Defense Information Systems Agency
Annual Financial Report - GF
Fiscal Year 2018
Table of Contents
Management Discussion and Analysis
Principal Statements
Notes to the Principal Statements
DoD OIG Transmittal Letter
Independent Auditors’ Report
Attachment 1 DISA Management’s Comments on the Auditor’s Report
Fiscal Year 2016 Defense Information Systems Agency General Fund Agency Financial Report
Management’s Discussion and Analysis (v4)
The Defense Information Systems Agency (DISA) is pleased to present a Management
Discussion and Analysis (MD&A) to accompany the financial statements and footnotes for its
fiscal year (FY) 2018 Consolidated Financial Statements. The key sections within this MD&A
include the following:
1. Mission and Organizational Structure
2. Performance Goals, Objectives & Results
3. Analysis of Entity’s Financial Statements
4. Management Systems, Controls & Compliance with Laws and Regulations
5. Limitations of the Financial Statements
1. Mission and Organizational Structure
History & Enabling Legislation: DISA is an operationally focused Department of Defense
(DoD) combat support agency that delivers information technology to enhance the capabilities of
the nation's warfighters and all who support them in defense of the nation. DISA’s roots go back
to 1959 when the Joint Chiefs of Staff (JCS) requested the Secretary of Defense (SECDEF)
approve a concept for a joint military communications network to be formed by consolidation of
the communications facilities of the Military Departments. This would ultimately lead to the
formation of the Defense Communications Agency (DCA), established on 12 May 1960, with
the primary mission of operational control and management of the Defense Communications
System (DCS). On 25 June 1991, DCA underwent a major reorganization and was renamed the
Defense Information Systems Agency to reflect its expanded role in implementing the DoD's
Corporate Information Management (CIM) initiative, and to clearly identify DISA as a combat
support agency. DISA established the Center for Information Management to provide technical
and program execution assistance to the Assistant Secretary of Defense (C3I) and technical
products and services to DoD and military components. DISA's role in DoD information
management continued to expand with implementation, in September 1992, of several Defense
Management Report Decisions (DMRD), most notably DMRD 918. DMRD 918 created the
Defense Information Infrastructure (DII), and directed DISA to manage and consolidate the
Services' and DoD's information processing centers into 15 megacenters. In FY 2018, the
organization that came to be known as the Joint Service Provider (JSP) declared full operational
capability and moved into its new place in the Defense Department’s organizational chart as a
subcomponent of DISA. It marked a major expansion of mission and budget authority for DISA,
which now controls the funding and personnel that provide most IT services for the Pentagon
and other DoD headquarters functions in the National Capital Region. DISA continues to offer
DoD information systems support, taking data services to the forward deployed warfighter.
The DISA Vision: To be the trusted provider to connect and protect the warfighter in
cyberspace.
The DISA Mission: To conduct DODIN operations for the joint warfighter to enable lethality
across all warfighting domains in defense of our nation.
Organization: To fulfill its mission and meet strategic plan objectives, DISA operates under the
direction of the DoD Chief Information Officer (CIO) who reports directly to the Secretary of
Defense.
The Agency is budgeted to support the IT needs and requirements of the entire Defense
Department, including the offices of the Secretary of Defense and of the Chairman and Vice
Chairman of the Joint Chiefs of Staff, the Joint Staff, military services, combatant commands, and
Defense agencies. DISA also provides support to the White House and many federal agencies
through a number of capabilities and initiatives.
During FY 2015, DISA embarked on the most extensive reorganization in over ten years. The
reorganization presented many challenges Agency-wide. In FY 2018, the Agency further
enhanced the outcome of the initial reorganization, and as a result, optimized the organizational
structure in order to more effectively execute strategy, optimize force posture into an agile cyber
force, improve accountability, reduce duplication, and improve cost management.
DISA's Appropriated Budget
Through its appropriated budget, DISA is funded by Congress through the National Defense
Authorization Act, the U.S. federal law specifying the budget and expenditures for DoD, and
defense appropriations bills authorizing DoD to spend money. This budget enables the Agency
to implement the White House's national security strategy, the secretary's planning and
programming guidance, and the initiatives of the DoD CIO.
DISA aligns its program resource structure across six mission areas, which reflect DoD's goals
and allow DISA to execute its core missions and functions:
1. "Transition to the Net-Centric Environment" funds capabilities and services that
transform the way that DoD shares information by making data continuously available in
a trusted environment. This mission area includes enterprise services, engineering
services, and technical strategies developed by DISA's chief technology officer (CTO).
2. "Eliminate Bandwidth Constraints" focuses on capabilities and services that build and
sustain the Global Information Grid (GIG) transport infrastructure, while eliminating
bandwidth constraints and rapidly surging to meet demands. Capabilities funded in this
category include the Pathways Program, DoD Teleport Program, Defense Spectrum
Organization (DSO) activities, and Defense Information System Network (DISN)
enterprise activities, such as non-recurring costs for commercial circuits, commercial
satellites, and special communications requirements.
3. "GIG Network Operations and Defense" funds the operation, protection, defense, and
sustainment of the enterprise infrastructure and information-sharing services, as well as
enabling command and control. This mission area includes funding for network
operations (NetOps); the information assurance/public key infrastructure (IA/PKI)
program; cybersecurity initiatives; and budgets for DISA's field offices, which support
the combatant commands, and for the Joint Staff Support Center (JSSC), which supports
the Chairman, Vice Chairman, and Joint Chiefs of Staff in the Pentagon.
4. "Exploit the GIG for Improved Decision Making" focuses on transitioning to DoD
enterprise-wide capabilities for communities of interest, such as command and control,
and combat support that exploit the GIG for improved decision-making. This mission
area funds the Global Command and Control System Joint (GCCS-J) program, Global
Combat Support System Joint (GCSS-J) program, and senior leader and coalition
information-sharing activities.
5. "Deliver Capabilities Effectively/Efficiently" finances the means by which the Agency
effectively, efficiently, and economically delivers capabilities based on established
requirements. This area funds the command staff and the personnel costs for DISA's
shared service units.
6. "Special Mission Areas" enables the Agency to execute special missions to provide the
communications support required by the president as Commander-in-Chief, including
day-to-day management, fielding, operation, and maintenance of communications and
information technology. The White House Communications Agency (WHCA) and the
Communications Management Control Activity (CMCA) in the Network Services
Directorate are budgeted out of this mission area.
DISA's Defense Working Capital Fund (DWCF)
DISA also operates a DWCF budget. Unlike the appropriated budget, which is provided through
direct congressional appropriations, the working capital fund relies on revenue earned from
providing IT and telecommunications services and capabilities to finance specific operations.
Mission partners order capabilities or services from DISA and make payment to the working
capital fund when the capabilities or services are received.
A DWCF business unit is not profit-oriented and, therefore, only tries to break even, charging
prices set using the full-cost-recovery principle, which accounts for all costs, both direct and
indirect (or "overhead"). It is intended to generate adequate revenue to cover the full cost
of its operations and to finance the fund's continuing operations without fiscal year limitation.
DISA operates the information services activity within the DWCF. This activity consists of two
main components. The first component includes two lines of service, telecommunications
services and enterprise acquisition services. The second component includes computing
services. The major element of the telecommunication services component is the DISN, which
provides interoperable telecommunications connectivity and accompanying services that allow
the Department to plan and operate both day-to-day business and operational missions through
the dynamic routing of voice, data, text, still and full-motion imagery, and bandwidth services.
Some DISN services are provided to mission partners in predefined packages and sold on a
subscription basis via the DISN subscription service, while others are made available on a cost-
reimbursable basis.
The line of service for enterprise acquisition services enables the Department to procure best
value, commercially competitive IT services and capabilities through DISA's Defense IT
Contracting Organization (DITCO). DITCO provides complete contracting support and services.
The computing services component of DISA's DWCF activities comprises the Computing
Ecosystem, which provides mainframe and server-processing operations, data storage, production
support, technical services, and end-user assistance for command and control, combat support,
and enterprise applications across DoD. These facilities and functions provide a robust
enterprise computing environment to more than four million users through 30 mainframes, more
than 7,000 servers, 8,000 terabytes of data, and approximately 450,000 square feet of raised
floor.
The organizational structure for DISA as of 30 September 2018 is depicted below with a detailed
description of major offices outlined following the chart:
Defense Information Systems Agency
Figure 1 Snapshot of DISA organization chart to include organizations directly or indirectly supporting DWCF missions
Command Staff - The DISA Director, with the assistance of a Vice Director, an
Executive Deputy Director, their support staff, Fifth Estate Center (Special Missions),
Special Advisors, a Resource Management Center, a Development and Business Center,
and a Center for Operations that directly support DISA’s critical mission, and several
other direct reports, leads a global organization of military and civilian personnel.
Fifth Estate Center - Comprised of Special Program Offices, Special Mission
Organizations, Units and Offices that support a wide range of objectives within
Department of Defense including Information Assurance, IT acquisition management,
White House Communication Support, Joint Information Environment (JIE) Support, and
other critical services for the Department. These programs and offices are primarily
funded through Congressional appropriations at this time.
Special Advisors - These advisors ensure that DISA’s decision makers have accurate,
timely, reliable, and useful information needed to make sound decisions, serve as the
principal advisor to the DISA Director for their areas of expertise, and represent and
defend the Agency’s position on all matters within their areas of expertise.
Development and Business Center - The Development and Business Center (DBC)
provides the engineering and solution analysis, infrastructure development, testing and
evaluation, assured communications of optimized cyber solutions for the rapid design,
development, integration and transition of Business, Enterprise, and Command and
Control systems, services and capabilities for our Agency, the DoD, other U.S.
Government agencies, and our allies across the full spectrum of military operations.
Center for Operations - The Center for Operations (OC) coordinates and synchronizes
DISA’s Operate and Assure Line of Operation in support of the full spectrum of military
requirements and operations, and supports United States Cyber Command in its mission
to provide secure, interoperable and reliable operation of the DoD net-centric Enterprise
Infrastructure. The Center for Operations also provides available, reliable, and secure
capabilities in support of the DoDIN such as enterprise services (voice, video, and
collaboration), migration to cloud based services, application migration to core data
centers, cyber services, and virtualization, standardization, and automations services in
support of the DoDIN.
Resource Management Center/Comptroller - The Resource Management Center
(RMC) serves as the principal financial advisor to the Agency’s Director; develops
financial strategies; develops and controls the formulating budget submissions process;
ensures financial controls; and conducts program and organizational assessments. It also
represents and defends the Agency’s position on all financial matters and provides
financial management guidance and oversight for the efficient and effective use of
resources. The RMC establishes financial management policies for DISA including its
component parts and ensures that decision makers have accurate, timely, reliable, and
useful financial information needed to make sound decisions.
Resources: DISA is a combat support agency of the DoD with a 10.6 billion-dollar annual
budget.
DISA is a global organization of approximately 6,000 civilian employees; approximately 1,300
active duty military personnel from the Army, Air Force, Navy, and Marine Corps, and
approximately 10,000 defense contractors. With a presence in 22 states (and the District of
Columbia) and seven countries and Guam (US territory), the Agency’s mission is to conduct
Department of Defense Information Network (DODIN) operations for the joint warfighter to
enable lethality across all warfighting domains in defense of our Nation.
Global Presence: DISA’s headquarters is at Fort Meade, MD with 55% of its people based at
Fort Meade and the national capital region (NCR), and 45% based in field locations. In addition,
the following organizations are a part of DISA: White House Communications Agency, White
House Situation Support Staff, Joint Information Environment (JIE) Technical Synchronization
Office, Defense Spectrum Organization, Defense Information Technology Contracting
Organization, Joint Interoperability Test Command, and the Joint Force Headquarters DoDIN.
DISA provides a core enterprise infrastructure of networks, Computing Ecosystem centers, and
enterprise services (internet-like information services) that connect 4,300 locations reaching 90
nations supporting DoD and national interests. The following map portrays the global presence
of DISA operations.
2. Performance Goals, Objectives & Results
DISA is charged with the responsibility for planning, engineering, acquiring, testing, fielding,
and supporting global net-centric information and communications solutions to serve the needs
of the President, the Vice President, the Secretary of Defense, and the DoD components under all
conditions of peace and war. The challenges faced by the Department impact DISA directly in
achieving success with respect to these responsibilities. DISA provides, operates, and assures
command and control, information-sharing capabilities, and a globally accessible enterprise
information infrastructure in direct support to joint warfighters, national-level leaders, and other
mission and coalition partners across the full spectrum of operations. DISA’s number one
priority is enabling information superiority for the warfighter and those who support them.
Warfighters on all fronts require DISA's continued support because immediate connection,
sharing, and assured access to information capabilities are essential to our mission partners'
operational success.
The JIE is designed to create an enterprise information environment that optimizes use of the
DoD IT assets, converging communications, computing, and enterprise services into a single
joint platform that can be leveraged for all Department missions. These efforts improve mission
effectiveness, reduce total cost of ownership, reduce the attack surface of our networks, and
enable DISA’s mission partners to more efficiently access the information resources of the
enterprise to perform their missions from any authorized IT device anywhere in the world. DISA
continues its efforts towards realization of an integrated Department-wide implementation of the
JIE through development, integration, and synchronization of JIE technical plans, programs, and
capabilities.
DISA is uniquely positioned to provide the kind of streamlined, rationalized enterprise solutions
the Department is looking for to effect IT transformation. DISA owns and operates enterprise
and cloud-capable DISA Data Centers, the world-wide Defense Information Systems Network
(DISN), and the Defense IT Contracting Organization (DITCO). DISA Data Centers routinely
see workload increases; this trend will increase as major new initiatives begin to fully impact
the Department. As part of the Department’s transition to the Joint Information Environment
(JIE), DISA Data Centers have been identified as Continental United States (CONUS) Core Data
Centers (CDCs), and Defense Enterprise Email (DEE) has been identified as a DoD Enterprise
Service.
DISA also anticipates continuation of partnerships with other federal agencies. The
DoD/VA Integrated Electronic Health Record (iEHR) agreement to host all medical records in
the DISA Data Centers and the requirement for DoD to provide Public Key Infrastructure (PKI)
services to other federal agencies on a reimbursable basis are examples. We continue to move
forward on several new initiatives, including: accelerated implementation of multiprotocol label
switching (MPLS) technology; deploying and sustaining Joint Regional Security Stacks (JRSS)
to fundamentally change the way the DoD secures and protects its information networks;
operating a Joint Enterprise License Agreement (JELA) line of business with a low fee of 0.25
percent, and a new management concept in Computing Services that aligns like-functions across
a single computing enterprise to prioritize excellence in service delivery, process efficiency, and
standardization.
DISA Strategic Goals as outlined in the 2015-2020 Strategic Plan include:
Provide Global Infrastructure - DISA will develop, test, deploy, sustain, and maintain
a global elastic infrastructure, spectrum, computing, and storage capabilities that will
support full spectrum collaboration. The foundational elements of those services will be
comprised of reusable components. All elements will be normalized, converged, and
available at reduced cost, with increased usability and maximized portability to mobile
platforms. DISA will expand delivery of enterprise services to the Services, agencies,
and DoD and national-level leadership.
Provide Mission Partner and Leadership Support - DISA will design, develop,
implement, and maintain optimized, cost-efficient, interoperable decision support
systems to be used by mission partners at all levels of senior leadership. DISA will
ensure senior leadership has a modernized, reliable suite of services and capabilities that
enhance the execution of crisis management, coalition, and deliberate planning activities.
Provide Command and Control (C2) and Enable Cyberspace Sovereignty - DISA
will execute synchronized DoD Information Network (DODIN) command, operations,
and cyber defense missions to ensure freedom of maneuver for the warfighter and
mission partners. DISA will establish, train, and implement cyber workforce elements,
shape readiness through continuity programs, and execute synchronized operations that
will offer more visibility and response to cyber threats.
Program Performance
DISA’s information services play a key role in supporting the DoD’s operating forces. As a
result, DISA is held to high performance standards. In many cases, performance measures are
detailed in Service Level Agreements (SLAs) with individual customers that exceed the general
performance measures discussed in the following paragraphs.
Computing Services Performance Measures
The Computing Service business area tracks its performance and results through the Agency
Director’s Quarterly Performance Reviews. There are two key operational metrics which are
presented to the DISA Director in conjunction with regular, recurring Quarterly Program
Reviews. These two metrics, depicted in the table below, reflect the availability of critical
applications in the Computing Centers. The first metric, “Core Data Center Availability,”
expressed as a percentage of availability, represents application availability from the end user’s
perspective and includes all outages or downtime regardless of root cause or problem ownership.
Tier II requires achieving 99.75% availability, which results in about 1,361 minutes of downtime
per year. Tier III, the standard for all DoD-designated Core Data Centers, requires achieving
99.98% availability, which results in about 95 minutes of downtime per year. A continuing
series of electrical and mechanical investments in the DISA Computing Ecosystem facilities
since 2008 have resulted in a steady decline in facility downtime. The second metric, “Capacity
Service Contract Equipment Availability” represents DISA’s equipment availability by
technology, i.e., how well DISA is executing its responsibilities exclusive of factors outside the
Agency's control such as last mile communications issues, base power outages or the like. The
Threshold refers to system uptime and capacity availability for intended use; this is the level
required by contract. The Objective is the value agreed on by the vendor and the government to
be an ideal target, and Actual is reported by the vendor monthly.
Core Data Center Availability
Capacity Service Contract Equipment Availability
Technology                 Threshold    Objective    Actual
IBM System z Mainframe     99.95%       99.99%       100%
Unisys Mainframe           99.95%       99.99%       99.999%
P Series Server            99.95%       99.99%       100%
SPARC Server               99.95%       99.99%       100%
X86 Server                 99.95%       99.99%       99.999%
Itanium                    99.95%       >99.95%      99.994%
Storage                    99.95%       >99.95%      99.999%
Communications Devices     99.95%       >99.95%      99.98%
Telecommunications Services Performance Measures
The DISN has operating metrics tied to the Department’s strategic goals of information
dominance. These operational metrics include the cycle time for delivery of data and satellite
services as well as service performance objectives such as availability, quality of service, and
security measures. Additionally, the Information Technology Enterprise Services Roadmap sets
a DISN performance target of 99.997% operational availability at all Joint Staff-validated
locations. DISA is working to meet the intent of this guidance through the evolving JIE
architecture and by building out the network as necessary to provide a growing number of
enterprise services. These categories of metrics have guided the development of the
Telecommunication Services budget submission. Shown below are major performance and
performance improvement measures:
Enterprise Acquisition Services Performance Measures
Enterprise Acquisition Services provides contracting services for information technology and
telecommunications acquisitions from the commercial sector and provides contracting support to
the DISN programs, as well as to other DISA, DoD, and authorized non-Defense customers.
These contracting services are provided through the DISA’s DITCO and include acquisition
planning, procurement, tariff surveillance, cost and price analyses, and contract administration.
These services provide end-to-end support for the mission partner. The following performance
measures apply for Enterprise Acquisition Services (EAS):
In addition to the program performance measures outlined above, DISA has increased
accountability of its assets by linking performance standards to internal control standards. Each
Senior Executive Service member at DISA has included in their performance appraisal a
standard to achieve accountability of property. This standard has filtered down to many of the
managers across the Agency. This increased focus on accountability has had a significant impact
on the focus these leaders have in the critical area of safeguarding assets.
3. Analysis of Entity’s Financial Statements
Background
DISA prepares annual financial statements in conformity with accounting principles generally
accepted in the United States. The accompanying financial statements and footnotes are
prepared in accordance with OMB Circular A-136, Financial Reporting Requirements. DISA
records accounting transactions on both an accrual and budgetary basis of accounting. Under the
accrual method, revenue is recognized when earned and costs/expenses are recognized when
incurred, without regard to receipt or payment of cash. Budgetary accounting facilitates
compliance with legal constraints and controls over the use of federal funds.
Since FY 2005, DISA has had an established Audit Committee to oversee progress towards
financial management reform and audit readiness. DISA leadership participates in Audit
Committee meetings to fully support the audit and in order to maintain senior leader tone-at-the-
top. The DISA Audit Committee is comprised of three members not part of DISA. The current
mission of the DISA Audit Committee is to serve in an advisory role to the DISA senior
managers. The committee is tasked with developing, raising, and resolving matters of financial
compliance and internal controls with the purpose of ensuring DISA’s consistent demonstration
of accurate and supportable financial reports. The committee develops and enforces guidance
established for this purpose. Amounts reflected as FY 2017 are unaudited.
DWCF Financial Highlights
The following section provides an executive summary and a brief description of the nature of
each financial statement, significant fluctuations, and significant balances to help clarify their
link to DISA operations.
Executive Summary - The DISA WCF reflects the results of budget execution that saw the
fund decrease $146.9 million (13%) for a total of $979.2 million on its unobligated balance
available, as compared to 4th Quarter, FY 2017. The Consolidated Statement of Net Cost reflects
a loss, through 4th Quarter, FY 2018 of $61.3 million and includes the non-recoverable
depreciation expense for network equipment transferred into TSEAS (PE55).
Obligations incurred increased by $536.3 million (8%), in comparison to the 4th Quarter
of last year partially driven by DISN IS Cybersecurity programs, and a $50 million
obligation for contracted support of the National Leadership Command Capabilities
(NLCC) Center.
The Consolidated Statement of Net Cost reflects a loss, through 4th Quarter, FY 2018 of
$61.3 million and includes the non-recoverable depreciation expense for network
equipment transferred into TSEAS (PE55).
Cash levels remained positive through the 4th Quarter, FY 2018 at 21.2 days of operating
cash.
All general ledger subsidiary detail has been reconciled to the field level accounting system trial
balances, and all journal vouchers posted to DDRS-B and DDRS-AFS have been reviewed,
reconciled and approved by DISA RM333 to ensure that the DDRS-AFS trial balance is 100%
supported by transaction detail.
Consolidated Balance Sheet
The balance sheet presents amounts available for use by DISA (assets) against amounts owed
(liabilities) and amounts that comprise the difference (net position).
Assets
Total assets of $1.9 billion are comprised primarily of Fund Balance with Treasury
($538.9 million), intragovernmental accounts receivable ($603.3 million), and Property,
Plant & Equipment (PP&E) ($756.6 million).
Fund Balance with Treasury - Fiscal year-to-date (FYTD) net cash flow from current
year operations (collections less disbursements) reported to Treasury for FY 2018, along
with the impact of the current year transfers in and out and the inception-to-date (ITD)
balances are presented below:
                                9/30/2018    9/30/2017   Inc./(Dec.)   % Chg.
CS Beg                           $194,236      $85,124      $109,112     128%
CS YTD                            $68,776      $12,212       $56,564    -463%
Transfers                              $-      $96,900     $(96,900)    -100%
CS Total                         $263,013      $97,336       $56,564    -100%
TS Beg                           $439,660     $341,754       $97,905      29%
TS YTD                         $(163,742)     $194,805    $(358,547)    -184%
Transfers                              $-    $(96,900)            $-       0%
TS Total                         $275,918     $536,559    $(260,642)     -49%
Consolidated Beg. Balance        $633,896     $426,878      $207,018      48%
Total From Operations - FYTD    $(94,966)     $207,018    $(301,983)    -146%
CY Transfers                           $-           $-            $-       0%
Consolidated ITD Balance         $538,930     $633,459     $(94,966)     -56%
($ Thousands)
During FY 2017, $96.9 million of prior year cash was transferred back to CS
from TSEAS (zero impact at consolidated level).
The $538.9 million cash balance at 30 September 2018 is comprised of a
$633.9 million current year beginning balance and a FYTD $95 million decrease
from current year operations (includes capital outlays).
All DISA WCF cash balances are reconciled monthly to Treasury via the Cash
Management Report (CMR).
General Property, Plant and Equipment, Net - General Property, PP&E consists
primarily of equipment used by DISA organizations to deliver computing services to
customers in the DISA Computing Ecosystem and telecommunication services over the
DISN. PP&E includes capital assets funded by DISA WCF operations to include one
facility, capital assets supporting the infrastructure of the services offered by the WCF
that are transferred in from the DISA GF, and capital assets associated with JRSS
transferred in from the Army. The depreciation expense associated with the capital assets
transferred into the DISA WCF is non-recoverable.
                     9/30/2018    9/30/2017   Inc./(Dec.)   % Chg.
CS                    $162,592     $146,425       $16,167      11%
TSEAS                 $593,982     $539,362       $54,620      10%
Consolidated          $756,574     $685,787       $70,788      10%
($ Thousands)
Liabilities
As of 30 September 2018, DISA reported liabilities of $743.4 million. Liabilities are
probable and measurable future outflows of resources arising from past transactions or
events. The largest component of liabilities as of 30 September 2018 was $659 million in
accounts payable due to the public.
Accounts Payable - The table below compares current year to prior year
intragovernmental and public accounts payable balances.
                     9/30/2018    9/30/2017   Inc./(Dec.)   % Chg.
CS
  Intragov.           $119,037      $97,760       $21,277      22%
  Public                $3,350         $721        $2,629     364%
TSEAS
  Intragov.            $17,463      $35,958     $(18,495)     -51%
  Public              $659,973     $858,191    $(198,218)     -23%
Component
  Intragov.         $(100,870)    $(89,563)     $(11,307)      13%
  Public              $(4,372)         $309      $(4,681)   -1517%
Consolidated
  Intragov.            $35,630      $44,155      $(8,525)     -19%
  Public              $658,951     $859,221    $(200,269)     -23%
Total Cons.           $694,581     $903,376    $(208,795)     -23%
($ Thousands)
Accounts Payable decreased 23% from prior year:
The largest portion of the Accounts Payable balance is comprised of TSEAS
(PE56) public contract payables.
From a customer funding perspective, the DISA General Fund and Army continue
to provide the most customer funded contract requirements associated with the
Public Accounts Payable balance.
The decrease in Non-Federal Payables (to the Public) is primarily attributed to a
drop in PE56 Other Reimbursable Orders from the DISA GF, Army, and Air
Force customers.
Consolidated Statement of Net Cost
The Statement of Net Cost presents the cost of operating DISA programs. The goal of the
revolving fund is to break even over the long term, thus driving toward an objective where the
Statement of Net Cost does not produce a profit or loss over the long term, but rather nets zero.
Net Cost of Operations decreased 47% between fiscal years.
                     9/30/2018    9/30/2017   Inc./(Dec.)   % Chg.
CS                   $(33,471)       $1,762     $(35,233)   -2000%
TSEAS                  $94,807     $113,423     $(18,616)     -16%
Consolidated           $61,336     $115,185     $(53,848)     -47%
($ Thousands)
WCF Net Cost of Operations includes non-recoverable costs such as depreciation expense, future
funded FECA and imputed costs totaling 145.5 million. The Recoverable Net Operating Results
is $206.8 million for FY 2018.
Gross Cost - Gross Cost for the DISA WCF increased 7% from the prior year. In accordance
with regulations and guidance, this reflects the full cost of the DISA WCF to include recoverable
and non-recoverable cost.
The primary drivers contributing to the increase in gross costs are PE56 Information
Technology Contracts and PE55 DISN Cyber Security Infrastructure Services and DISN
Reimbursable Satellite Services.
PE54 Computing Services had increases for Reimbursable Converged Solutions and
Pass-Through Other Reimbursable Services.
Earned Revenue - Earned Revenue increased 8% from FY 2017.
PE56 Information Technology Contract for Other Reimbursable Requirements had a
significant increase of $338 million.
The Army and Air Force continue to be DISA WCF’s biggest customers.
The bar chart below reflects earned revenue per customer for FY 2017 and FY 2018.
($ Thousands)
15
Consolidated Statement of Changes in Net Position
The Consolidated Statement of Changes in Net Position (SCNP) presents the change in net
position during the reporting period. The DISA WCF net position is affected by changes to its
two components, Other Financing Sources (transfers in/out without reimbursement and imputed
financing from costs absorbed by others), and Net Cost of Operations (Cumulative Results of
Operations). The SCNP format displays both components of net position separately to enable
the user to better understand the nature of changes to net position as a whole.
- Transfers in/out without reimbursement increased $47.3 million primarily due to an
  increase in capital assets transferred into the DISA WCF.
- Imputed financing costs absorbed by others increased $7 million primarily due to an
  increase in imputed cost related to employee benefits.
- Net Cost of Operations decreased $53.8 million from FY 2017.
Statement of Budgetary Resources
The Statement of Budgetary Resources provides information on the budgetary resources
available to DISA as of 30 September 2018, and 30 September 2017, and the status of those
budgetary resources. The results and variances of key amounts reported in the Statement of
Budgetary Resources not described elsewhere are outlined below.
Obligations Incurred:
The major drivers for Obligations Incurred for the DISA WCF are as follows:

                                                              9/30/2018     9/30/2017     Inc./(Dec.)
Total Obligations Incurred                                    $7,611,279    $7,074,976    $536,303
Less: PE56 Obligations Incurred                               $4,691,864    $4,418,993    $272,871
Total DISA WCF Funded Obligations                             $2,919,416    $2,655,983    $263,433
TSEAS (PE55)
  CSS-MIPR Process                                            $565,446      $422,956      $142,490
  CYBERSECURITY-Perimeter Defense-Other                       $65,913       $-            $65,913
  CYBERSECURITY-Public Key Infras-Other                       $45,077       $-            $45,077
  Info Assurance Net Ops Other                                $12,819       $149,382      $(136,563)
CS (PE54)
  Reimbursable Pass Through Server Converged Solutions        $59,938       $40,052       $19,886
  Rate Based IBM Mainframe Processing                         $42,814       $31,363       $11,451
  Reimbursable Pass-Through Other Reimbursable Services       $15,978       $5,829        $10,150
  Reimbursable Pass Through Server HW/SW Application Support  $15,766       $9,797        $5,968
  Reimbursable Pass Through Customer Management               $18,575       $14,205       $4,370
  Reimbursable Server Implementation                          $15,369       $11,097       $4,272
  Rate Based GIG Content Delivery Service                     $32,864       $29,217       $3,647
  Rate Based MilCloud 2                                       $3,580        $-            $3,580
  Reimbursable Pass Through Server Reimbursable (w/o Comm)    $20,537       $17,080       $3,457
All Other Programs Balances                                   $2,004,742    $1,925,006    $79,736
($ Thousands)

30 September 2018 balances include a $234.9 million downward adjustment for (PE56) and
$77.3 million for (PE55). This adjustment was done after a review of Undelivered Orders
(UDOs) without activity was performed. It was determined that aged UDOs that are dormant (no
activity within 12 months) should be considered to be invalid and adjusted for financial
statement purposes, regardless of whether a contract closeout action has been processed and a
source document is available to support the adjustment. The adjustment represents ledger detail
at the project level that has not had activity within the last 12 months.
- PE56 30 September 2018 balance includes a $50 million obligation for contracted
  support of the NLCC Center.
- Largest increases for TSEAS (PE55) were in the DISN Infrastructure Services business
  line programs to include Cybersecurity and CSS MIPR Process, offset by a decrease in
  Information Assurance Net Operations.
- Largest increases for CS (PE54) were in Reimbursable Pass through Server Converged
  Solutions, Reimbursable Pass through Other Reimbursable Services, HW/SW
  Application Support, and Customer Management. Also contributing to the increase is
  Rate Based Services for IBM Mainframe Processing, GIG Content Delivery Services and
  milCloud 2.0.
GF Financial Highlights
The DISA General Fund Financial Statements for the year ended 30 September 2018 reflect a
fund that had a significant increase in overall appropriations in FY 2018 compared to FY 2017.
See table below for comparative data for appropriations received between these two fiscal years.

                              9/30/2018     9/30/2017     Inc./(Dec.)   % Chg.
O&M (0100)                    $2,059,810    $1,498,556    $561,254      37%
PROC (0300)                   $719,245      $988,419      $(269,174)    -27%
RDT&E (0400)                  $270,820      $250,275      $20,545       8%
MILCON (0500)                 $1,175        $5,218        $(4,043)      -77%
Consolidated                  $3,051,050    $2,742,468    $308,582      11%
(in thousands)

Consolidated Balance Sheet
The balance sheet presents amounts available for use by DISA (assets) against amounts owed
(liabilities) and amounts that comprise the difference (net position).
Assets
Total assets of $3.5 billion are comprised primarily of Fund Balance with Treasury
($3 billion) and PP&E ($500.4 million).
Fund Balance with Treasury - Amounts recorded in the general ledger for Fund Balance
with Treasury (FBwT) have been 100% reconciled to amounts reported in the CMR,
representing DISA General Fund’s portion of the TI97 appropriated account balances
reported by Department of Treasury. All reconciling differences (i.e., undistributed) have
been identified at the voucher level.

                              9/30/2018     9/30/2017     Inc./(Dec.)   % Chg.
O&M (0100)                    $951,680      $743,155      $208,525      28%
PROC (0300)                   $1,725,382    $1,635,560    $89,822       5%
RDT&E (0400)                  $269,622      $247,990      $21,632       9%
MILCON (0500)                 $37,852       $37,149       $702          2%
Consolidated                  $2,984,536    $2,663,854    $320,681      12%
(in thousands)

General PP&E Net (PP&E) consists primarily of equipment used by DISA
organizations to achieve the Agency’s missions. The table below reflects the net book value
of PP&E recorded as of 30 September 2018 and 30 September 2017.

                              9/30/2018     9/30/2017     Inc./(Dec.)   % Chg.
O&M (0100)                    $378,715      $386,524      $(7,809)      -2%
PROC (0300)                   $108,657      $73,696       $34,961       47%
RDT&E (0400)                  $3,681        $5,275        $(1,594)      -30%
MILCON (0500)                 $9,382        $9,857        $(475)        -5%
Consolidated                  $500,436      $475,352      $25,083       5%
(in thousands)

Liabilities
As of 30 September 2018, DISA reported liabilities of $263.8 million. Liabilities are
probable and measurable future outflows of resources arising from past transactions or
events. The largest component of Liabilities as of 30 September 2018 was $189.9 million
in federal accounts payable due to conducting business with intragovernmental trading
partners.
Accounts Payable - Balances reported as of 30 September 2018 and 30 September 2017
consist of the following:

                              9/30/2018     9/30/2017     Inc./(Dec.)   % Chg.
O&M (0100)
  Intragov.                   $118,602      $137,457      $(18,855)     -14%
  Public                      $(2,357)      $15,802       $(18,158)     -115%
PROC (0300)
  Intragov.                   $38,293       $11,748       $26,545       226%
  Public                      $3,648        $23,508       $(19,860)     -84%
RDT&E (0400)
  Intragov.                   $32,966       $22,134       $10,832       49%
  Public                      $8,870        $8,686        $184          2%
MILCON (0500)
  Intragov.                   $-            $1            $(1)          -100%
  Public                      $(4)          $0            $(4)          0%
Consolidated
  Intragov.                   $189,861      $171,340      $18,521       11%
  Public                      $10,158       $47,996       $(37,838)     -79%
Total Cons.                   $200,019      $219,336      $(19,318)     -9%
(in thousands)

Consolidated Statement of Net Cost
The Statement of Net Cost presents the cost of operating DISA programs. The GF consolidated
net cost for the Agency in FY 2018 totaled $2.5 billion and represented an overall increase of
$337 million from FY 2017.
Consolidated Statement of Changes in Net Position
The Consolidated Statement of Changes in Net Position (SCNP) presents the change in net
position during the reporting period. The DISA GF net position is affected by changes to its two
components, Cumulative Results of Operations incorporating Net Cost of Operations to include
Other Financing Sources (transfers in/out without reimbursement and imputed financing from
costs absorbed by others) and Unexpended Appropriations consisting primarily of appropriations
received. The SCNP format displays both components of net position separately to enable the
user to better understand the nature of changes to net position as a whole.
- Appropriations received increased $248.2 million primarily for O&M with an increase of
  $553.3 million offset by a decrease of $303.8 million in Procurement funding for
  FY 2018.
- Other Financing Sources, Transfers in/out without reimbursement decreased by a net
  $56.4 million from prior year driven by the transfers-out of assets to the DISA Working
  Capital Fund.
- Other Financing Sources, Imputed financing from costs absorbed by others decreased
  $140.8 million due to the DoD early implementation of SFFAS 55 “Amending Inter-Entity
  Cost Provisions” whereby the DISA GF was not required to record the imputed
  cost of military labor for FY 2018 as was done for FY 2017.
Statement of Budgetary Resources
The Statement of Budgetary Resources provides information on the budgetary resources
available to DISA as of 30 September 2018, and 30 September 2017, and the status of those
budgetary resources. The results and variances of key amounts reported in the Statement of
Budgetary Resources not described elsewhere are outlined below.

                              9/30/2018     9/30/2017     Inc./(Dec.)   % Chg.
(O&M 0100)
  Obligations Incurred        $2,231,058    $1,618,184    $612,874      38%
  Unobligated Balances        $83,331       $82,159       $1,172        1%
  Undelivered Orders          $844,888      $586,927      $257,961      419%
  Unfilled Customer Orders    $101,052      $61,494       $39,558       64%
(PROC 0300)
  Obligations Incurred        $934,353      $1,008,161    $(73,808)     -7%
  Unobligated Balances        $295,934      $443,449      $(147,515)    -33%
  Undelivered Orders          $1,400,555    $1,166,400    $234,155      20%
  Unfilled Customer Orders    $9,637        $2,634        $7,003        266%
(RDT&E 0400)
  Obligations Incurred        $335,765      $318,795      $16,970       5%
  Unobligated Balances        $68,471       $63,270       $5,201        8%
  Undelivered Orders          $208,332      $211,823      $(3,491)      -7%
  Unfilled Customer Orders    $51,805       $50,631       $1,174        2%
(MILCON 0500)
  Obligations Incurred        $1,062        $2,470        $(1,408)      -57%
  Unobligated Balances        $30,026       $27,698       $2,328        8%
  Undelivered Orders          $7,829        $9,450        $(1,621)      -17%
(Combined)
  Obligations Incurred        $3,502,238    $2,947,610    $554,628      19%
  Unobligated Balances        $477,762      $616,576      $(138,814)    -23%
  Undelivered Orders          $2,461,604    $1,974,600    $487,004      25%
  Unfilled Customer Orders    $162,494      $114,759      $47,735       42%
(in thousands)

