DCMA Manual 4301-11, Volume 2
Management Controls: Audits and Remediation
==========================================================
Office of Primary Responsibility: Stewardship Capability
Effective: September 30, 2019
Releasability: Cleared for public release
New Issuance
Implements: DCMA-INST 4301, “Stewardship,” July 18, 2018
Internal Control: Process flow and key controls are located on the Resource Page
Labor Codes: Located on the Resource Page
Resource Page Link: https://360.intranet.dcma.mil/sites/policy/ST/SitePages/4301-11v2r.aspx
Approved by: David H. Lewis, VADM, USN, Director
__________________________________________________________________
Purpose: This Manual is composed of several volumes, each containing its own purpose. In
accordance with the authority in DoD Directive 5105.64, “Defense Contract Management
Agency (DCMA),” this Manual implements policies and assigns procedures as defined in
DCMA Instruction 4301, “Stewardship,” and incorporates or assigns responsibility for audits and
audit readiness/remediation efforts regarding the Financial Improvement and Audit Readiness
mandate to satisfy the Department’s objective of achieving and maintaining audit readiness.
DCMA-MAN 4301-11, Volume 2, September 30, 2019
Table of Contents 2
TABLE OF CONTENTS
SECTION 1: GENERAL ISSUANCE INFORMATION
1.1. Applicability
1.2. Policy
SECTION 2: RESPONSIBILITIES
2.1. Director, DCMA
2.2. Deputy Director, DCMA
2.3. Executive Steering Group
2.4. Executive Director, Financial and Business Operations
2.5. Chief Financial Officer Compliance Division
2.6. Financial Improvement and Audit Readiness Branch
2.7. Component Commanders/Directors
2.8. Commanders/Directors Of Assessed Activity
SECTION 3: FINANCIAL AUDIT
3.1. Audit Readiness Background
3.2. Support Roles
3.3. Internal Reporting to Management
3.4. Entity Level Controls
SECTION 4: CONTRACT PAY SERVICE PROVIDER
4.1. Contract Pay Assessable Unit
4.2. Pre-Examination
4.3. Examination
4.4. Post-Examination
4.5. Communication
4.6. Customers
4.7. Sub-Service Providers
SECTION 5: REPORTING ENTITY
5.1. Business Processes
5.2. Complementary User Entity Controls
5.3. Pre-Audit
5.4. During the Audit
5.5. Post-Audit
GLOSSARY
G.1. Definitions
G.2. Acronyms
REFERENCES
TABLES
Table 1. Audit Opinions
Table 2. Contract Pay Control Objectives
Table 3. Reporting Entity Business Processes
Table 4. Non-Agency Owned Systems
Table 5. Planning Phase - Key Tasks
Table 6. Internal Control Phase - Key Tasks
Table 7. Testing Phase - Key Tasks
Table 8. Reporting Phase - Key Tasks
FIGURES
Figure 1. Service Provider Exam and Planning
SECTION 1: GENERAL ISSUANCE INFORMATION
1.1. APPLICABILITY. This issuance applies to all DCMA activities, but specifically to the
Financial and Business Operations Directorate (FB), the Contract Pay Service Provider Office,
the Financial Improvement and Audit Readiness/Remediation (FIAR) Reporting Entity Office,
and any other organizational element whose functions might have an impact on DCMA’s audit
readiness. For the purposes of this Manual, any reference to the term FIAR implies terms for
“Readiness” and “Remediation” to be used interchangeably.
1.2. POLICY. It is DCMA policy to:
a. Assign responsibility for FIAR program audit and remediation efforts and adhere to policy
issued by the Office of the Under Secretary of Defense (Comptroller) (OUSD(C)) for the
Agency’s Service Provider and Reporting Entity roles to satisfy the Department’s objective of
achieving audit readiness and Statement on Standards for Attestation Engagements (SSAE) 18
compliance. In accordance with the National Defense Authorization Act (NDAA) for Fiscal
Year (FY) 2010, Section 1003 of Public Law 111-84, the DoD should develop and maintain a
FIAR Plan to achieve auditability by September 30, 2017, and maintain semi-annual reporting on
the Plan for subsequent years.
b. Execute this Manual in a safe, efficient, effective and ethical manner.
SECTION 2: RESPONSIBILITIES
2.1. DIRECTOR, DCMA. The Director, DCMA will:
a. Confirm the Agency is in compliance with the FIAR guidance as issued by the OUSD(C).
b. Be responsible for the overall management of the FIAR Program for the Agency’s Service
Provider and Reporting Entity roles.
c. Review, approve, and sign (or delegate Signature Authority as appropriate) final Agency
annual assertion for audit readiness, responses to draft and final audit reports, and follow-up
inquiries.
d. Appoint FIAR Executive Steering Group (ESG) members.
2.2. DEPUTY DIRECTOR, DCMA. The Deputy Director, DCMA will:
a. Exercise overall leadership and oversight responsibility over the Agency’s FIAR program.
b. Serve as Chairman of the FIAR ESG.
c. Provide final concurrence on Notification of Finding and Recommendation (NFR)
responses as required for Contract Pay Service Provider roles in the event the Executive
Director, FB is unavailable.
2.3. EXECUTIVE STEERING GROUP. The FIAR ESG will:
a. Serve as the Agency’s senior advising entity for FIAR initiatives with the end goal of
achieving and sustaining an unmodified audit opinion.
b. Recommend and monitor measurable goals, objectives, and meaningful metrics for
evaluating progress toward achieving and sustaining an unmodified audit opinion.
c. Provide oversight and direction to audit and remediation efforts regarding OUSD(C)
FIAR mandates to Contract Pay Service Provider and Reporting Entity teams.
d. Champion the FIAR vision, goals, and objectives within DCMA and represent FIAR
interests at various Governance Board meetings.
e. Communicate FIAR ESG activity across all DCMA organizations.
f. Execute actions and tasks as agreed upon by the FIAR ESG.
g. Provide FIAR status updates to senior leadership as required.
h. Assist the DCMA Director in fulfilling oversight responsibilities by reviewing Contract
Pay Service Provider and Reporting Entity policies and procedures, the effectiveness of internal
controls, and internal/external audit results for adherence to laws, regulations, and financial
accounting standards, to include changes from SSAE 16 as superseded by SSAE 18.
