FINAL REPORT ON THE EXTERNAL PEER REVIEW OF THE DEFENSE INTELLIGENCE AGENCY, OFFICE OF INSPECTOR GENERAL, AUDIT STAFF (2107-0022-AS) ATTACHMENT B LETTER OF COMMENT

Approved for Release: 2019/12/12 C06803488 UNCLASSIFIED/frefit-effiel*L�USE-0914L�Y� Central Intelligence Agency Office of Insi,ector General Washington, D.C. 20505 29 SEP 2017 (U) Final Report on the External Peer Review of the Defense Intelligence Agency, Office of Inspector General, Audit Staff (2107-0022-AS) (U) Attachment B (U) Letter of Comment (U) We have reviewed the system of quality control for the Defense Intelligence Agency (DIA), Office of Inspector General (OIG), Audit Staff in effect for the three-year period ended 30 April 2017 and have issued our report thereon dated 29 September 2017, in which the Audit Staff received a rating of pass. That report should be read in conjunction with the comments in this letter, which were considered in determining our opinion. The findings described below were not considered to be of sufficient significance to affect the opinion expressed in our report. (U) Assessing Audit Risk and Internal Control Should Be Improved (U) The Audit Staff did not always identify and assess internal control, including information systems controls that were significant within the context of the audit objective during the audit planning phase. Generally accepted government auditing standards (GAGAS) 6.11b states that auditors should assess audit risk and significance by gaining an understanding of internal control as it relates to the specific objectives and scope of the audit. GAGAS 6.16 states that auditors should assess whether internal control was properly designed and implemented and perform procedures to gather sufficient evidence to determine whether controls are effective. GAGAS 6.24 states that auditors should evaluate the design and operating effectiveness of information systems controls determined to be significant to the audit objective. (UhTOU0) The Audit Staff did not adequately assess whether internal control was properly designed and implemented for the Audit of DIA 's Contract Surveillance, the Audit of Other Direct Costs on DIA Contracts, and the Audit of DIA 's Management of Software Licenses) To assess internal control in accordance with GAGAS, auditors should identify business processes and key control activities significant to the objective. In conducting the Audit of DIA 's Contract Surveillance and the Audit of DIA 's Management of Software Licenses, although a high-level assessment of controls was performed, key control activities specific to the audit objectives were not identified. In conducting the Audit of DIA 's Contract Surveillance and the Audit of Other Direct Costs on DIA Contracts, the assessment of internal control was (U#F91:48) The Audit of DIA 's Management of Software Licenses was terminated after completion of the audit planning phase. UNCLASSIFIED//rOR OFFICIAL USE ONLY Approved for Release: 2019/12/12 C06803488 Approved for Release: 2019/12/12 C06803488 UNCLASSIFIED//FOR OFFICIAL USE ONLY SUBJECT: Letter of Comment performed during the fieldwork phase. By not performing the assessment of internal control during the planning phase, the results of the assessment of internal control were not available for use in determining the nature and extent of audit procedures necessary to reduce audit risk. (U//FOU0) In conducting the Audit of DIA 's Management of IT Equipment and Warehouse Inventory, the Audit Staff did not adequately assess information systems controls, including application controls and user controls. GAGAS 6.23 defines information systems controls to include general controls, application controls, and user controls. According to the audit report, the DIA The Audit Staff relied on information obtained from the DIA to report on amounts of stored and disposed IT equipment at th We were unable to identify workpapers that evaluated the significance of application and user controls as part of the Audit Staff's assessment of DIA Application and user controls can be significant when tracking and managing equipment within an IT system. In addition, the audit report identified two systems, the \ We were unable to identify workpapers that assessed the significance of to the audit objective. According to GAGAS 6.24, auditors should assess information systems controls that are significant to the audit objective and obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit. (U//FOU0) The DIA OIG Auditor's Handbook was amended in January 2015 to include additional detail on assessing and documenting internal controls, including information system controls. (U) Recommendation 1: Remind Audit Staff personnel to assess audit risk and internal control, including information systems controls, during the planning