American Society of Military Comptrollers (ASMC) – PDI

June 2, 2017

Office of the Under Secretary of Defense (Comptroller)

Office of the Deputy Chief Financial Officer

Using DoD SSAE 16/18

Service Organization Control (SOC) Reports (to Support Your Audit and A-123 Compliance)

Bradley Keith

Director

PwC Public Sector, LLP

James Davila

Accountant, FIAR

Directorate, Office of the

Deputy Chief Financial

Officer, OUSD(C)

Discussion Topics

2

Using DoD SSAE 16/18 Service Organization Control (SOC) Reports

1) Service Organization Relationships Key Concepts• End-to-End Process Relationships

• Service Organization Identification

2) Addressing Service Organization Controls• Available Options

• Available SOC 1 Reports

• Relevant SOC 1 Reports

3) Using the Service Organization Controls Report• Desired Outcomes

• SOC 1 Report Sections

• Areas for Consideration

• CUECs and CSOCs

• Reliability of Data (and Reports)

• Common Evaluation Pitfalls

• Reporting / User Entity Responsibilities

4) OUSD(C) FIAR Support and Available Resources

Service Organization Relationships Key Concepts

The Reporting Entity is responsible for internal controls over financial reporting.4

End to End Business Process

Parts of audit relevant Reporting Entity business process are

performed by one or more Third Parties.

Reporting

Entity

Third

Party

Financial

Statements

Initiate / Execute

Initiate / Execute

5

What is the specific nature of the relationship (i.e., who does what)?

End to End Business Process

It is critical to determine which Third Parties meet the definition

of a “Service Organization” for A-123 and audit purposes (and which do not).

“Service Organizations”

“Service Providers”“Vendors”

“Third Parties”

“Working Capital Funds”

“Trading Partners”

6

The Financial Statement Auditor will follow the Auditing Standards

End to End Business Process

AU-C 402: Audit Considerations Relating to an Entity Using a Service Organization

.A7 The significance of the controls at the service organization to the user entity's internal control also

depends on the degree of interaction between the service organization's activities and those of

the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects

to implement effective controls over the processing performed by the service organization.

For example, a high degree of interaction exists between the activities of the user entity and those at

the service organization when the user entity authorizes transactions and the service organization

processes and accounts for those transactions. In these circumstances, it may be practicable for

the user entity to implement effective controls over those transactions.

On the other hand, when the service organization initiates or initially records, processes, and

accounts for the user entity's transactions, a lower degree of interaction exists between the two

organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement

effective controls over these transactions at the user entity and may rely on controls at the service

organization.

? and

Accounting Processing

and

InitiatesExecutes / Internally

Records

? ?

Who Does What?

7

You and / or your auditor can’t ignore / assume what happens inside the “Black Box”.

End to End Business Process

Why is this so important?

If a Service Organization relationship / dependency exists….

• The Reporting Entity must address Service Organization (and

Sub-service Organization) controls for OMB Circular A-123

(Appendix A) / ICOFR.

• The Reporting Entity financial statement auditor will also need to

address the Service Organization (and Sub-service Organization)

controls in financial statement audits and examinations.

Service

Organization

Controls

?

“Service Organizations”

“Service Providers”“Vendors”

“Third Parties”

“Working Capital Funds”

“Trading Partners”

8

If a Service Organization relationship exists, all of the pieces need to fit.

Roles and responsibilities must be aligned.

End to End Business Process

Sub-Service

Organizations

User

Auditors

Reporting /

User

Entities

Service

Organizations

Addressing Service Organization Controls

10

It is very inefficient for each / every Reporting Entity and their auditor to

redundantly test Service Organization controls versus relying on the SOC 1 Reports.

Addressing Service Organization Controls

How do I do this?

Financial Statement Audit (must comply with audit independence requirements)

• Reporting Entity financial statement auditors (User Auditor) documents and tests Service Organization

controls.

• Reporting Entity financial statement auditors (User Auditor) obtains / reviews Service Organization Controls

(SOC 1) Reports on the design and operating effectiveness of internal controls over financial reporting at

Service Organizations (and Sub-service Organizations).

Service

Organization

Controls

?

Compliance with OMB Circular A-123 (Appendix A) / ICOFR

• Reporting Entity team documents and tests Service Organization controls.

• Reporting Entity obtains controls documentation and testing performed by Service

Organization management and reviews for adequacy. Reporting Entity team or

Service Organization management addresses gaps.

• Reporting Entity obtains / reviews Service Organization Controls (SOC 1) Reports

on the design and operating effectiveness of internal controls over financial

reporting at Service Organizations (and Sub-service Organizations).

There are a few options.

11

Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?

Significant progress has been achieved but much remains to be done.