2.4. EXECUTIVE DIRECTOR, FINANCIAL AND BUSINESS OPERATIONS
DIRECTORATE. The Executive Director, FB will:
a. Exercise overall responsibility for audit and remediation efforts regarding the FIAR
mandate to satisfy the Department’s objective of achieving audit readiness.
b. Assess whether the design of agency-wide operations, performance, administrative
processes, and related internal controls and control activities that have an effect on the Agency’s
financial statements are adequately designed, documented, and operating as intended.
c. Ensure that all corrective actions of Agency systemic issues have been resolved and
implemented.
d. Select, appoint, and employ personnel, officials, and representatives as necessary to carry
out the functions, powers, and duties of the Contract Pay Service Provider and Reporting Entity
role-compliant activities.
e. Provide advice and counsel on all FIAR related matters pertaining to the Agency.
f. Provide final concurrence or non-concurrence signature on NFR responses submitted to
auditors.
g. Approve all Corrective Action Plans (CAPs) for submission to OUSD(C).
2.5. CHIEF FINANCIAL OFFICER, COMPLIANCE DIVISION. The Chief Financial
Officer, Compliance Division is responsible for operation of the Contract Pay Service Provider
Office and will:
a. Lead and manage development and deployment of strategies, policies, and procedures for
the Agency’s role as a Contract Pay Service Provider under the OUSD(C) FIAR initiative for the
following DCMA-owned systems:
(1) Mechanization of Contract Administration Services (MOCAS).
(2) MOCAS Contract Closeout (MCC).
(3) Modifications and Delivery Orders (MDO).
b. Serve as the Office of Primary Responsibility (OPR) for Contract Pay Service Provider
efforts for functions that include, but are not limited to:
(1) Interface with auditors on behalf of the Agency during all examination phases.
(2) Advise senior leadership and the FIAR ESG on all aspects of the Contract Pay
Service Provider audit status.
(3) Interface with OUSD(C) FIAR on Contract Pay Service Provider issues and
communicate the Agency’s status.
(4) Develop the Assertion Package for the Contract Pay Service Provider Assessable
Unit.
(5) Maintain the DCMA 360 Contract Pay Service Provider site:
https://360.intranet.dcma.mil/directorate/ph-fb/FBL/FIARSP.
(6) Conduct Contract Pay Service Provider internal testing of manual controls.
(7) Prepare and conduct training applicable to the Contract Pay Assessable Unit for the
DCMA workforce.
(8) Facilitate the development of responses to audit findings and corrective action plans.
(9) Brief external customers on the status and outcome of the Contract Pay Service
Provider examination.
(10) Engage with customers and Sub-Service Providers regarding Contract Pay Service
Provider efforts.
(11) Secure and maintain support from other organizations with interdependencies in the
Contract Pay Service Provider’s control environment.
(12) Acquire necessary services for annual audit and program support.
c. Review and provide responses to external auditor NFRs that pertain to the Contract Pay
Assessable Unit.
d. Approve CAPs to progress to remediation efforts and oversee the status of CAP
remediation activities to ensure issues are remediated as scheduled.
2.6. FINANCIAL IMPROVEMENT AND AUDIT READINESS BRANCH. The FIAR
Branch (FBLF) will serve as the OPR for all Reporting Entity efforts and will:
a. Serve as the primary point of contact (POC) for financial statement audits conducted by
independent public accounting firms and serve as the Reporting Entity over FIAR activities.
b. Implement Reporting Entity efforts to include, but not limited to:
(1) Interface with auditors on behalf of the Agency during all examination phases.
(2) Advise senior leadership and the FIAR ESG on all aspects of the Reporting Entity
audit status.
(3) Interface with OUSD(C) FIAR on Reporting Entity issues and communicate the
Agency’s status.
(4) Develop DCMA’s Assertion Package for Reporting Entity Assessable Unit(s).
(5) Maintain the DCMA 360 FIAR Reporting Entity Office site:
https://360.intranet.dcma.mil/directorate/ph-fb/FBL/FBLF.
(6) Conduct Reporting Entity internal testing of manual controls.
(7) Prepare and conduct training designed to mitigate NFRs, close CAPs, and establish
controls for the workforce.
(8) Facilitate development of responses to audit findings and CAP activity.
(9) Monitor results of the examination under the SSAE 18 for Contract Pay Service
Providers and Sub-Service Providers.
(10) Engage with Contract Pay Service Providers and Sub-Service Providers on
Complementary User Entity Controls (CUECs) and develop understanding of Reporting Entity
responsibility with regard to these controls.
(11) Secure and maintain support from other organizations with interdependencies in the
Reporting Entity’s control environment.
(12) Acquire necessary services for annual audits and support.
2.7. COMPONENT COMMANDERS/DIRECTORS. The Component Commanders/
Directors will:
a. Serve as focal point and coordinator for all subordinate organization corrective action
activities.
b. Validate subordinate organization corrective actions, determine whether they remain open
or can be closed, and provide letter of assurance (LOA) to FBLF to obtain final closure for all
corrective actions.
c. Participate in meetings on the status of CAP activity.
d. Perform corrective action and remediation activities in accordance with approved CAPs.
e. Support FIAR and Contract Pay Service Providers by synchronizing agency initiatives,
internal testing, and changes to organizations, processes, policies, and/or tools with a strategy for
audit readiness.
2.8. COMMANDERS/DIRECTORS OF ASSESSED ACTIVITY. The Commanders/
Directors of assessed activities will:
a. Ensure the availability, responsiveness, and cooperation of personnel during the
audit/assessment.
b. Ensure requests for data, entrance conferences, responses, and other administrative
matters are coordinated with FBLF prior to, during, and after audits and assessments.
c. Perform corrective action and remediation activities in accordance with approved CAPs.
SECTION 3: FINANCIAL AUDIT
3.1. AUDIT READINESS BACKGROUND. Audits provide reasonable assurance that
internal controls are suitably designed, operating effectively, and that the financial statements are
presented fairly and free of material misstatements due to error or fraud in accordance with the
U.S. Generally Accepted Accounting Principles (GAAP). As mandated by the Chief Financial
Officers Act of 1990 and the FY 2010 NDAA, DoD is required to audit internal controls over
financial reporting. In preparation for the audit, DoD implements audit readiness efforts in
accordance with FIAR guidance, the DoD Financial Statement Audit Guide, and any subsequent
issuances issued by the OUSD(C).
a. DCMA is a component of the DoD consolidated audit along with other Fourth Estate
entities and therefore, does not undergo a standalone audit. Under the DoD consolidated audit,
the DoD Inspector General (DoDIG) performs internal control and substantive testing over
activities and balances reported by DCMA on an annual basis.
b. Auditors use their conclusions to form an audit opinion using the descriptions as reflected
in Table 1. Audit Opinions. The primary goal is to obtain an Unmodified audit opinion for the
Agency.
Table 1. Audit Opinions
Opinion | Description
Unmodified | Auditor concludes that the financial statements are presented fairly, in all material respects, and in accordance with U.S. GAAP.
Modified | Auditor concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements.
Adverse | Auditor obtains sufficient evidence and concludes that misstatements, individually or in aggregate, are both material and pervasive to the financial statements.
