control deficiencies and reconciling issues within the process. In addition, DLA does not have sufficient policies, procedures or controls in place for the end-to-end process. These deficiencies supported a conclusion of a material weakness in FBWT. The matters noted are further described in Appendix A.

III. Accounts Payable (AP) - AP falls within the scope of DLA's procure to pay process.
We found that DLA was unable to adequately support the accounts payable and related budgetary beginning balances, had issues recording transactions in the proper period, and lacked overall policies, procedures, and internal controls in the procure to pay process. This combination of deficiencies is considered to be a material weakness. The matters identified related to AP are further described in Appendix A.

IV. Financial Reporting - DLA's financial statement preparation process lacks sufficient, appropriate reviews to identify inaccurate balances on the face of the financial statements as well as completeness and accuracy of disclosures. We considered these deficiencies to be a material weakness. The matters noted are further described in Appendix A.

V. Oversight and Monitoring - DLA does not have an effective OMB Circular A-123 program, which impacted DLA's ability to appropriately identify and address significant risks for all key business processes. DLA has not implemented appropriate internal controls, including the documentation of policies and procedures that describe DLA's environment related to end-to-end business processes, roles and responsibilities, monitoring of service providers, related parties, systems, risks and controls. DLA's lack of documented controls prevents the consistent execution and proper review of data/reports used in the execution of key controls, as well as appropriate evidence of management review controls. We consider these overall weaknesses in the internal control structure to be a material weakness. The matters noted are further described in Appendix A.

VI. Information systems - Our assessment of IT controls and the computing environment identified deficiencies which collectively constitute a material weakness in the design and operation of information systems controls over financial data. We reviewed each finding individually as well as in aggregate.
Based on our review, we have identified four areas of deficiency which, when aggregated, result in a material weakness. The deficiencies relate to the following four areas:

• Access controls / user access
• Configuration management / change controls
• Segregation of duties controls
• Security management / governance over implementation of security controls

Refer to Appendix A for additional detail in these four areas.

Significant deficiencies

During our audit, we also noted the following matters involving internal control over financial reporting and its operation that we consider to be a significant deficiency, as defined above.

Environmental liabilities is comprised of clean-up costs associated with the restoration of sites on real property that DLA manages. The lack of formal policies, procedures and supporting documentation does not allow for DLA to substantiate the completeness and valuation of its EL. The matters identified related to EL are further described in Appendix ii.

DLA's Response to Findings

DLA's response to the findings identified in our engagement, as described above, are included in its letter dated December 12, 2017, which has been included at the end of this report. DLA's response was not subjected to the auditing procedures applied in the engagement to audit the financial statements and, accordingly, we express no opinion on it.

Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of internal control and the result of that testing, and not to provide an opinion on the effectiveness of the entity's internal control. This report is an integral part of an engagement to perform an audit in accordance with Government Auditing Standards in considering the entity's internal control. Accordingly, this communication is not suitable for any other purpose.

December 12,
2017

Appendix A

Material Weaknesses

Property, Plant and Equipment

Property, Plant, and Equipment (PP&E) is comprised of internal use software and construction-in-progress. In this, the initial financial statement audit of DLA, we found that DLA was not able to adequately support the existence, completion or valuation of its PP&E.

DLA lacks policies, procedures and controls to verify the existence and completeness of internal use software due to:

• DLA does not have documented policies and procedures in place to perform an inventory of assets on a consistent basis. Unlike performing an inventory of physical assets, the existence of IUS is validated by verifying that the software functionalities and/or objects are still in use. DLA policy requires that the inventory is performed on 10% of the population each month. However, DLA does not comply with the policy on a consistent basis.
• DLA has not designed adequate internal controls to identify when assets are completed and should be placed in service. DLA policy states that IUS assets are recorded as in-service upon the completion of the asset. However, DLA does not have a process in place to ensure that completed assets are placed in service in the correct period.

DLA lacks policies and procedures to review the balance due to:

• Policies and procedures are not in place to ensure that the information reported directly by the construction agent and used for financial reporting is reviewed by DLA. There were a significant number of inactive projects that were reported by the construction agent resulting in misstatements in the financial statements (totaling approximately $465 million).

DLA sub-allots funds to construction agents such as the Army Corps of Engineers and the Naval Facilities Engineering Command (NAVFAC), for construction projections which DLA is authorized to perform.
The funds are tracked separately by each construction agent and reported to the Defense Finance and Accounting Services (DFAS) directly by each construction agent. These amounts are then reported in DLA's financial statements.

DLA is unable to provide supporting documentation to substantiate construction-in-progress (CIP), including beginning balances.

• Supporting documentation is not available or insufficient to substantiate approximately $384 million of the assets.

DLA was unable to substantiate the values assigned to assets are in accordance with FASAB SFFAS 10, Accounting for Internal Use Software.

• Supporting documentation was not available to substantiate whether the values recorded were in accordance with SFFAS 10 for approximately $100 million of the IUS beginning balance.
• DLA was unable to substantiate the in-service date of the IUS assets, which is the basis for the asset amortization. The documentation, such as the evidence demonstrating that the asset was tested and accepted, is not retained or available.
• DLA inappropriately recorded approximately $46 million of assets that DLA does not own in the balance sheet.

DLA has not appropriately designed controls to adequately detect material misstatements in the financial statements.