4. Management Systems, Controls & Compliance with Laws and Regulations
Management Assurances
Our management structure, policies and procedures, and our Internal Control (IC) reviews of our
key mission processes contribute to the reasonable assurance that our internal controls are
operating as intended. Our Governance Board and Internal Control Structure along with the
Managers Internal Control Program (MICP) are managed through a three-tiered approach, as
described in subsequent paragraphs. The first tier is supported by the DISA Senior Assessment
Team (SAT), which provides guidance and oversight to the MICP. The second tier is supported
by a subject-matter expert team, the IC team, and the third tier is supported by the Assessable Unit
Managers (AUMs) who manage at the Program/Directorate level within the organization. The
SAT and IC teams maintain a charter that is available on the DISA webpage. Each document
outlines the mission, personnel, roles, and responsibilities of the team. AUMs are appointed in
writing each year, and the appointment letter delineates the role and responsibilities that AUMs
are charged with.
For the FY 2018 reporting cycle, DISA identified 12 Assessable Units (AUs): RMC, Component
Acquisition Executive (CAE), Development and Business Center (DBC), Chief of Staff (DDC),
Defense Spectrum Organization (DSO), Inspector General (IG), Joint Force Headquarters-
DODIN (JFHQ-DODIN), JSP, Operations Center (OC), Procurement Services Directorate
(PSD), Risk Management Executive (RME), and White House Communications Agency
(WHCA). Each AU was led by at least one member of the Senior Executive Service (SES) or
military flag officer, or carries a distinct mission within DISA, which in turn causes the AU to
have unique operational risks that require evaluation. All organizations were also required to
identify the functions performed within their area (outside of the required testing areas of
Defense Travel System (DTS), Automated Time Attendance and Production System (ATAAPS),
Records Management, and Property, Plant and Equipment (PP&E)), identify the level of process
documentation available, and determine the associated risk of those functions. Additionally, the
AUM was responsible for identifying and documenting the key controls within their AU. RMC
documented processes and key controls for all ICOFR functions. Each AU documented its key
processes and risk on the Mission Processes Spreadsheet. The RMC MICP team advised the
AUMs to test, at a minimum, those key processes that were self-identified as high risk, as well as
Safety, Security (if applicable), and the required testing areas.
DISA delegates authority only to the extent required to achieve objectives and management
evaluates the delegation for proper segregation of duties to prevent fraud, waste, and abuse. In
addition, DISA relies on external stakeholders, such as DFAS as our accounting data processor,
bill payer, and payroll processor to better achieve our mission as documented in a Service Level
Agreement (SLA).
The DISA IG maintains a hotline for the anonymous reporting of ethics and integrity issues that
is available to employees 24 hours a day, 7 days a week. Additionally, the DISA IG conducts
reviews and inspections to identify or prevent instances of fraud, waste, and abuse.
The RMC/Comptroller conducts the testing and reports on the overall Internal Controls Over
Financial Reporting (ICOFR) for the Agency. The DISA Chief Information Officer (CIO)
conducts the testing and reports results of the Internal Controls Over Financial Systems (ICOFS)
for the Agency. Agency AUMs perform testing and report results of the Internal Controls over
Non-Financial Operations (ICONO).
DISA’s senior management evaluated the system of internal control in effect during the fiscal
year as of the date of this memorandum, according to the guidance in OMB Circular No. A-123
and the Government Accountability Office (GAO) Green Book. Included is the Agency’s
evaluation of whether the system of internal controls for DISA is in compliance with standards
prescribed by the Comptroller General.
The objectives of the system of internal controls of DISA are to provide reasonable assurance of:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting,
- Compliance with applicable laws and regulations; and
- Financial information systems are compliant with the FFMIA of 1996 (Public Law 104-208).
The evaluation of internal controls extends to every responsibility and activity undertaken by
DISA and applies to program, administrative, and operational controls. Furthermore, the concept
of reasonable assurance recognizes that (1) the cost of internal controls should not exceed the
benefits expected to be derived, and (2) the benefits include reducing the risk associated with
failing to achieve the stated objectives. Moreover, errors or irregularities may occur and not be
detected because of inherent limitations in any system of internal controls, including those
limitations resulting from resource constraints, congressional restrictions, and other factors.
Finally, projection of any system evaluation to future periods is subject to the risk that
procedures may be inadequate because of changes in conditions, or that the degree of compliance
with procedures may deteriorate. Therefore, this statement of reasonable assurance is provided
within the limits of the preceding description.
DISA management evaluated the system of internal controls in accordance with the guidelines
identified above. The results indicate that the system of internal controls of DISA, in effect as of
the date of this MD&A, taken as a whole, complies with the requirement to provide reasonable
assurance that the above mentioned objectives were achieved. This position on reasonable
assurance is within the limits described in the preceding paragraph.
Using the following process, DISA evaluated its system of internal controls and maintains
sufficient documentation/audit trail to support its evaluation and level of assurance.
As previously discussed, DISA manages MICP through a three-tiered approach. The first tier is
supported by the DISA SAT, which provides guidance and oversight to the MICP. The SAT met
multiple times during this cycle; initially to discuss Enterprise Risk Management (ERM) and
finally to summarize results for the Agency Statement of Assurance (SOA). In FY 2018, the
DISA Director signed a “Tone-at-the-Top” memo that defines management’s leadership and
commitment towards an effective MICP: openness, honesty, integrity, and ethical behavior. The
memo directed the Agency to ensure a risk-based and results-oriented program in alignment with
the Government Accountability Office (GAO) Green Book and OMB A-123. The tone at the top
is set by all levels of management and has a trickle-down effect to all employees. The second
tier, supported by a subject matter expert (SME) team, coordinates requirements with OSD
Comptroller regarding the MICP, in addition to providing guidance, oversight, and validation in
accordance with OSD Directives to the AUMs. DISA provided internal control training for the
AUMs in January 2018 and conducted additional workshops in February 2018. The MICP team
compiles AU submissions for the Agency’s SOA, communicates OSD requirements to
leadership, facilitates information sharing between AUMs, and consolidates results.
Internal Controls over Financial Systems - DISA performed the FY 2018 review of the core
financial systems for the three financial reporting units: 1) Working Capital Fund (WCF),
Financial Accounting Management Information System (FAMIS), Telecommunications Services
and Enterprise Acquisition Services (TSEAS), 2) WCF FAMIS Computing Services (CS) Mod,
and 3) Washington Headquarters Services Allotment Accounting System (WAAS) for the
General Fund (GF). Using independent tests, OMB Circular A-123, Appendix D, and the
Implementation Guidance for FFMIA, the DISA CIO Director of OC, and the Director of RMC
jointly assessed DISA’s core financial systems. Two of the three core financial systems, FAMIS
TSEAS and WAAS, are legacy systems that have certain limitations. DISA relies on several
interfaces to the legacy financial systems to achieve certain requirements of FFMIA compliance.
The FY 2018 assessment considered the risks associated with relying on external systems for
core requirements and the necessity to implement manual control activities to mitigate the risk.
There were control deficiencies addressed in the FY 2016 Independent Public Accountant (IPA)
report. To the extent appropriate, the issues identified have been corrected. DISA’s core
financial management systems routinely provide reliable and timely information for managing
day-to-day operations, as well as providing information used to prepare financial statements and
maintain effective internal controls. All of these factors are key indicators of FFMIA
compliance. Additionally, DISA provides application hosting services for the Department’s
service providers (Defense Finance and Accounting Service; Defense Logistics Agency; Defense
Contract Management Agency; Defense Human Resource Activity (DHRA); Military Services,
and Other Defense Organizations). As a result, DISA is responsible for most of the IT general
controls over the computing environment in which many financial, personnel, and logistics
applications reside. In order for service providers and components to rely on automated controls
and documentation within these applications, controls must be appropriately and effectively
designed.
In FY 2018, DISA embarked on two Statement on Standards for Attestation Engagements (SSAE)
18 efforts and received unmodified opinions on both: application hosting services (sixth
consecutive year) and ATAAPS (second consecutive year). These unmodified opinions provide
DISA’s Mission Partners and their auditors the confidence that they can rely on the
automated controls and documentation within these applications. DISA’s core financial
accounting systems are also covered in this attestation. The WAAS replacement by the Defense
Agencies Initiative (DAI) and FAMIS-TSEAS Enterprise Resource Planning (ERP) replacement
by FAMIS Enterprise Acquisition Services (EAS) Modernization were implemented in
October 2018. The implementation of these ERP approved systems will facilitate resolution of
compliance issues associated with the legacy systems. Finally, DISA considered the FFMIA
compliance Determination Framework to determine whether the Agency complies with the
Section 803(a) requirements of FFMIA. Some of these key indicators include the fact that DISA
consistently provides timely and reliable financial statements to OMB within 21 calendar days at
the end of the first through third quarters and unaudited financial statements to OMB, GAO, and
Congress by 15 November each year. DISA has not reported anti-deficiency violations in more
than a decade, and the Agency continues to demonstrate compliance with laws and regulations.
In addition, Information Assurance (IA) policies and procedures were converted from
Department of Defense Information Assurance Certification and Accreditation Process
(DIACAP) to the Risk Management Framework (RMF) as of March 2018.
Internal Controls over Financial Reporting - The RMC/Comptroller documented end-to-end
business processes and identified key internal control activities supporting key business
processes for ICOFR. DISA conducted an internal risk assessment that evaluated the results of
prior year audits, internal analysis of the results of financial operations, and known upcoming
business events. An internal control assessment was conducted within DISA for mission specific
key processes.
Based on the results of the internal risk analysis, internal testing was conducted to evaluate the
significance of potential deficiencies identified. Specific areas of testing included the following:
- Year End Obligations (GF)
- Revenue/Collections (GF and WCF)
- Expense/Disbursements (GF and WCF)
- Accounts Payable (WCF)
- Accounts Receivable (WCF)
- Integrated Defense Enterprise Acquisition System (IDEAS) Telecommunication
  (TELCOM) initial contracting actions (WCF)
- Undelivered Orders (UDOs) (GF)
- Year-End Roll Forward (GF and WCF)
- PP&E Disposals (GF)
- PP&E Non-DISA Sites (GF)
- Employee Debt Review (WCF)
- Unfilled Customer Orders (UCOs) (WCF)
The details of these internal control reviews and the supporting documentation are kept on file
for reference. No material weaknesses were found.
DISA is currently undergoing an FY 2018 full financial statement audit for both the WCF and
GF. Because DISA’s FY 2016 audit was out-of-cycle and not completed until July 2017, a
decision was made to forego the audit of FY 2017 financial statements.
DISA is one of the few DoD agencies to navigate the rigors of a full financial statement audit.
This success is a culmination of the DISA efforts in support of the Department-wide initiatives to
achieve audit readiness. DISA is recognized for best practices for building a foundation through
compliant processes, establishing a seasoned audit support team, standardizing reconciliations
and analyses, building a staging library of key supporting documents, and establishing an overall
culture of readiness. DISA was able to successfully provide universe of transaction details,
monthly Fund Balance with Treasury (FBwT) reconciliations, capital property existence,
completeness and valuation requirements and support, aging schedules for accounts receivable
and accounts payable (AP), journal voucher coordination with the Defense Finance and
Accounting Service (DFAS), and elimination reconciliations with DISA’s trading partners.
These have all been identified as issues that, in the past, have prevented other DoD agencies
from achieving an audit opinion. To ensure quick responses to the auditors’ demands, RM3
prepositioned key artifacts in DISA's Financial Reporting library.
Internal Controls over Operations - During DoD IG Audit 2017-113, a potential material
weakness was identified with regard to payments made on 1,077 expired Communication
Services Authorizations (CSAs). DISA concurred with the DoD IG recommendation to
determine whether payments on expired CSAs were improper, in accordance with the Improper
Payments Elimination and Recovery Improvement Act (IPERIA). The research identified
approximately $205M in payments made on CSAs and related noncompliant contract actions.
The contract actions were noncompliant because DISA did not follow the Federal Acquisition
Regulations (FAR) when DISA continued a contractual relationship with a vendor without re-
competing the requirement or preparing a justification and approval.
While the payments for these noncompliant contract actions meet the definition of improper
payments under OMB A-123 guidance, the government cannot pursue recovery actions because
the government received value for the services rendered.
Accounting for Service Providers’ Internal Controls - DISA fully supports the Department's goal
to achieve auditable financial statements and as a service provider, demonstrates this
commitment through annual examinations by the IPA. For the seventh consecutive year, DISA
received an unmodified opinion on the hosting services platform Statement on Standards for
Attestation Engagements (SSAE) No. 18. The Agency continually works to improve processes,
enhance controls, and validate information. Additionally, DISA undertook an independent
application examination of the ATAAPS, for which the Agency received an unmodified opinion
for the second consecutive year. Even though DISA as a reporting agency has migrated to
Defense Agencies Initiative (DAI) Oracle Time and Labor module as of June 2018, the SSAE 18
process for ATAAPS will continue on behalf of DISA’s customers.
DISA hosts more than 100 financial systems throughout the DoD. DISA’s sustained clean
opinion on hosting services provides mission partners and their auditor the confidence that they
can rely on the automated controls and documentation within these applications.
In 2017, OSD Financial Improvement and Audit Readiness (FIAR) led Department-wide
discussions regarding SSAE 18s and the impact to component financial statements. DISA
participated in these discussions from both a service provider and reporting entity perspective.
As a result, 275 Complementary User Entity Controls (CUECs) were identified that had an impact
on the financial statements. In addition to continued participation in multiple Service Provider
CUEC discussions in 2018, DISA has analyzed the 275 identified CUECs and determined the
Agency’s level of risk, and identified control descriptions and control attributes for each. For
those CUECs determined to be common across all the identified systems, testing was conducted
for areas of high risk.
Conclusion on Overall Assessment of Internal Control
In addition to FMFIA, DISA reports its compliance with the Federal Financial Management
Improvement Act (FFMIA). FFMIA requires an assessment of adherence to financial
management system requirements, accounting standards, and U.S. Standard General Ledger
transaction level reporting. For FY 2018, DISA is reporting overall substantial compliance. The
following is a comprehensive list of laws and regulations which were assessed for compliance by
the DISA WCF in context of the FY 2018 audit.
Acronym | Laws & Regulations (Supplement Number)
ADA | Antideficiency Act, 31 U.S.C. 1341 and 1517, January 7, 2011 and OMB A-11, Preparation, Submission and Execution of the Budget, July 2010. FAM 803
DCIA | Provisions Governing Claims of the U.S. Government as provided primarily in 31 U.S.C. 3711-3720E (Including the Debt Collection Improvement Act of 1996) (DCIA). FAM 809
PPA | Prompt Payment Act, 5 CFR 1315, September 29, 1999. FAM 810
CSRA | Civil Service Retirement Act FAM 813
FEHB | Federal Employees Health Benefits Act FAM 814
FECA | Federal Employees’ Compensation Act FAM 816
FERS | Federal Employees’ Retirement System Act of 1986 FAM 817
PAS for CEs | Pay and Allowance System for Civilian Employees as Provided Primarily in Chapters 51-59 of Title 5, U.S. Code FAM 812
CFO Act, A-123 | Chief Financial Officers (CFO) Act of 1990 and OMB Circular A-136, Financial Reporting Requirements, September 29, 2010.
FFMIA | Federal Financial Management Improvement Act (FFMIA) of 1996; OMB Circular A-127, Financial Management Systems, January 9, 2009; OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, November 28, 2000.
FMFIA and A-123 | Federal Managers Financial Integrity Act (FMFIA) of 1982 and OMB Circular A-123, Appendix A, August 1, 2005.
FISMA | Federal Information Security Management Act (FISMA) of 2002.
DoD FMR | Department of Defense (DoD), Financial Management Regulation 7000.14-R, August 26, 2011.
IPERA | Improper Payments Elimination and Recovery Act of 2010 (IPERA) and OMB Circular A-123, Appendix C, Parts I and II, April 14, 2011 and Part III, March 22, 2010.
Financial Management Systems Framework, Goals, and Strategies
DISA’s WCF financial related system implementations have been planned and designed within
the framework of the Business Enterprise Architecture (BEA) established within the Department
of Defense, which facilitates to the extent possible a more standardized framework for systems in
the Department. Financial system related initiatives target implementation of a standardized
financial information structure that will be compliant with FFMIA and BEA requirements, and
provide DISA with cost accounting data and timely accounting information that enables
enhanced decision-making.
The WAAS replacement by the Defense Agencies Initiative (DAI) and FAMIS-TSEAS
Enterprise Resource Planning (ERP) replacement by FAMIS Enterprise Acquisition Services
(EAS) Modernization were implemented in October 2018. The implementation of these ERP
approved systems will facilitate resolution of compliance issues associated with the legacy
systems. Finally, DISA considered the FFMIA compliance Determination Framework to
determine whether the Agency complies with the Section 803(a) requirements of FFMIA. Some
of these key indicators include the fact that DISA consistently provides timely and reliable
financial statements to OMB within 21 calendar days at the end of the first through third quarters
and unaudited financial statements to OMB, GAO, and Congress by 15 November each year.
DISA has not reported anti-deficiency violations in more than a decade, and the Agency
continues to demonstrate compliance with laws and regulations. In addition, Information
Assurance (IA) policies and procedures were converted from Department of Defense
Information Assurance Certification and Accreditation Process (DIACAP) to the Risk
Management Framework (RMF) as of March 2018.
DISA also conducted an internal review of the effectiveness of the internal controls over the
integrated financial management systems in accordance with Federal Financial Management
Improvement Act (FFMIA) of 1996 (Public Law 104-208) and OMB Circular No. A-123,
Appendix D. The "Internal Control Evaluation" section provides specific information on how
DISA conducted this assessment. Based on the results of this assessment, DISA can provide
reasonable assurance, except for the two non-conformances reported in the "Significant
Deficiencies/Material Weaknesses and Corrective Action Plans Template" that the internal
controls over the financial systems are in compliance with the FFMIA and OMB Circular
No. A-123, Appendix D, as of 30 September 2018.
5. Limitations of the Financial Statements
The principal financial statements have been prepared to report the financial position and results
of operations of the DISA WCF and GF, pursuant to the requirements of 31 U.S.C. 3515(b).
While the statements have been prepared from books and records of the DISA WCF and GF in
accordance with GAAP for Federal entities and the formats prescribed by OMB, the statements
are in addition to the financial reports used to monitor and control budgetary resources, which
are prepared from the same books and records.
The statements should be read with the realization that they are for a Defense Agency of the U.S.
Government, a sovereign entity.
Principal Statements
Department of Defense
Defense Information Systems Agency General Fund
CONSOLIDATED BALANCE SHEET
As of September 30, 2018 and 2017
(in Thousands)
[Line items only; two amount columns, each headed "Consolidated / Unaudited". Amounts and note numbers not recovered.]