Disclaimer of Opinion | Auditor is unable to obtain sufficient audit evidence on which to base an opinion, and concludes that possible misstatements, individually or in aggregate, could be both material and pervasive.
3.2. SUPPORT ROLES. DCMA will support audits as a Contract Pay Service Provider and as
a Reporting Entity.
a. Service Provider. Service Providers are also known as service organizations. The
American Institute of Certified Public Accountants defines a service organization as “an
organization or segment of an organization that provides services to user entities, which are
likely to be relevant to those user entities' internal control over financial reporting.”
(1) As a Contract Pay Service Provider, DCMA is responsible for the oversight of
systems, data, processes, internal controls, and supporting documentation that affects the audit
readiness of their user Reporting Entities as outlined in Section 4 of this Manual.
(2) Contract Pay systems (MOCAS, MCC, and MDO) will undergo an annual
examination under the SSAE 18. This examination requires an annual risk assessment to ensure
the organization’s controls are regularly reviewed and that risks are adequately addressed or
adjusted as needed. The risk assessment is outlined in the System and Organization Control
Report (SOC-1 Report), which accounts for management’s description of DCMA as a service
organization and the suitability of the design and operating effectiveness of controls.
b. Reporting Entity. Reporting Entities are also referred to as customers, and Reporting
Entities of DCMA-owned systems rely on results of the risk assessment. A Reporting Entity is a
component with an obligation to prepare external financial reports. As a Reporting Entity,
DCMA must give an account of how taxpayer dollars are used to operate the Agency and assert
that internal controls are in place to provide reasonable assurance that financial statements are
presented correctly.
c. DoD Consolidated Audit Provided By Client (PBC) Support. The DCMA Contract
Pay Service Provider Office and Reporting Entity teams coordinate heavily with respective
DCMA activities and functions that are under audit. FIAR teams have full access to the FIAR
Audit Response Center (ARC), a tool used to manage workflow for PBC requests from DoD
Consolidated Auditors.
3.3. INTERNAL REPORTING TO MANAGEMENT. The Contract Pay Service Provider
Office and the FIAR Reporting Entity Office are required to report their activities and audit
outcomes to the DCMA Audit Committee and FIAR ESG. These groups provide oversight,
feedback, and direction on DCMA’s audit readiness and remediation efforts.
3.4. ENTITY LEVEL CONTROLS. Entity level controls (ELCs) apply to Contract Pay
Service Provider and Reporting Entity roles. ELCs have a pervasive effect on an entity’s
internal control system and may include controls related to the entity’s risk assessment process,
control environment, service organizations, management override, and monitoring. ELC
deficiencies or gaps may impact DCMA’s internal control system as a whole. DCMA FIAR
teams will complete a matrix to identify ELCs that require testing during internal control
assessments.
SECTION 4: CONTRACT PAY SERVICE PROVIDER
4.1. CONTRACT PAY ASSESSABLE UNIT. DCMA provides contract administration
services to the DoD Acquisition Enterprise and its partners to ensure timely and cost-effective
delivery of products and services to the warfighter. Before contract award, DCMA will provide
feedback to effectuate solicitations, identify potential risks, and develop decision criteria on
historically best-performing contractors to shape contracts that will meet the needs of the buying
Agency and their warfighting customers. After contract award, DCMA will monitor contractor
performance and management systems to verify that expenditures, delivery schedules, and
products/services are in compliance with contract terms and conditions. Contract Pay Service
Providers are responsible for their systems, data, processes, internal controls, and supporting
documentation that affect a Reporting Entity’s auditability. Customers rely on DCMA to have
reliable internal controls in place to ensure contract administration services are provided
completely and accurately. When key controls have been properly designed and are functioning
effectively, customers and their auditors can place a greater reliance on the Agency’s Contract
Pay system.
a. Contract Pay Service Provider Office. The Contract Pay Service Provider Office may
be staffed with matrixed personnel from varied functional areas, or with permanent staff that
possess functional competencies representing contracting, quality, and information technology
(IT). The Contract Pay Service Provider Office is responsible for executing and overseeing all
Contract Pay Service Provider audit readiness efforts for the agency.
b. Contract Pay End-to-End Process. The Contract Pay End-to-End Process diagram
located on the Resource Page for this Manual reflects the specific processes, sub-processes, and
areas of FIAR related responsibilities provided by DCMA to the contract payment services.
c. Contract Pay Control Objectives. The controls identified in Table 2. Contract Pay
Control Objectives are comprised of automated and manual controls. For further information on
the control activities, please refer to the most recent Contract Pay SOC-1 examination report.
Table 2. Contract Pay Control Objectives
Control Objective | Description
CO1: SECURITY PROGRAM MANAGEMENT | Controls provide reasonable assurance that an enterprise-wide security program has been established and approved by management, is being monitored, tested and maintained.
CO2: ACCESS | Controls provide reasonable assurance that logical access to MOCAS, MCC, and MDO, as well as physical access to MCC and MDO hardware, is restricted to authorized individuals.
CO3: CONFIGURATION MANAGEMENT | Controls provide reasonable assurance that changes to MOCAS, MCC and MDO, application programs and database structures are authorized, tested, implemented and documented.
CO4: SEGREGATION OF DUTIES | Controls provide reasonable assurance that management has identified, provided periodic reviews, and mitigated risks of incompatible duties across business and IT operations within the Contract Pay process (MOCAS and other relevant key systems).
CO5: CONTINGENCY PLANNING | Controls provide reasonable assurance that back-up procedures exist for MCC and MDO.
CO6: SETUP | Controls provide reasonable assurance that MCC and MDO data requirements are defined and documented for transactions which update the MOCAS database.
CO7: INPUT | Controls provide reasonable assurance that contracts are received from authorized sources and input into MOCAS completely and accurately.
CO8: PROCESSING | Controls provide reasonable assurance that contract transactions (e.g., receipts and acceptance of goods and services, disallowed costs, invoice processing, contract closeout, refunds) are authorized and processed completely and accurately.
CO9: OUTPUT | Controls provide reasonable assurance that contract actions and outputs are authorized, and transmitted completely and accurately. Controls around contract and transaction reviews are defined and assessed under Control Objectives 7 and 8.
4.2. PRE-EXAMINATION. The Contract Pay process is cyclical and many pre-examination
activities for the following FY occur simultaneously with activities for the current FY examination
as depicted in the example timeline in Figure 1. Service Provider Exam and Planning. For
example, the current FY examination starts around November of each year and during this time,
the Contract Pay Service Provider Office supports the audit while discussing, implementing, and
testing changes for the next FY.