• DLA has not designed and implemented sufficiently precise management review controls, including outlining the specific procedure required to evidence that the controls were performed. DLA's control activities include a significant number of management review controls. Management review controls are normally designed to detect and correct errors, whereby the reviewer determines whether information is complete and accurate, accounting is appropriate, and potential errors or misstatements. The internal control activities over PP&E are not sufficiently designed to prevent or detect material misstatements in the financial statements.
DLA lacks policies and procedures to identify and assess lease arrangements and to properly account for lease obligations and disclose lease commitments, in accordance with FASAB SFFAS 5, Accounting for Liabilities of the Government: Capital Leases, and SFFAS 6, Accounting for Property, Plant, and Equipment.

• DLA has not completed procedures to identify all of its leasing arrangements, including assessing whether the leasing arrangements should be accounted for as a capital or operating lease. The financial statements do not include disclosures for its policy to account for lease arrangements; any operating lease commitments; and future minimum payments due.

Recommendations

EY recommends that DLA consider the following corrective actions related to the deficiencies identified above:

• Update the IUS process memos and standard operating procedures to adequately describe the policies and procedures in place to inventory assets.
• Design and implement policies and procedures that require adequate documentation to be maintained that evidence how DLA verifies the asset is still in use and that the listing of the assets is complete.
• Design and implement policies and procedures that ensure the IUS assets are recorded in the appropriate period. This includes reviewing a complete and accurate list of all projects that have successfully completed end user testing and verifying that the projects have been recorded in EBS as active IUS assets.
• In the short-term, DLA should design and implement a review control that allows DS project management personnel to review the amounts reported by the construction agents in sufficient time for DLA to adjust the amounts reported in their financial statements based on this review.
• In the long-term, DLA should pursue a solution where transactions can be recorded in EBS when they occur.
• Obtain and maintain all supporting documentation (invoices, contracts, project management reports) related to the CIP Projects from NAVFAC, USACE, and other construction agents to substantiate the balances recorded for those projects.
• Retain all documentation related to Projects in a central repository and organize them for the purposes of determining project status and supporting the value of the projects.
• Design a process where CIP transactions can be recorded in EBS when they occur.
• Design and implement policies and procedures that allow DLA Installation Management Project Management personnel to review, at least quarterly, the status of projects recorded as CIP, invoices, project management reports, and contracts to ensure that all documentation agrees with activity related to the CIP project.
• Design and implement policies and procedures to perform a reconciliation for the construction-in-progress U.S. Standard General Ledger accounts and agree the amounts recorded in EBS to the invoices, project status reports, and other documentation to substantiate the balances as of the financial statement date.
• Design and implement policies and procedures to perform a reconciliation for the USSGL accounts related to providing sub-allotments to its construction agents. This should include the MILCON Program Form (Form 1390) for the Fiscal Year, the NDAA budget execution, and the receipt of allocated funds from OSD based on the NDAA request.
• Adopt a policy to prospectively capitalize IUS assets, as described in Statement of Federal Financial Accounting Standards 50: Establishing Opening Balances for General Property, Plant, and Equipment (SFFAS 50). SFFAS 50 permits the exclusion of IUS and IUS under development from the opening balance as of the opening balance date.
• Design and implement policies and procedures to ensure that DLA maintains sufficient supporting documentation to demonstrate that its expenditures are appropriately capitalized, in accordance with SFFAS 10.
• EY recommends that DLA undertake the following corrective actions for the conditions noted: Adjust their PP&E balance to remove the asset owned by other agencies.
• Design and implement policies and procedures for the monitoring of completion of IUS assets that DLA is developing for other agencies.
• Design and implement policies and procedures to ensure that the performance of review controls is adequately documented and supported by evidential matter.
• Develop a central repository to retain evidence of control performance and management review.
• Design and implement policies and procedures that include variance thresholds to ensure that the review of financial data is precise.
• Design and implement policies and procedures that detail the related documentation and evidential matter to be inspected as part of the review.
• Complete analysis of their leases to determine if DLA has entered into any leasing arrangements that should be accounted for and reported as a capital lease.
• Design and implement policies and procedures to identify and account for leasing arrangements, including whether the leases should be accounted for and reported as capital or operating leases, in accordance with SFFAS
• Develop policies and procedures to review all leasing arrangements to gather the necessary information to prepare and include the required disclosures for capital and operating leases in the financial statements, in accordance with OMB A-136 [1.4.9.13.

Fund Balance with Treasury

Fund Balance with Treasury represents the aggregate amount of funds in account with Treasury. Through our audit procedures, we identified deficiencies related to processes of recording and reconciling transactions involving Fund Balance with Treasury.
DLA is unable to reconcile from general ledger directly to the U.S. Treasury:

• DLA, in conjunction with DFAS, has implemented the Cash Management Reconciliation (CMR) and Defense Reconciliation Reporting Tool (DRRT) processes as mechanisms to attempt to tie EBS to the Treasury. However, the CMR and DRRT processes are not sufficient to produce a complete and accurate reconciliation of DLA's general ledger to U.S. Treasury. There are known differences between CMR and Treasury. In addition, there are known control deficiencies in the process.

DLA lacks sufficient policies, procedures and controls around the end-to-end process:

• DLA has not finalized a FBWT process narrative or systems flow to document the flow of data through DLA and DFAS systems from the initiation of a transaction to reporting in the financial statements, the key stakeholders within the process, or the flow of data between stakeholders. Additionally, DLA has not identified risks and controls for the end-to-end process.