ASSETS (Note)
   Intragovernmental:
      Fund Balance with Treasury (Note)
      Accounts Receivable (Note)
      Total Intragovernmental Assets
   Accounts Receivable, Net (Note)
   General Property, Plant and Equipment, Net (Note)
   Other Assets (Note)
TOTAL ASSETS
STEWARDSHIP PROPERTY, PLANT & EQUIPMENT (N/A)
LIABILITIES (Note)
   Intragovernmental:
      Accounts Payable (Note)
      Other Liabilities (Note)
      Total Intragovernmental Liabilities
   Accounts Payable (Note)
   Military Retirement and Other Federal Employment Benefits (Note)
   Other Liabilities (Note and Note)
TOTAL LIABILITIES
COMMITMENTS AND CONTINGENCIES (NOTE)
NET POSITION
   Unexpended Appropriations - Other Funds
   Cumulative Results of Operations - Other Funds
TOTAL NET POSITION
TOTAL LIABILITIES AND NET POSITION

The accompanying notes are an integral part of these statements.
7KHDFFRPSDQ\LQJQRWHVDUHDQLQWHJUDOSDUWRIWKHVHVWDWHPHQWV
LQ7KRXVDQGV
'HSDUWPHQWRI'HIHQVH
'HIHQVH,QIRUPDWLRQ6\VWHPV$JHQF\*HQHUDO)XQG
&2162/,'$7('67$7(0(172)1(7&267
)RUWKHSHULRGVHQGHG6HSWHPEHUDQG
3URJUDP&RVWV
*URVV&RVWV
/HVV(DUQHG5HYHQXH
1HW&RVWEHIRUH/RVVHV*DLQVIURP$FWXDULDO$VVXPSWLRQ&KDQJHV
IRU0LOLWDU\5HWLUHPHQW%HQHILWV
1HW3URJUDP&RVWV,QFOXGLQJ$VVXPSWLRQ&KDQJHV
1HW&RVWRI2SHUDWLRQV
&RQVROLGDWHG
8QDXGLWHG
&RQVROLGDWHG
8QDXGLWHG
 
 
 
 
 


34
7KHDFFRPSDQ\LQJQRWHVDUHDQLQWHJUDOSDUWRIWKHVHVWDWHPHQWV
LQ7KRXVDQGV
'HSDUWPHQWRI'HIHQVH
'HIHQVH,QIRUPDWLRQ6\VWHPV$JHQF\*HQHUDO)XQG
&2162/,'$7('67$7(0(172)&+$1*(6,11(7326,7,21
)RUWKHSHULRGVHQGHG6HSWHPEHUDQG
81(;3(1'('$335235,$7,216
%HJLQQLQJ%DODQFHV,QFOXGHV)XQGVIURP'HGLFDWHG
&ROOHFWLRQV1$
%HJLQQLQJEDODQFHVDVDGMXVWHG
%XGJHWDU\)LQDQFLQJ6RXUFHV
$SSURSULDWLRQVUHFHLYHG
$SSURSULDWLRQVWUDQVIHUUHGLQRXW
2WKHUDGMXVWPHQWV
$SSURSULDWLRQVXVHG
7RWDO%XGJHWDU\)LQDQFLQJ6RXUFHV,QFOXGHV)XQGVIURP
'HGLFDWHG&ROOHFWLRQV1$
7RWDO8QH[SHQGHG$SSURSULDWLRQV,QFOXGHV)XQGVIURP
'HGLFDWHG&ROOHFWLRQV1$
&808/$7,9(5(68/762)23(5$7,216
%HJLQQLQJ%DODQFHV
%HJLQQLQJEDODQFHVDVDGMXVWHG,QFOXGHV)XQGVIURP
'HGLFDWHG&ROOHFWLRQV1$
2WKHUDGMXVWPHQWV
$SSURSULDWLRQVXVHG
2WKHUEXGJHWDU\ILQDQFLQJVRXUFHV
7UDQVIHUVLQRXWZLWKRXWUHLPEXUVHPHQW
,PSXWHGILQDQFLQJIURPFRVWVDEVRUEHGE\RWKHUV
2WKHU
7RWDO)LQDQFLQJ6RXUFHV,QFOXGHV)XQGVIURP'HGLFDWHG
&ROOHFWLRQV1$
1HW&RVWRI2SHUDWLRQV,QFOXGHV)XQGVIURP
'HGLFDWHG&ROOHFWLRQV1$
1HW&KDQJH
&XPXODWLYH5HVXOWVRI2SHUDWLRQV,QFOXGHV)XQGVIURP
'HGLFDWHG&ROOHFWLRQV1$
1HW3RVLWLRQ
&RQVROLGDWHG
8QDXGLWHG
&RQVROLGDWHG
8QDXGLWHG
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


35
7KHDFFRPSDQ\LQJQRWHVDUHDQLQWHJUDOSDUWRIWKHVHVWDWHPHQWV
LQ7KRXVDQGV
'HSDUWPHQWRI'HIHQVH'HIHQVH,QIRUPDWLRQ6\VWHPV$JHQF\*HQHUDO)XQG
&20%,1('67$7(0(172)%8'*(7$5<5(6285&(6
)RUWKHSHULRGVHQGHG6HSWHPEHUDQG
%XGJHWDU\5HVRXUFHV
8QREOLJDWHGEDODQFHIURPSULRU\HDUEXGJHWDXWKRULW\QHW
GLVFUHWLRQDU\DQGPDQGDWRU\
$SSURSULDWLRQVGLVFUHWLRQDU\DQGPDQGDWRU\
6SHQGLQJ$XWKRULW\IURPRIIVHWWLQJFROOHFWLRQV
GLVFUHWLRQDU\DQGPDQGDWRU\
7RWDO%XGJHWDU\5HVRXUFHV
1HWDGMXVWPHQWVWRXQREOLJDWHGEDODQFHEURXJKWIRUZDUG2FW
6WDWXVRI%XGJHWDU\5HVRXUFHV
1HZREOLJDWLRQVDQGXSZDUGDGMXVWPHQWVWRWDO
8QREOLJDWHGEDODQFHHQGRI\HDU
$SSRUWLRQHGXQH[SLUHGDFFRXQWV
8QDSSRUWLRQHGXQH[SLUHGDFFRXQWV
8QH[SLUHGXQREOLJDWHGEDODQFHHQGRI\HDU
([SLUHGXQREOLJDWHGEDODQFHHQGRI\HDU
8QREOLJDWHGEDODQFHHQGRI\HDUWRWDO
7RWDO%XGJHWDU\5HVRXUFHV
2XWOD\VQHW
2XWOD\VQHWWRWDOGLVFUHWLRQDU\DQGPDQGDWRU\
$JHQF\2XWOD\VQHWGLVFUHWLRQDU\DQGPDQGDWRU\
&RPELQHG
8QDXGLWHG
&RPELQHG
8QDXGLWHG
 
 
 
 
 
 
 
 
 
 
 
 
 
 





36
Defense Information Systems Agency
General Fund
Notes to the Principal Statements
4th Quarter Fiscal Year 2018, ending September 30, 2018
DISA General Fund
Note 1. Significant Accounting Policies
A. Reporting Entity
The Defense Information Systems Agency (DISA), a Combat Support Agency, provides,
operates, and assures command and control, information-sharing capabilities, and a globally
accessible enterprise information infrastructure in direct support of joint warfighters, national-level
leaders, and other mission and coalition partners across the full spectrum of operations.
The history of DISA is traceable to the Defense Reorganization Act of 1958, which authorized the
creation of a joint military communications network to be formed by consolidation of the
communications facilities of the Military Departments. This would ultimately lead to the formation
of the Defense Communications Agency (DCA). Over the next several years, DCA expanded its
mission and underwent a number of mergers with other agencies to enhance the interoperability
of command, control, and communications (C3). On June 25, 1991, DCA was renamed DISA to
reflect its expanded role in implementing the Department of Defense’s (DoD) information
initiatives, and to clearly identify DISA as a combat support agency. Currently, DISA is the
premier Information Technology Combat Support Agency that provides and assures command,
control, communications, computing, intelligence, surveillance, and reconnaissance (C4ISR) to
the warfighter, and delivers enterprise services and data at the user point of need. In addition,
with the standup of the new Joint Force Headquarters-DoD Information Network (JFHQ-DoDIN)
organization on January 15, 2015, DISA now serves as the joint operational arm of defense
cyberspace operations for the DoD. The JFHQ-DoDIN exercises command and control of DoDIN
operations and defensive cyber operations-internal defense measures globally in order to
synchronize the protection of DoD component capabilities and to enable power projection and
freedom of action across all warfighting domains. The DISA operates under the direction,
authority, and control of the DoD Chief Information Officer (CIO) who reports directly to the
Secretary of Defense.
The DISA operates using two funding sources: general fund (GF) appropriations and a working
capital fund (WCF). The DISA WCF is a separately reported fund and not included herein. The
DISA GF receives appropriations and funds through the established Office of Management and
Budget (OMB) and DoD fund distribution process. The DISA GF uses these appropriations and
funds to execute missions that are not funded by WCF, and it subsequently reports on resource
usage supported by financial transactions for civilian personnel, operation and maintenance,
research and development, procurement, and military construction.
The DISA GF is a party to allocation transfers with other federal agencies as a transferring parent
entity. An allocation transfer is an entity’s legal delegation of authority to obligate budget
authority and outlay funds on its behalf. Generally, all financial activity related to allocation
transfers (e.g., budget authority, obligations, and outlays) is reported in the financial statements
of the parent entity. As a parent, DISA GF allocates funds to U.S. Army Central.
B. Basis of Presentation and Accounting
The accompanying financial statements and footnotes are prepared in accordance with OMB
Circular A-136, Financial Reporting Requirements. The statements are prepared from the books
and records of DISA in accordance with generally accepted accounting principles (GAAP). The
American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards
(SAS) No. 91, Federal GAAP Hierarchy, established a hierarchy of GAAP for federal financial
statements in which the Federal Accounting Standards Advisory Board (FASAB) is the standard-
setting body. The financial statements account for all resources for which DISA GF is
responsible, with the exception of information relating to classified assets, programs, and
operations that is either excluded from the statements or otherwise aggregated and reported in a
manner that is not discernible.
Accounting standards require all reporting entities to disclose that accounting standards allow
certain presentations and disclosures to be modified, if needed to prevent the disclosure of
classified information.
Information relative to classified assets, programs, and operations is excluded from the
statements or otherwise aggregated and reported in such a manner that it is not discernible.
The DISA records accounting transactions on both an accrual and budgetary basis of accounting.
Under the accrual method, revenue is recognized when earned and costs/expenses are
recognized when incurred, without regard to receipt or payment of cash. Budgetary accounting
facilitates compliance with legal constraints and controls over the use of federal funds.
Preparation of the financial statements requires management to make estimates and
assumptions that affect the reported amounts of assets and liabilities, revenues and expenses,
and disclosure of contingent assets and liabilities as of the reporting date. Estimates are made
for significant items such as payroll expenses and contract expenses (federal and nonfederal).
Payroll estimates pertain to the number of remaining work days in the current period for which
actual payroll expenses have not been received from the Defense Civilian Payroll System. The
estimate is based on the cost per day using the past two pay period actual expenses available
multiplied by the number of days remaining in the period. Contractual estimates pertain to the
value of services and/or goods received but not invoiced. The estimates are based on the period
of performance and values identified in the contract and/or historical data and actual or estimated
usage. Actual results may differ from those estimates.
C. Use Of Estimates
The DISA GF management makes assumptions and reasonable estimates in the preparation of
the financial statements based on current conditions that may affect the reported amounts.
Actual results could differ from the estimated amounts. Significant estimates include such items
as year-end accruals of accounts payable for payroll expenses and contract expenses (federal
and nonfederal), and actuarial liabilities related to workers' compensation. Payroll estimates
pertain to the number of remaining workdays in the current period for which actual payroll
expenses have not been received from the Defense Civilian Payroll System. The estimate is
based on the cost per day using the past two pay period actual expenses available multiplied by
the number of days remaining in the period. Contractual estimates pertain to the value of
services and/or goods received but not invoiced. The estimates are based on the period of
performance and values identified in the contract and/or historical data and actual or estimated
usage. Actual results may differ from those estimates; therefore, estimates are adjusted (trued-up)
to reflect actuals during the period they become available.
D. Recognition of Revenue
The DISA GF receives appropriations as financing sources for general funds that expire annually,
expire on a multi-year basis, or do not expire. When authorized by legislation, these
appropriations are supplemented by revenues generated by sales of goods or services. The
DISA GF recognizes revenue as a result of costs incurred for goods and services provided to
other federal agencies and the public. The DISA GF recognizes revenue when earned and
expenses in the period incurred.
E. Recognition of Expenses
In accordance with DoD FMR Volume 4, Chapter 17, Paragraph 170401, DISA GF commonly
reports expenses at their gross amount at the time that the expense is incurred. Expenses are
recognized in the period that services are rendered, not when invoices are received. Estimates
are made for major items such as payroll expenses and accounts payable.
F. Accounting for DISA Intra-entity General Fund Transactions
The preparation of financial statements in accordance with GAAP requires special treatment of
revenues earned and costs incurred within DISA GF’s reporting entity. These “intra-entity”
transactions between appropriation types (programs) within DISA GF are recorded and then
eliminated as part of the financial statement consolidation and preparation process. Prior to
consolidation, appropriation type balances are reconciled to each other, with any resulting
adjustments made to pertinent balances to complete the elimination process.
G. Reconciliation with Intragovernmental Trading Partners
The DISA GF engages in a manual reconciliation process with trading partners where transaction
detail is identified and any material differences are resolved. The DISA GF also reconciles its
buyer-side data with several tier-one federal agencies, including balances pertaining to Federal
Employees’ Compensation Act (FECA) transactions with the Department of Labor (DOL) and
benefit program transactions with the Office of Personnel Management (OPM). In general, DISA
GF does more buying than selling with other intragovernmental agencies. The largest trading
partner on the buyer side and seller side is DISA WCF. Other major federal agency trading
partners for the buyer side include the Department of the Navy WCF, the Department of the Navy
GF, the Department of the Army GF, and the Defense Technical Information Center (DTIC). On
the seller side, the DISA GF engages in sales and receivables activities with DISA WCF, the
Department of Army GF, the Department of the Air Force GF, and the Department of the Navy
GF. There are other intragovernmental trading partners on both sides, with smaller transactional
volume with DISA.
H. Funds with the U.S. Treasury
The DISA GF’s monetary resources are maintained in U.S. Treasury accounts as a Fund Balance
with Treasury (FBWT). The disbursing offices of the Defense Finance and Accounting Service
(DFAS) process the majority of DISA GF’s cash collections, disbursements, and adjustments
worldwide. Each disbursing station prepares monthly reports to the U.S. Treasury on checks
issued, electronic fund transfers, interagency transfers, and deposits.
In addition, DFAS sites submit reports to U.S. Treasury by appropriation on interagency transfers,
collections received, and disbursements issued. The U.S. Treasury records these transactions to
the applicable FBWT account. On a monthly basis, DISA GF’s FBWT is adjusted to agree with
U.S. Treasury accounts.
I. Accounts Receivable
Accounts receivable from other federal entities or the public include earned accounts receivable,
claims receivable, and refunds receivable. Allowances for uncollectible accounts due from the
public are based upon a percentage of aged accounts receivable. The DoD does not recognize
an allowance for estimated uncollectible amounts from other federal agencies. Claims against
other federal agencies are resolved between the agencies in accordance with dispute resolution
procedures defined in the intragovernmental business rules published in the Treasury Financial
Manual, or TFM (see TFM Bulletin No. 2011-08).
J. General Property, Plant and Equipment
The DISA GF General Property, Plant and Equipment (PP&E) consists of telecommunications
equipment, computer equipment, computer software, assets under capital lease, construction in
progress and leasehold improvements whereby the acquisition cost falls within prescribed
thresholds and the estimated useful life is 2 or more years. The DISA GF PP&E capitalization
threshold is $250 thousand for asset acquisitions and modifications/improvements placed into
service after September 30, 2013. PP&E assets acquired prior to October 1, 2013 were
capitalized at prior threshold levels ($100 thousand for equipment and $20 thousand for real
property). PP&E with an acquisition cost of less than the capitalization threshold is expensed
when purchased. Property and equipment meeting the capitalization threshold is depreciated
using the straight-line method over the initial or remaining useful life, as appropriate, which ranges
from 3 to 25 years.
The DISA GF capitalizes improvements to existing General PP&E assets if the improvements
equal or exceed the capitalization threshold and extend the useful life or increase the size,
efficiency, or capacity of the asset. Leasehold improvements are amortized over the lesser of
their useful life, generally five years, or the unexpired lease term.
A subset of DISA assets do not lend themselves to a single activation date. Statement of Federal
Financial Accounting Standard 6 directs that depreciation is calculated through a systematic and
rational allocation of cost; and that a composite methodology for a heterogeneous set of assets
may be permissible. DISA applies a mid-year type approach to commencing depreciation
expense for these assets because it provides the most systematic and rational approach to
applying an asset activation date, one that addresses the standards and achieves the objectives
of matching expense to the period in which the benefit is derived. The date chosen is not the
actual mid-year point of the fiscal year, but rather September 30 of each year because the third
and fourth quarters of the fiscal year consistently represent the periods of highest activity for
receipt of goods.
K. Other Assets
The DISA GF’s other assets primarily consist of advances and prepayments. However, other
assets may include military and civil service employee pay advances, and travel advances that
are not reported elsewhere on DISA GF’s balance sheet.
When advances are permitted by law, legislative action, or presidential authorization, DISA GF
records advances or prepayments in accordance with federal GAAP. Accordingly, payments
made in advance of the receipt of goods and services are reported as an asset on the balance
sheet.
L. Leases
The GF lease payments for the rental of equipment and operating facilities are classified as
operating leases. The DISA GF, as the lessee, receives the use and possession of leased
property from a lessor in exchange for a payment of funds. An operating lease does not
substantially transfer all the benefits and risk of ownership. Payments for operating leases are
expensed over the lease term as they become payable.
Office space leases entered into by DISA GF form the largest component of operating leases and
are based on costs obtained from existing leases.
M. Accounts Payable
Accounts payable includes amounts owed to federal and nonfederal entities for goods and
services received. The DISA GF recognizes accounts payable during the period that the goods,
services, or benefits are received. Accounts payable balances are reviewed periodically for
validity by accounting personnel during the performance of daily duties, through internal reviews
such as the required triannual reviews, other internal quality assurance reviews, and as part of
contract closeout procedures.
N. Accrued Payroll and Benefits
Accrued payroll and benefits includes the portion of employee compensation earned, but not
paid, at the end of the period, along with DISA GF’s share of associated taxes, benefits, and
retirement plan contributions.
O. Accrued Leave
The DISA GF reports liabilities for accrued compensatory and annual leave for civilians as it is
earned. The accrual is reduced for actual leave taken and increased for leave earned. Sick
leave for civilians is expensed as taken. The liabilities are based on current pay rates.
P. Imputed Costs and Sources of Financing
The OPM is the administrative entity for post-retirement pension, life insurance, and medical
benefits provided to DISA GF retirees. Accordingly, benefits will be paid from OPM
appropriations rather than from DISA GF. The portion paid by OPM represents an imputed
financing source to DISA GF. The present value of the cost of future retirement benefits
attributable to employees’ service during the current year is an associated imputed cost of equal
value. Both imputed financing sources and imputed costs are recognized in the current period
and are calculated using cost factors developed by OPM actuaries.
The DISA receives an imputed financing source for office space and military labor provided by
DoD entities at no charge to DISA GF. In compliance with Interpretation 6, Accounting for
Imputed Intra-Departmental Costs: An Interpretation of SFFAS No. 4, DISA GF recognizes an
associated imputed cost for military labor through assigned military personnel. The imputed cost
for military labor is obtained from the Fiscal Year (FY) 2017 military composite pay and
reimbursement rates. The DISA GF recognizes an associated imputed cost based on General
Services Administration (GSA) rates for comparable office space.
Q. Net Position
Net position consists of unexpended appropriations and cumulative results of operations.
Unexpended appropriations represent the amounts of budget authority that are unobligated and
have not been rescinded or withdrawn. Unexpended appropriations also represent amounts
obligated for which legal liabilities for payments have not been incurred.
Cumulative results of operations represent the net difference between expenses and losses and
financing sources (including appropriations, revenue, and gains) since inception. The cumulative
results of operations also include donations and transfers in and out of assets that were not
reimbursed.
R. Undistributed Disbursements and Collections
Undistributed disbursements and collections represent the difference between disbursements and
collections matched at the transaction level to specific obligations, payables, or receivables in the
source systems and those reported by the U.S. Treasury. The DoD allocates supported
undistributed disbursements and collections between federal and nonfederal categories based on
the percentage of distributed federal and nonfederal accounts payable and accounts receivable.
Supported undistributed disbursements and collections are then applied to reduce accounts
payable and accounts receivable accordingly.
Note 2. Nonentity Assets

As of September 30                                          2018          2017
(Amounts in thousands)
1. Intragovernmental Assets
   A. Fund Balance with Treasury                              $0            $0
   B. Accounts Receivable                                      0             0
   C. Other Assets                                             0             0
   D. Total Intragovernmental Assets                          $0            $0
2. Nonfederal Assets
   A. Cash and Other Monetary Assets                          $0            $0
   B. Accounts Receivable                                      7             2
   C. Other Assets                                             0             0
   D. Total Nonfederal Assets                                 $7            $2
3. Total Nonentity Assets                                     $7            $2
4. Total Entity Assets                                $3,501,073    $3,165,931
5. Total Assets                                       $3,501,080    $3,165,933

Non-entity assets are assets for which DISA GF maintains stewardship accountability and reporting
responsibility but are not available for DISA GF’s normal operations.
The DISA GF non-entity assets are comprised of immaterial amounts of accumulated interest receivable,
allowance for loss on interest receivable, and accumulated penalties and administrative fees receivable as
reported in the Monthly Debt Management Report Contract Debt System. The DFAS initiates collection
actions and transfers collected funds to the U.S. Treasury after receipt of payment.
Non-entity intergovernmental accounts receivable are receivables that were previously entity assets. These
receivables are related to cancelled appropriations; if collections are received related to a cancelled
appropriation, the funds are no longer available for use by DISA GF and are deposited into the U.S. Treasury.
Note 3. Fund Balance with Treasury