DFAS Contract Pay

DFAS Standard

Disbursing

DFAS Financial

Reporting

DFAS FBWT Treasury

Distribution

DISA (ATAAPS)

DCMA Contract Pay

2013 2013

2014 20142014

2015

2016

DFAS FBWT Treasury

Reconciliation

DLA SOIDC

DFAS Vendor Pay

U.S. Army

GFEBS

2014

DFAS Military Pay

2013

DLA iRAPT

DMDC DTS

2014

2015

DMDC DCPDS US Bank SYNCADA

2013 2013

AT&L / DLA DPAS

2012

Retail Payment

Processing

2016

2016

2018

2017

DISA (EIS) DFAS Civilian Pay

2005 2005

FY

2018

FY

2018+

FY

2005

FY

2012

FY

2013

FY

2014

FY

2015

FY

2016

FY

2017

DLA DAAS

27

0

DLA DAI

U.S. Army

Conventional Munitions

2017

Treasury

Funds Management

Total Systems

Services

Elavon, Inc.

20162016 2016

2015

US Bank AXOL

2016

Compensation Benefit

& Payment

2016

(OWCP) Bill

Processing

2016

Citigroup Technology

Infrastructure (CTI)

2016

Treasury Admin

Resource Center

2016

Treasury Invest &

Borrowings

TBD

Unqualified /

Unmodified

Opinion

Qualified /

Modified

Opinion

Legend

12Multiple SOC 1s are underway or planned.

Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?

Civilian Pay DCPS KPMG Unmodified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 12, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017

Military Pay DJMS-AC, DJMS-RC, DMO (Web) KPMG Unmodified Oct 2013 - Jun 2014 KPMG Modified Oct 2014 - Jun 2015 Yes KPMG Modified Oct 2015 - Jun 2016 Aug 17, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 17,2017

Standard Disbursing Service

ADS, ADS IPAC MegaWizard

22 MicroApps:

DD 2657 Statement of Accountability, State Tax

Access Database, State Tax Microsoft Excel workbook,

Post Certification Validation Tracking Workbook,

GTN_Month_YR Excel Workbook, DJMSwkstmmyy

excel workbook, Defense Civilian Payroll System

(DCPS) Tracking Spreadsheet, 8522 IPAC Tracking

Workbook (Excel), SSN 8522 ACH Spreadsheet,

MMYYYY Batch Tracker, 6102 Voucher Workbook

(Excel), Cleveland Consolidated Workbook (Excel),

2657 Workbook (Excel), E&C Reconciliation Workbook

(Excel), DIT Tracker Workbook (Excel), IPAC Tracking

Workbook (Excel), Kansas City Central Site IPAC

Wizard (Access)

KPMG Unmodified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017

Contract PayMOCAS, EAS, EUD (APVM / PPVM), SCRT, BAM

ERMPGT Unmodified Nov 2013 - Apr 2014 GT Unmodified Oct 2014 - Jun 2015 Yes GT Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes GT TBD Oct 2016 - Jun 2017 Aug 15, 2017

Vendor PayOnePay, CAPS-W, CAPS-W Data Center, ODS,

DCD/DCW, STARS, BAM, APVMNA NA NA NA NA NA No NA NA NA NA Yes GT TBD Feb 2017 - Jul 2017 Sep 15, 2017

FBWT - Transaction Distribution DCAS, SAMS NA NA NA NA NA NA Yes KPMG Modified Mar 2016 - Sep 2016 Nov 14, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017

FBWT - Treasury Reconciliation DRRT, CMR NA NA NA NA NA NA No NA NA NA NA No NA NA NA NA

Financial Reporting

DDRS (AFS, B, DCM), 8 MicroApps:

NWCF Trading Partner DB, Eliminator, MOCAS Data

Call, Data Call Validation Tool, OMB Max Recon,

Inventory Control, Employee Benefits, Buyer & Seller

Side Elimations

Kearney Modified Mar 2014 - Nov 2014 Kearney Modified Dec 2014 - Jul 2015 Yes Kearney Modified Oct 2015 - Jul 2016 Sept 15, 2016 Yes Kearney TBD Oct 2016 - Jul 2017 Sept 15, 2017

GT = Grant Thornton

PwC - Price Waterhouse Coopers

Kearney = Kearney & Company

WACO= Williams Adley & Co.

E&Y = Ernst & Young

CBH = Cherry, Bekaert & Holland

RMA = RMA Associates

RESJ = Robins, Eskew, Smith & Jordan

FY 15

OpinionReporting PeriodIPA Firm

IPA

FirmReporting PeriodReporting PeriodIPA FirmAssessable Unit

Service

Provider

FY 14

Opinion

DFAS

DoD SSAE 16/18s as of May 2017

FY 2017

SSAE 16

for FY 17?

IPA

Firm

FY 17

Opinion

Projected

Reporting Period

for FY 17

Expected

Report

Issuance Date

FY 2014SSAE 16/18 FY 2016

SSAE 16 for

FY 16?

Report Issuance

Date / Expected

Issuance Date

System(s)

Included

FY 2015

FY 16

Opinion

13Multiple SOC 1s are underway or planned.

Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?

Defense Civilian Personnel Data System (DCPDS) DCPDS PwC Modified Oct 2013 - Jun 2014 KPMG Unmodified Oct 2014 - Jun 2015 Yes KPMG Unmodified Oct 2015 - Jun 2016 Aug 15, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017

Defense Travel System (DTS) DTS N/A N/A N/A WACO Modified Oct 2014 - Jun 2015 Yes WACO Modified Oct 2015 - Jun 2016 Sep 08, 2016 Yes KPMG TBD Oct 2016 - Jun 2017 Aug 15, 2017

DCMA Contract Pay MOCAS, eTools GT Modified Feb 2014 - Oct 2014 GT Modified Feb 2015 - Sept 2015 Yes GT Modified Jan 2016 - June 2016 Aug 15, 2016 Yes GT TBD Oct 2016 - Jun 2017 Aug 15,2017

Wide Area Work Flow - Invoices Receipt Acceptance

and Property Transfer (WAWF - iRAPT)iRAPT RMA Modified Mar 2014 - Aug 2014 WACO Modified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017

Defense Agency Initiative (DAI) DAI WACO Modified Jan 2014 - Jun 2014 WACO Unmodified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017

Defense Automatic Addressing System (DAAS) DAAS E&Y Modified Sep 2013 - Feb 2014 WACO Modified Oct 2014 - Jun 2015 Yes GT Modified Oct 2015 - Jun 2016 Aug 15, 2016 Yes RMA TBD Oct 2016 - Jun 2017 Aug 15, 2017

Service Owned Items in DLA Custody (SOIDC) DSS NA NA NA NA NA NA Yes Kearney Modified Jan 2016 - Sept 2016 Apr 28, 2017 No NA NA NA NA

Defense Property Accountability System (DPAS) DPAS CBH Unmodified Oct 2013 - Jun 2014 CBH Unmodified Jul 2014 - Jun 2015 Yes CBH Unmodified Oct 2015 - Jun 2016 Aug 26, 2016 Yes CBH TBD Oct 2016 - Jun 2017 Aug 15, 2017

Operations Center (FY 15-16 Scope) Mechanicsburg, Ogden, Oklahoma City, Montgomery KPMG Unmodified Oct 2013 - Jun 2014 E&Y Unmodified Oct 2014 - Jun 2015 Yes E&Y Unmodified Oct 2015 - Jun 2016 15-Aug-16 Yes E&Y TBD Oct 2016 - Jun 2017 Aug 15, 2017

Automated Time Attendance and Production System

(ATAAPS)ATAAPS N/A N/A N/A E&Y Modified Oct 2014 - Jun 2015 Yes E&Y Modified Oct 2015 - Jun 2016 15-Aug-16 Yes E&Y TBD Oct 2016 - Jun 2017 Aug 15, 2017

Conventional Ammunition LMP, WARS-NT, SAAS-MOD Yes KPMG TBD Oct 2016 - Mar 2017 TBD

General Fund Enetrprise Business System (GFEBS) GFEBS No NA NA NA NA

Corporate Payment Systems (CPS)

U.S. Bank Freight Payment Transaction Procerssing

System

Syncada E&Y Unmodified Oct 2013 - Sept 2014 E&Y Unmodified Oct 2014 - Sept 2015 Yes E&Y Unmodified Oct 2015 - Jul 2016 Sept 19,2016 Yes E&Y TBD Aug 2016 - Jul 2017 Sept 15, 2017

Total Systems Services (TSYS), Subservice Org to

CPS, for credit management processingTS1 & TS2 Yes KPMG Unmodified Jan 2016 - Sep 2016 Oct 31, 2016 Yes KPMG TBD Jan 2017 - Sep 2017 Oct 2017

Elavon, Inc., Subservice Org to CPS, for daily

processing services related to carrier billingMerchant Processing System (MPS) Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 2016

Retail Payment Processing (RPS), Subservice Org to

CPS, for processing check, electronic payments &

research payment discrepancies

Integrated Card System, Triad, ACAPS, Falcon,

SeQual, CASPER, CME, SAR, CA Web Viewer, IVR,

ARMS

Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 19, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 2016

Commercial Card Transaction Processing System

(ELAN)

Access Online, SeQual, Corporate Payments Mgt

Information System (CPMIS), Automated Credit

Application Processing System (ACAPS)

N/A N/A N/A E&Y Unmodified Nov 2014 - Oct 2015 Yes E&Y Unmodified Nov 2015 - Oct 2016 Dec 15, 2016 Yes E&Y TBD Nov 2016 - Oct 2017 Dec 15, 2017

FY 15

OpinionReporting PeriodIPA Firm

IPA

Firm

U.S. Bancorp

DISA

Reporting PeriodReporting PeriodIPA FirmAssessable UnitService

Provider

FY 14

Opinion

DLA

DMDC

U.S. Army

DoD SSAE 16/18s as of May 2017

FY 2017

SSAE 16

for FY 17?