Figure 1. Service Provider Exam and Planning
a. Internal Testing. DCMA is responsible for the design and effectiveness of controls
related to MCC and MDO and specific controls related to MOCAS. Defense Finance and
Accounting Service (DFAS) and DCMA share responsibility for maintaining all aspects of
MOCAS under the direction of the MOCAS Joint Program Management Office, which is
comprised of employees from both agencies.
(1) The Contract Pay Service Provider Office is responsible for overseeing internal testing
efforts related to the Contract Pay control objectives.
(2) The Contract Pay Service Provider Office is responsible for managing the monthly
testing process. A monthly timeline for testing manual controls is provided on the Resource Page.
The DCMA Contracting Directorate, Contract Pay Service Provider Office, and operational units
are involved in the monthly testing process and have responsibilities that are included in the
timeline.
b. Reporting. Results from monthly testing of manual controls are compiled and uploaded to
the DCMA 360 Contract Pay Service Provider Office site.
4.3. EXAMINATION. Each FY, an independent public accountant (IPA), also referred to
throughout the document as “external auditor,” is contracted to perform the SOC examination
based on DCMA’s assertion. The assertion period is 1 October to 30 June each FY, and the
auditor’s examination report must be completed by 14 August and submitted to the OUSD(C) by
15 August.
a. Entrance Conference. When a contract for IPA services has been awarded, the
Contracting Officer’s Representative (COR) will provide notification to DCMA with the
awardee’s contact information. Usually an entrance conference is required soon after award as a
contract deliverable. If not contacted by the IPA within two to three business days, the Contract
Pay Service Provider Office should reach out to the IPA and begin scheduling the conference
with the OUSD(C) FIAR COR and senior leadership.
b. Site Visits. The Contract Pay Service Provider Office is notified by the external auditor
of all potential site visits so DCMA may coordinate with the responsible POCs regarding dates,
space, and technology needs. The Contract Pay Service Provider Office will notify Contract
Management Offices (CMOs) of the planned visits, as well as any other planning information or
requirements that are needed. This information will be forwarded to the CMO
Commander/Director in a written memorandum or by email. The external auditors will be
accompanied on all site visits by the Contract Pay Service Provider Office and/or other
designated representative(s).
c. PBC. The Contract Pay Service Provider Office will receive any PBC requests or
equivalents from the external auditor’s SharePoint site. The Contract Pay Service Provider
Office reviews PBC requests for clarity and completeness and notifies responsible directorates to
support completing the requests. PBC responses are uploaded to the applicable FY Evidentiary
Folder on the DCMA 360 Contract Pay Service Provider Office site. Once the PBC is accepted
by the Contract Pay Service Provider Office, the PBC is moved to the applicable FY Auditor
Folder and a notification is sent to the external auditor that the PBC response was uploaded. In
order to protect sensitive information, DCMA is responsible for indicating whether each PBC
item is “releasable” versus “non-releasable.”
d. NFR. Throughout the duration of the examination, deficiencies identified may result in
the issuance of NFRs by the external auditor. Once DCMA leadership and the Contract Pay
Service Provider Office receive the draft NFRs, internal meetings are held with responsible
parties to discuss the NFRs and validate that the condition, cause, effect, and criteria are
accurately stated. DCMA management will draft general comments on the findings and address
and develop planned corrective actions to remediate the deficiencies. Official responses are
consolidated and distributed to all customers and respective auditors and all NFR responses must
be approved by the Contract Pay Service Provider Office. During the SOC-1 examination, the
external auditor may also identify deficiencies that require management’s attention, but do not
rise to the level of an NFR. These deficiencies are called Management Letter Comments
(MLCs) and they appear in the Management Letter, which must be completed by mid-August.
The Contract Pay Service Provider Office tracks and monitors MLCs and NFRs.
e. CAP. As indicated in paragraph 4.3.d., deficiencies in any of the control activities that
affect the Contract Pay Service Provider audit readiness are formally documented in an NFR. A
CAP is created to address each deficiency identified in an NFR. Once the CAP is drafted, it must
be approved by the Contract Pay Service Provider Office or the Executive Director, FB. The
Contract Pay Service Provider Office is responsible for completing the CAP template, executing
CAP remediation, and tracking and monitoring CAP completion. CAP status updates will be
discussed during weekly Contract Pay Service Provider Office status meetings and follow-up
meetings with the Directorates will be conducted based on these discussions, as necessary. The
status of open CAPs will be briefed at monthly DCMA FIAR ESG meetings. When all the
corrective actions identified in the CAP have been completed, the Contract Pay Service Provider
Office must verify completion before recommending the CAP be closed. The Contract Pay
Service Provider Office will verify completion by obtaining all required supporting
documentation and performing sufficient testing to ensure remediation of the deficiency. Test
results will be maintained and be made available for review for a full FY following CAP closure.
All externally identified CAPs relating to the Contract Pay Service Provider control activities
will be officially closed by the IPA in the OUSD(C) NFR Database.
f. Exit Conference. The exit conference is the final official meeting between the external
auditor, Contract Pay Service Provider Office, and Agency leadership. This meeting occurs prior
to the external auditor completing the SOC-1 report.
4.4. POST-EXAMINATION. Numerous actions must take place following the conclusion of
the audit:
a. After Action Meeting. The Contract Pay Service Provider Office will hold an after
action meeting to gather lessons learned from all participants in the engagement.
b. Deactivate IPA System Access. Any access that was established for the IPA system at
the beginning of the engagement will be deactivated upon delivery of the final SOC-1 report.
c. Submit SOC-1 Report. The SOC-1 report will be received by the OUSD(C) FIAR
Directorate and distributed to corresponding agencies, as required, and uploaded to the DCMA
360 Contract Pay Service Provider site.
d. Records Naming and Retention. The Contract Pay Service Provider Office POC will
name and archive all records uploaded to the DCMA 360 Contract Pay Service Provider Office
site and retain source documents according to established timeframes. Records will be stored on
the DCMA 360 site for two years, and then copied onto a disk.
e. Monitor CAPs. CAPs will be monitored to completion and closed prior to the start of the
next FY examination.
4.5. COMMUNICATION.
a. POCs. The Contract Pay Service Provider Office POCs are listed in the Service Provider
Program Management Office Members section of the DCMA 360 Contract Pay Service Provider
site.
b. Email Inboxes. The Contract Pay Service Provider Office will manage an internal and
external inbox for tracking and responding to communications.
(1) Internal. The Contract Pay Service Provider Office manages an inbox for internal
testing inquiries: dcma.lee.hq.mbx.fiar-sp-he[email protected].
(2) External. The Contract Pay Service Provider Office manages an inbox for customer
inquiries and responding to communications: dcma.lee.hq.mbx.fiar-sp-in-b[email protected].