Recommendations

EY recommends that DLA consider the following corrective actions related to the conditions described above:

• Work with DFAS to obtain a Service Organization Controls Report for the CMR performed by the Defense Finance Accounting Service in order to obtain assurance on whether the CMR process is complete and accurate.
• Work with DFAS to obtain a Service Organization Controls Report for the Department 97 Report Reconciliation Tool (DRRT) process performed by the Defense Finance Accounting Service - Columbus in order to determine whether the controls in place are operating effectively.
• Work with DFAS to establish a process, including a key control, for DLA to monitor the status of significantly aged unreconciled transactions in both the CMR and DRRT processes on a frequent basis.
• Work with DFAS to create an updated policy and procedure for the DRRT process that addresses issues of maintaining sufficient evidential matter to support ongoing remediation efforts on undistributed transactions.
• Develop policies and procedures to establish DLA's involvement in monitoring undistributed funds and assisting with the research and the clearing process.
• Continue to finalize a Standard Operating Procedure or Process Cycle Narrative that documents the end-to-end process for FBWT, including the initiation, recording, processing and reporting of transactions.
• Finalize a Standard Operating Procedure or Process Cycle Narrative that documents the policies and procedures that the Defense Logistics Agency has in place to monitor the CMR and DRRT produced by the Defense Finance and Accounting Services. The Standard Operating Procedure or Process Cycle Narrative should include all key controls, process owners, data interfaces and Federal regulations followed. Additionally, it should include a complete list of all input documents, applicable systems and system-generated reports used for the FBWT process.
• Designate a DLA point of contact responsible for overseeing the FBWT process, understanding the complex process flow as well as key risk points as well as communication with DFAS.

Accounts Payable

Accounts Payable (AP) falls within the scope of DLA's procure to pay process. Through our audit procedures, we identified deficiencies in DLA processes for recognizing and supporting accounts payable and the related budgetary balances, recording transactions in the proper period and documenting policies, procedures and controls in a sufficient manner.
DLA is unable to substantiate Accounts Payable and Undelivered Orders due to:
• Supporting documentation was not provided to substantiate the samples tested from the following accounts: Accounts Payable; Negative Payables; Undelivered Orders, Unpaid; Upward Adjustments.
• Goods and/or services received as of year-end were not recorded as an expense/asset and not applied to the Undelivered Order balance.
• Upward/Downward adjustments related to the prior year were recorded in FY 2017.

DLA does not have policies and procedures in place to manage stale payables/obligations:
• A timely review and monitoring is not performed for the following account balances:
  o Negative Payables: There is a significant number of aged transactions that may no longer be valid.
  o Undelivered Orders (UDO), Unpaid: Approximately million in that that had no activity (payables, expenses, outlays) for at least two years.

DLA does not adhere to the Treasury Financial Manual USSGL Posting Logic due to the following:
• A general ledger account is inappropriately being used to track accounts payable activity. DLA uses Negative Payables to track outstanding goods receipt and to prevent inventory from showing as available for distribution when the items are not physically available. The related posting logic is not recording assets or expenses at the appropriate point in time. In addition, an Undelivered Order, Paid is recorded for these transactions, but the proprietary entry for the payment made in advance is not recorded.

DLA does not comply with the Federal Financial Management Improvement Act due to the following:
• Transactions were not recorded at the detailed transaction level. DLA recorded transactions at a summary level for certain budgetary and proprietary accounts. As a result, each EBS summary level record contains multiple individual transactions.
  o Transactions are posted in detail to the Fund Balance with Treasury (FBWT) account (general ledger account but summarized when posting to the other proprietary and budgetary accounts. A reconciliation is not performed to ensure that all detailed transactions posted to the FBWT agree to the summarized postings to the corresponding budgetary general ledger accounts.
  o Additionally, budgetary accounts (obligations, expenses, payables) are not tied to the transactions and are posted in within the general ledger.

DLA does not have controls that are operating effectively in the accounts payable process due to the following:
• Controls for the proper approval of invoice; receiving reports; and purpose, time and amount for the following accounts were not operating effectively: Account Payable, Negative Payables, and Expense.
• Control for the government purchase card expenditure approval due to the following was not operating effectively. The Approving/Billing Official (A/BO) has the ability to approve the statement in US Bank Access Online and certify that statement for payment without any secondary review. When the government purchase card holder (GPCH) is not available to reconcile purchase card transactions to the statement, the A/BO has the authority to perform the reconciliation and prepare the form lS'l'JIl (Request for Purchase). Also, the A/BO can approve the GPC bill in US Bank Online for payment.