IPA

Firm

FY 17

Opinion

Projected

Reporting Period

for FY 17

Expected

Report

Issuance Date

FY 2014SSAE 16/18 FY 2016

SSAE 16 for

FY 16?

Report Issuance

Date / Expected

Issuance Date

System(s)

Included

FY 2015

FY 16

Opinion

14Multiple SOC 1s are underway or planned.

Addressing Service Organization ControlsHow do I do this? What SOC 1 reports are available?

Compensation Benefit & Payment for Medical

Services for Federal Civilian Employees

Integrated Federal Employees' Compensation System

(iFECS)

Office of the Assistant Secretary for Administration and

Management (OASAM) General Support System (GSS)

Yes KPMG Unmodified Oct 2015 - Jun 2016 Rec'd Oct 13 2016 Yes KPMG TBD Oct 2015 - Jun 2016 Early Sept

Office of Workers' Compensation Program (OWCP)

Bill Processing / Central Bill Processing SystemCentral Bill Processing System Yes RESJ Unmodified Oct 2015 - Mar 2016 Rec'd Oct 13 2016 Yes RESJ TBD Oct 2015 - Mar 2016 Early Sept

Citi

Travel Card

Citigroup Technology Infrastructure (CTI), Global

Information Security (GIS), Global Identity Admin

(GIDA)

Mainframe Systems Include: IBM z/OS, Unisys

ClearPath

Midrange include: Stratus, Nonstop Tandem, & IBM

series and various types of physical & virtual UNIX,

Linux Windows operating systems)

Yes KPMG Unmodified Jan 2016 - Sep 2016 Rec'd Jan 26, 2017 Yes KPMG TBD Jan 2017 - Sep 2017 Dec 2017

U.S. Treasury

Admin

Resource

Center

Accounting, Budgeting, Reporting, Travel,

Procurement, Systems Support & Platform Services

Oracle Federal Financials (Oracle) & Discoverer

Feeder Systems: PRISM, IPP, CGE, moveLINQ & E-

Payroll to Oracle Reporting (EOR). ARC provides

application admin of feeder systems.

Yes KPMG Unmodified Jul 2015 - Jun 2016 Sep 1, 2016 Yes KPMG TBD Jul 2016 - Jun 2017 Sep 2017

U.S. Treasury

Federal

Investments &

Borrowings

Investment Transactions for Government Securities InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug 2015 - Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug 2016 - Jul 2017 Sep 2017

U.S. Treasury

Funds

Management

Management & Accounting Services for Select Gov't

Trust Funds, Treasury managed accounts, accounts

of Treasury's Office of the Asst Sec for Int'l Affairs

InvestOne Accounting System & FedInvest Subsystem Yes KPMG Unmodified Aug 2015 - Jul 2016 Sep 23, 2016 Yes KPMG TBD Aug 2016 - Jul 2017 Sep 2017

FY 15

OpinionReporting PeriodIPA Firm

IPA

FirmReporting PeriodReporting PeriodIPA FirmAssessable Unit

Service

Provider

FY 14

Opinion

U.S.

Department of

Labor

DoD SSAE 16/18s as of May 2017

FY 2017

SSAE 16

for FY 17?

IPA

Firm

FY 17

Opinion

Projected

Reporting Period

for FY 17

Expected

Report

Issuance Date

FY 2014SSAE 16/18 FY 2016

SSAE 16 for

FY 16?

Report Issuance

Date / Expected

Issuance Date

System(s)

Included

FY 2015

FY 16

Opinion

15

User Entities are responsible for report distribution within their organizations.

DCMA - Service Provider

No. DoD Component Tier Standard Disbursing Services

(ADS)

Military Pay

(DJMS & DMO)

Financial Reporting

(DDRS)

Civilian Pay

(DCPS)

Contract Pay

(MOCAS, EAS, EUD

(APVM/PPVM), SCRT, BAM-

ERMP)

Vendor Pay

(CAPSW, OnePay, ODS,

DCD/DCW, STARS, CAPSW Data

Center, BAM-ERMP, APVM)

Fund Balance with Treasury -

Transaction Distribution

Defesne Cash Accountability System

(DCAS)

Defense Automatic Addressing System

(DAAS)

Wide Area Work Flow - Invoices Receipt

Acceptance and Property Transfer

(WAWF - iRAPT)

Defense Agency Initiative

(DAI)

Service Owned Items in DLA Custody - SOIDC

Distribution Standard System (DSS)

Corporate Payment Systems - Freight

Payments System

(Syncada)

Defense Property Accountability System

(DPAS)

Commercial Credit Card Processing System

(Access Online)

Defense Civilian Personnel Data System

(DCPDS)

Defense Travel System

(DTS)

Contract Pay

(MOCAS)

Automated Time Attendance

and Production System

(ATAAPS)