As of September 30                                          2018          2017
(Amounts in thousands)
Status of Fund Balance with Treasury
1. Unobligated Balance
   A. Available                                         $360,268      $498,410
   B. Unavailable                                        117,494       118,166
2. Obligated Balance not yet Disbursed                $2,684,299    $2,182,901
3. Non-budgetary FBWT                                         $0            $0
4. Non-FBWT Budgetary Accounts                        $(177,525)    $(135,623)
5. Total                                              $2,984,536    $2,663,854

The U.S. Treasury maintains and reports fund balances at the Treasury Index (TI) appropriation level. The
DISA GF is included at the TI 97 appropriation level, an aggregate level that does not provide identification
of the separate defense agencies. As a result, the U.S. Treasury does not separately report an amount for
DISA GF. Therefore, the entire DISA GF FBWT amount is reflected as a reconciling amount.
Note 4. Accounts Receivable

As of September 30, 2018
(Amounts in thousands)
                                              Gross Amount Due   Allowance For Estimated  Accounts Receivable, Net
                                                                          Uncollectibles
1. Intragovernmental Receivables                       $15,678                       N/A                   $15,678
2. Nonfederal Receivables (From the Public)               $294                        $0                      $294
3. Total Accounts Receivable                           $15,972                        $0                   $15,972

As of September 30, 2017
(Amounts in thousands)
                                              Gross Amount Due   Allowance For Estimated  Accounts Receivable, Net
                                                                          Uncollectibles
1. Intragovernmental Receivables                       $25,375                       N/A                   $25,375
2. Nonfederal Receivables (From the Public)               $151                      $(4)                      $147
3. Total Accounts Receivable                           $25,526                      $(4)                   $25,522

The accounts receivable represent DISA GF’s claim for payment from other entities. The DISA GF
recognizes an allowance for uncollectible amounts from the public. Claims with other federal agencies are
resolved in accordance with the Intragovernmental Business Rules.
The allowance for uncollectible accounts of nonfederal receivables is determined by using a systematic
methodology that includes performing an analysis of the applicable accounts receivable historical data.
Note 5. General PP&E, Net

As of September 30, 2018
(Amounts in thousands)
                                            Depreciation/ Service        Acquisition    (Accumulated    Net Book
                                            Amortization  Life                 Value   Depreciation/       Value
                                            Method                                     Amortization)
1. Major Asset Classes
   A. Land                                  N/A           N/A                     $0             N/A          $0
   B. Buildings, Structures, and Facilities S/L           20, 40 Or 45       458,368       $(85,944)     372,424
   C. Leasehold Improvements                S/L           lease term          52,941        (28,195)      24,746
   D. Software                              S/L           2-5 Or 10            9,339         (8,518)         821
   E. General Equipment                     S/L           Various            378,154       (296,637)      81,517
   F. Assets Under Capital Lease            S/L           lease term               0               0           0
   G. Construction-in-Progress              N/A           N/A                 20,927             N/A      20,927
   H. Other                                                                        0               0           0
   I. Total General PP&E                                                    $919,729      $(419,294)    $500,435

As of September 30, 2017
(Amounts in thousands)
                                            Depreciation/ Service        Acquisition    (Accumulated    Net Book
                                            Amortization  Life                 Value   Depreciation/       Value
                                            Method                                     Amortization)
1. Major Asset Classes
   A. Land                                  N/A           N/A                     $0             N/A          $0
   B. Buildings, Structures, and Facilities S/L           20, 40 Or 45       458,368       $(74,485)     383,883
   C. Leasehold Improvements                S/L           lease term          45,982        (22,403)      23,579
   D. Software                              S/L           2-5 Or 10            9,858         (8,056)       1,802
   E. General Equipment                     S/L           Various            322,858       (257,400)      65,458
   F. Assets Under Capital Lease            S/L           lease term               0               0           0
   G. Construction-in-Progress              N/A           N/A                    630             N/A         630
   H. Other                                                                        0               0           0
   I. Total General PP&E                                                    $837,696      $(362,344)    $475,352

The DISA GF General PP&E is comprised of leasehold improvements, equipment, and software with a net
book value (NBV) of $500.4 million.
There are no restrictions on the use or convertibility of DISA GF’s property and equipment, and all values are
based on acquisition cost.
The DISA GF does not possess any Stewardship PP&E (Federal Mission PP&E, Heritage Assets, or
Stewardship Land). The implementation of Statement of Federal Financial Accounting Standard (SFFAS) No.
6 did not result in any changes in asset values and was accomplished through the application of guidance
contained in DoD FMR Volume 4, Chapter 6, paragraphs 0601 and 0602.
Assets Under Capital Lease

As of September 30                                          2018          2017
(Amounts in thousands)
1. Entity as Lessee, Assets Under Capital Lease
   A. Land and Buildings                                      $0            $0
   B. Equipment                                                0             0
   C. Accumulated Amortization                                 0             0
   D. Total Capital Leases                                    $0            $0

Note 6. Other Assets

As of September 30                                          2018          2017
(Amounts in thousands)
1. Intragovernmental Other Assets
   A. Advances and Prepayments                                $0            $0
   B. Other Assets                                             0             0
   C. Total Intragovernmental Other Assets                    $0            $0
2. Nonfederal Other Assets
   A. Outstanding Contract Financing Payments               $124        $1,019
   B. Advances and Prepayments                                13           186
   C. Other Assets (With the Public)                           0             0
   D. Total Nonfederal Other Assets                         $137        $1,205
3. Total Other Assets                                       $137        $1,205

The DISA GF’s other assets consist of minimal amounts for advances and prepayments, and outstanding
contract financing payments.
Note 7. Liabilities Not Covered by Budgetary Resources

As of September 30                                                    2018          2017
(Amounts in thousands)
1. Intragovernmental Liabilities
   A. Accounts Payable                                                  $0            $0
   B. Debt                                                               0             0
   C. Other                                                          1,345         1,392
   D. Total Intragovernmental Liabilities                           $1,345        $1,392
2. Nonfederal Liabilities
   A. Accounts Payable                                                  $0       $26,780
   B. Military Retirement and
      Other Federal Employment Benefits                              5,777         6,478
   C. Environmental and Disposal Liabilities                             0             0
   D. Other Liabilities                                             33,174        28,810
   E. Total Nonfederal Liabilities                                 $38,951       $62,068
3. Total Liabilities Not Covered by Budgetary Resources            $40,296       $63,460
4. Total Liabilities Covered by Budgetary Resources               $223,487      $214,019
5. Total Liabilities Not Requiring Budgetary Resources                  $0            $0
6. Total Liabilities                                              $263,783      $277,479