Recommendations

EY recommends that DLA consider the following corrective actions related to the conditions described above:
• Evaluate current policies and procedures against practices in the field to identify the root cause(s) of conditions. Identify key gaps and inconsistencies in current procedures versus field implementation.
• Based on the evaluation, perform updates to identified policies, procedures, desk guides, and/or accounting manuals to completely and accurately reflect current key procure to pay processes as well as provide to areas where differences between policy and implementation are noted.
• Consider providing trainings and implementation guidance on any current and/or new/updated procedures where issues were noted to ensure consistent application of procedures including:
  o Ensure procure to pay process owners document detailed explanation (i.e. cause, impact) for discrepancies or missing documentation.
  o Ensure documentation standards are clear including supporting documentation that is complete, accurate, and prepared timely.
  o Ensure process owners understand key supporting documentation.
• Consider increasing communication between DLA HQ and process owners to ensure sufficient, complete documentation is provided as part of documentation requests.
• After processes have been evaluated and procedures have been updated, as needed, implement and/or strengthen review procedures to ensure transactions are recorded accurately, timely and process owners can obtain and provide supporting documentation for the transactions.
• EY recommends that DLA write off residual accounts payable for paid and completed transactions. EY recommends that DLA removes activity from the general ledger detail that were completed in prior years. DLA should monitor the balances and identify stale UDOs for de-obligation. DLA should examine their account balances on the balance sheet and statement of budgetary resources to determine the magnitude of aged balances by account.
• Perform an analysis of transactions posted at or near year-end to determine the overall significance of the issue across all general ledger accounts. Based on this analysis,
perform corrective action on incorrect transactions, as necessary.
• Implement and/or enhance DLA's year-end process, including key controls, for monitoring potential business events that will need to be entered into the general ledger prior to year-end close.
• Update policies and procedures to document year-end processes for identifying, monitoring and recording transactions prior to financial statement close.
• EY recommends that DLA discontinue the use of the negative payable account. In addition, DLA should develop, test, and implement a process to ensure that all transactions related to proper recording and reporting for expenses and inventory items are in compliance with the TFM USSGL postings at the transaction level. This would include developing an entity wide standard process and procedure of identifying the financial events that requires the recognition of an account payable based on standard accounting guidance (e.g. Treasury FMS USSGL guidance - Recognition of a Liability). EY further recommends that once the new procedures are in place, stakeholders are educated on the new process. EY further recommends that any process, procedure, or policy documentation for accounts payable be updated to reflect the use of the asset or expense accounts instead of the negative payable accounts.
• EY recommends that DLA implement and maintain financial management systems that comply substantially with Federal financial management systems requirements and the United States Standard General Ledger at the transaction level. DLA should establish a process that reconciles the transaction level detail to the summarized postings in each account.
• Update existing internal control documentation to accurately describe the process and identify key internal controls over financial reporting.
• Monitor, review, and validate whether controls are operating effectively on an on-going basis. Update existing internal control activities to produce evidence that the control occurred (e.g. signature) after the control is executed.
• DLA should implement limiting the A/BO to one key role to either approving GPC purchases on DLA Form or approving payments of the GPC bill in US Bank Online. If DLA is unable to properly segregate the duties, DLA should require a secondary reviewer as a mitigating factor to approve the bill or approving the form 1901.

Financial Reporting

Financial Reporting encompasses all aspects of operations, affecting DLA's ability to produce reliable financial statements and disclosures. This process starts with establishing an effective governance structure to identify and assess risk and continues with developing a control environment that is effective and efficient to manage identified risks. Through our audit procedures, we identified a number of deficiencies in DLA processes related to the accumulation and presentation of their financial position and results of operations.

DLA does not have sufficient policies and procedures in place around the implementation and monitoring of EBS:
• DLA is unable to adequately demonstrate that business events are linked to the correct posting logic.
  o In the posting logic reference book, which was manually generated, there are multiple scenarios associated with same transaction description and SAP T-Code (EBS doc type).
  o In DLA's posting logic reference book, there is no attribute or data field to indicate the type of transaction posting in the Enterprise Business System (EBS). Therefore, DLA is unable to crosswalk the reference book to the EBS.
  o DLA is unable to produce a posting logic directly from EBS.
• DLA does not have any monitoring or review control in place to ensure that EBS posting logic is configured in accordance with the and that transactions are posting accordingly.

DLA does not have sufficient controls in place to validate that EBS proprietary general ledger accounts agree to budgetary accounts:
• DLA has known reconciliation issues between budgetary and proprietary tie points. Based on walkthrough procedures performed, EY noted that the DFAS posts unsupported quarterly JVs in Defense Departmental Reporting System to ensure budgetary accounts reconcile to the proprietary accounts.

DLA does not have sufficient controls in place around the quarterly reconciliation of EBS to the financial statements:
• DLA does not perform a sufficient Unadjusted Trial Balance (UTB) to Adjusted Trial Balance (ATB) reconciliation.
  o DLA uses data pulled out of DDRS as a starting point for the crosswalk instead of using data directly pulled from EBS.
  o DLA lacks controls to validate the completeness and accuracy of the data and reports used to create the reconciliation.
  o Lack of master listing of files used and the purpose of each file within the reconciliation.
  o Lack of a review to ensure that feeder files and adjustments are valid and agree to supporting documentation.
• DLA does not perform the quarterly UTB to ATB reconciliation in a timely manner.
  o DLA does not perform the reconciliation until after the quarter-end as well as fiscal year-end has been closed.
  o Per SOP, DFAS should provide DLA with the data files needed for the reconciliation 5 days after quarter/year-end close. However, the reconciliation is completed approximately two months subsequent to quarter-close.
DLA does not perform a sufficient review of quarterly adjustments and JVs made by DFAS:
• DLA does not have a comprehensive listing of adjustments that occur in DDRS including:
  o The source of each file and parameters to generate the files
  o The required files or reports needed from DFAS to support each adjustment as well as the parameters of each file or report
  o The rationale or business purpose of each adjustment and the evidential matter to support the amount
• DLA does not review each type of adjustment and feeder files to determine completeness, accuracy, validity and impact of information posted to DLA's financial statements. In several cases, prior year adjustments were used in the reconciliation of the unadjusted trial balance (UTB) to the adjusted trial balance (ATB) that did not have evidence of review by DLA.
• Trial balance input adjustments occurred during the interface to AFS that were not reviewed by DLA.
• DLA relies on DFAS to make various adjustments that are maintained within DDRS-B versus making the corrective updates within EBS. Within the quarterly reviews, prior year adjustments were used as offsetting entries to current year adjustments.
• DLA does not perform a reconciliation in a timely manner to allow for adjustments to be reviewed prior to the generation of the financial statements.
• DLA is currently remediating the trading partner elimination process to be completed in FY 2018. EY noted the following during FY 2017:
  o Supporting documentation to reconcile the variances between DLA and trading partners is not obtained timely. DLA relies on contractor maintained software tools to determine the balances for trading partners. There is no evidence that assesses the completeness or accuracy of data input or output from this tool.
• Adjustments made to Accounts Receivable, Accounts Payable, Revenue,
Expenses and undisbursed funds are not appropriately supported.
  o DFAS performs quarterly elimination adjustments to financial statements for both waived and non-waived entities
  o EY noted that there is not a complete at the agreement level to the trading partner adjustments that are being made. Trading partner adjustments are recorded in DDRS-AFS as "top-side" adjustments and are identified as "unsupported" by