phase of the audit in accordance with GAGAS and the Auditor's Handbook. (U) Views of Responsible Official: The DIA Acting Inspector General (IG) concurred with the recommendation. On May 1, 2017, the Assistant Inspector General for Audits (AIGA) released a revised Auditor's Handbook (version 5.0). The AIGA updated the Auditor's Handbook using GAGAS requirements and lessons learned from quality assurance activities. The updated Auditor's Handbook clearly outlines the GAGAS requirements, associated audit activities, and expected documentation of audit work related to the assessment of audit risk, internal controls, and information systems controls during the planning phase of the audit. The revised Auditor's Handbook provides added guidance to Audit Staff on the timing and extent of these assessments in the planning phase. Further, on multiple occasions during Audit Staff leadership and All-Hands meetings, the AIGA communicated the peer review recommendations and stressed the need to consistently comply with GAGAS and the Auditor's Handbook. The AIGA and the Quality Assurance Manager (QAM) updated the Quality Assurance Checklist for planning to ensure that these requirements are clear and developed a schedule of "quick-look" 2 UNCLASSIFIED//FOR OFFICIAL USE ONLY Approved for Release: 2019/12/12 C06803488 Approved for Release: 2019/12/12 C06803488 UNCLASSIFIED//FOR OFFICIAL USE ONLY SUBJECT: Letter of Comment reviews for FY 2018 that will include increased oversight of audit risk, internal control, and information systems control assessments during the planning phase. The AlGA expects to complete these oversight activities by the end of FY 2018 and will consider the need for further action based on the outcomes. (U) Assessing Computer-Processed Data Should Be Improved (U) The Audit Staff did not adequately assess the completeness of computer-processed data for one audit. GAGAS 6.66 states that auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it. (UHFOU0) In conducting the Audit of DIA's Management of IT Equipment and Warehouse Inventory, the Audit Staff relied on computer-processed data to conclude that: in IT equipment was being stored in DIA's warehouse. in IT equipment stored in DIA's warehouse was new IT equipment that had been in the warehouse for over 12 months. � in IT equipment that had never been used was disposed of. � in IT equipment that had been disposed of but could have been repurposed. We were unable to find evidence that the Audit Staff assessed the completeness of the population of of IT equipment stored in the warehouse. We also found no evidence that the Audit Staff tested key data elements represented in the population such as the age or the condition of the equipment, which impact the "useable," "never been used," and "obsolete" equipment balances. (U) Reemmnendation 2: Take action to ensure that auditors adhere to GAGAS requirements when obtaining and assessing the adequacy of audit evidence, including completeness and existence of all key data elements when relying on computer-processed information. (U) Views of Responsible Official: The DIA Acting IG concurred with the recommendation. The AlGA and the QAM updated the Quality Assurance Checklist for planning to ensure that the requirements are clear, and they are in the process of updating the Quality Assurance Checklists for fieldwork and reporting. The AlGA expects to complete the revised checklists by November 2017. The AlGA and QAM also developed a schedule of quick- look reviews for FY 2018 that will include increased oversight of audit risk, which incorporates assessment of the adequacy of audit evidence and reliance on computer-processed information. The AlGA expects to complete these oversight activities by the end of FY 2018 and will consider the need for further action based on the outcomes. 3 UNCLASSIFIED//FOR OFFICIAL USE ONLY Approved for Release: 2019/12/12 C06803488 Approved for Release: 2019/12/12 C06803488 UNCLASSIFIED//FOR OFFICIAL USE ONLY SUBJECT: Letter of Comment (U) Supporting Documentation Was Not Always Consistent With Audit Report (U) We found inconsistencies between the audit report and the supporting documentation for one audit. These discrepancies did not affect the overall conclusions and findings in the report. According to GAS 7.13, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. GAS 7.13 further states that, when sampling significantly supports the auditors' findings, conclusions, or recommendations, the sample design and why the design was chosen should be described in the report, including whether the sample results can be projected to the relevant population. (UHFOU0) The Audit of DIA 's Management of IT Equipment and Warehouse Inventory stated: erd We assessed the sufficiency and appropriateness of th ata we