Enterprise Computing Service

1 Air Force GF 1

2 Air Force WCF 1

3 Army GF 1

4 Army WCF 1

5 Navy GF & WCF 1

6 USACE 1

7 USMC GF & WCF 1

8 DIA (Defense Intelligence Agency) 2

9 NGA (National Geospatial-Intelligence Agency) 2

10 NRO (National Reconnaissance Office) 2

11 NSA (National Security Agency) 2 See Note Below

12 DCAA 2

13 DeCA (GF & WCF) 2

14 DFAS (as reporting entity) 2

15 DHA-CRM 2

16 DHA (FOD, NCR, Comptroller) 2

17 SMA-Army 2

18 SMA-Navy 2

19 SMA-USAF 2

20 DISA (GF & WCF) 2

21 DLA (GF, WCF & Strategic Materials) 2

22 USSOCOM 2

23 USTRANSCOM 2 USTRANSCOM reviewing USTRANSCOM reviewing USTRANSCOM reviewing

24 USUHS 2

25 CBDP 3

26 DARPA 3

27 DCMA 3

28 DoDEA 3

29 DSCA 3

30 DTRA 3

31 MDA 3

32 Office of Chairman of JCS 3

33 WHS 3

34 DAU 4

35 DHRA 4

36 DLSA 4

37 DMA (Defense Media Activity) 4

38 DMEA (Defense Micro-Electronics Activity) 4

39 DoDIG 4

40 DPMO / DPAA (Def POW/MIA Accounting Agency) 4

41 DSS 4

42 DTIC 4

43 DTSA 4

44 NDU 4

45 OEA 4

46 AT&L DPAS (as a service provider) N/A

47 DCMA Contract Pay (as a service provider) N/A

48DFAS (Std Disb, Mil Pay, Fin Rpting, Civ Pay, Contract

Pay, FBWT-DCAS (as a service provider)N/A

49 DLA (iRAPT, DAI & DAAS) (as a service provider) N/A

50 DISA ATAAPS (as a service provider) N/A

51 DMDC DTS (as a service provider) N/A

Projected FY 2017 SSAE 18 Distribution List to DoD Components (Based on Components' Responses)As of Jan 27, 2017

DFAS - Service Provider DLA - Service Provider AT&L - Service Provider DoDHRA DMDC - Service Provider DISA - Service Provider

Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?

16Expected FY 17 Subservice Organizations updates / changes are probable.

Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?

Service Organization - SOC 1

(expected FY 17)

DIS

A E

nte

rpri

se S

ervi

ces

(ES

)

DIS

A J

oin

t In

tero

per

abili

ty T

est C

om

man

d (J

ITC

)

DF

AS

Acc

ou

ntin

g O

per

atio

ns

Dir

ecto

rate

Def

ense

Fin

ance

an

d A

cco

un

ting

Ser

vice

(DF

AS

)

DF

AS

(AT

AA

PS

)

DF

AS

(DC

PS

)

Def

ense

Lo

gis

tics

Ag

ency

(DL

A)

Def

ense

Co

ntr

act M

anag

emen

t

Ag

ency

(DC

MA

)

Def

ense

Man

po

wer

Dat

a C

ente

r (D

MD

C)

Fed

eral

Ret

irem

ent T

hri

ft In

vest

men

t Bo

ard

(FR

TIB

)

To

tal S

yste

m S

ervi

ces,

Inc.

(TS

YS

)

Ela

von

, In

c.

Car

pat

hia

(Ho

stin

g F

acili

ty C

on

trac

tor)

Co

nve

rgys

Co

rpo

ratio

n

U.S

. Ban

k R

etai

l Pay

men

t So

lutio

ns

(RP

S)

U.S

. Ban

k N

atio

nal

Ret

ail L

ock

bo

x

Xer

ox

Ver

izo

n

Fir

st F

eder

al

Sp

rin

t an

d S

un

Gar

d

Ed

gew

eb

DFAS - Civilian Pay X X X

DFAS - Military Pay X X X X

DFAS - Standard Disbursing X X

DFAS - Contract Pay X X X

DFAS - Vendor Pay* X

DFAS FBWT - Transaction Distribution X

DFAS FBWT - Treasury Reconciliation*

DFAS - Financial Reporting X

DMDC - Defense Civilian Personnel Data System (DCPDS)

DMDC - Defense Travel System (DTS) X

DCMA - Contract Pay X

DLA - Invoice Receipt Acceptance and Property Transfer (iRAPT) X X

DLA - Defense Agency Initiative (DAI) X X

DLA - Defense Automatic Addressing System (DAAS)

DLA - Service Owned Items in DLA Custody (SOIDC) X

DLA - Defense Property Accountability System (DPAS) X

DISA - Enterprise Services (Hosting)

DISA - Automated Time & Attendance Production System (ATAAPS) X X X

U.S. Bancorp - Freight Payment Transaction Processing X X X

U.S. Bancorp - Commercial Card Transaction Processing System X X X X

U.S Department of Labor Integrated Federal Employees'

Compensation System.