During EY's review of the Q3 and Q4 financial statements and footnote disclosure, we determined that level of review performed was insufficient to detect and correct misstatements in the financials and related disclosures:
• Inaccurate balances reported in the financial statements and notes
  o DLA prepared the year-end AFR package and excluded the funds executed by the United States Army Corps of Engineers, which is material to the General Fund financial statements.
  o Supporting documentation did not adequately support the balances recorded in the Notes.
• Lack of complete and accurate disclosures
  o Note 1 Significant Accounting Policies (SAP) did not completely and accurately summarize the accounting principles and methods of applying these principles.
  o Note 1 SAP did not appropriately disclose management's judgements relevant to valuation, recognition, and allocation of assets, liabilities, expenses and revenues.
  o Note 1 SAP did not sufficiently describe changes or non-compliance in GAAP reporting.

Recommendations

EY recommends that DLA consider the following corrective actions related to the conditions described above:
• Evaluate EBS posting logic and evidential matter to ensure system posting logic is configured in compliance with and DoD SFIS.
• Evaluate EBS system capabilities and provide a system-generated mapping report which ties EBS configured posting logic to EBS transaction codes and movement types and JDUD transaction numbers
  o Document clear descriptions of business events and varying circumstances that impact or change the posting logic
  o Document transaction description based on the EBS doc type to identify the type of transactions within EBS universe of transactions.
• Implement monitoring or review control to ensure EBS transactions are being posted as intended.
• Analyze and investigate the known budgetary to proprietary tie point variances at a business process level to determine the root cause.
• Assess their current policies and procedures around the budgetary to proprietary reconciliations including the design of key controls in the process. DLA should design a control that focuses on addressing the root cause of the variances in order to resolve current underlying issues as well as prevent future variances from occurring.
• Evaluate the current process for creating UTB to ATB:
  o Identify areas to create efficiencies through automating the process.
  o Consider other reconciliation options to design a reconciliation that is performed in conjunction with the production of the DDRS-AFS trial balance and not subsequent to the production.
  o Consider the design of the reconciliation and ensure data is being pulled from the proper sources to ensure completeness and accuracy of data interfaces.
  o Consider documenting the list of reports generated by DFAS and the specific parameters used to generate the reports
• As a part of the Managers Internal Control Program assess the risks associated with the process to generate the financial statements including the complexity, extent of manual processes, and reliance on third party data. Based on the assessed risks, determine if sufficient policies,
procedures and controls are in place to address risks related to the compilation of the financial statements.
• Evaluate the current support agreement with DFAS to determine if agreement sufficiently documents roles, responsibilities, communications and timeliness needed to support DLA's reconciliation requirements.
• Evaluate the policies and procedures in place over the financial reporting process including the specific roles of DLA and DFAS:
  o Document the list of reports generated by DFAS and the specific parameters used to generate the reports
  o Include a control(s) for reviewing all the files that are used to adjust the ending balances within EBS in the creation of the adjusted trial balances.
  o Document the business need for adjustments and the appropriate evidential matter required to support adjustments
• Evaluate current quarterly adjustments and prior year adjustments to determine which of those recorded in could be eliminated by making the adjustment within EBS.
• Evaluate trading partner adjustments, prioritize based on dollar value and risk and begin a reconciliation process at the agreement level.
• Implement additional controls for agreement level reconciliations with DLA trading partners and develop a process for resolving differences at the agreement level in a timely manner.
• Evaluate system capabilities to include recording and monitoring transactions at the trading partner and agreement level
• Finalize updated policies and procedures for identifying, researching and reconciling variances between DLA general ledger data and trading partners. Include considerations for:
  o Review of appropriate classification between federal and non-federal
  o Review impact on both proprietary and budgetary general ledger accounts
• Work with 01-1515 and 031) as necessary to continue to resolve issues with trading partners at the Department level.
• Evaluate all components of OMB A-136 and determine if disclosures are complete, accurate and compliant. Incorporate updates to footnotes as necessary.
• Re-assess review controls associated with the financial statement review process and consider including:
  o A review of revised requirements to ensure updated guidance is evaluated and incorporated in a timely manner.
  o Other reviews by business process areas to ensure disclosures are complete, accurate and compliant. These reviews should ensure that footnote disclosures are consistent with business activity occurring throughout the year.
  o An assessment of current checklists used in the financial reporting process to determine if checklists need to include enhanced review procedures.

Oversight and Monitoring

Oversight and monitoring relates to DLA's lack of establishment and implementation of a sufficient control environment, enterprise-wide.

DLA lacks a sufficient control environment related to Internal Controls over Financial Reporting including a sufficient A-123 program:
• A sufficient risk assessment, performed at the appropriated level, related to reporting such as documenting the complexity of programs, accounting estimates, related party transactions, and extent of manual processes.
• An evaluation of fraud risks and the approach to implement financial and administrative control activities to mitigate identified material fraud risks.
• A finalized policy or procedure to develop and implement ERM and internal control, including anti-deficiency act reporting, that includes the appropriate documentation requirements that are necessary as a part of an effective internal control system.