4.6. CUSTOMERS. DCMA partners with other DoD entities to provide contract payment
services. A DCMA customer (user entity) is any DoD agency in which contract administration
services are delegated to DCMA.
a. Service Level Agreement (SLA)/Memorandum of Understanding (MOU). The
SLA/MOU is a formal agreement between DCMA and its customers describing the type of
service(s) that DCMA provides for audit readiness, remediation, and sustainment. The purpose
of Contract Pay SLAs/MOUs is to outline business processes and sub-processes performed by
DCMA for its customers in the contract pay end-to-end cycle. The SLAs/MOUs are managed
by the Contract Pay Service Provider Office.
b. CUECs. The Contract Pay controls were designed with the assumption that certain
controls would be placed in operation by user entities. The implementation and application of
such internal controls are the responsibility of the user entities and are necessary to achieve
certain Contract Pay control objectives. The user entities and user entity auditors are responsible
for determining the applicability of the CUECs to the user entity and identifying CUECs relevant
to the user entity financial statement audit. For a listing of the CUECs, please refer to the most
recent Contract Pay SOC-1 examination report.
c. Customer Audit/Auditor Support. The Contract Pay Service Provider Office manages
customer audit/auditor inquiries through the external customer email inbox. The Contract Pay
SOC-1 examination often satisfies audit/auditor inquiries; however, the Contract Pay Service
Provider Office will engage in Contract Pay related conversations to ensure all parties have
confidence in the services DCMA provides to its customers.
4.7. SUB-SERVICE PROVIDERS. To achieve control objectives for the Contract Pay
Assessable Unit, DCMA relies on the design and operating effectiveness of control activities
performed at sub-service organizations. Control activities performed by sub-service
organizations are documented in mutual agreements with DCMA and periodically monitored
through meetings, reports, or status updates.
a. Complementary Sub-service Organization Controls (CSOCs) and Monitoring. The
Contract Pay controls were designed with the assumption that certain controls would be placed in
operation by sub-service organizations. The application of sub-service organization internal
controls is necessary to achieve certain Contract Pay control objectives. When developing
CSOCs, management will review and consider CUECs, other SOC examination reports (if
available), SLAs, and MOUs. Interagency discussions will be held to determine control
effectiveness and to assess risks; and CSOCs will be individually monitored based on the level of
risk. If an issue is discovered during monitoring and risk assessment, DCMA will partner with
the applicable agency to determine the root cause and develop a remediation plan. For a listing
of the sub-service organizations, related CSOCs, and monitoring controls, please refer to the
most recent Contract Pay SOC-1 examination report.
b. Agreements. Service Agreements are in place to outline expectations between DCMA and
sub-service organizations such as Defense Information Services Agency (DISA), DFAS, U.S.
Bank, and the Defense Logistics Agency (DLA). These Agreements are to be reviewed annually
and updated as needed.
SECTION 5: REPORTING ENTITY
5.1. BUSINESS PROCESSES. The FIAR Reporting Entity Office is responsible for reviewing
and documenting end-to-end business processes such as those reflected in Table 3. Reporting
Entity Business Processes. These business processes are also known as assessable units. The
FIAR Reporting Entity Office must also create a crosswalk between DoD standard end-to-end
business processes and their own end-to-end business processes which cover all financial
transactions of DCMA.
Table 3. Reporting Entity Business Processes

| End-to-End Business Process/Assessable Units | Impacted DCMA Directorates or External Service Providers | Process Description |
|---|---|---|
| Appropriations Received | FB - Budget | |
| Hire to Retire/Civilian Pay | FB – Payroll, Human Capital, Army Service Team, and DFAS | Civilian payroll processed in the Defense Civilian Pay System (DCPS). |
| Procure to Pay | Financial & Business Defense Agencies Initiative (DAI), Travel/Defense Travel System (DTS), General Services Administration (GSA), Washington Headquarters Services (WHS), Government Purchase Card (GPC) | Business functions necessary to obtain goods and services including: all Contract Pay and Vendor activities, specifically Invoicing, Receipt, Acceptance and Property Transfer/Syncada, GSA and WHS Facility Rental Payments, Government Vehicles, GPC, DTS, Permanent Change of Station, and Reimbursable Work Order – Grantor. |
| Order to Cash | FB Reimbursables and Accounting | process customer orders for services and/or inventory. Reimbursable Work Orders – |
| Acquire to Retire/Property, Plant and Equipment | FB and IT | manage, and dispose of DoD accountable and reportable property through the entire |
| System Generated Journal Voucher Entries | FB - Accounting | Entries created in the Defense Departmental Reporting System (DDRS) to bring General Ledger (GL) accounts into balance at specified periods of time during the financial reporting process. |
| Financial Reporting/Balance Brought Forward/Year End Entries | FB - Accounting | Entries created in the source accounting system to bring GL accounts into balance at year-end during the financial reporting process includes Fund Balance with Treasury (FBWT). |
a. Assessable Unit. The FIAR Reporting Entity Office is organized by assessable unit.
Each assessable unit is assigned a lead to perform activities before, during, and after the annual
audit. These activities include managing PBCs, samples, walkthroughs, Subject Matter Experts,
process narratives and flowcharts, NFR reviews and approvals, and managing
comments/concurrence.
b. Process Narratives. The FIAR Reporting Entity Office must document each end-to-end
process in a narrative which provides an independent auditor not familiar with DCMA a
thorough understanding of all activities, transactions, systems, and related controls for each
process. The document identifies the DCMA directorates and Service Providers involved in the
end-to-end process. The process narrative, which is updated annually, must describe the actual
process as it exists and include an overview, flowchart(s), key internal control listing, key
supporting document listing, and key IT system listing for systems used in the process and
CUECs. Relevant DCMA directorates and external Service Providers are frequently consulted to
ensure the completeness and accuracy of the narratives and to ensure key controls are properly
identified.
5.2. COMPLEMENTARY USER ENTITY CONTROLS. CUECs are controls that Service
Providers provide to Reporting Entities for implementation by the Reporting Entity.
Management for the FIAR Reporting Entity is responsible for implementing internal controls
over their financial information and therefore, must ensure that they fully understand what
pecuniary significant activities are outsourced to Service Providers and the effectiveness of the
Service Providers’ related internal controls.
a. The DCMA FIAR Team will coordinate with Service Providers to develop a good
understanding of the Service Provider’s user control assumptions and to test the controls to
ensure they are operating effectively. This includes reviewing SSAE 18 audit reports and related
training provided by OUSD(C). CUEC considerations should relate to the control objectives
specified in management’s description of the Service Provider system. DCMA uses the non-
owned systems such as those identified in Table 4. Non-Agency Owned Systems for its business
processes.