(Relates to Federal Employees' Compensation Act (FECA))

X X X X X

Subservice Organizations

DISA Other (Non-DoD)Other (DoD)

17

DFAS FBWT

Transaction

Distribution

(DCAS)

DISA

Enterprise

Services

Defense Civilian

Personnel Data

System

(DCPDS)

DFAS Civilian

Payroll

(DCPS)

DAI / ATAAPS

Time &

Attendance

Civilian Pay SOC 1 – Page 41- DISA ES provides the physical hosting and

administration of DCPS. Specific functions /

responsibilities include:

- Maintenance of the hardware and system

software supporting DCPS.

- Protection of computer platforms and resident

software and data from unauthorized physical

access and environmental hazards.

- Administration of logical access to ACF 2.

- Performance of certain computer operations

activities for the mainframe platforms

supporting DCPS, including monitoring of

processing, and resolution of any deviations

from the pre-defined processing schedule.

- Administration of data transmission utilities and

monitoring of data transmissions to and from

the mainframe platforms supporting DCPS.

- Performance of uptime monitoring and

assistance with the resolution of availability

issues related to DCPS.

- System software, application, and data backup

and recovery.

DFAS

Standardized

Disbursing

(ADS)

Civilian Pay SOC 1 – Page 29- Some user entities send their T&A data into DCPS

using batch files generated from separate, user-

entity operated T&A systems.

Civilian Pay SOC 1 – Page 41- DCPDS is and HR information support system for

maintaining civilian personnel data in the DoD.

DCPDS is used to provide HR / personnel support

such as applicant ratings, employee appointments,

reassignments, and promotions.

Civilian Pay SOC 1 – Page 33- The DD 592 file is sent to ADS for processing by

Disbursing Operations and to the Defense Cash

Accountability System (DCAS) for use in

downstream reconciliations and financial reporting.

- Check and EFT Payment Files: On a bi-weekly

basis, DCPS produces check and EFT payment

files interfaced to ADS for disbursement to user

entity civilian employees.

Note: The DLA DAAS SOC 1 may also be applicable for those entities routing interface files through this system.

Civilian Pay FY 16 SOC 1 “Family”

SOC 1 reports may point you / your auditor where to go.

Follow the End-to-End Process.

Addressing Service Organization ControlsHow do I do this? Which SOC 1s do I need?

Using the Service Organization Controls Report

19

An Unqualified SOC 1 does not automatically result in User Auditor reliance.

User Auditors Place Reliance on the SOC 1 Reports(as allowed by the auditing standards … ex., AU-C 402)

What are we trying to achieve?

Unqualified / Unmodified SOC 1 Opinions(performed under the examination standards SSAE 18,

AT-C 105, AT-C 205, AT-C 320)

User Entities Place Reliance on the SOC 1 Reports(following A-123 Appendix A / ICOFR requirements)

How do I use the SOC 1 report?Desired Outcomes

Controls Reliance

Rep

ort

ing

/ U

ser

En

tity

20

An Unqualified SOC 1 does not automatically result in User Auditor reliance.

How do I use the SOC 1 report?Desired Outcomes

Auditor Sample SizesLevel of Controls Reliance

Minimum Sample Sizes

High Internal Controls Reliance

Reduced Sample SizesSome Internal Controls Reliance

Optimum for a large financial statement audit

Sufficient for a financial statement audit

Maximum Sample Sizes

No Internal Controls Reliance

10s to 100s of thousands of

sample items across DoD

Inefficient and Unsustainable

The User Auditor’s ability to rely on internal controls

directly affects audit and audit support costs

21

Read the report and assess the impact on your risk of financial misstatement.

A SOC 1 Report typically includes the following sections:

Section 1Independent Service Auditor’s Report

Section 2Assertion Provided by Management of the Service Organization

Section 3Description of the Service Organization, including an overview of relevant operations and applications

• Complementary User Entity Controls (CUECs)

• Subservice Organizations and Complementary Subservice Organization Controls CSOCs

Section 4Service Organization’s Control Objectives and Related Controls (Control Objectives, Controls, and Test of

Operating Effectiveness)

Section 5Other Information Provided by Service Organization Management (UNAUDITED)

How do I use the SOC 1 report?SOC 1 Report Structure

22

Your auditor will consider these …. So should you.

How do I use the SOC 1 report?Areas for Consideration

Evaluation of relevant controlsService auditor competency

5

1

2

3

4 9

6

7

8

10

Scope exclusions

Carve-outs

CUECs

CSOCs

Reliability of data

Results of tests

Opinion

Gap Periods

23

Appropriate controls need to be in place at the Reporting Entity, Service Organization(s),

and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report?What are CUECs and CSOCs

Example DFAS Control Objective:Controls provide reasonable assurance that logical access to DCPS programs and data is

restricted to authorized users.