DLA lacks sufficient policies and procedures around financial reporting including:
• Sufficient written policies and procedures do not exist related to Management Review Controls for the Financial Reporting Process.
The identified management review controls do not accurately describe the procedures performed to detect or correct an error.
• Policies or procedures are not in place to verify the accuracy and completeness of system generated reports used in the execution of controls.

DLA does not perform sufficient oversight and monitoring of service organization control reports:
• DLA has not associated each relevant Complementary User Entity Controls (CUECs) to specific DLA controls.
• DLA has not identified specific DLA compensating controls for DFAS controls deemed ineffective in the SOC 1 report.
• DLA has unresolved control gaps related both to addressing control issues identified in the DFAS SOC report as well as with CUECs
• DLA's evaluation was not performed by the subject matter experts in a timely manner. As of May 21, 2017, the SMEs had not reviewed the evaluation and the controls identified were identified as possible mitigating controls.

EY recommends that DLA consider the following corrective actions related to the conditions described above:
• Continue to design and implement SUA policy at all levels throughout the organization and emphasize the importance of the Manager's Internal Control Program (MICP) from DLA leadership. This will help bring visibility, education and support to the program from across the organization.
• Ensure DLA policy includes proper detail and guidance for conducting the risk assessment process, including:
  o all aspects of the risk management process are reviewed at least once a year;
  o risks themselves are subjected to review with appropriate frequency; and
  o provisions for alerting the appropriate level of management to new or emerging risks, as well as changes in already identified risks, so that the change can be appropriately addressed
• Identify, document and communicate MICP roles and responsibilities.
Ensure proper groups and personnel are involved at the appropriate levels to produce the most results based, cost effective control environment.
• Develop, document and maintain supporting documentation as a part of the MICP and for the Statement of Assurance as evidence that DLA developed management control plans, performed risk assessments, performed ongoing monitoring, developed corrective action plans and tracked progress towards remediation for each separate fund
• Provide formal training and guidance, on an annual basis, to those involved in the to ensure roles, responsibilities and objectives are properly understood, carried out in a timely manner, and executed consistently across the organization.
• Increase the resources dedicated to the A-123 program, as needed, to completely execute all aspects of the program requirements on an on-going basis.
• Utilizing the updated risk assessment, DLA should design and implement a control testing strategy appropriate to address the risks.
• DLA should evaluate the current review controls identified to operate over an entire process:
  o Evaluate single controls to determine if multiple controls actually exist in the process
  o Assess control descriptions to ensure they are documented completely including how the control is applied, who is responsible, how frequently it is performed, and how the control is evidenced.
• Evaluate the current policies and procedures for evaluating information produced by the entity.
  o Foot system generated financial reports
  o Perform a tie-out of system generated reports to the trial balance
  o Verify that the parameters used to generate the reports or data are appropriate
  o Judgmentally select a sample of transactions or balances in the report and validate that the transactions are accurate.
• Implement a process to identify, monitor and maintain related parties and material related Additionally, management should perform a review of sales transactions on a regular basis and disclose any material related party transactions in the notes to their financial statements.
• DLA should develop and maintain internal control documentation relating to the identification of related parties and related party transactions.
• DLA should analyze if current policies and procedures are sufficient for the process and update if necessary.
  o Ensure that appropriate personnel are involved in the process
  o Evaluate that proper roles and responsibilities are identified and communicated
  o Ensure timelines are defined
• DLA should determine if controls need to be established for the SOC 1 review process and ensure controls are properly identified, designed and operating effectively
• DLA should associate specific DLA controls to CUECs as well as DFAS controls determined to be ineffective

Financial Information Systems

Information systems controls are a critical component of the Federal government's operations to manage the integrity, confidentiality and reliability of its programs and activities and assist with reducing the risk of errors, fraud or other illegal acts. Information management security, access controls, segregation of duties, and configuration management controls are fundamental to the integrity of financial data and can help manage risks such as unauthorized access, changes to critical data, and preventing compromised data. The nature, size and complexity of DLA's operations require the agency to administer its programs under a decentralized business model by using numerous geographically dispersed operating locations and extensive information systems.
Our assessment of the Technology controls and the computing environment identified deficiencies in the design and operation of information systems controls. We reviewed each finding individually as well as in aggregate. The deficiencies relate to the following areas:
• Access controls / user access
• Configuration management / change controls
• Segregation of duties controls
• Security management / governance over implementation of security controls

Access controls / user access

Access controls include those related to protecting system boundaries, user identification and authentication, authorization, protecting sensitive system resources, audit and monitoring, and physical security. When properly implemented, access controls can help ensure that critical systems assets are physically safeguarded and that logical access to sensitive computer programs and data is granted to users only when authorized and appropriate. Weaknesses in such controls can compromise the integrity of sensitive data and increase the risk that such data may be inappropriately used and/or disclosed.

The identified access control weaknesses that represent a significant risk to the DLA financial management information systems environment include the following:
• Access was not restricted to authorized users and was not assigned in accordance with the principle of least privilege.
• Lack of monitoring and auditing security violations and sensitive user activities, including activities of privileged users; logs were not documented, not being performed, or not configured appropriately within systems.
• Lack of enforcement and documentation of session inactivity parameters.
• Lack of enforcement for procedures related to establishing new users, monitoring unused IDs, locked IDs, terminated users, or access re-certifications.
• Lack of policies and procedures for account authorization, provisioning, and termination.