used by comparing the description of the IT equipment items to the relevant U. . federal stock number. We found no discrepancies in this test. Although the audit report states there were no discrepancies found when comparing the description of the IT equipment items to the relevant US federal stock number, the supporting documentation in the audit workpapers noted 417 discrepancies. (U//FOU0) The same audit report stated that: We also selected a statistical sample of 124 items from the universe of 3,080 IT equipment items stored at the DLOC as of 30 September 2013. We compared the description and unit cost of the item to the relevant DIA contract, or to results of Google searches when LOG [Office of Logistics and Global Readiness] was unable to provide supporting information. We identified minor cost differences for 111 of the 124 items, and we were unable to verify the cost of 13 items because of insufficient information. We found no evidence in the audit workpapers that the Audit Staff performed analysis to project the "minor cost differences" to the relevant population or explain in sufficient detail the impact of the differences. (U) Recommendation 3: Take action to ensure that auditors adhere to GAGAS for presenting sufficient, appropriate evidence in the audit report to support the findings and conclusions in relation to the audit objectives, including relevant sampling information. (U) Views of Responsible Official: The DIA Acting IG concurred with the recommendation. On 1 May 2017, the MGA released a revised Auditor's Handbook (version 5.0). The A1GA updated the handbook using GAGAS requirements and lessons learned from quality assurance activities. The updated Auditor's Handbook clearly outlines the GAGAS requirements, associated audit activities, and expected documentation of audit work related to the assessment of sufficiency and appropriateness of evidence to support audit conclusions, findings, 4 UNCLASSIFIED//FOR OFFICIAL USE ONLY Approved for Release: 2019/12/12 C06803488 Approved for Release: 2019/12/12 C06803488 UNCLASSIFIED//FOR OFFICIAL USE ONLY SUBJECT: Letter of Comment and recommendations and the use of sampling in audits. The Auditor's Handbook also includes a new chapter on independent reference reviews that details requirements, expectations, and best practices to strengthen this key quality assurance activity. (U) Documentation of Monitoring of Independent Public Accountants Was Not Prepared Timely (U) In addition to reviewing the Audit Staff's system of quality control to ensure adherence with GAGAS, we applied limited procedures in accordance with guidance established by the Council of the Inspectors General on Integrity and Efficiency concerning the monitoring of audit work performed by Independent Public Accountants (IPAs) under contract where the IPA served as the auditor. The matters described below were identified based on a review of the OIG's monitoring of the audit of DIA's FY 2016 Financial Statements. (U) Documentation concerning monitoring of the IPA was not prepared timely. Section 4(b) of the Inspector General Act of 1978 requires OIGs to ensure that the work of non- federal auditors adheres to GAGAS. The Auditor's Handbook states that OIG auditors should follow Government Accountability Office/President's Council on Integrity and Efficiency Financial Audit Manual (PAM) 650 guidance to demonstrate active monitoring of IPAs.2 (U//FOU0) The Audit Staff did not always ensure that audit documentation supporting the conclusions in the transmittal letter accompanying the Agency Financial Report (AFR) was prepared and approved in the project files before the report's issuance. We found that 77 of 148 TeamMate procedures were not approved until after the AFR issuance date of 15 November 2016. (U) Recommendation 4: Take action to ensure that adequate documentation is prepared and reviewed in the project files to assess the TA's performance prior to the issuance of the AFR. (U) Views of Responsible Official: The DIA Acting IG concurred with the recommendation. The AlGA communicated these findings to the financial statement audit oversight team for awareness and correction. On 12 September 2017, the AIGA reviewed the financial statement audit oversight project and provided feedback to the financial statement audit branch manager on observations related to the timeliness of workpaper review. The A1GA and QAM will increase oversight in this area to ensure that adequate documentation is prepared and reviewed in the project files prior to issuance of the IPA's final reports. 2 (U) FAM 650 provides guidance to auditors on designing and performing oversight and other procedures when using the work of other auditors and specialists. 5 UNCLASSINED//FOR OFFICIAL USE ONLY Approved for Release: 2019/12/12 C06803488