Table 4. Non-Agency Owned Systems

| No. | Service Provider | SOC-1 DoD Service Providers Used by DCMA |
|---|---|---|
| 1 | DFAS | DCPS (Civilian Pay) |
| 2 | DFAS | MOCAS, Elimination of Unmatched Disbursements, Entitlement Automation System, Pay Pre-Validation Module, Accounting Pre-Validation Module (APVM), Business Activity Monitoring (BAM), Standard Contract Reconciliation Tool (Contract Pay) |
| 3 | DFAS | Defense Cash Accountability System - FBWT Distribution |
| 4 | DFAS | DDRS (Financial Reporting) |
| 5 | DFAS | Automated Disbursing System, Intra-Governmental Payment and Collection, Megawizard (Standard Disbursing Services) |
| 6 | DFAS | Computerized Accounts Payable for Windows (CAPS-W), CAPS-W Data Center, Operational Data Store, Defense Corporate Database/Defense Corporate Data Warehouse, BAM, APVM (Vendor Pay) |
| 7 | DISA | Enterprise Computing Service |
| 8 | DLA | Defense Automatic Addressing System |
| 9 | DLA | DAI |
| 10 | DLA | Defense Property Accountability System |
| 11 | DLA | Invoices, Receipt, Acceptance and Property Transfer |
| 12 | Defense Manpower Data Center (DMDC) | Defense Civilian Personnel Data System |
| 13 | DMDC | DTS |
| 14 | CitiBank | Travel Card |
| 15 | U.S. Bank | Access Online |
| 16 | DFAS | Department 97 Reconciliation and Reporting Tool / Cash Management Report (Fund Balance with Treasury Reconciliation) |
| 17 | DFAS | Enterprise Local Area Network |
b. The FIAR Reporting Entity Office is responsible for monitoring control activities
implemented to complement the controls implemented by Service Providers:
(1) Control activities that provide reasonable assurance that any changes to processing
options (parameters) requested by the Reporting Entity are appropriately authorized and
approved.
(2) Control activities that provide reasonable assurance that output received from the
Service Provider is routinely reconciled to relevant Reporting Entity control totals.
(3) Control activities that provide reasonable assurance of password or Common Access
Card-enabled access to Reporting Entity controlled computer terminals or networks resides with
the Service Provider.
5.3. PRE-AUDIT. For each assessable unit, the FIAR Reporting Entity Office is required to
complete narratives, key tasks, and underlying detailed activities as prescribed in guidance issued
by OUSD(C). Before the audit, the Reporting Entity completes preparation activities to include
remediating prior audit findings and addressing internal control gaps. The Reporting Entity
reviews process narratives and flowcharts for each end-to-end process on an annual basis and
revises them as necessary.
a. The FIAR Reporting Entity Office is responsible for performing periodic testing of a
sample of transactions and corresponding control activities to ensure that processes and controls
documented in each end-to-end process narrative are operating as intended. Tests of Design
determine if a documented process control is in place and Tests of Effectiveness determine if the
controls are working as intended. Test techniques may take one or more forms:
(1) Inquiry. Conducted by oral or written inquiries of personnel involved in the
execution of specific control activities to determine what they do or how they perform a specific
control activity. Inquiries provide the least reliable evidence and require supplementation with
other types of control tests.
(2) Observation. Conducted by observing personnel performing control activities in the
normal course of their duties. Observations provide sufficient evidence that the control activity
is properly applied during the period; however, they provide no evidence that the control was in
operation at any other time. Observations require supplementation by corroborative evidence
obtained from other tests (e.g., inquiry and inspection) about the operation of control activities at
other times.
(3) Examination. Conducted by examining documents and records of evidence (e.g., the
existence of initials or signatures) that a control activity was applied to those documents and/or
records.
(4) Re-performance. Conducted to obtain sufficient evidence that a control activity is
operating effectively.
b. Combining 2 or more test techniques provides greater assurance than using only 1 test
technique. The more significant the account, disclosure, or process and the greater the risk, the
more important it is to ensure the evidence extends beyond 1 testing technique.
5.4. DURING THE AUDIT. During the audit, PBCs will be sent by OUSD to the agency with
a short suspense date. The FIAR Reporting Entity Office will assist with providing key
supporting documents (KSDs) of business processes to address the PBC responses from the
agency to OUSD. It is the responsibility of the FIAR team to react quickly and decisively to
ensure the process owner or correct POC has all the available time to respond.
a. Once auditors have reviewed PBC responses, KSDs, and any follow-up information on
procedures or clarification of processes, they will request a Universe of Transactions to perform
a sample selection for testing issued via PBC routed through the FIAR Team.
b. When sample requests are issued through the ARC Tool, the FIAR Reporting Entity Office
delivers the sample requests to the assessable or sub-assessable unit (depending on the requested
documentation) via the ARC tool. As a Key Control, the FIAR Reporting Entity Office will
establish a due date for the assessable unit process owner and monitor the completion of all
sample requests to ensure KSDs are provided timely.
c. The FIAR Reporting Entity Office receives an auto-generated system notification when
process owners have responded with the requested KSDs within the ARC tool. As a Key
Control, the FIAR team thoroughly reviews each submitted document for accuracy and to ensure
the documents satisfy the request before forwarding them to OUSD(C). In addition, the team
ensures there is no Personally Identifiable Information (PII) embedded within the document(s).
d. The FIAR Reporting Entity Team submits files that have possible PII by a secured
method determined by OUSD(C).
e. Activities that occur during the phases of an audit:
(1) Planning Phase. The FIAR Reporting Entity Office is the primary POC for all phases
of the audit. Table 5. Planning Phase – Key Tasks identifies the key activities for the planning
phase of a financial statement audit.
Table 5. Planning Phase - Key Tasks

| Task | Description |
|---|---|
| Entrance Conference | The entrance conference will be attended by OUSD(C), the Reporting Entity, Service Provider teams and leadership to kick off the audit to gain an understanding of audit requirements, other relevant information and plans for field and site visits. |
| Review End-to-End Processes | The Reporting Entity and Service Provider teams should review the Reporting Entity and Service Provider end-to-end process documentation. The review should ensure that process narratives and flowcharts are both current and accurate before being provided to the audit team. |
| Onboarding Training/Initial Requests | As applicable, the FIAR Reporting Entity Office in coordination with the Program Office, will provide onboarding training to assist the audit team in gaining an understanding of the Reporting Entity. The training will explain the organization structure, describe the various Service Providers that are relevant to the Reporting Entity under audit, and outline the SOC-1 examination reports that are available. |
| Obtain SOC-1 Reports | All SOC-1 reports must be obtained from the Service Provider audit liaisons and made available for review by the audit team. |
| Maintain Standard Operating Procedures (SOPs) | The FIAR Reporting Entity Office should maintain and update all SOPs and manuals for key business processes. These SOPs may ultimately be requested by an audit team during the course of an audit. |
| Obtain PBC List | The Reporting Entity and Service Provider teams should obtain the PBC list from the audit team and/or from OUSD(C). |
| Identify and Research Significant Account Fluctuation | The Reporting Entity and Service Provider teams should analyze financial statement line items on a comparative basis. Significant year-over-year fluctuations should be identified and underlying causes researched. Documentation should also be obtained to support explanations for significant account fluctuations that are identified (as this information might be requested by the audit team at a later time). |
| Obtain Intra-Departmental Supporting Documentation | The FIAR Reporting Entity Office should collaborate with other agency Reporting Entity audit liaisons to obtain reconciliations, control documentation, and MOUs to support intra-Departmental funding activity for applicable reporting entities. |
(2) Internal Control Phase. During this phase the audit team will perform risk
assessment procedures and expand its understanding of internal controls from the planning
phase. As part of this phase, the audit team will test the design and operating effectiveness of
key internal control activities. Based on the evaluation of the design, implementation of internal
controls, and the results of control tests, the audit team will preliminarily assess the effectiveness
of the internal controls. The audit team will reevaluate the preliminary assessment at the
conclusion of the testing phase. Table 6. Internal Control Phase – Key Tasks identifies key tasks
involving the FIAR Reporting Entity Office for the internal control phase of a financial statement
audit.