Configuration management / change controls

Configuration management involves the identification and management of security features for all hardware and software components of an information system at a given point and systematically controls changes to that configuration during the system's life cycle. By implementing configuration management controls, DLA can ensure that only authorized applications and software programs are placed into production through establishing and maintaining baseline configurations and monitoring changes to these configurations. Weaknesses in such controls can compromise the integrity of sensitive data and increase the risk that such data may be inappropriately used and disclosed.

The identified change control weaknesses that represent a significant risk to the financial management information systems environment include the following:
• Inability to identify all application changes made to production during the audit period.
• Lack of monitoring and recording of changes made to applications by DLA management.
• Users have access privileges enabling them to bypass the configuration management process and make changes directly to production.
• Testing of new changes does not include documentation of review and approval per DLA policies.

Segregation of duties controls

An effective control environment guards against a particular user having incompatible functions within a system. Segregation of duties controls provide policies, procedures, and an organizational structure to prevent one or more individuals from controlling key aspects of computer-related operations and thereby conducting unauthorized actions or gaining unauthorized access to financial management information systems.
The identified weaknesses that represent a significant risk to the financial management information systems environment include the following:
• DLA management did not identify segregation of duties conflicts that consider both and business process roles and activities across DLA-owned applications.
• Segregation of Duties review within the user provisioning process is not performed consistently across all applications.
• Administrator and super user privileges are not restricted through user groups and permissions. In some cases, users can create and assign roles to themselves roles including DISA administrators.
• Business end users have access to roles intended for IT privileged users.

Security Management / governance over implementation of security controls

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks. The security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Overall policies and plans are developed at the entity-wide level. System and application-specific procedures and controls implement the entity-wide policy. Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, or improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.
The identified Security Management control weaknesses that represent a significant risk to the DLA financial management information systems environment include the following:

• Service Organization Control (SOC) reports are not reviewed, specifically, to assess Complementary User Entity Controls (CUECs). In addition, SLAs with DISA are not reviewed and updated in a timely manner.
• Lack of application specific access control policies/procedures to consider unique business rules/processes, roles and responsibilities, and technologies.
• System Security Plan (SSP) does not reflect the existing IT controls environment or include all requirements of 8510.01.
• DLA does not perform complete risk assessments on an annual basis to facilitate identification of new threats and vulnerabilities.

Recommendations

DLA should implement controls to address deficiencies in access controls, configuration management, segregation of duties, and security management procedures to include:

Access controls / user access / segregation of duties

• Restrict access to authorized users in accordance with least privilege principles.
• Document and follow procedures related to user account management and segregation of duties.
• Implement stronger security controls and restricting user access to programs and data to the minimum level required by the user's responsibilities, to include sensitive data.
• Identify sensitive business transactions in application business and privileged roles, segregate these roles and where conflicting roles are required or unavoidable, document business rationale and monitor activities of users.

Configuration management / change controls

• Identify and monitor applications changes made in the production environment.
• Segregate developers' access to the development and production environments.
• Review, approve,
and monitor application changes completeness and accuracy, including emergency changes.

Security governance over implementation of security controls

• Implement stronger security controls to improve the security documentation and testing of applications.
• Establish a process to evaluate and incorporate service providers' into security documentation and the current application control environment.

Appendix II - Significant Deficiency

Environmental Liabilities

sites that DLA manages.

Through our audit procedures, we identified deficiencies in internal controls listed below, which, when aggregated, we consider to be a significant deficiency.

DLA is unable to substantiate the cost to complete estimates for environmental liabilities.

• Policies and procedures are not in place that adequately demonstrates the methodology used to derive the estimate was appropriate.
• The supporting documentation does not appropriately substantiate the estimate for the cost to complete the clean-up and restoration.

DLA is unable to substantiate the program management cost estimates for environmental liabilities.

• Policies and procedures not in place that adequately document the methodology used to derive the estimate.
• The supporting documentation does not appropriately substantiate the estimate for the program management costs.

has not appropriately designed controls to adequately detect material misstatements in

• Controls are not designed to verify the completeness and accuracy of the system generated reports or data used in executing the control activity. EL control activities, including deriving the EL estimates, are dependent upon system-generated reports or data produced by information systems.
We recommend that DLA consider the following corrective actions related to the deficiencies identified above:

• Design and implement policies and procedures to ensure that process for preparing the cost to complete estimate is adequately documented and describes the methodology used to derive the estimate. DLA should include procedures to verify that the supporting documentation used to derive the estimate properly reconciles to the cost to complete estimate.
• DLA should adequately document the qualifications of the specialist used in deriving the estimate to ensure and demonstrate that the specialists have the necessary competence, capabilities, and objectivity.

Environmental Liabilities (EL) is comprised of clean-up costs associated with the restoration of

• Design and implement policies and procedures that adequately describe the process for preparing the estimate of the EL PM costs. The description should include sufficient detail for a reviewer to understand the process and evaluate whether the process used is reasonable and consistent with the policy.
• Implement policies and procedures to verify that the system generated reports or data used in the of the control is complete and accurate such as:
  - Foot system generated inventory reports;
  - Perform a tie-out of the system generated reports to the trial balance;
  - Verifying that the parameters used to generate the reports or data are appropriate;
  - Judgmentally selecting a sample of transactions or balances in the report and validating that the transactions are accurate.
Report of Independent Auditors on Compliance and Other Matters Based on an Audit of the Financial Statements Performed in Accordance with Government Auditing Standards

The Director of the Defense Logistics Agency and the Inspector General of the Department of Defense

We were engaged to audit, in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States and the Office of Management and Budget Bulletin No. 17-03, Audit Requirements for Federal Financial Statements, the financial statements of the General Fund of the Defense Logistics Agency which comprise of the balance sheet as of September 30, 2017, and the related statement of net costs, changes in net position, and combined statement of budgetary resources for the year ended September 30, 2017, and the related notes to the financial statements and have issued our report thereon dated December 12, 2017. That report states that because of matters described in the Basis for Disclaimer of Opinion paragraphs, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion on the financial statements as of and for the year ended September 30, 2017 and the related notes to the financial statements.

