We in the U.S. Army Corps of Engineers (USACE) just received our seventh consecutive unmodified, "clean" audit opinion--the third with no material weaknesses. So what's next? Plenty! In this article, we'll take you on a year-long journey of activities (planning steps, testing, reporting, and audit report issuance) from pre-audit through the next audit report date, and give you an insider's view of what Department of Defense components should expect.
Many leaders believe the Chief Financial Officers (CFO) Act of 1990 created a momentous hurdle but one that, once cleared, allows the organization to divert resources from the audit process to other priorities. Not true! Financial audits require a year-round review and Improvement process repeated every year. From the review of the previous year's audit findings to the next audit, we continually work to Improve internal controls, processes, and Internal control testing within the framework of the program specified In Office of Management and Budget (OMB) Circular A-123, Appendix A. So, let's get started.
PRE-AUDIT--Getting Ready for the Next One (November--February)
You have just spent nine months working with your Independent Public Accounting (IPA) firm and have an unmodified opinion In hand. Once
again, all the hard work put In by your dedicated folks at headquarters and In the field--and In USACE's case, our USACE Finance Center (UFC)--has paid off. Most Individuals believe the coveted "clean opinion" Is what we spend millions of dollars for each year; however, the true value of going through a financial statements audit and running a robust OMB A-123 program Is In the findings and test results.
After the audit Is complete, your IPA more than likely has left you with numerous Notices of Findings and Recommendations (NFRs) that detail their audit findings. At USACE, we use the NFRs, as well as our own OMB-123 program test results, both to mitigate the findings in the next audit and to Improve our internal controls and processes going forward. Let me walk you through how we use each of these results, update cycle memoranda, and brief senior leaders even before the audit begins.
Notices of Findings and Recommendations
Let's begin with our use of the IPA NFRs. The IPA divides Its NFRs Into two areas--financial and Information technology (IT). For this article, I'll focus on the financial NFRs; even so, I'll Include some advice regarding IT NFRs.
Audit Tip: You need to work on mitigating the findings in the year prior to the audit. IT controls are only operating effectively if they are in place on or before the beginning of the fiscal year (1 October). You don't get partial credit for mitigating an IT control during the audit.
On the financial side, the NFRs include findings related to the IPA's control testing, statistical sampling of transactions, financial reporting, and estimated Legal and Environmental liabilities. Within USACE, we have three focus areas: the UFC (financial reporting), Field Operating Activities (FOAs) (statistical sampling), and Headquarters (HQ) (Legal and Environmental liabilities).
Using this breakdown, we assess and address our financial NFRs In one of three ways. The first one is correction of auditor identified transaction errors not corrected during the audit. The USACE corrects most auditor identified transaction errors before 30 September. Therefore, although the IPA still issues the NFR, the financial statements are accurate. In other cases, transactions errors relating to, for example undelivered order balances are identified after 30 September; we need to ensure those corrections are made in the next fiscal year. Applying this logic, we analyze each NFR and Issue to our FOAs a list of transaction errors needing correction. Audit Tip: The IPA also has a list of the NFRs and during the next audit cycle, will seek evidence to validate that the FOA made the correction.
The second way we address NFRs is by sending the full list (regardless of break down) to all Finance and Accounting Officers within USACE. This enables everyone to review all findings and determine whether a similar condition is present at their locations, but just not detected during the preceding audit. The third approach to addressing NFRs--which we believe is the most Important and beneficial--Is analyzing each finding to determine whether we can tighten the associated internal control through one of three actions: (1) policy changes to either add or modify an existing manual control; (2) possible Corps of...