Table 6. Internal Control Phase - Key Tasks

| Task | Description |
|---|---|
| Compile Systems Documentation | The FIAR Reporting Entity Office will obtain and provide the auditors with flowcharts, process narratives, and any relevant SOPs or desktop manuals for systems used by assessable unit processes to ensure they are reviewed, organized and made readily available for the audit team. |
| Coordinate Systems Compliance Testing | The FIAR Reporting Entity Office will coordinate with Service Providers and the audit team so that tests for compliance with the Federal Financial Management Improvement Act of 1996 (FFMIA) can be conducted. |
| Fulfill Ad Hoc Internal Control Requests | The FIAR Reporting Entity Office will obtain various ad hoc requests relating to the internal control environment of the Reporting Entity, which are likely to arise during this phase of the audit. |
| Coordinate Intra-Departmental Internal Control Review | The FIAR Reporting Entity Office should collaborate with other agency Reporting Entity audit liaisons to provide process flowcharts, narratives and internal control documentation to support intra-departmental funding activity for applicable reporting entities. Process system walkthroughs must also be coordinated with the audit team as requested. |
(3) Testing Phase. During this phase, the audit team obtains evidence to report on the
financial statements, internal controls, systems compliance, and compliance with significant
provisions of laws and regulations. The audit team gathers the appropriate evidence by
requesting KSDs which may be in the form of documents used for recording and processing
information or procedural (systemic and/or manual) process requirements and provides them to
external auditors for testing. Table 7. Testing Phase – Key Tasks identifies key tasks for the
testing phase of a financial statement audit.
Table 7. Testing Phase - Key Tasks

| Task | Description |
|---|---|
| Provide Internal Controls Testing Support | The FIAR Reporting Entity Office will coordinate with the respective DCMA Program Office to assist the audit team in the performance of walkthroughs and respond to documentation requests to demonstrate the controls are operating effectively. |
| Provide Analytical Procedures Response Support | The FIAR Reporting Entity Office should obtain and provide documentation to support explanations for significant account fluctuations that are identified by the audit team. |
| Provide Detail Testing Support | The Reporting Entity and Service Provider teams should be prepared to fulfill a broad range and high volume of requests for documentation from the audit team. When responding to documentation requests, the FIAR Reporting Entity Office and the DCMA Program Office must ensure that documentation is submitted to the audit team (through OUSD(C)) within the agreed upon timeframes and has undergone a multi-level quality assurance review. |
| Conduct Regular Status Meetings | The FIAR Reporting Entity Office will attend OUSD(C) hosted status meetings with the audit team to discuss the status of the audit, any challenges encountered, and upcoming deadlines. |
(4) Reporting Phase. The DoDIG will provide a draft audit report to OUSD(C) and
DCMA leadership prior to issuance. Upon receipt of the draft report, DCMA leadership will
review the report and provide written comments back to the audit team regarding the findings,
conclusions and recommendations contained in the draft report. If the draft report contains
NFRs, OUSD(C) and FIAR Reporting Entity Office will hold meetings internally to discuss the
NFRs. Table 8. Reporting Phase – Key Tasks identifies key tasks for the reporting phase of a
financial statement audit.
Table 8. Reporting Phase - Key Tasks

| Task | Description |
|---|---|
| Support Overall Analytical Procedures | The FIAR Reporting Entity Office should fulfill documentation requests and provide responses to inquiries arising as the audit team performs overall analytical procedures necessary to complete the reporting phase of the audit. |
| Coordinate Exit Conference | The FIAR Reporting Entity Office will coordinate the exit conference with the audit team to review the results of the audit and provide feedback on conclusions reached and recommendations made. OUSD(C) and DCMA leadership should be in attendance. |
| Review Draft Audit Report | The FIAR Reporting Entity Office will review the draft audit report and provide it to the appropriate DCMA officials to provide an opportunity to comment on findings and/or areas of concern. |
| Provide Responses to Audit Findings | The FIAR Reporting Entity Office will prepare, coordinate, and distribute an official DCMA response from leadership to OUSD(C) and the audit team |
5.5. POST-AUDIT.
a. Remediation/Sustainment. DCMA leadership will coordinate with OUSD(C) and
respond to audit report findings by concurring or non-concurring with the audit findings. The
FIAR Reporting Entity Office will track NFRs to resolution, and meet with assessable unit
process owners to develop CAPs with interim milestones. The FIAR Reporting Entity Office
will initiate sustainment by integrating FIAR methodology sustainment activities into the
Managers Internal Control Program.
b. NFR Database. The NFR database is a centralized system developed by OUSD(C) to
track the flow of audit findings and communicate NFRs and corrective actions to internal and
external stakeholders. The NFR Database is used by OUSD(C) to track auditor findings and
work closely with agencies to ensure CAPs are developed and remedies are made to correct the
deficiency. The FIAR Reporting Entity Office is responsible for coordinating activities in
response to NFRs:
(1) Distribution and Analysis. When received, NFRs are provided to the owning
component of the deficiency for review, research, and analysis.
(2) Response to External Auditor. After the NFR is thoroughly researched, the Agency
prepares a response and addresses auditor recommendation(s). The Agency will either concur or
non-concur with the deficiency/recommendation. The NFR must be signed by the FB Executive
Director upon concurrence and the process owner is required to develop a CAP to address the
finding and correct the problem. All CAP completions must be reported to OUSD(C) within 60
days.
(3) CAPs. A CAP must be developed and tracked for each finding that receives
concurrence on the NFR. The CAP status will be briefed at monthly FIAR ESG meetings.