DFAS ControlsDesigned & Operating Effectively

User Entity ControlsDISA Controls

CUECs (SAS 70, SSAE 16, and SSAE 18)

DFAS controls were designed assuming

certain controls were in place at the

customer (Reporting Entity).

These assumptions have been and will

continue to be included in Management’s

Description.

Some basis is needed for the assumptions

but DFAS is not responsible for monitoring

customers.

CSOCs (SSAE 18)

DFAS controls were designed assuming

certain controls were in place at the Sub-

service Organization (DISA).

These assumptions will now be included in

Management’s Description for each Sub-

service Organization.

Some basis is needed for the assumptions

and DFAS is responsible for monitoring

Sub-service providers.

24

Appropriate controls need to be in place at the Reporting Entity, Service Organization(s),

and Sub-service Organization(s) to achieve the Control Objective.

How do I use the SOC 1 report?What are CUECs and CSOCs

Controls

Controls

DISA Hosting

Services

SOC 1

Reporting

Entity / User

Auditors

Reporting /

User

Entities

DFAS Civilian

Pay Service

SOC 1

CUECs

CSOCs

CUECs

Controls

Controls

Controls

CUECs (SSAE 16 & 18)

DFAS controls were designed assuming

certain controls were in place at the

customer (Reporting Entity).

CUECs (SSAE 16 & 18)

DISA controls were designed assuming

certain controls were in place at the

customer (DFAS).

CSOCs (SSAE 18)

DFAS controls were designed assuming

certain controls were in place at the Sub-

service Organization (DISA).

25

User Entities should understand what reports are being generated by the Service Organization and

then confirm whether those reports are included in the SOC 1.

How do I use the SOC 1 report?Reliability of Data (and Reports)

Background:• The clarified standards require the service auditor to evaluate

whether system generated information is sufficiently reliable for the

service auditor’s purposes “by obtaining evidence about its

accuracy and completeness and evaluating whether the

information is sufficiently precise and detailed.”

• They also require the service auditors and the service organization

to validate system generated information and reports by detailing

how they are generated, who prepares such reports and ensuring

the requisite level of detail in such reports.

Classes of system generated information:The following are the types of data that should be evaluated as part of the SOC 1 attestation:

• Information used in the execution of controls within the SOC 1 report.

• Information provided by the service organization to the service auditor to perform testing of

controls.

• Information provided to the user entity.

Effectiveness of

controls depends in part

on the controls over the

accuracy and

completeness of the

system-generated data

or reports.

26

User Entities should understand what reports are being generated by the Service Organization and

then confirm whether those reports are included in the SOC 1.

How do I use the SOC 1 report?Reliability of Data (and Reports)

Translation:

1. Reports / data that are relied upon by the Service Organization to perform

controls in their SOC 1 (e.g., user access list, reconciliation reports,

spreadsheets, etc.)

2. Reports / data that are used by the Service Auditor to perform SOC 1

testing (e.g., user access listings, transaction populations).

3. Reports / data that are provided to the User Entity and are relied upon in

your financial reporting (e.g., reporting package, external outputs).

27

Your auditor will consider these …. So should you.

How do I use the SOC 1 report?Common Evaluation Pitfalls

• Certain applications, interface programs used by some user

entities might not be included in the scope of the report and / or

important IT controls may be scoped out.

• The report may be directed at only a limited number of user

entities or the coverage is only for certain locations.

• Relevant reports from the Service Organization may not be

included within the scope of the procedures performed by the

Service Auditor.

• All exceptions (not just those within qualified objectives) are not

considered for relevance and impact to the User Entity.

• Subservice Organization SOC 1 reports are not obtained and

reviewed.

Sub-Service

Organizations

User

Auditors

Reporting /

User

Entities

Service

Organizations

Reporting Entity Responsibilities for

Service Organization Controls

1. Identify all Service Organizations (Service Providers) that impact the

Reporting Entity’s internal controls over financial reporting.

2. Document an understanding of the Service Providers impact on the

Reporting Entity’s Financial Reporting and Associated Risks.

3. Document the Reporting Entity’s Understanding of Service Provider

Controls in Place to Mitigate Financial Reporting Risks.

4. Evaluate the Design and Operating Effectiveness of Service Provider

Controls in Place to Mitigate Financial Reporting Risks.

5. Address Complementary User Entity Controls (CUECs) Identified by

the Service Provider (i.e., implement effective controls within the

Reporting Entity).

6. Establish Regular Communications with Service Providers to Monitor

Performance and Identify Events that may Impact Internal Controls Over

Financial Reporting.

28

Establish MOUs that clearly identify who is responsible for what.

D

O

C

U

M

E

M

T

Attend and actively participate in the Service Provider Working Group meetings.

29

Communication Protocols Must be Established and Maintained

• Update the FIAR System Database (FSD) to reflect changes. At a minimum,

this should be completed to support the bi-annual FIAR Plan Status Report.

• Notify OUSD(C) FIAR of needed SOC 1s

• Notify OUSD(C) FIAR if points of contact for SOC 1 distribution have

changed.