Compliance and Other Matters

In connection with our engagement to audit the financial statements, we performed tests of its compliance with certain provisions of laws, regulations, and contracts, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in Bulletin No.
17-03, including the requirements referred to in the Federal Financial Management Improvement Act of 1996 (P.L. 104-208). However, providing an opinion on compliance with those provisions was not an objective of our engagement, and accordingly, we do not express such an opinion. We limited our tests of compliance to these provisions, and we did not test compliance with all laws and regulations applicable to DLA.

The results of our tests of compliance with laws and regulations described in the second paragraph of this report disclosed instances of noncompliance and other matters that are required to be reported under Government Auditing Standards and OMB Bulletin No. 17-03 as described below. Additionally, if the scope of our work had been sufficient to enable us to express an opinion on the financial statements, other instances of noncompliance or other matters may have been identified and reported herein.

FFMIA

Under FFMIA, we are required to report whether financial management systems substantially comply with federal financial management systems requirements, applicable federal accounting standards, and the United States Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA Section 303(a) requirements. The results of tests disclosed instances in which financial management systems did not substantially comply with federal financial management systems requirements, applicable federal accounting standards or the USSGL.
Federal financial management system requirements

EY identified as part of the Financial Information Systems material weakness, contained in the Report of Independent Auditors on Internal Control Over Financial Reporting Based on an Audit of the Financial Statements Performed in Accordance with Government Auditing Standards ("Report on Internal Control"), where we identified noncompliance with federal financial management system requirements for multiple systems. Weaknesses identified include those associated with user access, configuration management/change controls, segregation of duties and security management. These financial system deficiencies prevent DLA from being compliant with federal financial management system requirements and inhibit ability to prepare complete and accurate financial reporting.

Noncompliance with applicable federal accounting standards

As referenced in Note 1.B. to the financial statements, DLA self-identified that the design of their financial and non-financial systems does not allow DLA to comply with applicable federal accounting standards, including not being able to collect and record financial information as required by U.S. generally accepted accounting principles. EY also identified noncompliance with federal accounting standards during our testing, which was included in our Report on Internal Control.

Noncompliance with USSGL posting logic at the transaction level

EY also identified noncompliance with USSGL posting logic during our testing, which was included in our Report on Internal Control.

FMFIA

Federal Managers' Financial Integrity Act requires ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control. The DLA was not able to provide evidence that they are in compliance with significant aspects of Circular A-123, which implemented FMFIA. The DLA provided a FY 2017
Statement of Assurance, however there was not sufficient evidence that each process identified by DLA fully completed an organizational risk assessment, identified relevant risks related to the financial statement assertions, documented the internal control standards as it relates to those assertions, performed internal control testing, and reported and tracked control deficiencies at the control level. Based on the evidence received, EY notes that DLA has an A-123 testing strategy, however DLA is unable to provide evidence that the extent of testing and review performed is sufficient to meet the requirements of FMFIA.

DLA's Response to Findings

Our Report on Internal Control dated December 12, 2017 includes additional information related to the financial management systems and internal controls that were found not to comply with the requirements, relevant facts pertaining to the noncompliance with FFMIA and FMFIA, and our recommendations to the specific issues presented. Management agrees with the facts as presented and relevant comments from DLA's management responsible for addressing the noncompliance are provided in their letter dated December 12, 2017. We did not audit management's comments and accordingly, we express no opinion on them.

Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of compliance and the result of that testing, and not to provide an opinion on compliance. This report is an integral part of an engagement to perform an audit performed in accordance with Government Auditing Standards in considering compliance. Accordingly, this communication is not suitable for any other purpose.

December 12, 2017

Management's Response to Auditors' Report

DEFENSE LOGISTICS AGENCY
HEADQUARTERS
3725 JOHN J. KINGMAN ROAD
FORT BELVOIR, VIRGINIA 22060-6221

DEC 12 2017
MEMORANDUM FOR DEPARTMENT OF DEFENSE OFFICE OF THE INSPECTOR GENERAL

SUBJECT: Fiscal Year (FY) 2017 Financial Statement Audit General Fund

Thank you for the opportunity to comment on the Independent Auditors' report on the audit of the Defense Logistics Agency's FY 2017 financial statements. We agree with the Independent Public Accountant's (IPA) conclusions for the DLA inaugural Financial Statement Audit. This initial audit has provided us with a valuable independent view of our current financial operations. We concur with the reported findings as presented by the IPA.

For FY 2017, the engagement with the IPA was a positive partnership that facilitated an effective and efficient audit. The IPA's continual updates to our management team provided on-going insight during the audit.

We are committed to resolving the material weaknesses and strengthening internal controls around operations. I look forward to working collaboratively with the Office of the Inspector General and the IPA to strengthen DLA financial management and internal controls.

K. WILLIAMS
Lieutenant General, USA
Director