Liabilities Not Covered by Budgetary Resources includes liabilities for which congressional action is needed before
budgetary resources can be provided.
Intragovernmental Liabilities Other consists of $1.3 million of unfunded FECA liabilities related to bills from the DOL
that are not funded until the billings are received.
Nonfederal Liabilities Accounts Payable consists of payables related to cancelled appropriations which are not covered by
Budgetary Resources.
Military Retirement and Other Federal Employment Benefits consists of various employee actuarial liabilities not due and
payable during the current fiscal year.
Nonfederal Liabilities Other is annual leave liability in the amount of $33.1 million. This balance reflects amounts of
annual leave that have been earned but will be paid from future appropriations.
Note 8.
Accounts Payable
As of September 30, 2018                  Accounts Payable    Interest, Penalties, and         Total
(Amounts in thousands)                                             Administrative Fees
1. Intragovernmental Payables                    $ 189,862                         N/A     $ 189,862
2. Nonfederal Payables (to the Public)              10,157                           0        10,157
3. Total                                         $ 200,019                         $ 0     $ 200,019
As of September 30, 2017                  Accounts Payable    Interest, Penalties, and         Total
(Amounts in thousands)                                             Administrative Fees
1. Intragovernmental Payables                    $ 171,343                         N/A     $ 171,343
2. Nonfederal Payables (to the Public)              47,996                           0        47,996
3. Total                                         $ 219,339                         $ 0     $ 219,339
The DISA GF accounts payable includes amounts owed to federal and nonfederal entities for goods and services
received. The DISA GF employs a trading partner reconciliation process throughout the year to validate DISA GF
buyer side and seller side balances, and it collaborates with its major DoD partners to identify and resolve material
differences. Generally, in accordance with DoD FMR Volume 6B, Chapter 13, paragraph 130201, the internal DoD
buyer-side accounts payable are adjusted to agree with intra-agency seller-side accounts receivable. The DISA GF’s
accounts payable are adjusted based upon trading partner reconciliations and the revised estimated accrued
expenses to properly reflect balances at the end of the period.
Note 9.
Other Liabilities
As of September 30, 2018                                   Current    Noncurrent       Total
(Amounts in thousands)                                   Liability     Liability
1. Intragovernmental
   A. Advances from Others                                     $ 0           $ 0         $ 0
   B. Deposit Funds and Suspense Account Liabilities             0             0           0
   C. Disbursing Officer Cash                                    0             0           0
   D. Judgment Fund Liabilities                                 45             0          45
   E. FECA Reimbursement to the Department of Labor            568           732       1,300
   F. Custodial Liabilities                                      7             0           7
   G. Employer Contribution and Payroll Taxes Payable        2,638             0       2,638
   H. Other Liabilities                                          0             0           0
   I. Total Intragovernmental Other Liabilities            $ 3,258         $ 732     $ 3,990
2. Nonfederal
   A. Accrued Funded Payroll and Benefits                 $ 10,636           $ 0    $ 10,636
   B. Advances from Others                                   5,803             0       5,803
   C. Deferred Credits                                           0             0           0
   D. Deposit Funds and Suspense Accounts                        0             0           0
   E. Temporary Early Retirement Authority                       0             0           0
   F. Nonenvironmental Disposal Liabilities
      (1) Military Equipment (Nonnuclear)                        0             0           0
      (2) Excess/Obsolete Structures                             0             0           0
      (3) Conventional Munitions Disposal                        0             0           0
   G. Accrued Unfunded Annual Leave                         33,174             0      33,174
   H. Capital Lease Liability                                    0             0           0
   I. Contract Holdbacks                                         0             0           0
   J. Employer Contribution and Payroll Taxes Payable        4,259             0       4,259
   K. Contingent Liabilities                                     0           125         125
   L. Other Liabilities                                          0             0           0
   M. Total Nonfederal Other Liabilities                  $ 53,872         $ 125    $ 53,997
3. Total Other Liabilities                                $ 57,130         $ 857    $ 57,987
As of September 30, 2017                                   Current    Noncurrent       Total
(Amounts in thousands)                                   Liability     Liability
1. Intragovernmental
   A. Advances from Others                                     $ 0           $ 0         $ 0
   B. Deposit Funds and Suspense Account Liabilities             0             0           0
   C. Disbursing Officer Cash                                    0             0           0
   D. Judgment Fund Liabilities                                  0             0           0
   E. FECA Reimbursement to the Department of Labor            616           776       1,392
   F. Custodial Liabilities                                      2             0           2
   G. Employer Contribution and Payroll Taxes Payable        2,279             0       2,279
   H. Other Liabilities                                          0             0           0
   I. Total Intragovernmental Other Liabilities            $ 2,897         $ 776     $ 3,673
2. Nonfederal
   A. Accrued Funded Payroll and Benefits                  $ 9,205           $ 0     $ 9,205
   B. Advances from Others                                   5,232             0       5,232
   C. Deferred Credits                                           0             0           0
   D. Deposit Funds and Suspense Accounts                        0             0           0
   E. Temporary Early Retirement Authority                       0             0           0
   F. Nonenvironmental Disposal Liabilities
      (1) Military Equipment (Nonnuclear)                        0             0           0
      (2) Excess/Obsolete Structures                             0             0           0
      (3) Conventional Munitions Disposal                        0             0           0
   G. Accrued Unfunded Annual Leave                         28,809             0      28,809
   H. Capital Lease Liability                                    0             0           0
   I. Contract Holdbacks                                         0             0           0
   J. Employer Contribution and Payroll Taxes Payable        3,724             0       3,724
   K. Contingent Liabilities                                     0         1,019       1,019
   L. Other Liabilities                                          0             0           0
   M. Total Nonfederal Other Liabilities                  $ 46,970       $ 1,019    $ 47,989
3. Total Other Liabilities                                $ 49,867       $ 1,795    $ 51,662
Intragovernmental
The FECA Reimbursement to DOL is $1.3 million, of which $0.6 million is classified as a current liability.
The FECA program provides benefits to employees injured on the job and their beneficiaries. The program
is administered by DOL, which pays claim amounts and then seeks reimbursement from DISA GF. The
amount owed by DISA GF for FECA liabilities has two components. The first component is the
reimbursement due to the DOL for amounts actually paid on behalf of the DISA GF. The second component
is an actuarial liability which is an estimate of future payments to be made by DOL. The actuarial liability is
based on historical patterns, assessed level of risk, and medical and wage inflation factors. Both liabilities
are unfunded until budgetary resources become available for reimbursement.
Custodial liabilities ($6 thousand) consist of interest and fees payable to Treasury for collected past due
receivables.
Employer Contribution and Payroll Taxes Payable totals $2.6 million. The DISA GF pays a portion. The
DISA GF employees are generally covered under the Civil Service Retirement System or Federal Employee
Retirement System.
Nonfederal
Accrued Funded Payroll and Benefits in the amount of $10.6 million represents the unpaid portion of
accrued, funded civilian payroll for DISA GF.
Advances from Others totals $5.8 million, which represents the remaining amount of customer advance
billings. These customer advances will be liquidated in future periods as the result of filling customer
orders/earned revenue based on the completion of contract task orders and other direct costs being applied
to the specific customer advance accounts under Major Range and Test Facility Base guidelines, policies,
and regulation.
Accrued Unfunded Annual Leave is $33.2 million. As earned annual leave is used, the annual leave liability
is reduced. Unused leave is an unfunded liability that will be paid from future resources when taken or when
the employee retires or separates. The amount reported at the end of the period reflects current pay rates.
Sick leave is not a vested benefit, and therefore is expensed when taken.
Capital Lease Liability
As of September 30, 2018                          Asset Category
                                                  Land and
(Amounts in thousands)                           Buildings   Equipment     Other     Total
1. Future Payments Due
   Intragovernmental
   B. 2019                                               0           0         0         0
   C. 2020                                               0           0         0         0
   D. 2021                                               0           0         0         0
   E. 2022                                               0           0         0         0
   F. 2023                                               0           0         0         0
   G. After 5 Years                                      0           0         0         0
   H. Total Future Lease Payments Due                  $ 0         $ 0       $ 0       $ 0
   I. Less: Imputed Interest Executory Costs             0           0         0         0
   J. Net Capital Lease Liability                      $ 0         $ 0       $ 0       $ 0
As of September 30, 2018                          Asset Category
                                                  Land and
(Amounts in thousands)                           Buildings   Equipment     Other     Total
1. Future Payments Due
   Nonfederal
   B. 2019                                               0           0         0         0
   C. 2020                                               0           0         0         0
   D. 2021                                               0           0         0         0
   E. 2022                                               0           0         0         0
   F. 2023                                               0           0         0         0
   G. After 5 Years                                      0           0         0         0
   H. Total Future Lease Payments Due                  $ 0         $ 0       $ 0       $ 0
   I. Less: Imputed Interest Executory Costs             0           0         0         0
   J. Net Capital Lease Liability                      $ 0         $ 0       $ 0       $ 0
2. Capital Lease Liabilities Covered by Budgetary Resources                            $ 0
3. Capital Lease Liabilities Not Covered by Budgetary Resources                        $ 0
As of September 30, 2017                          Asset Category
                                                  Land and
(Amounts in thousands)                           Buildings   Equipment     Other     Total
1. Future Payments Due
   B. 2018                                               0           0         0         0
   C. 2019                                               0           0         0         0
   D. 2020                                               0           0         0         0
   E. 2021                                               0           0         0         0
   F. 2022                                               0           0         0         0
   G. After 5 Years                                      0           0         0         0
   H. Total Future Lease Payments Due                  $ 0         $ 0       $ 0       $ 0
   I. Less: Imputed Interest Executory Costs             0           0         0         0
   J. Net Capital Lease Liability                      $ 0         $ 0       $ 0       $ 0
2. Capital Lease Liabilities Covered by Budgetary Resources                            $ 0
3. Capital Lease Liabilities Not Covered by Budgetary Resources                        $ 0
Note 10.
Military Retirement and Other Federal Employment Benefits
As of September 30, 2018                                         (Less: Assets
                                                                  Available to        Unfunded
(Amounts in thousands)                           Liabilities     Pay Benefits)     Liabilities
1. Pension and Health Benefits
   A. Military Retirement Pensions                       $ 0               $ 0             $ 0
   B. Military Pre Medicare-Eligible
      Retiree Health Benefits                              0                 0               0
   C. Military Medicare-Eligible
      Retiree Health Benefits                              0                 0               0
   D. Total Pension and Health Benefits                  $ 0               $ 0             $ 0
2. Other Benefits
   A. FECA                                           $ 5,777               $ 0         $ 5,777
   B. Voluntary Separation Incentive Programs              0                 0               0
   C. DoD Education Benefits Fund                          0                 0               0
   D. Other                                                0                 0               0
   E. Total Other Benefits                           $ 5,777               $ 0         $ 5,777
3. Total Military Retirement and Other Federal
   Employment Benefits:                              $ 5,777               $ 0         $ 5,777
As of September 30, 2017                                         (Less: Assets
                                                                  Available to        Unfunded
(Amounts in thousands)                           Liabilities     Pay Benefits)     Liabilities
1. Pension and Health Benefits
   A. Military Retirement Pensions                       $ 0               $ 0             $ 0
   B. Military Pre Medicare-Eligible
      Retiree Health Benefits                              0                 0               0
   C. Military Medicare-Eligible
      Retiree Health Benefits                              0                 0               0
   D. Total Pension and Health Benefits                  $ 0               $ 0             $ 0
2. Other Benefits
   A. FECA                                           $ 6,478               $ 0         $ 6,478
   B. Voluntary Separation Incentive Programs              0                 0               0
   C. DoD Education Benefits Fund                          0                 0               0
   D. Other                                                0                 0               0
   E. Total Other Benefits                           $ 6,478               $ 0         $ 6,478
3. Total Military Retirement and Other Federal
   Employment Benefits:                              $ 6,478               $ 0         $ 6,478
As of September 30, 2018                    Military          Military Pre      Military          Voluntary         DoD Education
(Amounts in thousands)                      Retirement        Medicare-         Medicare-Eligible Separation        Benefits Fund
                                            Pensions          Eligible Retiree  Retiree Health    Incentive
                                                              Health Benefits   Benefits          Programs
Beginning Actuarial Liability               $ 0               0                 0                 0                 0
Plus Expenses:
   Normal Cost                              0                 0                 0                 0                 0
   Interest Cost                            0                 0                 0                 0                 0
   Plan Amendments                          0                 0                 0                 0                 0
   Experience Losses (Gains)                0                 0                 0                 0                 0
   Other factors                            0                 0                 0                 0                 0
   Subtotal: Expenses before Losses (Gains)
   from Actuarial Assumption Changes        0                 0                 0                 0                 0
Actuarial losses/(gains) due to:
   Changes in trend assumptions             0                 0                 0                 0                 0
   Changes in assumptions other than trend  0                 0                 0                 0                 0
   Subtotal: Losses (Gains) from Actuarial
   Assumption Changes                       0                 0                 0                 0                 0
Total Expenses                              $ 0               0                 0                 0                 0
Less Benefit Outlays                        0                 0                 0                 0                 0
Total Changes in Actuarial Liability        $ 0               0                 0                 0                 0
Ending Actuarial Liability                  $ 0               0                 0                 0                 0
Note 11.
Commitments and Contingencies
The DISA GF is a party in various administrative proceedings and legal actions related to contractual based disputes. The
DISA GF is not aware of any contingent liabilities for legal actions for FY 2018.
Note 12.
General Disclosures Related to the Statement of Net Cost
Intragovernmental Costs and Exchange Revenue
As of September 30                                                2018          2017
(Amounts in thousands)
Military Retirement Benefits
   1. Gross Cost                                                   $ 0           $ 0
   2. Less: Earned Revenue                                           0             0
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                                  $ 0           $ 0
Civil Works
   1. Gross Cost                                                   $ 0           $ 0
   2. Less: Earned Revenue                                           0             0
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                                  $ 0           $ 0
Military Personnel
   1. Gross Cost                                                   $ 0           $ 0
   2. Less: Earned Revenue                                           0             0
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                                  $ 0           $ 0
Operations, Readiness & Support
   1. Gross Cost                                           $ 1,971,565   $ 1,718,957
   2. Less: Earned Revenue                                   (111,256)     (113,341)
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0         $ (1)
   Total Net Cost                                          $ 1,860,309   $ 1,605,615
Procurement
   1. Gross Cost                                             $ 370,805     $ 319,041
   2. Less: Earned Revenue                                     (7,540)       (7,736)
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                            $ 363,265     $ 311,305
Research, Development, Test & Evaluation
   1. Gross Cost                                             $ 308,798     $ 280,363
   2. Less: Earned Revenue                                    (57,087)      (59,020)
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                            $ 251,711     $ 221,343
Family Housing & Military Construction
   1. Gross Cost                                                 $ 942         $ 959
   2. Less: Earned Revenue                                           0             0
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0           $ 0
   Total Net Cost                                                $ 942         $ 959
Consolidated
   1. Gross Cost                                           $ 2,652,110   $ 2,319,320
   2. Less: Earned Revenue                                   (175,883)     (180,097)
   3. Losses/(Gains) from Actuarial Assumption
      Changes for Military Retirement Benefits                     $ 0         $ (1)
   4. Costs Not Assigned to Programs                               $ 0           $ 0
   5. (Less: Earned Revenues) Not Attributed to Programs           $ 0           $ 0
   Total Net Cost                                          $ 2,476,227   $ 2,139,222
The Statement of Net Cost represents the net cost of programs and organizations that are supported by DISA GF. The
purpose of the Statement of Net Cost is to provide gross and net cost information related to DISA GF.
Intragovernmental costs and revenue are related to transactions between two reporting entities within the Federal
Government. Public costs and revenue are exchange transactions made between DISA GF and a nonfederal entity.
The DISA GF reports exchange revenues for inflows of resources that have been earned. They arise from exchange
transactions, which occur when each party to the transaction sacrifices value and receives value in return. Exchange
revenues arise when DISA GF provides something of value to the public or another Government entity at a price. Pricing
policy for exchange revenues is derived by recovering costs.
The DISA GF employs a trading partner reconciliation throughout the year to validate buyer-side and seller-side balances,
and collaborates with its major DoD partners to identify and resolve material differences. Generally, in accordance with
DoD FMR Volume 6B, Chapter 13, paragraph 13201, the internal DoD buyer-side balances are adjusted to agree with
internal seller-side balances for revenue. For variances that remain unreconciled at the end of the period, DISA GF
expenses are adjusted by reclassifying amounts between federal and nonfederal expenses or by accruing additional
accounts payable and expenses.
Note 13.
Disclosures Related to the Statement of Budgetary Resources
As of September 30                                                2018          2017
(Amounts in thousands)
1. Intragovernmental Budgetary Resources Obligated for Undelivered Orders:
   A. Unpaid                                                 2,339,723             0
   B. Prepaid/Advanced                                               0             0
   C. Total Intragovernmental                              $ 2,339,723           $ 0
2. Nonfederal Budgetary Resources Obligated for Undelivered Orders:
   A. Unpaid                                                   121,869             0
   B. Prepaid/Advanced                                              13             0
   C. Total Nonfederal                                       $ 121,882           $ 0
3. Budgetary Resources Obligated for Undelivered Orders
   at the End of the Period                                $ 2,461,604   $ 1,974,600
4. Available Borrowing and Contract Authority at the
   End of the Period                                               $ 0           $ 0
The DISA GF operates primarily with funding derived from direct appropriations which are subject to
cancellation by the time period in which funds may be used. An additional funding source is the use of
reimbursable authority obtained from customer orders for services provided.
Intra-entity Transactions
The DISA GF Statement of Budgetary Resources includes intra-entity transactions because the statements are
presented as combined.
Other Disclosures
The DISA GF does not have any legal arrangements affecting the use of unobligated budget authority, and has
not received permanent indefinite appropriations.
The amount of obligations incurred by DISA GF may not be directly compared to the amounts reported in the
Budget of the United States Government because DISA GF funding is received and reported as a component
of the “Other Defense Funds” program. The “Other Defense Funds” is combined with the service components
and other DoD elements and then compared to the Budget of the United States Government at the defense
agency level.
Note 14.
Reconciliation of Net Cost of Operations to Budget
As of September 30                                                2018          2017
(Amounts in thousands)
Resources Used to Finance Activities:
Budgetary Resources Obligated:
   1. Obligations incurred                                 $ 3,502,238   $ 2,947,610
   2. Less: Spending authority from offsetting
      collections and recoveries (-)                         (363,508)     (320,922)
   3. Obligations net of offsetting collections
      and recoveries                                       $ 3,138,730   $ 2,626,688
   4. Less: Offsetting receipts (-)                                  0             0
   5. Net obligations                                      $ 3,138,730   $ 2,626,688
Other Resources:
   6. Donations and forfeitures of property                          0             0
   7. Transfers in/out without reimbursement (+/-)           (226,195)     (169,831)
   8. Imputed financing from costs absorbed by others           51,651       192,430
   9. Other (+/-)                                                    0             0
   10. Net other resources used to finance activities      $ (174,544)      $ 22,599
   11. Total resources used to finance activities          $ 2,964,186   $ 2,649,287
Resources Used to Finance Items not Part of the Net Cost of Operations:
   12. Change in budgetary resources obligated for
       goods, services and benefits ordered but not yet
       provided:
       12a. Undelivered Orders (-)                         $ (487,005)   $ (508,021)
       12b. Unfilled Customer Orders                            47,735      (25,836)
   13. Resources that fund expenses recognized in prior
       Periods (-)                                            (27,526)         (583)
   14. Budgetary offsetting collections and receipts that
       do not affect Net Cost of Operations                          0             0
   15. Resources that finance the acquisition of
       assets (-)                                            (317,955)     (209,334)
   16. Other resources or adjustments to net obligated
       resources that do not affect Net Cost of
       Operations:
       16a. Less: Trust or Special Fund Receipts
            Related to exchange in the Entity’s Budget (-)           0             0
       16b. Other (+/-)                                        226,195       169,830
   17. Total resources used to finance items not part
       of the Net Cost of Operations                       $ (558,556)   $ (573,944)
   18. Total resources used to finance the Net Cost
       of Operations                                       $ 2,405,630   $ 2,075,343
Components of the Net Cost of Operations that will not Require or Generate Resources in the Current Period:
Components Requiring or Generating Resources in Future Period:
   19. Increase in annual leave liability                      $ 4,365       $ 2,895
   20. Increase in environmental and disposal liability              0             0
   21. Upward/Downward reestimates of credit subsidy
       expense (+/-)                                                 0             0
   22. Increase in exchange revenue receivable from
       the public (-)                                            (106)           695
   23. Other (+/-)                                                   0           544
   24. Total components of Net Cost of Operations that
       will Require or Generate Resources in future
       periods                                                 $ 4,259       $ 4,134
Components not Requiring or Generating Resources:
   25. Depreciation and amortization                          $ 66,374      $ 62,012
   26. Revaluation of assets or liabilities (+/-)                    0       (2,271)
   27. Other (+/-)
       27a. Trust Fund Exchange Revenue                              0             0
       27b. Cost of Goods Sold                                       0             0
       27c. Operating Material and Supplies Used                     0             0
       27d. Other                                                 (36)             4
   28. Total Components of Net Cost of Operations that
       will not Require or Generate Resources                 $ 66,338      $ 59,745
   29. Total components of Net Cost of Operations
       that will not Require or Generate Resources in
       the current period                                     $ 70,597      $ 63,879
   30. Net Cost of Operations                              $ 2,476,227   $ 2,139,222
Note 15.
Other Disclosures
As of September 30, 2018                          Asset Category
                                                  Land and
(Amounts in thousands)                           Buildings   Equipment       Other       Total
1. Intragovernmental Operating Leases
   Future Payments Due
   Fiscal Year
      2019                                          39,869       1,446       2,348      43,663
      2020                                          41,365       1,465       2,466      45,296
      2021                                          42,128       1,485       2,589      46,202
      2022                                          42,991         859       2,718      46,568
      2023                                          43,925         881       2,854      47,660
      After 5 Years                                 50,077       4,620      15,211      69,908
   Total Intragovernmental Future Lease
   Payments Due                                  $ 260,355    $ 10,756    $ 28,186   $ 299,297
2. Nonfederal Operating Leases
   Future Payments Due
   Fiscal Year
      2019                                               0           0         618         618
      2020                                               0           0         649         649
      2021                                               0           0         681         681
      2022                                               0           0         715         715
      2023                                               0           0         751         751
      After 5 Years                                      0           0       4,003       4,003
   Total Nonfederal Future Lease
   Payments Due                                        $ 0         $ 0     $ 7,417     $ 7,417
3. Total Future Lease Payments Due               $ 260,355    $ 10,756    $ 35,603   $ 306,714
INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500
January 18, 2019
MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER, DOD
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
INSPECTOR GENERAL, DEFENSE INFORMATION SYSTEMS AGENCY
SUBJECT: Transmittal of the Independent Auditor's Report on the Defense Information Systems Agency