Current year assertion packages must include relative CAPs with current status and previous
audit findings.
(4) Tracking. External auditor NFRs and CAPs will be tracked in the NFR Database.
c. Corrective Actions. In the Corrective Action process, the FIAR Reporting Entity Office
will:
(1) Identify and define deficiencies in internal controls and supporting documentation.
(2) Develop CAP(s) to resolve each deficiency identified during the Testing Phase, to
include budget estimates of required resources (e.g. funding and staffing) to execute CAPs.
(3) Implement and execute CAP milestones and confirm that all audit readiness critical
capabilities have been addressed.
(4) Close the CAP in the NFR database when all corrective actions have been completed
and verified by FIAR Reporting Entity Office. All CAPs relating to Service Provider assessable
unit control activities will be officially closed by the Contract Pay Service Provider Office, or
designee. Prior to recommending closure, the OPR must obtain required documentation and/or
perform sufficient testing to ensure remediation of the deficiency. Results of testing and
validation must be maintained by the OPR and be available a full FY following CAP closure.
The CAP POC will update the internal CAP Tracker and external NFR Database.
d. Status Reporting. The FIAR Reporting Entity Office will report remediation progress to
the OUSD(C) FIAR Directorate every 60 days via the NDAA Scorecard and an interim
milestone tracking chart, as applicable. The FIAR Reporting Entity Office will also perform
detailed NFR/CAP status reporting to the OUSD(C) FIAR Directorate using the NFR Database
each month. The FIAR Reporting Entity Office is responsible for preparing and/or updating
assessable unit process documentation (e.g., process narratives and flowcharts), assessing the
design, and testing the operating effectiveness of its internal controls. As part of sustainment, the
FIAR Reporting Entity Office is also responsible for identifying and resolving internal control
deficiencies noted during testing in a timely manner (e.g., before the next annual reporting
cycle). The FIAR Reporting Entity Office does so by implementing concrete, measurable and
attainable CAPs.
GLOSSARY
G.1. DEFINITIONS.
Assertion. A management assertion letter declaring that a financial statement/selected elements
of the financial statement are audit ready in conformity with the internal control and supporting
documentation criteria.
Assessable Unit. A process that is capable of being evaluated or audited. Functions include
documentation, identification, and insertion of controls associated with specific sub-functions
in order to mitigate identified risks.
Assessments. Encompasses inspections, evaluations, assistance, and teach and train functions of
the identified entity.
CAP. The detailed plan identifying management controls, tactics, techniques, procedures,
training, resources, and working environment changes likely to preclude future non-compliance.
ELC. Established internal guidelines around governance that set forth an organization’s values
through policies and procedures to provide reasonable assurance that objectives related to the
entity as a unit are met.
FIAR Guidance. A document that defines the Department’s goals, strategy and methodology
for becoming audit ready, including roles and responsibilities, and processes for reporting
entities, Service Providers, and executive agents.
Finding. Areas that are non-compliant with a regulation or policy/instruction requirement. Any
finding will have a recommendation associated with it. Each finding will also quantify whether
it is systemic in nature or a one-time occurrence.
Key Control. The policies, procedures (manual and automated) and activities that are part of a
control framework, designed and operated to ensure that risks are contained within the level that
an organization is willing to accept.
Line of Accounting. A document that captures the component’s level of assurance over internal
controls over reporting, internal controls over operations, and internal controls over compliance.
The lines of accounting must take one of the following forms: Unmodified (no material
weaknesses); Modified (one or more material weaknesses identified); Adverse (one or more
misstatements are both material and pervasive); and Disclaimer of Opinion (auditor unable to
provide sufficient audit evidence on which to base an opinion). Letter of Assurance is also
known as Statement of Assurance.
NFR. Document issued by the auditors indicating there is a potential audit finding.
PBC. A request for information or documentation from the auditors which allows them to
perform testing of management assertions in the financial statement audit.
Reporting Entity. A unit where it is reasonable to expect that there are users dependent on a
general purpose financial report to gain an understanding of the financial position and
performance of the unit, and to make decisions based on this financial information and other
information contained in the financial report.
Service Provider. An agency that provides other organizations with accounting, consulting,
legal, education, communications, storage, processing, or other services.
Universe of Transactions. The entirety of underlying, individual, and accounting actions that
support a financial statement line or balance. Accounting actions that support a financial
statement.
GLOSSARY
G.2. ACRONYMS.
APVM Accounting Pre-Validation Module
ARC Audit Response Center
BAM Business Activity Monitoring
CAP Corrective Action Plan
CAPS-W Computerized Accounts Payable for Windows
CMO Contract Management Office
COR Contracting Officer’s Representative
CSOC Complementary Sub-service Organization Control
CUEC Complementary User Entity Control
DAI Defense Agencies Initiative
DCPS Defense Civilian Pay System
DDRS Defense Departmental Reporting System
DFAS Defense Finance and Accounting Service
DMDC Defense Manpower Data Center
DTS Defense Travel System
ELC Entity Level Controls
ESG Executive Steering Group
FB Financial and Business Operations Directorate
FBLF Financial Improvement and Audit Remediation Branch
FBWT Fund Balance with Treasury
FFMIA Federal Financial Management Improvement Act of 1996
FIAR Financial Improvement and Audit Readiness/Remediation
FY Fiscal Year
GAAP Generally Accepted Accounting Principles
GL General Ledger
GPC Government Purchase Card
GSA General Services Administration
IPA Independent Public Accountant
IT Information Technology
KSD Key Supporting Document
MCC MOCAS Contract Closeout
MDO Modification and Delivery Order
MLC Management Letter Comments
MOCAS Mechanization of Contract Administration Services
MOU Memorandum of Understanding
NDAA National Defense Authorization Act
NFR Notification of Finding and Recommendation
OPR Office of Primary Responsibility
OUSD(C) Office of the Under Secretary of Defense (Comptroller)
PBC Provided by Client
PII Personally Identifiable Information
POC Point of Contact
SLA Service Level Agreement
SOC 1 Report System and Organization Controls Report
SOP Standard Operating Procedure
SSAE Statement on Standards for Attestation Engagements
WHS Washington Headquarters Services
REFERENCES
Chief Financial Officers Act of 1990 (Public Law 101-576)
DoD Directive 5105.64, “Defense Contract Management Agency (DCMA),” January 10, 2013
Federal Financial Management Improvement Act of 1996 (FFMIA)
National Defense Authorization Act (NDAA) For Fiscal Year 2010 (Public Law 111-84),
Section 1003, October 28, 2009
Office of the Under Secretary of Defense (Comptroller)/CFO, “DoD Financial Statement Audit
Guide,” May 2018
Statement on Standards for Attestation Engagements No. 18, May 1, 2017