• Distribute SOC 1 reports within your own organization, in a timely manner, to

all personnel who need them.

Reporting Entity Responsibilities for

Service Organization Controls

Other Important Responsibilities

OUSD(C) FIAR Support and Available Resources

31

User / Reporting Entity participation is essential.

• Service Provider Working Group Meetings (January, May, and August)• Dates / timing requested by User Auditor’s performing financial statement audits.

• Updates provided on SOC 1 scope changes, CUEC changes, status of NFRs, progress on

current SOC 1s, etc.

• IPA Roundtable Meetings• Periodic meetings with GAO, DOD IG, and IPA firms performing financial statement audits,

audit readiness examinations, and SOC 1 engagements to solicit input on SOC 1 report

usability and other audit relevant topics.

• CUEC Workshops• Nine separate workshops were conducted covering audit relevant SOC 1 reports.

• Included participants from User/Reporting Entities and Service Organizations.

• MILSTRIP workshops with DLA and customer entities.• Detailed walkthroughs of multiple MILSTRIP buy / sell scenarios.

• Focus on financial statement audit impacting roles and responsibilities.

OUSD(C) FIAR Support

& Available Resources

OUSD(C) FIAR Support Activities

Deputy Chief Financial Officer Policy Memo Issued in February 2016

Identified Ten Required Changes to SOC 1 Reports

1. SOC 1 Reports to be Issued by August 15th of each year.

2. Nine Month Attestation Period (October 1 – June 30).

3. Bridge Letters to be Issued by October 8th of each year.

4. CUECs to be Aligned to Control Objectives

5. Describe Service Provider Controls in Place to Monitor Subservice Providers and Identify Service Provider Controls in

Place to Address Subservice Provider CUECs.

6. Establish an Interim Milestone of April 30th to Obtain Service Auditor Feedback.

7. Identify Key Inputs and Management’s Rationale / Approach.

8. Identify Edit Checks and Management’s Rationale / Approach.

9. Identify Interfaces and Management’s Rationale / Approach.

10. Identify Outputs and Management’s Rationale / Approach.

32

Action has been taken on IPA feedback and status updates provided.

OUSD(C) FIAR Support

& Available Resources

Available Resources – SOC 1 Improvement Policy Memo

http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo

Memo was sent to Service Organizations for comment and addresses the

following key points:

1. Service Organizations to meet with their IPA(s) to establish an understanding of

SSAE 18 impact by January 13, 2017.

2. Service Organization to validate the reliability of key output reports / data.

3. Service Organizations to document Complementary Subservice Organization

Controls (CSOCs), their basis for assuming the CSOC is in place at the Subservice

Organization, and the associated monitoring controls in place at the Service

Organization.

4. Service Organizations to communicate of CSOCs to Subservice Organizations by

January 23, 2017.

5. Provides a deadline for Subservice Organizations to inform Service Organizations

that they do not plan to have controls in place to address the CSOCs.

6. Provides a deadline for Subservice Organizations to provide corrective plans to

Service Organizations for those instances where remediation is needed to put

controls in place to address the CSOCs..

33

Input was solicited from IPAs performing financial statement audits and SOC 1 engagements.

http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#policymemo

OUSD(C) FIAR Support

& Available Resources

Available Resources – SSAE 18 Policy Memo

34

Important to make timely updates to support FIAR Plan Status Report

and responses to ad-hoc requests.

OUSD(C) FIAR Support

& Available Resources

Available Resources – FIAR Systems Database

Home Page

System Owner

Data Entry

System User

Data Entry

http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#FIARToolAccess

35

• An Excel file containing all CUECs from all relevant SOC 1 reports (with additions,

deletions, changes from the prior year highlighted

• “Baseline” control descriptions that can be customized to address CUECs.

• Test plans for the “Baseline” controls.

OUSD(C) FIAR Support

& Available Resources

Available Resources – CUECs

OUSD(C) maintains and has distributed the following:

If you have questions or needs, please ask!

36

• Auditing Standards based Service Organization vs. Trading Partner Assessment Template

• Complementary Subservice Organization Controls (CSOCs) Identification Template

OUSD(C) FIAR Support

& Available Resources

Available Resources – Service Organization Vs. Trading Partner

Assessment & CSOCs

http://comptroller.defense.gov/fiar/fiarguidance/tools_tips_workproducts.aspx#supplementalGuidance

If you have questions or needs, please ask!

37

OUSD(C) FIAR Support

& Available Resources

Available Resources – Contact Information

If you have questions or needs, please ask!

James DavilaAccountant, FIAR Directorate, Office of the Deputy Chief Financial Officer, OUSD(C)

james.r.davila2.civ@mail.mil

(703) 571-1654

Bradley Keith

Director, PwC Public Sector, LLP

bradley.d.keith.ctr@mail.mil

(571) 256-2693

bradley.keith@us.pwc.com

(703) 918-3564

Questions