General Fund Financial Statements and Related Notes for FY 2018 (Project No. D2018-D000FL-0057.000,
Report No. DODIG-2019-046)
We contracted with the independent public accounting firm of Kearney & Company to audit the Defense
Information Systems Agency (DISA) General Fund FY 2018 Financial Statements and related notes as of
September 30, 2018, and for the year then ended, and to provide a report on internal control over financial
reporting and compliance with laws and regulations. The contract required Kearney & Company to conduct the
audit in accordance with generally accepted government auditing standards (GAGAS); Office of Management and
Budget audit guidance; and the Government Accountability Office/President's Council on Integrity and
Efficiency, "Financial Audit Manual," July 2008.[1] Kearney & Company's Independent Auditor's Reports are
attached.
Kearney & Company's audit resulted in a disclaimer of opinion. Kearney & Company could not obtain
sufficient, appropriate audit evidence to support the reported amounts within the DISA General Fund
financial statements. As a result, Kearney & Company could not conclude whether the financial statements and
related notes were fairly presented in accordance with Generally Accepted Accounting Principles.
Accordingly, Kearney & Company did not express an opinion on the DISA General Fund FY 2018 Financial
Statements and related notes.
Kearney & Company's separate report on "Internal Control over Financial Reporting" discusses five material
weaknesses related to the DISA General Fund's internal controls over financial reporting. Specifically
Kearney & Company found material weaknesses including: Fund Balance With Treasury, Accounts Receivable,
Accounts Payable, Budgetary Resources, and Information Technology. Kearney & Company's additional report on
"Compliance with Laws, Regulations, Contracts, and Grant Agreements" discusses three instances of
noncompliance with applicable laws and regulations.
In connection with the contract we reviewed Kearney & Company's reports and related documentation and
discussed the audit results with Kearney & Company representatives. Our review, as differentiated from an
audit in accordance with GAGAS, was not intended to enable us to express, and we did not express, an opinion
on the DISA General Fund FY 2018 Financial Statements and related notes, conclusions about the effectiveness
of internal control, conclusions on whether the DISA General Fund's financial systems substantially complied
with the "Federal Financial Management Improvement Act of 1996," or conclusions on whether the DISA General
Fund complied with laws and regulations. Kearney & Company is responsible for the attached reports, dated
January 18, 2019, and the conclusions expressed in these reports. However, our review disclosed no instances
in which Kearney & Company did not comply, in all material respects, with GAGAS.
We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 601-5e45.
Lorin T. Venable, CPA
Assistant Inspector General
Financial Management and Reporting
Attachments:
As stated
[1] In June 2018, the Government Accountability Office issued an updated Financial Audit Manual. Kearney &
Company updated its audit procedures to be in accordance with the updates issued in the Government
Accountability Office/Council of the Inspectors General on Integrity and Efficiency, "Financial Audit
Manual," June 2018.
1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com
INDEPENDENT AUDITOR’S REPORT
To the Director, Defense Information Systems Agency, and the Inspector General of the
Department of Defense
Report on the Financial Statements
We were engaged to audit the accompanying consolidated General Fund (GF) financial
statements of the Defense Information Systems Agency (DISA), which comprise the balance
sheet as of September 30, 2018, the related statements of net cost and changes in net position,
and the combined statements of budgetary resources (hereinafter referred to as the “financial
statements”) for the year then ended, and the related notes to the financial statements.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial statements
in accordance with accounting principles generally accepted in the United States of America; this
includes the design, implementation, and maintenance of internal control relevant to the
preparation and fair presentation of financial statements that are free from material misstatement,
whether due to fraud or error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted the audit in accordance with auditing standards generally accepted in the United
States of America; the standards applicable to financial audits contained in Government Auditing
Standards, issued by the Comptroller General of the United States; and Office of Management
and Budget (OMB) Bulletin No. 19-01, Audit Requirements for Federal Financial Statements.
Because of the matters described in the Basis for Disclaimer of Opinion section below, we were
not able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion.
Basis for Disclaimer of Opinion
We were unable to obtain sufficient appropriate audit evidence to provide a basis for an audit
opinion that the financial statements are complete and free from material misstatements when
taken as a whole. We identified a material amount of unreconciled transactions and unexplained
variances that potentially impact the completeness and accuracy of DISA’s financial statements.
DISA utilizes a service organization, which supports multiple other Federal entities, to process
disbursement and collection transactions. We identified a material amount of disbursements and
collections which were processed; however, DISA and its service organization were unable to
assign the transactions to a specific entity because of various transactional errors. We also
identified unreconciled differences between the service organization’s records and amounts
reported by the U.S. Department of the Treasury. DISA and its service organization were unable
to provide evidential matter to validate that these unresolved and unreconciled items did not
impact DISA’s financial statements.
The effects of the conditions in the preceding paragraph and overall challenges in obtaining
sufficient audit evidence limited our ability to execute all planned audit procedures. As a result,
we were unable to determine whether any adjustments were necessary to DISA’s financial
statements.
Disclaimer of Opinion
Because of the significance of the matters described in the Basis for Disclaimer of Opinion
section above, we were not able to obtain sufficient appropriate audit evidence to provide a basis
for an audit opinion. Accordingly, we do not express an opinion on these financial statements.
Other Matters
Required Supplementary Information
Accounting principles generally accepted in the United States of America require that the
Management’s Discussion and Analysis, other Required Supplementary Information, and
Required Supplementary Stewardship Information (hereinafter referred to as the “required
supplementary information”) be presented to supplement the financial statements. Such
information, although not a part of the financial statements, is required by OMB and the Federal
Accounting Standards Advisory Board (FASAB), who consider it to be an essential part of the
financial reporting for placing the financial statements in an appropriate operational, economic,
or historical context. We have applied certain limited procedures to the required supplementary
information in accordance with auditing standards generally accepted in the United States of
America, which consisted of inquiries of management about the methods of preparing the
information and comparing the information for consistency with management’s responses to our
inquiries, the basic financial statements, and other knowledge we obtained during our audit of the
basic financial statements. We do not express an opinion or provide any assurance on the
information because the limited procedures do not provide us with evidence sufficient to express
an opinion or provide any assurance.
Management has omitted Deferred Maintenance information that accounting principles generally
accepted in the United States of America require to be presented to supplement the basic
financial statements. Such missing information, although not a part of the basic financial
statements, is required by OMB and FASAB, who consider it to be an essential part of financial
reporting for placing the basic financial statements in an appropriate operational, economic, or
historical context. Our opinion on the basic financial statements is not affected by this missing
information.
Other Reporting Required by Government Auditing Standards
In accordance with Government Auditing Standards and OMB Bulletin No. 19-01, we have also
issued reports, dated January 18, 2019, on our consideration of DISA’s internal control over
financial reporting and on our tests of DISA’s compliance with provisions of applicable laws,
regulations, contracts, and grant agreements, and other matters for the year ended
September 30, 2018. The purpose of those reports is to describe the scope of our testing of
internal control over financial reporting and compliance and the results of that testing, and not to
provide an opinion on internal control over financial reporting or on compliance and other
matters. Those reports are an integral part of an audit performed in accordance with Government
Auditing Standards and OMB Bulletin No. 19-01 and should be considered in assessing the
results of our audit.
Alexandria, Virginia
January 18, 2019
INDEPENDENT AUDITOR’S REPORT ON INTERNAL CONTROL OVER
FINANCIAL REPORTING
To the Director, Defense Information Systems Agency, and the Inspector General of the
Department of Defense
We were engaged to audit, in accordance with the auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and Office of
Management and Budget (OMB) Bulletin No. 19-01, Audit Requirements for Federal Financial
Statements, the General Fund (GF) financial statements of the Defense Information Systems
Agency (DISA) as of and for the year ended September 30, 2018, and we have issued our report
thereon dated January 18, 2019. Our report disclaims an opinion on such financial statements
because we were unable to obtain sufficient appropriate audit evidence to provide a basis for an
audit opinion.
Internal Control over Financial Reporting
In connection with our engagement to audit the financial statements, we considered DISA’s
internal control over financial reporting (internal control) to determine the audit procedures that
are appropriate in the circumstances for the purpose of expressing an opinion on the financial
statements, but not for the purpose of expressing an opinion on the effectiveness of DISA’s
internal control. Accordingly, we do not express an opinion on the effectiveness of DISA’s
internal control. We limited our internal control testing to those controls necessary to achieve
the objectives described in OMB Bulletin No. 19-01. We did not test all internal controls
relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity
Act of 1982 (FMFIA), such as those controls relevant to ensuring efficient operations.
Our consideration of internal control was for the limited purpose described in the preceding
paragraph and was not designed to identify all deficiencies in internal control that might be
material weaknesses or significant deficiencies; therefore, material weaknesses or significant
deficiencies may exist that were not identified. However, as described in the accompanying
Schedule of Findings, we identified certain deficiencies in internal control that we consider to be
material weaknesses.
A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to
prevent or detect and correct misstatements on a timely basis. A material weakness is a
deficiency, or combination of deficiencies, in internal control, such that there is a reasonable
possibility that a material misstatement of the entity’s financial statements will not be prevented
or detected and corrected on a timely basis. We consider the deficiencies described in the
accompanying Schedule of Findings to be material weaknesses.
A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is
less severe than a material weakness yet important enough to merit attention by those charged
with governance.
We noted certain additional matters involving internal control over financial reporting that we
will report to DISA’s management in a separate letter.
DISA’s Response to Findings
DISA’s response to the findings identified in our engagement is described in a separate
memorandum attached to this report in Section 2, Financial Section, of the Agency Financial
Report. DISA’s response was not subjected to the auditing procedures applied in our
engagement of the financial statements; accordingly, we do not express an opinion on it.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of internal control and the
results of that testing, and not to provide an opinion on the effectiveness of DISA’s internal
control. This report is an integral part of an engagement to perform an audit in accordance with
Government Auditing Standards and OMB Bulletin No. 19-01 in considering the entity’s internal
control. Accordingly, this communication is not suitable for any other purpose.
Alexandria, Virginia
January 18, 2019
Schedule of Findings
Material Weaknesses
Throughout the course of our audit work at the Defense Information Systems Agency (DISA),
we identified internal control deficiencies which were considered for the purposes of reporting
on internal control over financial reporting. The material weaknesses presented in this Schedule
of Findings have been formulated based on our determination of how individual control
deficiencies, in aggregate, affect internal control over financial reporting. The table below
presents the material weaknesses identified during our audit:
Material Weakness | Contributing Deficiency Areas
I. Fund Balance with Treasury | A. Suspense Accounts; B. Statements of Differences; C. Cash Management Report
II. Accounts Receivable | Accounts Receivable
III. Accounts Payable | A. Accounts Payable from Cancelled Appropriations; B. Accounts Payable Balance
IV. Budgetary Resources | A. Unfilled Customer Orders and Undelivered Obligations; B. Recoveries of Prior-Year Unpaid Obligations; C. New Obligations
V. Information Technology | Information System Security Controls
I. Fund Balance with Treasury (New Condition)
Deficiencies in three related areas define this material weakness:
A. Suspense Accounts
B. Statements of Differences
C. Cash Management Report
A. Suspense Accounts
Background: DISA, in conjunction with its service organization (collectively referred to as
“DISA” hereafter), manages, reports, and accounts for Fund Balance with Treasury (FBWT)
clearing (suspense) account activities. Clearing accounts temporarily hold unidentifiable
collections or disbursements that belong to the Federal Government. The U.S. Department of the
Treasury (Treasury) allows entities with a justifiable business need, such as deposits from a
specific program which are not authorized to be recorded in another deposit account, to use
suspense accounts as a temporary holding place for transactions. However, the transactions
should be cleared within 60 days. The Department of Defense (DoD) uses a number of clearing
accounts in this manner.
DISA uses one core financial accounting system for its General Fund (GF), the Washington
Headquarters Services (WHS) Allotment Accounting System (WAAS). WAAS uses several
feeder systems to process collection and disbursement transactions. DISA shares these feeder
systems with the Department of the Army (DA), Department of the Air Force (DAF), and the
Department of the Navy (DON), as well as the Other Defense Organizations (ODO).
Additionally, DISA uses numerous Defense Finance and Accounting Service (DFAS) Disbursing
Stations, which are also shared with DA, DAF, DON, and the ODOs, to perform collection and
disbursement activity.
During input to the feeder systems or interfaces between the feeder systems and WAAS at the
various Disbursing Stations, it is possible for a transaction to be processed with an incomplete,
inaccurate, or invalid Treasury Account Symbol (TAS), which includes information in the fields
for Treasury Index (TI), budget fiscal year (BFY), and fund. When this occurs, the transactions
are recorded in a suspense account. DFAS reports activity recorded to suspense accounts to
Treasury monthly.
Amounts recorded in DoD suspense accounts are not reflected in the FBWT balance of any
component DoD organization until it is determined to which organization the transaction pertains
and the activity is “cleared” out of suspense to the appropriate agency’s TI and TAS. As such,
the transactions in the suspense accounts represent a financial reporting completeness risk to all
DoD organizations until they are researched and cleared.
Condition: DISA did not have established processes in place to develop a list of transactions in
the suspense accounts, document how the items in suspense were resolved, or identify which
suspense accounts were used for deposit activity in unusual accounts versus capturing processing
exceptions.
Cause: DISA did not have effective processes and controls to ensure that suspense accounts
were only used for valid or isolated reasons. Systems used by DISA to process disbursement and
collection activity lacked sufficient edit checks to prevent processing of transactions for which
TI and TAS cannot be reliably determined. This resulted in suspense accounts being used in
high volumes.
Effect: Ineffective business processes and system controls result in a high volume of transactions
in DoD suspense accounts. Ineffective procedures to research, clear, and document suspense
activity impact DISA’s ability to support the completeness and accuracy of the agency’s FBWT.
Transactions that are material to DISA may reside in suspense accounts and become omitted
from DISA’s financial statements.
Recommendations: Kearney & Company, P.C. (Kearney) recommends that DISA:
1. Strengthen system and process controls to ensure that disbursements and collections are
processed with valid TI and TAS inputs.
2. Strengthen internal controls when suspense accounts must be used, including:
a. Develop and implement effective monthly reconciliation controls to support amounts
reported to Treasury in all DoD suspense accounts at a transaction level.
b. Develop and implement effective controls to ensure that transactions are cleared from
suspense accounts on a timely basis and sufficient supporting documentation is
maintained to demonstrate to which entity the transactions were cleared and that the
entity to which it was cleared was appropriate.
c. Develop and implement procedures to isolate and document instances where suspense
accounts are being used for routine, valid purposes, rather than being used for
transactions with edit errors.
B. Statements of Differences
Background: The FBWT account is increased and decreased by collections and disbursements,
respectively. DISA’s service organization reports its disbursing activity monthly under various
Agency Location Codes (ALC), often referred to as Disbursing Symbol Station Numbers.
Treasury compares data submitted by financial institutions and Treasury Regional Financial
Centers to ensure the accuracy and completeness of the collection and disbursement activity
submitted. Discrepancies are reported in Treasury’s Central Accounting Reporting System
(CARS) monthly for each ALC by accounting month (i.e., month the report is generated) and
accomplished month (i.e., month the difference occurred). Reporting entities are required to
research and resolve the Statements of Differences (SOD) monthly.
Condition: DISA did not resolve SODs in a timely manner, nor did it design and implement
controls to clear SODs in a timely manner (prior to the next reporting period). DISA did not
have formalized procedures in place to identify the actual or estimated impact of SODs to
DISA’s financial statements. The agency failed to provide historical records showing the
resolution of SOD differences to allow it to assess or estimate the potential impact of current
SOD differences.
Cause: DISA’s service organization reports expenditure activity monthly to Treasury on behalf
of DISA using reporting ALCs shared with other DoD agencies. Treasury’s CARS only reports
SODs at the ALC level and does not provide the information to allow DISA to easily identify the
agency responsible and timely resolve the differences.
DISA did not have procedures requiring documentation and retention of SOD population details
to support monthly reconciliations and variance resolution or have a methodology to determine
the financial reporting impact of SODs to DISA’s financial statements. Formalized
communication procedures between DISA and its service organization were not established.
Effect: DISA cannot assess the financial reporting impact of SOD differences that are not
researched and resolved timely, nor can it assert that reported collections and disbursements are
complete and accurate without properly designed and implemented control procedures. DISA’s
financial statements may be materially misstated, and these misstatements may not be detected
and corrected timely.
Recommendations: Kearney recommends that DISA formally develop and implement the
following:
1. Work with Treasury, the Office of the Secretary of Defense (OSD), its service
organization, and other parties to transition away from using monthly reporting ALCs to
daily reporting ALCs.
2. Develop and implement a methodology to identify the actual or estimated impact of SOD
amounts that should be attributed to DISA’s FBWT account.
3. Work with Treasury, OSD, and its service organization to establish an ALC that
processes DISA’s transactions exclusively.
4. Work with its service organization by providing supporting information to clear
transactions timely.
5. Identify ALCs that primarily report collection and disbursement activity to Treasury on
behalf of DISA.
6. Identify and retain the individual transactions that reconcile to the SOD.
7. Develop a common approach and timeframe across DoD related to researching and
resolving SODs monthly.
8. Monitor and track the resolution of SODs cleared to DISA to enable the agency to
perform root cause analysis and create projections of potential outstanding unresolved
balances.
9. Implement procedures to reduce the amounts reported on SODs using a root cause
analysis.
10. Schedule recurring meetings with its service organization to help resolve outstanding
differences.
C. Cash Management Report
Background: Treasury maintains and reports FBWT at the TAS level. DISA receives the Cash
Management Report (CMR) audit workbook from its service organization to provide its FBWT
balance at the agency level because data is not available from Treasury’s CARS. The CMR is
prepared by gathering FBWT expenditure activity from approximately 335 disbursing ALCs
throughout the DoD and transferring it to FoxPro, a legacy off-the-shelf database program, to create
the CMR. DISA then enters journal vouchers to agree its FBWT balance to the CMR.
The CMR contains several categories of transactions that cannot be identified to a specific
agency. Until fully researched in subsequent months, these transactions were not reflected in any
agency financial statements.
Condition: DISA failed to:
- Formalize procedures around the generation of the monthly CMR
- Document which source files are required from specific source systems
- Document how data is consolidated and transferred to FoxPro to create the CMR
- Perform data validation procedures to ensure the source files used to create the CMR
reconcile back to the original source systems
- Identify all transactions in the CMR to a specific agency.
FoxPro is an off-the-shelf legacy database that was created in the 1970s. It is not covered by a
System and Organization Controls (SOC) report. Additionally, it does not have the ability to
limit user access, produce an audit log, or leverage other controls that would restrict the ability to
edit data.
Cause: Treasury does not report FBWT below the TAS level, creating the need for the monthly
CMR. DISA shares TI and basic symbols with multiple agencies, which prevents it from
obtaining its discrete FBWT balance directly from Treasury. As a result, DISA is dependent on
its service organization to provide support for the FBWT amount reported in its financial
statements. While DISA is able to explain the details and steps leading up to the creation of the
CMR, it has not documented the procedures performed and internal control activities that support
its assertions, nor adequately developed compensating controls to ensure that its FBWT is
complete and accurate. To date, DISA has not implemented a procedure to resolve the
unidentified transactions in the CMR in a timely manner so that they can be reflected in the
financial statements of the appropriate agencies.
Effect: DISA is unable to support the completeness and accuracy of its FBWT without
documented procedures and controls over the generation of the CMR and resolution of the
unidentified transactions. As a result, DISA’s financial statements may contain significant
misstatements that may not be detected and corrected in a timely manner.
DISA enters journal vouchers each month to bring its FBWT balance into agreement with the
CMR. The entries are based solely on the amounts included in the CMR, rather than an in-depth
reconciliation or analysis describing the transactions which compose the amounts.
Recommendations: Kearney recommends that DISA:
1. Work with Treasury to develop a method, such as establishing subaccounts under the
basic symbol used by DISA, so that it can obtain CARS reports to document its FBWT
balance directly from Treasury and remove the need for the creation of the CMR.
2. Work with Treasury, OSD, its service organization, and other parties to transition away
from using monthly non-CARS reporting ALCs to daily full CARS reporting ALCs.
3. Work with Treasury, OSD, and its service organization to establish an ALC that
processes DISA’s transactions exclusively.
Until the above recommendation can be implemented or determined not feasible, Kearney
recommends that DISA work with its service organization to:
1. Document formalized procedures around the generation of the monthly CMR to provide
an audit trail demonstrating the completeness and accuracy of the report. This should
include documenting which source files are used and why those are the appropriate files
to include.
2. Implement appropriate data validation controls of the source files used to create the CMR
as they are gathered and transferred from system to system during the creation of the
CMR process.
3. Create the CMR in a system with appropriate controls to prevent changes to the data
without appropriate authorization.
4. Document formalized procedures around the timely resolution of the unidentified
transactions in the CMR.
5. Document formalized procedures to identify the actual or estimated impact of CMR
differences that should be attributed to DISA’s FBWT account.
6. Document formalized procedures to resolve differences between the CMR and CARS
monthly and identify the impact to DISA’s FBWT account.
7. Work with its service organization to monitor and track the resolution of the various
CMR difference categories cleared to DISA to allow DISA to perform root cause analysis
and create projections of potential outstanding unresolved balances.
II. Accounts Receivable (New Condition)
Background: Accounts Receivable (AR) arise from claims to cash or other assets against
another entity. At the time revenue is recognized and payment has not been received in advance,
a receivable must be established. AR from other Federal entities or the public includes earned
AR, claims receivable, and refunds receivable. Federal accounting standards state that losses on
receivables should be recognized when it is more likely than not that the receivables will not be
collected.
Condition: DISA’s accounting records contained a significant number of aged AR balances
(more than 180 days without activity). DISA could not support the validity and collectability of
these balances.
Cause: DISA’s process for reviewing its AR balance does not include performing an assessment
to identify or estimate balances that are more likely than not to be uncollectible, which should be
written off for financial reporting purposes.
Effect: As a result of our audit, DISA recorded significant adjustments to its AR balances.
Without a process to identify or estimate uncollectible AR balances, DISA’s financial statements
may contain misstatements.
Recommendations: Kearney recommends that DISA establish procedures to perform periodic
reviews which will determine if aged AR balances should be written down. DISA should adjust
its financial statements based on the results of this review.
III. Accounts Payable (New Condition)
Deficiencies in two related areas define this material weakness:
A. Accounts Payable from Cancelled Appropriations
B. Accounts Payable Balance
A. Accounts Payable from Cancelled Appropriations
Background: A liability, such as Accounts Payable (AP), is a present obligation of the Federal
Government to provide assets or services to another entity at a determinable date, when a
specified event occurs, or on demand. Federal agencies should only record a liability when there
is a probable and measurable future outflow or other sacrifice of resources as a result of past
transactions.
Condition: DISA’s AP from Cancelled Appropriations account contained a significant volume
of balances that no longer represented valid liabilities.
Cause: DISA’s posting models in its accounting systems resulted in the invalid liabilities
remaining in its accounting records. The posting flaw in DISA’s WAAS system resulted in the
erroneous recording of a liability when certain cash collections were processed. In addition,
DISA did not have a process to review its accounting records for potentially invalid balances.
Effect: DISA adjusted the amounts reported in its AP from Cancelled Appropriations account.
Without a process to review account balances for validity, DISA’s financial statements may
continue to contain undetected overstatements of liabilities.
Recommendations: Kearney recommends that DISA:
1. Correct the posting models that caused the incorrect postings.
2. Strengthen procedures to review and monitor liability balances for validity and
conformance with Federal requirements.
3. Require periodic reviews of transaction posting models to ensure account entries are in
accordance with the United States Standard General Ledger (USSGL).
4. Record accounting adjustments to remove invalid liability balances from its accounting
records.
B. Accounts Payable Balance
Background: AP are amounts owed by a Federal entity for goods and services received from,
progress in contract performance made by, and rents due to other entities. DISA management
utilizes estimates and automated accruals to record payables due to vendor billing delays, volume
of transaction processing, and decentralized operations. A significant portion of DISA’s GF
revenue and expense transactions are with DISA’s Working Capital Fund (WCF).
DISA identifies specific contracts that are deemed appropriate to post monthly estimated
accruals. The accruals are posted for estimated services received during the month, but not yet
billed by the vendor. Accruals are automatically posted monthly based on a prorated figure
calculated at 96% of the contractual obligation throughout the funding vehicle’s period of
performance. The corresponding payable is based on contractual terms, rather than actual
invoices. After a valid invoice is received from the vendor, the subsequent vendor payment will
liquidate the previous payable (or a portion thereof).
Condition: DISA was unable to provide sufficient documentation to support the validity of a
significant number of AP balances. The lack of documentation consisted of:
- Instances where DISA was unable to support the validity of AP accrual balances that
were significantly aged
- Instances where there were significant variances between the assumptions in DISA’s
accrual methodologies and actual billings submitted by vendors.
The accounting system automatically posts an AR at month-end that is linked to the accrued AP.
DISA’s accrual methodology was also applied to AR balances. The receivable is recorded based
on the accrual calculation.
Cause: DISA recorded accrual balances based on prorated calculations from contractual
agreements with the assumption that their expenses would be generally consistent on a monthly
basis throughout the contract’s period of performance, even if the contract was not firm-fixed
price in nature. DISA did not have a process to adjust its prorated calculations when the scope of
a contract was changed or when vendor invoices were submitted at lower value than the accrual
calculated. In addition, DISA did not have an effective process to evaluate the validity of aged
accrual balances without recent activity, including those pending contract close-out. Outside of
the accrual methodology, DISA’s controls to ensure that sufficient invoices were received and
accurately processed by the Contracting Officer’s Representative (COR) were not effectively
designed.
Effect: DISA adjusted a significant number of invalid AP balances. Without a process to
validate accrual methods and review balances for validity, DISA’s financial statements may
continue to contain undetected misstatements.
Recommendations: Kearney recommends that DISA design and implement improvements to its
accrual methodologies and underlying assumptions. Specifically, Kearney recommends that
DISA:
1. Validate and adjust the process used to establish accruals using prorated contractual
terms.
2. Develop and implement a process to review potentially invalid or inaccurate accrual
balances. This review should involve correspondence with program managers to confirm
the status of potentially stale balances, identify significant changes in contract scope, and
confirm the accuracy of key contract terms.
3. Develop and implement techniques to ensure that sufficient invoices are required from
vendors and accurately processed. This may include training for CORs to convey the
importance of the criteria for invoice acceptance.
IV. Budgetary Resources (New Condition)
Deficiencies in three related areas define this material weakness:
A. Unfilled Customer Orders and Undelivered Obligations
B. Recoveries of Prior-Year Unpaid Obligations
C. New Obligations
A. Unfilled Customer Orders and Undelivered Obligations
Background: Unfilled Customer Orders (UCO) represent orders for goods and/or services to be
furnished for other Federal Government agencies and for the public. Federal agencies record
UCOs when they enter into an agreement, such as a Military Interdepartmental Purchase Request
(MIPR), contract, or sales order, to provide goods and/or services when a customer cash advance
is not received. These orders provide obligational budgetary authority for reimbursable
programs.
Undelivered Orders (UDO) represent the amount of goods and/or services ordered, which have
not been actually or constructively received and can be unpaid or prepaid. Federal agencies
record UDOs when they enter into an agreement, such as a MIPR, contract, or sales order, to
receive goods and/or services.
Condition: DISA did not reduce amounts recorded in UCO and UDO accounts once no
additional orders would be received from a customer or vendor, respectively.
Cause: DISA did not have effective control procedures in place to ensure that invalid UCOs and
UDOs were identified by fund holders and adjusted in a timely manner. Dormant balances
remain open and reported in the financial statements due to the lack of effective reviews for
validity by fund holders, delays in contract close-out processing by DISA’s Procurement
Services Directorate (PSD), and delays in Defense Contract Audit Agency (DCAA) audits. In
addition, DISA did not have a process in place to estimate invalid UCOs and UDOs in order to
record a year-end adjustment for financial reporting purposes.
Effect: DISA made significant adjustments to its UCO and UDO accounts. Without a process to
identify and adjust invalid balances, DISA’s financial statements may continue to contain
misstatements associated with Spending Authority from Offsetting Collections; New Obligations
and Upward Adjustments; and Unexpired Unobligated Balance, End of Year on the Statement of
Budgetary Resources.
Recommendations: Kearney recommends that DISA:
1. Strengthen procedures to review and monitor UCOs and UDOs for validity and
conformance with Federal requirements.
2. Consider periodic reviews of transaction posting models to ensure account entries are in
accordance with Treasury Financial Manual (TFM) Section III guidance.
3. Record accounting adjustments to remove invalid UCOs and UDOs from its accounting
records.
4. Strengthen existing policies to ensure that fund holders are adequately assessing the
validity of the open UCO and UDO balances and adjust when appropriate.
5. Implement policies, or strengthen existing policies, to process contract actions timely
once all goods and services have been provided to the customer or received from the
vendor.
6. Develop and implement a process to estimate invalid UCOs and UDOs to determine
whether a temporary adjustment is required for year-end financial reporting purposes to
supplement the contract close-out accrual.
B. Recoveries of Prior-Year Unpaid Obligations
Background: Recoveries of unpaid obligations are transactions resulting from downward
adjustments to obligations or delivered orders originally recorded in a prior fiscal year (FY).
Condition: DISA recorded downward adjustments to obligations established in FY 2018. These
transactions were incorrectly recorded as recoveries of prior-year unpaid obligations.
Cause: DISA did not have effective control procedures to ensure that transactions recorded as
recoveries only related to downward adjustments to prior-year obligations. In addition, DISA
did not have adequate controls in place to ensure that downward adjustments to current-year
obligations were accurately reported in its financial statements.
Effect: Without controls to ensure that only valid recoveries are recorded, DISA’s financial
statements may contain misstatements to Unobligated Balance from Prior Year Budget
Authority, Net on the Statement of Budgetary Resources.
Recommendations: Kearney recommends that DISA:
1. Implement policies to ensure that all transactions recorded as recoveries of unpaid
obligations reference obligations recorded in a prior FY.
2. Perform periodic reviews of recoveries of unpaid obligations transactions to ensure that
any transactions that reduce current-year obligations are accurately reported on its
financial statements.
C. New Obligations
Background: An obligation is a legally binding agreement that will result in outlays,
immediately or in the future. When an agency places an order, signs a contract, awards a grant,
purchases a service, or takes other actions that require the Government to make payments to the
public or from one Government account to another, the agency incurs an obligation. Agencies
should maintain policies, procedures, and information systems to ensure that obligations
represent required Federal outlays, comply with laws and regulations, and are appropriately
approved.
Condition: DISA’s accounting records contained a significant number of customer orders and
obligations that were not recorded in a timely manner after the execution of the customer order
or the obligating document.
Cause: DISA does not have effective transaction-level control procedures to ensure customer
orders or obligations are recorded in the financial management system in a timely manner. In
addition, DISA did not have centralized monitoring procedures to identify potentially unrecorded
customer orders and obligations.
Effect: Without controls to monitor and record budgetary accounting events timely, DISA’s
financial statements may contain misstatements associated with Spending Authority from
Offsetting Collections; New Obligations and Upward Adjustments; and Unexpired Unobligated
Balance, End of Year on the Statement of Budgetary Resources. In addition, DISA may provide
or receive goods or services prior to an authorized customer order certifying the availability of
funds or prior to an authorized contract or purchase order being established. If obligations are
not recorded prior to the acquisition of goods and/or services, DISA could obligate funds in
excess of its valid budget authority and potentially violate the Antideficiency Act.
Recommendations: Kearney recommends that DISA strengthen controls to ensure the timely
creation, approval, and recording of customer orders and obligations. Specifically, Kearney
recommends that DISA:
1. Implement controls at the transaction level to ensure that customer orders and obligations
are recorded in a timely manner to support funds control.
2. Develop and implement a process to monitor the execution of DISA policies and
procedures related to establishing customer orders and obligations.
V. Information Systems (New Condition)
Background: DISA operates in a complex information system environment to execute its
mission and record transactions timely and accurately. During FY 2018, DISA operated and
managed information system security for the WAAS, which is the core financial accounting
system for DISA’s GF. DISA plans to retire WAAS in the beginning of FY 2019 and replace it
with the Defense Agencies Initiative (DAI), which is a budget, finance, and accounting system
provided by the Defense Logistics Agency (DLA). As such, DISA plans to develop, document,
and implement the appropriate controls, as required by DLA, to ensure the new system is secure.
In addition to WAAS, DISA utilized several service organizations to support its operations and
mission throughout FY 2018. Service organization systems are systems that organizations other
than DISA own and operate but still affect the agency’s business processes and financial
statements.
Because of the sensitive nature of DISA’s information system environment, Kearney does not
present specific details related to the systems, conditions, or criteria discussed within this
material weakness. We provided those details separately to DISA management and relevant
stakeholders through Notifications of Findings and Recommendations (NFR).
Condition: DISA has several deficiencies in the design and operating effectiveness of internal
controls related to WAAS and the service organization systems. While no single noted control
deficiency meets the level of a material weakness, in combination, these deficiencies elevate to a
material weakness due to the pervasiveness of the weaknesses throughout the information system
environment and DISA’s reliance on these systems for financial reporting. Our audit disclosed
deficiencies in the following areas:
Security Management
- Incomplete system security plan (SSP). Specifically, the WAAS SSP did not include
information regarding DISA’s implementation of National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4 baseline
security controls, as required by the NIST Risk Management Framework (RMF)
Access controls and segregation of duties
- Incomplete or not fully implemented policies and procedures for managing and
monitoring access to select third-party systems
- Lack of logging and monitoring of activity for WAAS
- Inconsistent implementation of user account recertification to verify the propriety of
access to WAAS
- Lack of strong password configurations for the WAAS operating system
- Failure to remove access to WAAS in a timely manner
- Incomplete policies and procedures for the proper segregation of duties within the
WAAS application
Configuration management
- Lack of a controlled process for implementing WAAS change management requests.
Cause: DISA did not have an effective process to appropriately design, document, and
implement many of the required information system controls and supporting processes. In some
instances, DISA designed controls that explicitly did not meet minimum DoD-wide
requirements. In addition, the WAAS management team experienced a reduction in resources
due to the planned retirement and replacement of the application with an external system from a
service organization in early FY 2019.
Effect: Without robust controls throughout the information system environment, the risk of
unauthorized access and information system changes increases, thereby increasing the risk to the
systems and the data confidentiality, integrity, and availability.
Recommendations: Kearney recommends that DISA:
1. Develop, update, and implement policies and procedures addressing security controls
required by existing service organizations.
2. Design, document, and implement security controls for DAI in FY 2019, as appropriate,
based on coordination with DLA for the effective use and security of DAI as a core
financial accounting system.
3. Maintain evidence of DISA’s implementation of the controls for third-party evaluation.
1701 Duke Street, Suite 500, Alexandria, VA 22314
PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com
INDEPENDENT AUDITOR’S REPORT ON COMPLIANCE WITH LAWS,
REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS
To the Director, Defense Information Systems Agency, and the Inspector General of the
Department of Defense
We were engaged to audit, in accordance with the auditing standards generally accepted in the
United States of America; the standards applicable to financial audits contained in Government
Auditing Standards, issued by the Comptroller General of the United States; and Office of
Management and Budget (OMB) Bulletin No. 19-01, Audit Requirements for Federal Financial
Statements, the General Fund (GF) financial statements of the Defense Information Systems
Agency (DISA) as of and for the year ended September 30, 2018, and we have issued our report
thereon dated January 18, 2019. Our report disclaims an opinion on such financial statements
because we were unable to obtain sufficient appropriate audit evidence to provide a basis for an
audit opinion.
Compliance and Other Matters
As part of obtaining reasonable assurance about whether DISA’s financial statements are free
from material misstatement, we performed tests of its compliance with provisions of applicable
laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and
material effect on the financial statements, and provisions referred to in Section 803(a) of the
Federal Financial Management Improvement Act of 1996 (FFMIA). We limited our tests of
compliance to these provisions and did not test compliance with all laws, regulations, contracts,
and grant agreements applicable to DISA. Providing an opinion on compliance with those
provisions was not an objective of our audit; accordingly, we do not express such an opinion.
The results of our tests, exclusive of those referred to in the FFMIA, disclosed instances of
noncompliance or other matters that are required to be reported under Government Auditing
Standards and OMB Bulletin No. 19-01 and are described in the accompanying Schedule of
Findings.
The results of our tests of compliance with FFMIA disclosed that DISA’s financial management
systems did not comply substantially with the Federal financial management system’s
requirements, applicable Federal accounting standards, or application of the United States
Standard General Ledger (USSGL) at the transaction level, as described in the accompanying
Schedule of Findings.
Additionally, if the scope of our work had been sufficient to enable us to express an opinion on
the financial statements, other instances of noncompliance, or other matters may have been
identified and reported herein.
DISA’s Response to Findings
DISA’s response to the findings identified in our engagement is described in a separate
memorandum attached to this report. DISA’s response was not subjected to the auditing
procedures applied in our engagement to audit the financial statements; accordingly, we do not
express an opinion on it.
Purpose of this Report
The purpose of this report is solely to describe the scope of our testing of compliance and the
results of that testing, and not to provide an opinion on the effectiveness of the entity’s
compliance. This report is an integral part of an engagement to perform an audit in accordance
with Government Auditing Standards and OMB Bulletin No. 19-01 in considering the entity’s
compliance. Accordingly, this communication is not suitable for any other purpose.
Alexandria, Virginia
January 18, 2019
Schedule of Findings
Noncompliance and Other Matters
I. The Federal Financial Management Improvement Act of 1996 (New Condition)
The Federal Financial Management Improvement Act of 1996 (FFMIA) requires that an entity’s
overall financial management systems environment operate, process, and report data in a
meaningful manner to support business decisions. FFMIA states that Federal agencies shall
comply substantially with the requirements within Section 803(a). These requirements include:
- Federal financial management system requirements
- Applicable Federal accounting standards
- United States Standard General Ledger (USSGL) at the transaction level.
DISA’s financial management systems do not substantially comply with the requirements within
FFMIA, as discussed below.
Federal Financial Management Systems Requirements
FFMIA requires reliable financial reporting, including the availability of timely and accurate
financial information, and maintaining internal control over financial reporting and financial
system security. The matters described in the Basis for Disclaimer of Opinion section in the
accompanying Independent Auditor’s Report, as well as the material weaknesses reported in the
accompanying Report on Internal Control over Financial Reporting, represent noncompliance
with the requirement for reliable financial reporting.
FFMIA requires financial management system owners to implement and monitor Federal
information system security controls to minimize the impact to the confidentiality, integrity, and
availability of the systems and data. The primary means for Federal entities to provide these
controls is the implementation and monitoring of controls defined in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4, Security
and Privacy Controls for Federal Information Systems and Organizations. DISA deviated from
recommended controls defined in NIST SP 800-53, Rev. 4, as discussed in Section V,
Information Technology, in our Report on Internal Control over Financial Reporting. These
deviations related to security management, access controls, segregation of duties, and
configuration management, and they represent instances of noncompliance with information
security requirements.
Federal Accounting Standards
FFMIA requires that agency management systems maintain data to support financial reporting in
accordance with accounting principles generally accepted in the United States of America
(GAAP). As described in the Basis for Disclaimer of Opinion section in the accompanying
Independent Auditor’s Report, we experienced a scope limitation and were unable to obtain
sufficient appropriate audit evidence regarding the completeness and accuracy of DISA’s
financial statements. Because of the significance of this scope limitation, we were unable to
determine whether DISA’s financial statements contained material departures from GAAP.
United States Standard General Ledger at the Transaction Level
FFMIA requires that agency management systems record financial events by applying the
USSGL guidance in the Treasury Financial Manual (TFM) at the transaction level. As described
in the Basis for Disclaimer of Opinion section in the accompanying Independent Auditor’s
Report, we experienced a scope limitation and were unable to obtain sufficient appropriate audit
evidence regarding the completeness and accuracy of DISA’s financial statements. Because of
the significance of this scope limitation, we were unable to execute all planned audit procedures,
including tests for compliance with the USSGL at the transaction level.
II. The Federal Information Security Modernization Act of 2014 (New Condition)
The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to
provide information security controls commensurate with the risk and potential harm of not
having those controls in place. NIST publishes standards and guidelines for Federal entities to
implement for non-national security systems. Deviations from NIST standards and guidelines
represent departures from FISMA requirements. During our audit, we noted several deviations
from NIST standards and guidelines that contributed to an overall material weakness related to
information systems, as described in Section V, Information Technology, in our Report on
Internal Control over Financial Reporting. These deviations represent DISA’s noncompliance
with FISMA. By not complying with FISMA, DISA’s security controls may adversely affect the
confidentiality, integrity, and availability of information and information systems. See Section
V, Information Technology, in the accompanying Report on Internal Control over Financial
Reporting for additional details.
III. The Federal Managers’ Financial Integrity Act of 1982 (New Condition)
The Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility
for Enterprise Risk Management and Internal Control, implements the requirements of the
Federal Managers’ Financial Integrity Act of 1982 (FMFIA). FMFIA and OMB Circular A-123
require agencies to establish a process to document, assess, and assert to the effectiveness of
internal control over financial reporting.
DISA’s fiscal year 2018 Statement of Assurance stated that its internal controls were operating
effectively as of September 30, 2018. In our Report on Internal Control over Financial
Reporting, we noted five material weaknesses. Because these conditions were not reported in
DISA’s Statement of Assurance, DISA has not complied with the requirements of FMFIA.
Attachment 1 DISA Comments
Message from the Defense Information Systems Agency
DEFENSE INFORMATION SYSTEMS AGENCY
P. O. BOX 549
FORT MEADE, MARYLAND 20755-0549
Mr. David Zavada
Kearney & Company
1701 Duke Street, Suite 500
Alexandria, VA 22314
Mr. Zavada:
Thank you for providing us a copy of Kearney’s draft audit report for DISA's FY 2018 General
Fund (GF) financial statements. DISA appreciates Kearney’s insights and feedback and will
actively pursue clarification and/or corrective action where required.
Below are our comments and concerns regarding the draft conclusions
presented.
I. Fund Balance with Treasury
A. Suspense Accounts
Condition: DISA did not have established processes in place to develop a list of
transactions in the suspense accounts, document how the items in suspense were resolved, or
identify which suspense accounts were used for deposit activity in unusual accounts versus
capturing processing exceptions.
DISA Response: DISA will work with our service provider, Defense Finance and
Accounting Service (DFAS) as well as Office of Secretary of Defense (OSD) Comptroller to
address these Department-wide issues.
B. Statements of Differences (SOD)
Condition: DISA did not resolve SODs in a timely manner, nor did it design and
implement controls to clear SODs in a timely manner (prior to the next reporting period). DISA
did not have formalized procedures in place to identify the actual or estimated impact of SODs
to DISA’s financial statements. The agency failed to provide historical records showing the
resolution of SOD differences to allow them to assess or estimate the potential impact of current
SOD differences.
DISA Response: DISA will work with our service provider, DFAS, as well as OSD
Comptroller to address these Department-wide issues.
C. Cash Management Report (CMR)
Condition: DISA failed to:
- Formalize procedures around the generation of the monthly CMR
- Document which source files are required from specific source systems
- Document how data is consolidated and transferred to FoxPro to create the
CMR
- Perform data validation procedures to ensure the source files used to create
the CMR reconcile back to the original source systems
- Identify all transactions in the CMR to a specific agency.
FoxPro is an off-the-shelf legacy database that was created in the 1970s. It is not covered by a
Service Organization Controls (SOC) report. Additionally, it does not have the ability to limit
user access, produce an audit log, or leverage other controls that would restrict the ability to
edit data.
DISA Response: DISA will work with our service provider, DFAS, as well as OSD
Comptroller to address these Department-wide issues.
II. Accounts Receivable
Condition: DISA’s accounting records contained a significant number of aged AR
balances (more than 180 days without activity). DISA could not support the validity and
collectability of these balances.
DISA Response: DISA partially concurs - The intergovernmental accounts
receivable are valid. Services were provided, revenue was recognized and receivables
were reported. DISA has limited control with collectability due to the nature of its
customer. DISA will increase visibility of the aged receivables and strengthen follow-up
processes.
III. Accounts Payable
A. Accounts Payable from Cancelled Appropriations
Condition: DISA’s Accounts Payable (AP) from Cancelled Appropriations account
contained a significant volume of balances that no longer represented valid liabilities.
DISA Response: DISA partially concurs - As of September 30, 2018 the financial
statements reflected no cancelled appropriations. The condition that canceled payables
re-established subject to Treasury posting guidance became no longer applicable and
the likelihood of liquidation is low. DISA management took action to reverse all prior
year canceled payables as of June 30, 2018. DISA will establish a new process going
forward to re-establish payables canceled as of the balance sheet date. If invoices are
not received by 2nd quarter of the following year to liquidate those payables, DISA
will reverse those as of 2nd quarter reporting for that subsequent fiscal year. This
should ensure that the reported payables do not become stale going forward.
B. Accounts Payable Balance
Condition: DISA was unable to provide sufficient documentation to support the
validity of a significant number of AP balances. The lack of documentation consisted
of:
- Instances where DISA was unable to support the validity of AP accrual
balances that were significantly aged
- Instances where there were significant variances between the assumptions in
DISA’s accrual methodologies and actual billings submitted by vendors.
accrued payable. DISA’s accrual methodology was also applied to AR balances. The
receivable is recorded based on the accrual calculation.
DISA Response: DISA partially concurs - Comment for the last recommendation,
"Develop and implement techniques to ensure that sufficient invoices are required from
vendors and accurately processed. This may include training for CORs to convey the
importance of the criteria for invoice acceptance." DISA is accruing based on the
contractual terms vice vendor invoices.
Vendors are already following the guidance in the Financial Management Regulation
(FMR) as well as submitting invoices in accordance with business rules in
iRAPT/WAWF. DISA does not have authority to force vendors to submit invoices
differently; however, we will work with PSD to include this recommendation for
change in the COR training/guidance.
DISA and Kearney discussed the follow-up questions to the samples which was
anticipated by DISA for further clarification, which was not provided.
IV. Budgetary Accounting
A. Unfilled Customer Orders and Undelivered Obligations
Condition: DISA did not reduce amounts recorded in UCO and UDO accounts
once no additional orders would be received from a customer or vendor, respectively.
DISA Response: DISA concurs with the identified condition. The finding
occurred within the legacy accounting system, WAAS, which relied on manual
controls to ensure posting accuracy. Beginning with FY 2019, DISA GF accounting
activity will be posted in the Defense Agency Initiative (DAI) system. Prior to the
DAI accounting system migration, DISA performed additional analysis of dormant
documents resulting in the correction of over 1,300 documents in WAAS. These
corrections properly reflected balances in the Financial Statements as of September 30
and were converted into DAI.
B. Recoveries of Prior-Year Unpaid Obligations
Condition: DISA recorded downward adjustments to obligations established in
FY 2018. These transactions were incorrectly recorded as recoveries of prior-year
unpaid obligations.
DISA Response: DISA concurs with the identified condition. The finding is based
on transactions within the legacy accounting system, WAAS, which relied on manual
controls to ensure posting accuracy. Beginning with FY 2019, DISA GF accounting
activity was migrated to the DAI Accounting system. The system required these
transactions to be flagged as Prior Year Adjustments (PYA) in WAAS to reflect the
recoveries properly. If not flagged properly, the posting logic was wrong. The system
would allow for PYA transactions even in the current year when it shouldn’t have been
allowed.
C. New Obligations
Condition: DISA’s accounting records contained a significant number of customer
orders and obligations that were not recorded in a timely manner after the execution of the
customer order or the obligating document.
DISA Response: DISA concurs with the identified condition. The finding occurred
within the legacy accounting system, WAAS, which relied on manual controls to ensure
posting accuracy. Beginning with FY 2019, DISA GF accounting activity will be posted in
the DAI system. Prior to the DAI accounting system migration, DISA performed additional
analysis of dormant documents resulting in the correction of over 1,300 documents in
WAAS. These corrections properly reflected balances in the Financial Statements as of
September 30 and were converted into DAI.
V. Information Technology
Information System Security Controls
Condition: DISA has several deficiencies in the design and operating
effectiveness of internal controls related to WAAS and the service organization
systems. While no single noted control deficiency meets the level of a material
weakness, in combination, these deficiencies elevate to a material weakness due to the
pervasiveness of the weaknesses throughout the information system environment and
DISA’s reliance on these systems for financial reporting. Our audit disclosed
deficiencies in the following areas:
Security Management
- Incomplete system security plan (SSP). Specifically, the Washington Headquarters
Services Allotment and Accounting System (WAAS) SSP did not include information
regarding DISA’s implementation of National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-53, Revision (Rev.) 4 baseline security controls,
as required by the NIST Risk Management Framework (RMF)
Access controls and segregation of duties
- Incomplete or not fully implemented policies and procedures for managing and
monitoring access to select third-party systems
- Lack of logging and monitoring of activity for WAAS
- Inconsistent implementation of user account recertification to verify the propriety of
access to WAAS
- Lack of strong password configurations for the WAAS operating system
- Failure to remove access to WAAS in a timely manner
- Incomplete policies and procedures for the proper segregation of duties within the
WAAS application
Configuration management
- Lack of a controlled process for implementing WAAS change management requests
DISA Response: DISA concurs. The legacy WAAS was retired September 30,
2018 and subsumed by DAI.
As stated above, DISA appreciates Kearney’s assessment and will collaborate with
Kearney to resolve these issues in the upcoming period.
BARBARA C. CRAWFORD
Chief, Accounting
Operations/Compliance